So I posted the following on the pfSense FB page.
I currently have a 20Mbps VDSL line,
Have pfBlockerNG enabled.
Have Suricata enabled on internal LAN only.
Platform is :
Intel(R) Celeron(R) CPU N2940 @ 1.83GHz
Current: 1826 MHz, Max: 1827 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: No
QAT Crypto: No
Memory always runs at the high 80% (8GB RAM)
Performance sucks... internet is sluggish on everything.
Now if I do a speed test, yes it's pathetic. I disabled Suricata last night, not much better, next up is to disable pfBlocker and see if it improves.
Seriously thinking of looking at a nice high GHz quad core i5 based solution with HT disabled, either as a fanless box or as a micro ITX solution.
As it stands I'm upgrading to 200Mbps in January and if it's battling already now..
I’ve disabled pfBlockerNG and Suricata, going to reboot in the next couple of minutes, and see if things improve.
I’ve gotten to like the pfSense solution, and done quite a bit of work up to now to have my HA via letsencrypt/reverse proxy via CloudFlare configured.
But then the rest of my network is Unifi based.
- on the one side, throw out and go back to Unifi UDM Pro
- Upgrade the pfSense black box solution with a new box from China, yeah, now is a good time with Black Friday, but what. - most expensive, i3 or i5 / 8GB platform
- get a Netgate 3100 - actually cost wise the best, I’m surprised how low the specs of the 3100 are, like everyone says get 4GB RAM, 8GB better, but then looking at the 3100, get the idea for FW great, but not really a good idea to run a lot of packages (pfBlockerNG and Suricata) on it also.
some comments please
Got a Chinese box with the following spec:
Intel(R) Celeron(R) CPU 3865U @ 1.80GHz
2 CPUs: 1 package(s) x 2 core(s)
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No
on a 60/20 line. I get close to line speed, however, I’ve applied limiters to address bufferbloat. Not running Suricata but do have pfBlocker.
Hardly ever see CPU or RAM hitting any high numbers.
I’d say you have a config issue … somewhere. Could be anything.
It sounds like your current box ought to be able to handle a faster line. You’re probably just wasting your money, but perhaps your box will be struggling with a 1G line. You probably need to go over your config again, I’d say something is off.
so… going to probably answer some of this in reverse,
Yes, looking at the chip, and what I read online, my assumption was also that I should easily be able to do what I wanted to… up to a 300Mbps line, well I’m on a 20Mbps at the moment and only getting like 3.5Mbps… disabled Suricata and pfBlockerNG, re-ran the speed test and we’re up to 5Mbps. CPU is now under 7.5% (down from 60-70%) and memory at 10% down from 80%.
yeah… config issue, I’m not keen on spending if not needed, but then also can pick up a Netgate 3100 at 1/2 the normal price, which is just slightly less than a Unifi UDM Pro…
If I had to go Chinese, it would easily be $150 more for a decent i5/8GB platform… none of this I really have, but at the moment neither do we have a proper usable internet either and I work from home, so this is not just play time now.
… so… in the end (will advise) might not be pfSense at all, had a port reset done on my line, modem took forever to log back in, had a line check done, it’s all good, luckily the Infrastructure/Telco provider technician went a little further and used a tool he has and did a check against my modem, seems the modem has gone into some state where it is refusing to sync above 8Mbps… and well considering I’m getting 3-4, at some times pushing 5Mbps, not too bad. So I’m busy reconfiguring an old modem, to see if the modem is fried.
Started wondering… when we did a port reset and the modem took forever to log back in (where it is normally immediate).