Netgate Discussion Forum
    Best NIC for PfSense?

      Taiidan

      Realtek sucks, their so called "gigabit" nics can barely reach half that with twice as much cpu usage as an intel nic doing actual 1gbps.
      I hate intel for a variety of reasons but they make way better nics than realtek, although they aren't the only game in town.

      Anyone who hasn't ever heard of more nic OEMs than realtek and intel is simply clueless. Off the top of my head: mellanox, cavium, solarflare, to name a few, but Intel is AFAIK the only company that has widely available modern 1gbps ethernet cards, whereas for 10gbps there are the above (mellanox connectx2 can be had for only $10-30, for instance, which is a great deal for 10gbe).

      Intel i350 (best modern chipset):
      You can get a 4 port whitebox reference design (made with a real intel ASIC) for around $50 on fleabay.
      The "OEM" unbranded whitebox ones are fine, I have had mine for over a year and it works just as good as the real thing. There isn't any reason to spend five times as much if you're using this at home and not a business mission critical environment.
      Keep in mind the genuine one is made in china too.

      I am a paranoid person but I do not think there is a backdoor, people buying these aren't sticking them in anything important so it isn't worth spending millions to do this and not simply do it to the intel fab itself vs just some gray market ebay shit.

      It supports SR-IOV with flexi-ports, whereas with the older generation such as the gigabit ET series you couldn't assign a single port to a VM; you had to do two at a time.

      Intel Gigabit ET (older):
      Server pulls around $10 for dual port on ebay, sr-iov that doesn't have flexi-port partitioning.

      Intel PRO/1000PT (very old):
      No virtualization, but you can get a 6 port silicom for $10 on ebay.

        VAMike

        @Taiidan:

        Realtek sucks, their so called "gigabit" nics can barely reach half that with twice as much cpu usage as an intel nic doing actual 1gbps.

        curl foo/testfil > /dev/null
          % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                        Dload  Upload  Total  Spent    Left  Speed
        100 1024M  100 1024M    0    0  111M      0  0:00:09  0:00:09 --:--:--  111M
        curl foo-jumbo/testfil > /dev/null
          % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                        Dload  Upload  Total  Spent    Left  Speed
        100 1024M  100 1024M    0    0  117M      0  0:00:08  0:00:08 --:--:--  117M

        That's an 8111G, so your statement is demonstrably false. You wanna argue the i350 is a better nic than an 8111G I won't dispute that, but let's at least keep the criticism grounded in reality.

        @Taiidan:

        Intel i350 (best modern chipset):
        You can get a 4 port whitebox reference design (made with a real intel ASIC) for around $50 on fleabay.
        The "OEM" unbranded whitebox ones are fine, I have had mine for over a year and it works just as good as the real thing. There isn't any reason to spend five times as much if you're using this at home and not a business mission critical environment.
        Keep in mind the genuine one is made in china too.

        The problem isn't the chip in the middle of the board, it's the components surrounding that chip. Chinese factories will produce what they're paid to produce. A legit vendor will pay for high-spec components and QC testing (and will test random samples themselves and reject orders which don't meet spec). A vendor hitting a $50 price point on ebay is using low spec components and skipping the QC. That doesn't mean that the $50 NIC is guaranteed to fail, but it does mean that the chance of it flaking out under load is a heck of a lot higher than the part built from high spec components. If you're buying just one and the failure rate is still something like 1 in 1000 your odds of getting something broken are still pretty low--but anyone doing this should be aware of what they're getting. (And that 1 in 1000 number is completely made up; anecdotally there are batches where the failure rates are a heck of a lot higher than that, and the thing about no-name ebay sellers is that there's no way to figure out what batch your part is coming from or what the real failure rate is.) That said, if you get a bad one you can throw it out and buy another and still come out ahead over buying one from a legit source, as long as your time isn't worth anything and/or you know this can happen and don't waste a lot of time trying to figure out what's wrong.

          Pippin

          On my GB board are the Realtek 8111G also.

          I'm in a home environment and can confirm that they work fine.
          950 Mbps + overhead = 1 Gbps, no problem for this Realtek and no sweat for CPU…

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

            Derelict LAYER 8 Netgate

            With similar failures on realtek, stge, and em it is probably time to start considering something other than your NIC choice as the source of your problems.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              W4RH34D

              @VAMike:

              @Taiidan:

              Realtek sucks, their so called "gigabit" nics can barely reach half that with twice as much cpu usage as an intel nic doing actual 1gbps.

              curl foo/testfil > /dev/null
                % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                              Dload  Upload  Total  Spent    Left  Speed
              100 1024M  100 1024M    0    0  111M      0  0:00:09  0:00:09 --:--:--  111M
              curl foo-jumbo/testfil > /dev/null
                % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                              Dload  Upload  Total  Spent    Left  Speed
              100 1024M  100 1024M    0    0  117M      0  0:00:08  0:00:08 --:--:--  117M

              That's an 8111G, so your statement is demonstrably false. You wanna argue the i350 is a better nic than an 8111G I won't dispute that, but let's at least keep the criticism grounded in reality.

