Thanks all of you for the replies. The answers you sent were about what I imagined. I have a spare router for just in case. It's good enough to do the job. I've even experimented with pfSense on a spare laptop with one usb3 - lan adapter. It worked fine although I wouldn't trust it for long as it seems so uncommon. belt9, I agree about the value of used equipment. Most of my tablets and laptops are used and/or refurbs. The used off lease laptops are A-stock 3rd gen i5 models and each cost about 80% off list. All were upgraded to Win10 (free) and have SSD and AC wireless now. This is a big savings. One is a 24/7 media server now. If usb3 lan adapters were reportedly more reliable, one would be my next pfSense router. I've thought about swapping out pfSense when AES-NI is required but decided against it. I have too much time invested in learning pfSense and none of the others work as well or are as flexible in the areas I consider important.

Get a board with an AES-NI CPU. Get Intel network cards. All your problems should go away! :)

@seifer44: @ptt: @seifer44: My embedded NIC is a Realtek ALC892, That's what I get for assuming that "Oh hey, since I can't find that particular Realtek interface on pfsense's forums, it must be fine!" The Realtek ALC892 is the Audio Codec, not the "NIC"  ;) http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=28&Level=5&Conn=4&ProdID=284 facepalm it's a Realtek 8111GR. Bad copypasta. Well, they are all crab, copypasta or not…  ;D  :P

Not really. Or at least nothing specific to OpenVPN. You can use something that OpenSSL can use directly, like AES-NI, or something that can tie into the crypto framework, like CESA. Both those will accelerate OpenSSL and hence OpenVPN but total throughput in OpenVPN is still limited by context switching (between kernel and user modes). Steve

Or use VLANs with whatever interface is built into the laptop. Steve

There are a lot of variables here but….  I wouldn't expect any of those to have any issues at 150Mbps, including the SG-4860. The only way you would get close to the limit there is with VPN, probably only with OpenVPN. Though maybe if you ran Snort and Squid and IPSec you might run out of cycles. Steve

Yes, more info needed. Has this happened before? Does it happen every 15 days? What is your hardware? What version are you running? Are you running anything unusual, setup or packages? Steve

Final motherboard choice is ASRock - H270M-ITX/ac Mini ITX LGA1151 Motherboard. Is there anything I should know when setting up pfsense.

@syndax: @stephenw10: Yes, you can bridge the interfaces to put them in the same subnet. It just than in most situations a switch is a better choice for that. If you have NICs to spare and CPU cycles to service them then you can do it. Steve I'm doing this in order to reduce clutter and merge several devices into one. Would an core i5 2500k suffice to achieve 1gbps speeds? Maybe. Bridging in BSD is not great. Also you're not putting the NICs in the same "subnet" you're putting them in the same broadcast domain (L3 vs L2). Even if you have the CPU to push 1Gb/s on all of your ports, you will still have much higher latency (lag). Get a cheap 12 port gig switch for $20 on ebay and it will be faster and easier to setup. It will also use less power and (if you looking at an i5) make less noise. Keep in mind bridging in pfSense means you should have an understanding of Layer 2 traffic and broadcast protocols like mDNS. In short, get the SG-3100 and support the project or look at the qotam boxes and a small switch.

That's a really old thread. You might want to check out 2.4 with ZFS options. For example: https://forum.pfsense.org/index.php?topic=135937.0 Steve

This thread needs to go in the ghetto weirdest thread hall of fame. 8)

what are your actual requirements? the C3xxx series comes in a lot of different sizes designed for a lot of different workloads. Whether they'd be better or worse than a different solution depends on the requirements…

Keep in mind that if you simply ingest that mirror port, you won't really have to worry about NAT speed or bridging or routing etc. Only 'eating' packets fast enough.

[image: CCTV%20Rules.png]

It's installed but not enabled by default. Go to System > Advanced > Miscellaneous. Enable powerd and set all three power types to 'high adaptive'. Check the dashboard to see the CPU current frequency. Depending on the CPU load that may make a significant difference. Steve

Nice. We'll be here. That hardware looks like it could be pretty slow by modern standards. Fun project though.  ;) The by-pass relays could be extra fun! Steve

Thanks for the confirmation. I'm resigned to using an mSATA or plain SATA drive until Up^2 places nicely with FreeBSD. At least my eMMC wont get hammered with writes…  :-\

Ah!  ;) Good to know anyway, thanks. Steve

Yeah I agree with that. Have you seen our store?  ;D If you really want to run on battery you might be better off with a DC supply. It's generally significantly more efficient even if you need converters. I salute your use of blue LEDS though.  ;) Steve