I have no idea about IMIX results, I just happened to have watched that vid recently.
In your shoes I’d ask your IT people to give you an OpenVPN cert to access your office, then setup an OpenVPN server with that cert, then route your “work” vlan via that gateway. Keep it tidy.
Here’s some more links about hardware sizing and protecteli performance with VPN’s.
On top of firewall routing and VPN services you will probably want to add a few other packages onto pfSense like IPS/IDS-suricata or snort and an add blocker-pfblocker which will use additional resources (cpu/ram). “Certain packages have a significant impact on hardware requirements, and their use must be taken into consideration when selecting hardware.”
https://docs.netgate.com/pfsense/en/latest/hardware/size.html
things to consider:
uptime
agreed upon maintenance windows (for patching, implementing changes).
spare hardware, spare parts (particularly the little m.2 SATA drive)
a test environment; can be virtualized if pfSense
how long would you be down if you needed to RMA a UDM Pro?
What kind of filtering do you want, per VLAN
network segregation
printing. some printers make a fuss if the client isn’t on the same network segment.
Users have high expectations for uptime.
do you have a redundant ISP connection or is tethering off of a mobile phone good enough?
I’d put the router, modem and switch on a UPS.
The APs will be covered via the switch.
I gave the UDM Pro a shot as the lead dog after many years on pfSense on an HP T620+. I miss pfBlockerNG. I’d bring the T620+ back online in about 5 min if the UDM pro decides it needs a day off.
hth.
It really kind of depends what you’re used to. If you’ve never really used pfSense nor Unifi, either one should work for you. I had previously been running pfSense and decided to try out a Dream Machine a couple of years ago.
I’m sure it would do all the same things I was doing with pfSense, but I ended up returning it and going back to pfSense just because I was familiar with where things were located within the web GUI. I think the learning curve is probably easier with Unifi, but there are plenty of videos that walk you through almost everything on both Unifi and pfSense. I often search Tom’s videos specifically to see if he’s done whatever I’m trying to accomplish before.
I’d highly recommend doing what others have suggested and try running pfSense in a VM or on some hardware you already own before deciding which way you’d ultimately like to go.
Over a few months I’ve implemented a site with 6 Unfi pro 6 APs. To implement tagged vlans and Poe I went with two TL-sg1218mpe switches. For me , that was the hardest replacement.
Just replaced routers with a Netgate 4100. (Couldn’t justify the 6100).
Now adding VPNs.
Just adding things slowly, mostly after watching videos.
Thank you @adrian, @jricica2 and @Askingquestions for sharing your install and personal experiences with pfSense. It’s encouraging to hear some average Joe’s finding success and even preference of pfSense over Unifi.
I’ve always been a “monkey see, monkey do” sort of guy. So watching videos or reading documentation and visualizing in my head or with sketches is how I best learn. Plus I don’t mind jumping on forums when needed, and even enjoy it to a certain degree as I love to learn new things.
And @StanleyTheKnife you raise some great points. Acquiring the Unifi pieces I have took a little patience and swift timing when things came in-stock. I assume that demand won’t keep up forever, but really who knows. In regards to some of the finer points of the network, here is where I am so far:
Multiple VLAN’s —> wife work, my work, home/trusted devices, kids, guest, iot, office support (printers, VOIP, etc), cameras & potentially home network storage
VPN —> ability to remote in when away + ability to run all network traffic in/out under select VLAN’s
Printer access —> you nailed it, as one of my concerns now is how do I get a printer on X VLAN to speak to Y, Z and whatever other VLAN’s (securely, of course)
Multiple pfSense packages including: Snort or Suricata, pfBlockerNG, Squid, SquidGuard and LightSquid. Maybe more as I learn what else is available. Probably some sort of reporting app as I understand internal reporting is blah.
Plan to put everything on a UPS. Also if I build hardware, I’d probably consider Xeon and ECC memory as I understand they do better with power failures. We aren’t ready to go HA, or at least I think that is the proper term – basically where it will switch over to a backup duplicate system.