              Yeah let's just go with reliable consistency.  Realtek and its kind are not consistent enough performers in a myriad of contexts to facilitate a 1st class networking experience via pfsense.  There are always outliers but the statistics are there.  And even if you get an A#1 part, the chip's drivers are still considered to be underdeveloped in BSD.

              Did you really check your cables?

                VAMike

                @W4RH34D:

                Yeah let's just go with reliable consistency.  Realtek and its kind are not consistent enough performers in a myriad of contexts to facilitate a 1st class networking experience via pfsense.  There are always outliers but the statistics are there.  And even if you get an A#1 part, the chip's drivers are still considered to be underdeveloped in BSD.

                I won't even agree with the consistency thing, there's enough data out there showing they work fine. There are definitely issues with cut rate ebay boards that have historically used rtl as the cheapest option, but IME those are problems with the component integration, not the rtl part. It's exactly the same kind of issues of dodgy VRs and capacitors that plague ebay intel nics, and I can pretty much guarantee now that intel is embedding i200s in almost everything you'll start to see cut rate ebay motherboards with flaky onboard networks that happen to use intel drivers--because so much of this has nothing to do with the networking silicon itself.

                I will agree that the bsd re(4) driver has been terrible (though it's getting better), but if that's the beef people should just say that rather than making ludicrous claims that every product made by a major manufacturer doesn't actually work.

                  Harvy66

                  I have an Intel i350-T2 running with baremetal PFSense Haswell i5-3.2ghz and it's freaking wonderful.

                  TCP iperf 1500mtu
                  client1-PFSense(NAT, HFSC traffic shaping to 1Gb, 2 streams both ways)-client2(internal to network)
                  1.95Gb/s @ 12% CPU

                  UDP iperf 64mtu
                  client1-PFSense(NAT, HFSC traffic shaping to 1Gb, 4 streams one way)-client2(external to network)
                  1Gb/s @ 17% CPU; PFSense claimed nearly 1Gb/s egress on the WAN, so I assume loss was low. Due to the nature of client2 being outside the network, my internet connection is rate limited well below 1Gb. I would have done an internal test, but Win10 still doesn't work with VLANs. But that's line rate NATing+Shaping.

                    Derelict LAYER 8 Netgate

                    All of my problems receiving DHCP from upstream went away when I swapped out a realtek jetway PCI daughter card for intel. Just sayin. Put it through a switch first so I could capture. ISP was doing the right thing. Card would just "go deaf" out-of-the-blue occasionally.

                    There are known issues with some realtek chips/drivers not properly implementing things like hard-setting speed/duplex in the edge cases where that's required.

                    PC Engines didn't switch to intel for APU2 for zero reason.

                    ESXi pulled support for realtek chips a while back.

                    Much anecdotal evidence supports avoiding realtek.

                      W4RH34D

                      @Derelict:

                      All of my problems receiving DHCP from upstream went away when I swapped out a realtek jetway PCI daughter card for intel. Just sayin. Put it through a switch first so I could capture. ISP was doing the right thing. Card would just "go deaf" out-of-the-blue occasionally.

                      There are known issues with some realtek chips/drivers not properly implementing things like hard-setting speed/duplex in the edge cases where that's required.

                      PC Engines didn't switch to intel for APU2 for zero reason.

                      ESXi pulled support for realtek chips a while back.

                      Much anecdotal evidence supports avoiding realtek.

                      Yeah, the whole system seems to be brought down by this stuff - whether that's some sort of bad voltages or timings or what is not something I have the capability of investigating.  The simple matter is with the recommended hardware, the software behaves as expected.

                      I thought it was fine - when I had a few realtek chips as well.  Then I put in the intel stuff and the little wonkiness I had experienced stopped.  Everything worked; there weren't any "oh shit I pressed this and now I'm hosed" type things.  The VPN comes right back up on setting change etc.

