Nope. At 5-8Mbps you should be fine with almost any hardware. I would probably opt for the D525 though if you have the choice, it is significantly more capable. Do you want to encrypt all traffic, the full available bandwidth? Again since that's only 8Mbps you should have no problem. The D525 can push ~50Mbps of encrypted data (~500Mbps unencrypted). Steve

What did you do to fix it?

I think also the A1SRi-2558F could be a valid solution for connections near 100/100. I am designing my unit with that board, home use.

OOPS.  I don't think you're going to be able to hit that box without a serial cable or IPMI (if exists).  Someone correct me if there's another method.  Having this external management ability by default, like many other off-the-shelf firewall solutions, could open the unit up to DNS re-binding type attacks. In hindsight, you CAN add a simple rule to allow administrative access via WAN.  Even though I have done this myself at a couple locations on non-standard ports, this is still considered taboo by many security folks (even though the webserver isn't actually bound to the external interface). Dan

Thank you all for your suggestions. The SuperMicro X10SBA seems to have a very good feature set for the price, however it looks that it only supports a 32 bit UEFI bootloader, see: https://forums.servethehome.com/index.php?threads/how-about-some-bay-trail.2828/#post28536 This causes problems when booting a lot of Linux distro's. I am surprised it works out of the box with FreeBSD 8.3, looks like FreeBSD supports the 32-bit UEFI mode. However, would this be the same for future versions? Perhaps SuperMicro may release a BIOS update which may fix this issue, but I have not seen any post anywhere confirming this. Another option I am considering is an Asus H87I-PLUS ITX or Asus Q87T/CSM Thin ITX motherboard with an i3-4130T. Reports show it should run around 20 watts idle with a PicoPSU, probably lower for the Thin ITX. With some further undervolting and underclocking, this may even be further reduced. On the plus side, this CPU would be more future proof given its higher performance and it also supports AES-NI.

Thanks for the replies! :) Yes I already have Intel ethernet server PCIe card and a few of compatible 16 GB RAM non ECC modules. Q - Will ECC memory modules with a ITX server Motherboard "better" for the small office setup? Q - I am still deciding if I should go for i3 3120T or Pentium G3450T. Your thoughts? I need to go for SNORT and will need the 1Gb WAN and inter-LAN routing between coming file servers to users' LAN. I have not got the motherboard but thought Supermicro a good choice, I was initially going for a cheap MSI B81 ITX board. I did review Supermicro C2758/2550/2558 SOC motherboard but thought the 2.4Ghz CPU speed won't make the LAN-LAN/WAN 1Gbps routing. Moreover I already have the Intel Ethernet Server card. For security and simple setup I chose to keep this PFsense on dedicated physical machine and not on virtualize machine. I read lots have success with their PFsense virtualized but the idea of it connected to WAN seems insecure. Moreover we don't have the in house skills to support virtualization or even VPN access hence the simplification. Q - Given above are we (non IT people) short changing ourselves? Our priority was security and keep things simple for room to grow. Appreciate your time and candid comments.

The BMC offering IPMI is a Linux computer bonding its dedicated interface and the first mainboard interface, using the mainboard interface as failover. You should generally configure it to only use the dedicated interface on a firewall. And no, you can't use it for CARP.

@dmmooney: @ Derelict: I don't think it's a MAC issue - connecting the new wireless router to the cable modem proved that. Proved nothing.  Do not think that cable modem service DHCP works like anything close to normal. do this on the switch: VLAN 10 - port 1 Untagged, port 8 tagged VLAN 80 - port 2-6 Untagged, port 8 tagged Put the cable modem on port 1, factory config pfSense on port 8 (ONLY Exceptions to default: WAN em0_vlan10, LAN em0_vlan80) Plug your LAN devices into ports 2-6. If it doesn't work, it's not pfSense.  Look elsewhere for your problem. It really is as simple as that.

the cpu has been out for almost a year an no one is making embedded solutions yet

Yes you have to use a module compiled on FreeBSD 8.3 and you have to load it at boot using loader.conf.local. You can't load it after boot with kldload, you will just get the 'already exists' error. Steve

Im am not there its for someone else just been asked to come up with something.  and the odder the solution the better so if I can get away with the apu great but it must run those plug in if i am going that route.

several vpns at once. Going with the dual core Pentium haswell @ 3ghz that I got for free. The ASUS H87I-PLUS looks like a good idea given its intel i217 lan. either 8 or 16gb of ram. An ebay Intel PRO/1000 PCI-e Gigabit Dual-Port Lan Card. basic cheapy itx case and a seasonic psu I have here. not sure what type of CF card/ssd to use, or just go with an old set of HDs EDIT: just found this for 175$ basically what the board and network card will cost me. -> http://www.ncix.com/detail/supermicro-motherboard-mbd-x10sba-l-o-celeron-j1900-75-101469.htm may go for this instead

Depends on your definition of "work." https://forum.pfsense.org/index.php?topic=81448.0

@Jason: @Wolf666: I am building mine with the http://www.supermicro.com/products/motherboard/atom/x10/a1srm-2558f.cfm The bill of materials includes: 1 - M350 (case) 2 - 8GB Kingston ECC 3 - Intel S3500 SSD 80GB In EU it will cost around 600€ (tax and shipping included). That board won't fit in the M350 case.  You need the Mini-ITX version. Yup, my fault pasting….it is the A1SRi model of course.

It doesn't make any sense to me either. I did not clear states before testing, but it's my understanding that when the queues are destroyed, there's nothing in the state that would affect it. I have relegated re0 to my DSL backup WAN link. :) Thanks for your help.  I can try other things but I'm left with the take-home that re in freebsd 8.3 needs some work.

Yes, you'll be OK with that setup (Pentium G3220), but some notes: Modem must be "bridge" instead of router Wireless router must be set/used as access point So that PfSense is the only router on your network. Cheers.

Its odd that you had to do anything at all.  I'm using mint (ubuntu) and its unaffected.  But I'm using Chrome Stable.

Who can prove the veracity of any vendor claim?  I don't want to get into that. I can tell you that the AES-NI (AES-GCM) changes will blow the doors off AES-CBC (what you're seeing now). http://freebsdfoundation.blogspot.com/2014/08/freebsd-foundation-announces-ipsec.html I can also tell you that these changes are being tested against a C2758 and another, different Rangeley board. That said, they should work on the i7 just as well. Also, while it isn't running today, there is a "QuickAssist" part on the C2758 that will eventually run (I've just re-engaged Intel about it.)  When that code is finished (and in pfSense), it will blow the doors off the i7 as far as crypto is concerned. https://www.youtube.com/watch?v=M49TKu2cx-Q http://lkml.iu.edu/hypermail/linux/kernel/1406.0/01810.html https://01.org/packet-processing/intel-quickassist-technology-drivers-and-patches (I might get the regex stuff going as well, which could help (a lot) with Snort. http://marc.info/?l=snort-devel&m=128396544311154&w=2 Quad core @ 3.4GHz, or 8 core @ 2.4GHz?  Hmm. The price for the i7 (80 SSD, 8GB ram, single PSU) on that site is $1,830.35.  The C2758 is $1500. Both are supported by the vendor, though the vendor for the C2758 is pfSense.