Currently only 1 ISP in/out. Backup would be tethering off cells as you noted. Probably okay for now, although not ideal. We can also get 1gb cable internet as potential redundancy w/o breaking the bank and could write off on business.
What was your thoughts with the T620+? Enough horsepower to run what I am proposing with near 1gb VPN speeds? Asking because I see lots of folks going this route.
@Cudzu appreciate the info share on VPN speed results with Protectli gear. Quick analysis shows 6C, D or E will yield the speeds I seek. Prices on those are hitting the $600+ mark. They are slightly cheaper than the Netgate 6100 but have better VPN performance, yet fall a little short on port speeds. Not really super important today, but we will likely have this router for 5 years or so and having 2.5G and 10G ports would be nice (not req’d) if we aren’t talking considerably more money.
I think the bigger eye opener has been that while I can get pfSense to run on a $200 machine, getting it to run VPN and the packages I want at the speeds I want probably isn’t feasible for that budget. I think it’s more of a $500-700 budget unless I get dog lucky with some used hardware.
As I continue to maul all this over, I am about 99.9% decided that pfSense is the right choice for us and our future network needs. While easy is preferred, I just think all the things we already want and will likely grow to want/need will require more than the UDMP can offer. So to me it just makes sense to go head first into something that will provide a better long term solution.
I just need to get hardware decided. As temporary interim I think I may just get the Mac Mini up and going until I figure out a better solution.
Just keep in mind those protectli speed results ARE JUST with pfSense and VPN. That doesn’t include running other packages at the same time.
Running suricata and pfblocker on a SATURATED 1 Gig line through a VPN takes a ton of horsepower and ram (trying to do packet inspection on all that data after it’s been decrypted that quickly). The more packages you add the more horsepower you will need.
In my case, I transfer a ton of data. I was using a Intel Pentium Gold G5400T (2 cores/4 threads shows up as 4 pfSense CPU’s), with 16 gigbytes of RAM (the amount of memory effects your state tables and MBuf’s), on a 200 Mbit Saturated line, with an add in QAT card, VPN, Suricata, pfBlocker, and some other small packages and it was almost maxing out that cpu. So scaling that to 1 gig with that cpu wasn’t going to work for me. That’s why I upgraded my chip. Now, most of the time my pfSense “CPU Usage” sits at 0%, but when I’m transferring files, maxing out my connection, saturating my line, with my CURRENT cpu “CPU Usage” runs between 80-95%. The QAT card handles the VPN encryption/decryption like a champ but the cpu still handles Suricata packet inspection and pfblocker.
I did not want my router to be the choke point in my system, at any time.
Now, any of these systems (protectli type, t620+, even the netgate 1100 ( IPsec VPN: 90 Mbps (AES-CBC-128 + SHA1)) will do firewall routing and VPN.
It’s when you ask your firewall to do more than routing that you need more horsepower.
It’s going to depend on how you use your system to how much horsepower you need.
The t620+ is a good entry point into hardware on the cheap and figure out what you can and can’t do with that box and the pfSense packages you want to run. You can always put it on a shelf and use it as a backup box in future.
I do not think the t620 will meet your needs for what you want your router to do.
Another issue with pfSense boxes with switches built in (to give you those extra ports), including netgate (in the past), is/was the switch doesn’t operate at full speed. They were set up as a bridge instead of a separate switch. You will always get faster speeds with a router and external switch than a software bridged switch. Intel pcie add in cards are different than the protectli type box with all those ports. I believe Netgate fixed this issue in the 4100/6100 to a separate, full bandwidth switch? I would recommend only using the ports required for in/out traffic of the router, just enough ports for what ever your setup requires multiple wan in, etc. and external switches. This will also reduce your electricity draw which is becoming more and more important these days.
pfSense will run on almost anything. A 10 year old pc can run pfSense. But, yeah, for what your looking to do you will want a better system than a t620. It’s just a good starting point for someone that hasn’t used pfSense before and doesn’t have an old, unused, PC laying around.