                        Guest

                        @radarino

                        I've used Pfsense 1.2.3 for 4-5 years without problems… a few months ago I installed the 2.2.x version on a machine with 4 Realtek NICs, but it seems to have some problems: about once a day one nic (random) stops working and I have to shut down the server (ifdown/ifup doesn't take effect).

                        What kind of hardware is this? 32Bit or 64Bit? And is this a 32Bit or 64Bit pfSense installation?
                        If this is 64Bit capable hardware I would suggest installing a 64Bit pfSense version too!

                        @doktornotor

                        So, this is my question: which is the most reliable NIC for PfSense?

                        Not so easy to answer at this moment as I see it, but looked at under different circumstances it might be easier to understand.
                        (Only my version of it)

                        • You have a running pfSense installation and all went fine for you. This might sound strange, but if so, and all
                          the things you need or wish to do can be realized easily, there is nothing to talk about regarding the brand or manufacturer name
                          of the NICs. If QoS, VLANs, bridging and all other things went fine, you may not need to discuss the vendor name of
                          the NIC producer in any kind or manner, because all is running fine.

                        • If you have trouble and/or problems that can't be solved, you will be better off with a current and well driver-supported
                          NIC, better than the problem-causing one. At this time it might be a good choice to have a look at Intel NICs that are
                          currently also running fine under the current pfSense hardware and/or that are used by the pfSense (store) appliances themselves,
                          or perhaps that are reported as running fine without any hassle or issues. Perhaps like:

                        • Intel Pro/1000 PT dual or quad port NICs

                        • Intel i210 single or dual port NICs

                        • Intel i340-T2 or T4 adapters

                        • Intel i350-T2 or T4 adapters

                        • Intel X520 or X540 NICs

                        • Chelsio T520 or T540 NICs

                        They mostly cause no problems and/or are very well driver-supported and widely reported as working well too!

                        • Before setting up or buying hardware it might also be nice to know which hardware, especially which NICs, work
                          well and do their job well in all kinds of disciplines. So it might be good to know before spending money that
                          no money will be wasted on a NIC. For two refurbished Intel PT ones we are talking about nearly ~$100, which is quite
                          a lot of money for most of us.

                        @Pippin:

                        950 Mbps + overhead = 1 Gbps, no problem for this Realtek and no sweat for CPU…

                        Broadcom will also run fine in many systems, and if there is no problem or nothing that
                        cannot be done or realized, there will be no need to change it. But if something goes wrong and can't
                        be solved, it might be better to go with an Intel card where no problems will be reported at any time,
                        and not before. So if all is running fine the brand is absolutely not interesting in my eyes.

                        @Derelict:

                        All of my problems receiving DHCP from upstream went away when I swapped out a realtek jetway PCI daughter card for intel. Just sayin. Put it through a switch first so I could capture. ISP was doing the right thing. Card would just "go deaf" out-of-the-blue occasionally.

                        There are known issues with some realtek chips/drivers not properly implementing things like hard-setting speed/duplex in the edge cases where that's required.

                        You are the lucky one, because that will be mostly based on the PHY that is soldered on these daughter boards. For the NF9HG-2930
                        I often advise here in the forum, there are also two daughter boards available and both come with a Pericom PHY soldered on the
                        boards that is not really supported by pfSense, and so it may also be the same with your RealTek daughter board perhaps!?

                        @Derelict:

                        Much anecdotal evidence supports avoiding realtek.

                        In former days it was really not the best bet or option to go with a RealTek NIC, based on other things, but with the slower
                        WAN or Internet connections it was not really important. As today's WAN or Internet connection speeds are increasing fast,
                        it might become more important for users to get a well driver-supported NIC for that task (WAN).

                        In earlier days RealTek was fully offloading any network tasks to the system CPUs; for low power and/or smaller appliances
                        this was a real horror, but given the lower Internet connection speed this was acceptable for most users.

                        Intel was soldering a small network chip that was handling the parities only (consumer cards (NICs)) on its cards and so they
                        were higher in price compared to most other vendors' network cards, but they were offloading "some" tasks from
                        the system CPU and so these systems were acting more agile. But again, also for a small but higher price or budget to pay.

                        On the server cards Intel was soldering DSPs (real digital signal processors) on the cards that might be able to fully offload, or
                        offload many more tasks than the consumer based NICs, and so the systems will be faster and more agile than when fitted with
                        NICs from other vendors.

                        @VAMike:

                        I will agree that the bsd re(4) driver has been terrible (though it's getting better), but if that's the beef people should just say that rather than making ludicrous claims that every product made by a major manufacturer doesn't actually work.

