Want to downsize my pfsense box, Netgate SG-1000?


Red Squirrel

No Lifer
May 24, 2003
67,380
12,129
126
www.anyf.ca
Yeah won't be getting another one. I think I'll just cancel this plan and cut my losses. My current setup works fine, I was just thinking of downsizing it to a smaller box so I can extend my UPS run time when there's a power outage but not like we get those that often. That and I could upgrade to latest version. My current box does not have the AES thing that the newer versions need.

When I do decide to try again think I'll just do a custom build with proper NICs. Probably make it a dedicated self contained VM server with local storage and it will be strictly for internet firewall and internet facing stuff. Hopefully I can do a trunk port straight to a VM nic though, never done that before.

Actually another option is to move my environmental server to a Raspberry Pi which I've been wanting to do, and then use that server for the firewall. It's a 1U short depth supermicro with 2 nics.
 

sdifox

No Lifer
Sep 30, 2005
94,999
15,122
126
Yeah won't be getting another one. I think I'll just cancel this plan and cut my losses. My current setup works fine, I was just thinking of downsizing it to a smaller box so I can extend my UPS run time when there's a power outage but not like we get those that often. That and I could upgrade to latest version. My current box does not have the AES thing that the newer versions need.

When I do decide to try again think I'll just do a custom build with proper NICs. Probably make it a dedicated self contained VM server with local storage and it will be strictly for internet firewall and internet facing stuff. Hopefully I can do a trunk port straight to a VM nic though, never done that before.

Actually another option is to move my environmental server to a Raspberry Pi which I've been wanting to do, and then use that server for the firewall. It's a 1U short depth supermicro with 2 nics.

https://calvin.me/vlan-pfsense/
 

sdifox

No Lifer
Sep 30, 2005
94,999
15,122
126
It seems Amazon.ca only let him exchange a new box, not return it.

I have returned a cracked phone case before, albeit pro-rated :awe:

He mentioned he won't be getting another one, that is why I thought he got refunded.
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
Probably going to give up and go back to the old box. Wasted an entire day on this crap. Now I'm not even getting an IP. It just goes 0.0.0.0.

I even re-introduced the ISP supplied router to the equation to rule out any funny business with how my ISP handles connectivity. Old firewall plugged into it works fine, new one refuses to get an IP even from the local router. My ISP does some weird stuff with how they present the internet, it's on vlan 35, but they also do some hardware level QoS stuff, I have this Asus router with a custom firmware on it that basically handles all that stuff and gives you a pass through port so that you don't need to do a double NAT like you do with the ISP supplied router. But I took all that stuff out for testing purposes, still nothing. I also have the firewall setup with a factory setting with just a laptop for LAN so no vlans or anything. Still won't pass traffic to the internet. Also tried setting MTU to 1500 on WAN interface.

Was hoping this would mostly be plug and play but it's far from it. Might have to cave and just build a normal PC box. May as well make the power usage worth it and make it a dedicated VM server that has local storage and is self contained, and I can also move all my internet facing VMs to it to split it from my private stuff. I just don't want to run it on my main VM server but I could setup a completely separate one.

Sounds like defective hardware for sure, probably the NICs.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
That's what I thought at first but he said they were not Realtek NICs. But yeah, trying to use pfSense with Realtek is like beating your head against the wall.

I quoted post #100, but when you click the link anand's forum software points to #99.

His box comes with Realtek 8111e.
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
I quoted post #100, but when you click the link anand's forum software points to #99.

His box comes with Realtek 8111e.

I actually missed a whole page of replies, I now see where he did order the Realtek NIC box. That was a bad idea, as they make them with both Intel and Realtek.

I only wanted a 2 port but ended up with a 4 port version just to get Intel NICs.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
I bought a used HP quad port gigabit NIC (HP NC365T) with Intel chips on eBay that consumes only 5 watts and it costs less than 30 bucks.

https://h20195.www2.hpe.com/v2/GetPDF.aspx/c04111679.pdf

The reason OP bought a box with Realtek probably was that he was way too concerned about Intel's vPRO security issues (could be remote controlled) that we discussed in this or other thread.
 

Red Squirrel

No Lifer
May 24, 2003
67,380
12,129
126
www.anyf.ca

Already doing all of that right now. Oh NM I missed the vmware part.

Though for testing purposes after I was having issues the first time I was not using vlans as I did not import my old config.

They are letting me return it, at least I assume, maybe they're just going to send me another, but pretty sure it's going to be a full return. They gave me a packing slip etc. Which reminds me I need to go drop that off to the post office today.
 

Red Squirrel

No Lifer
May 24, 2003
67,380
12,129
126
www.anyf.ca
I bought a used HP quad port gigabit NIC (HP NC365T) with Intel chips on eBay that consumes only 5 watts and it costs less than 30 bucks.

https://h20195.www2.hpe.com/v2/GetPDF.aspx/c04111679.pdf

The reason OP bought a box with Realtek probably was that he was way too concerned about Intel's vPRO security issues (could be remote controlled) that we discussed in this or other thread.


There is no way that card would fit in that box, if it even has a PCIe slot. While I had my concerns about Intel ME I have also learned that the Celeron does not have vPro, so I didn't have to worry. I thought these boxes all had Intel NICs in them so when I ordered I just assumed it would. Did not figure the Realtek NICs would be THAT bad in pfSense though. If it was just a performance thing I can live with that but acting all wacky like that I was not expecting it to be that bad.
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126
Did not figure the Realtek NICs would be THAT bad in pfSense though. If it was just a performance thing I can live with that but acting all wacky like that I was not expecting it to be that bad.

I didn't either the first time I tried pfSense. I used an old AMD Phenom box with a few Realtek NICs I had laying around. Spent days trying to figure out what was wrong, probably spent 20-30 hours on it. I was so pissed off I actually ended up taking that box out into the parking lot of my apartment building and beating it to pieces with a baseball bat Office Space style before trashing it.

Look on the bright side though, now that you have also learned your lesson you will never try pfSense and Realtek again. Hell, after that I don't even use Realtek in my desktops.
 

sdifox

No Lifer
Sep 30, 2005
94,999
15,122
126
I didn't either the first time I tried pfSense. I used an old AMD Phenom box with a few Realtek NICs I had laying around. Spent days trying to figure out what was wrong, probably spent 20-30 hours on it. I was so pissed off I actually ended up taking that box out into the parking lot of my apartment building and beating it to pieces with a baseball bat Office Space style before trashing it.

Look on the bright side though, now that you have also learned your lesson you will never try pfSense and Realtek again. Hell, after that I don't even use Realtek in my desktops.


I give realtek nics to my enemies xd
 

VirtualLarry

No Lifer
Aug 25, 2001
56,339
10,044
126
Geez, all this hating on RealTek NICs. I actually (used to?) appreciate RealTek NICs, as they were, more often than not, supported under most Linux distros. Whereas Atheros and Broadcom / Marvell were generally not. Intel NICs, being more or less the "Gold Standard" of NICs, were generally supported too, but you didn't use to find Intel NICs on cheaper motherboards, especially ones with an AMD CPU socket on them.
 

Red Squirrel

No Lifer
May 24, 2003
67,380
12,129
126
www.anyf.ca
I think they're only really an issue in pfsense. Never had an issue with them in Linux. If I do go with a separate dedicated VM server and virtualize it, I may even purposely use one to hopefully "break" Intel ME. It won't matter if it's virtualized, pfsense will just see whatever the virtual nic is, and I would imagine they have support for all the common hypervisors. Though I've also heard that simply using an add-on card also breaks ME (which is a good thing) so even if I go with a 2 or 4 port Intel think I'll be fine.

Think I'll just put this on hold for now though, was just not meant to be. My core2duo machine is doing fine.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Geez, all this hating on RealTek NICs.

No Realtek hate here. Realtek is perfectly fine with PC that's not used on servers that have heavy load or like this case, used as a pfSense firewall.

Most cheap PCs / motherboards come with Realtek. When it fails, I would rather replace it with a used Intel adapter instead of a new Realtek adapter, however.
 

Rifter

Lifer
Oct 9, 1999
11,522
751
126

Red Squirrel

No Lifer
May 24, 2003
67,380
12,129
126
www.anyf.ca
pfSense changed its plan -
pfSense version 2.5.0 WILL NOT require AES-NI.


But really there is no reason to use any CPU without AES-NI nowadays. The performance gap is huge.

Good to hear, opens up more hardware possibilities as you don't have to make sure the cpu has that feature. I might be able to re-purpose my environmental server as a pfsense box and move environmental stuff to a Raspberry pi.
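
Editor's added example (not part of any post in this thread): a pre-flight check for a box being considered for pfSense, covering the two hardware points raised above, whether the CPU reports AES-NI and whether the NICs attach with the Realtek `re` driver. It assumes the usual FreeBSD boot log line shapes (`Features2=...<...>` and `re0: <...>`); the function names `check_box` and `sample_dmesg` are hypothetical and the sample boot log is constructed.

```shell
#!/bin/sh
# Added example. Reads a FreeBSD/pfSense boot log on stdin and reports
# AES-NI support and NIC drivers. On a live box (assumed path):
#   check_box < /var/run/dmesg.boot

check_box() {
    awk '
    # CPU feature line, e.g.  Features2=0x...<SSE3,...,AESNI,...>
    /Features2=/ && /[<,]AESNI[,>]/ { aes = 1 }
    # NIC attach line, e.g.  re0: <RealTek 8168/8111 ...> port ...
    # re = Realtek; em, igb, ix = Intel; bge = Broadcom
    /^(re|em|igb|ix|bge)[0-9]+: </ {
        ifname = $1; sub(/:$/, "", ifname)
        if (ifname in seen) next          # count each interface once
        seen[ifname] = 1
        drv = ifname; sub(/[0-9]+$/, "", drv)
        nics = (nics == "" ? ifname : nics " " ifname)
        if (drv == "re") realtek++
    }
    END {
        printf "aesni=%s\n", (aes ? "yes" : "no")
        printf "nics=%s\n", nics
        printf "realtek_count=%d\n", realtek
    }'
}

# Constructed sample boot log: a CPU without AES-NI and two Realtek ports.
sample_dmesg() {
    cat <<'EOF'
CPU: Example CPU (constructed sample)
  Features=0x0<FPU,VME,DE,PSE,TSC,MSR,PAE>
  Features2=0x0<SSE3,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT>
re0: <RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet> port 0xe000-0xe0ff on pci1
re0: Ethernet address: 00:00:5e:00:53:01
re1: <RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet> port 0xd000-0xd0ff on pci2
re1: Ethernet address: 00:00:5e:00:53:02
EOF
}

sample_dmesg | check_box
```

A nonzero `realtek_count` flags the kind of box discussed in this thread; `aesni=no` matters only for pfSense releases that require AES-NI.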
 

thecoolnessrune

Diamond Member
Jun 8, 2005
9,672
578
126
Having recently moved to a new home and knowing that my servers would be down for a while, I bought an SG-3100 to support the PFSense community and be able to get some sanity without balancing my servers being down with the home having Internet.

So glad I did. With minor modifications my Virtual PFSense config worked without a hitch on the SG-3100, and it's got more than enough horsepower to do my VPNs and Firewalling in a low-power package. As a bonus, when my servers are back up, I'll be able to do lab work without worrying about bringing the internet down in my home.