Buying a netgate box, gets you optimized hardware and network ports. If you build your system you will need to optimize your network cards to see full benefit, which is easy to do. I think most people skip this step because “they just work,” if you buy intel network cards. Hardware — Hardware Tuning and Troubleshooting | pfSense Documentation
You have received much good advice just going to describe my pf-Sense. Intel i-3 4GB ram, Intel nics and onboard nic for management. Used system formerly a POS terminal. Adding additional nic for further degrees of separation. So far no issues with add on packages. Good luck with your build out. Read the docs and simulate with internal net before going live.
@Cudzu my man, you keep delivering amazing info. Thank you so much! Some follow up questions and thoughts to your last response:
What line speed are you at now? You mentioned 200mb as your start point. Are you currently at 1gb?
Aside from the processor, did you stick with the 16gb RAM?
Yeah I think I recall reading the ports of the 6100 are independent speeds so they aren’t bottlenecked. Consequently (for anyone reading this) both the UDMP and UDMP-SE are both bottlenecked. I remember seeing a post about someone raging over it. Regardless I do have a 24 port switch so using the router ports aren’t a necessity. I was just thinking of line speeds increase the router has a longer useful life if there are 2.5G and 10G options. Of course to take advantage I would need to upgrade my switches and probably my cabling too as it had Cat5e before I got here.
What PC do you have and what kind of costs did you spend and now have invested? Trying to get an idea of I’m being too loosey goosey with my cash.
I was playing on a parts picker website and configured this little beast, lol. Slap that $80 card in that you linked earlier and I think I will be okay for 5+ years. Still expensive but seems like considerable more horsepower. Also more power consumption and much larger too. But I have options with the PCIe slots.
PCPartPicker Part List: https://pcpartpicker.com/list/x9VtrD
CPU: Intel Core i5-12400 2.5 GHz 6-Core Processor ($193.95 @ Amazon)
Motherboard: MSI MAG Z690 TOMAHAWK WIFI DDR4 ATX LGA1700 Motherboard ($256.89 @ Amazon)
Memory: G.Skill Ripjaws V 16 GB (2 x 8 GB) DDR4-3200 CL16 Memory ($50.99 @ Newegg)
Storage: Samsung 980 500 GB M.2-2280 NVME Solid State Drive ($54.99 @ Amazon)
Case: Corsair 4000D Airflow ATX Mid Tower Case ($94.99 @ Amazon)
Power Supply: EVGA SuperNOVA 650 650 W 80+ Platinum Certified Fully Modular ATX Power Supply ($69.99 @ EVGA)
Total: $721.80
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2022-09-20 20:15 EDT-0400
I’m back at 200/20 Mbit now. I started with pfSense Pentium 5400t on a 55/5 Mbit line, went to 110/10 Mbit, to 220/20, to 330/30, upgraded the cpu to the i9-9900t and then 1 Gig line (940/50). I can’t justify the cost for the 1 Gig line and went back to 200 Mbit. I have data caps with my provider so 200 Mbit with no data cap is better for me than 1 gig line with data cap. It just takes more time for transfers. It was fun but totally unnecessary and only provides 30 Mbit more upload bandwidth. Although I did build my router to handle those 1 Gig speeds and has 10 gig ethernet.
I have two 8 gig sticks (for dual channel benefits). LOL This router was left over high end parts from a previous PC build I had done. G.Skill Trident Z 16 GB (2 x 8 GB) DDR4-4000 CL19 Memory. It’s always had 16g ram.
The older model netgate hardware used a switch that shared it’s bandwidth. Tom has videos on it. Check out Tom’s netgate 3100 or 7100 review? I’m to lazy to look it up.
My build doesn’t really reflect prices correctly. Everything was bought on sale on Thanksgiving, Blackfriday, or ebay sales that were negotiated down 25+ percent or more. I can’t really remember how much all of it cost anymore it’s been so long. Everything was brand new or “new old stock.” I don’t know if I would do it that way if I were going to do it again. The only reason I upgraded to a 9900t for $200.00 was because it was cheaper replacement than upgrading to new motherboard and cpu was quite a bit more expensive and I could make it work. Probably about 750.00 total with intel i9-9900t cpu and intel x550-t2 10g ethernet card upgrade this year. That is since 2007. It was a intel pentium gold 5400t with a intel i340 4 port nic when I build it. I was using an old, unused pc, with a i340 4 port nic before that. I’m not including costs for all parts. Just parts I didn’t have on hand, didn’t count the “backup’s or spares” laying around.