                        This might also be based on the interest of the vendor that is selling that hardware. If Intel is offering FreeBSD
                        drivers for download from their website and RealTek is not really interested in doing this too, this might not be the
                        problem of the driver writers from BSD, FreeBSD or pfSense.

                        @W4RH34D:

                        ...the chip's drivers are still considered to be underdeveloped in BSD.

                        But with an eye toward pfSense and remembering the starting post in this thread, it might also be
                        nice to know what kind of system (hardware) and which pfSense version (32Bit or 64Bit) is really in the game.
                        Because in the near future we will see only a 64Bit pfSense version, and why then should all this 32Bit hardware and these NICs
                        on 32Bit systems be supplied with new drivers? If this comes true sooner than we could imagine, I
                        would say I can understand this point from the driver programmers.

                          Elrick75 @Taiidan

                          @Taiidan said in Best NIC for PfSense?:

                          paranoid person but I do not think there is a backdoor, people buying these aren't sticking them in anything important so it isn't worth spending millions to do this and not simply do it to the intel fab itself vs just some gray market ebay shit.
                          It supports SR-IOV with flexi-ports, whereas the older generation such as gigabit ET series you couldn't assign a single port to a VM you had to do two at a time.
                          Intel Gigabit ET (older):
                          Server pulls around $10 for dual port on ebay, sr-iov that doesn't have flexi-port partitioning.
                          Intel PRO/1000PT (very old):

                          Hi,

                          What about the i350T4 counterfeit? Some people say that they are better than the genuine version...
                          The i350T4V2 exists, I dunno if a counterfeit exists? Do you have information about this?

                          Many thanks.

                            provels @Elrick75

                            @Elrick75 Here are a couple of articles on the i350 fakes.
                            https://forums.servethehome.com/index.php?threads/comparison-intel-i350-t4-genuine-vs-fake.6917/
                            https://www.servethehome.com/investigating-fake-intel-i350-network-adapters/
                            I bought the IBM variant of the i340-T4 for about $20 on Ebay and is working great in a virtual environment.

                            Peder

                            MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                            BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                              Elrick75 @provels

                              @provels said in Best NIC for PfSense?:

                              IBM variant of the i340-T4 for about $20 on Ebay and is working great in a virtual environment.

                              Thanks, I already know one of these two links but it doesn't answer my question: no concrete example comparing an official v2 and a counterfeit v2 ;(

                                stephenw10 Netgate Administrator

                                Hard to imagine anyone is claiming the fakes are better than the genuine version. 😕

                                Steve

                                  Elrick75 @stephenw10

                                  @stephenw10 I agree about this.

                                  But how to tell the difference between a genuine and a counterfeit v2? Are the differences the same as for v1?

                                  A workaround is maybe to purchase 2x10G or 4x10G (copper) instead of 1G? In this case, do some pfSense-compliant NICs exist?

                                    stephenw10 Netgate Administrator

                                    Most (if not all) Intel 10GbaseT NICs are compatible with FreeBSD and hence pfSense.

                                    https://www.freebsd.org/releases/11.2R/hardware.html#ethernet

                                    Steve

                                      Derelict LAYER 8 Netgate

                                      "better" might just mean "cheaper"

                                        tman222

                                        FWIW, I've had great experience using the following NIC chipsets/cards with pfSense:

                                        Intel i340-T4
                                        Intel i350-T4
                                        Intel i210
                                        Chelsio T520-SO-CR
                                        Chelsio T540-SO-CR

                                        Of that list I consider the i340 and T540 to be "sweet spots" -- one can find some great deals on the i340 out there. It's fairly modern and actually quite similarly spec'd to the i350 (which often still sells for a premium). The Chelsio T540 is one of the only quad SFP+ cards that I know of. For the price, I think it's a decent deal for 4 x 10Gbit ports.

                                        Hope this helps.

                                          Elrick75 @tman222

                                          @tman222 Thanks for your reply.
                                          Finally, I purchased:

                                          • Intel X550-T2, very difficult to find a true genuine card, so many Chinese clones, only one true one available
                                            I chose this one because it's a 10GBASE-T card (copper), not very expensive (compared to i350-T4), more recent, less power consumption than the chelsio T520-BT.
                                            With 10GBASE-T, I will be sure that my 1G WAN connection will not be limited by bandwidth.
                                            It's only 2 ports, but I don't need more; I have two other ethernet ports internally on my Dell R230, which will be used for ADSL and 4G connection redundancy, no question to ask with this poor traffic usage.
                                          • T540-CR, the only best card to have 4x SFP+ ports with pfSense
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.