I would look for a “T” or “L” chip that uses less electricity that is always going to be on, that can throttle down. It may be more expensive initially but will save you money in the long run.
Configurable TDP-down Base Frequency
Configurable TDP-down Base Frequency is a processor operating mode where the processor behavior and performance is modified by lowering TDP and the processor frequency to fixed points. The Configurable TDP-down Base Frequency is where the Configurable TDP-down is defined. Frequency is typically measured in gigahertz (GHz), or billion cycles per second.
You can get slower ram 2133 is cheaper if you want to save money but I would stick with 16 Gig for what you want to do. As well as, two 8 gig sticks. It’s not as important as cpu cores/threads but stick with 16 gig ram.
I like having the built in graphics on the chip. I have direct console access when I want. I have an old, used, monitor on top of the case, with usb keyboard, and just turn them on when I need to access the command line. You will always know what is going on that way with the machine instead of wondering. Mostly I use the gui from a computer on the network but being able to see what that machine is actually doing helps at times.
You can use any old sata or nvme drive to save money. 500 gig is overkill. I have a 120 gig nvme drive and log/store everything and it’s only 1.5 gig full. What ever is the cheapest there. It’s just for logs basically. Everything will run in RAM once booted. You can even use an 8 gig usb drive if you wanted to. A lot of the old micro pfSense builds use a usb drive as a ram disk and have a 100w to 150w power supply in a box the size of a cable arris cable modem.
You can go cheap on the case also. It’s just a box. You want good fans for airflow/cooling though. That’s probably more important than how the box looks.
Your power supply is way overkill. That system has a 211w usage rating. In high end gaming pc’s you want double your power draw for overhead for power spikes from the video card and expansion. You want your power supply and computer to run at 50% of capacity of the power supply because that’s where you get the best efficiency. That’s not really what you want/need in a router/firewall that is going to be on 24/7. I believe I have a corsair 550w because it was “the best” from tom’s hardware, at that time, at the small wattage size, on sale, gold rated at the time (most were bronze), and was completely modular where most were still non modular or semi modular, still completely overkill. In the past there have been issues with reliability and efficiency with smaller power supplies 500w and less. I would drop the wattage at least 100w or more and save money there.
I don’t have sfp ports on all my switches so I went with a X550-t2 which has rj45 ports that handle 1, 2.5, 5, and 10 gig switching capabilities, so I can swap switches and move them around and reconfigure my network as needed. If I was going to stay with a 1 Gig internet line I would switch from the x550-t2 to a X520-DA2 10GbE Dual Port with SFP+ ports and use a dac cable for faster speeds/lower latency and lower heat generation from the router to the switch/es.
More to follow
links for the older netgate hardware and switch throughput
at 2:46 in Tom talks about the switch on the 3100.
at 6:52 Tom talks about the switch for the 7100.
If I were going to buy hardware on a budget and do it all over, right now, and I didn’t have spare parts laying around, not being used, or that could be repurposed, I think I would go along this route:
https://www.techsupplydirect.com/hp-z420-mid-tower-workstation-configure-to-order/
-184.00 case/HP 600 Watt 90% Efficient Power Supply [Included $0.00]
-1x Intel Xeon E5-2630L 2.0GHz (2.5GHz Turbo) 6 Core Processor - 15MB Cache - 60W - (DDR3-1333MHz) [Add $15.00]
6 cores/12 threads 60w tdp
-16GB (2x 8GB) DDR3-1333 PC3-10600R ECC Registered Dual In-line Memory Modules [Add $32.00]
It is only ddr3 memory and only 1333 BUT it’s ECC
-1x 500GB 7.2K SATA 6Gb/s 3.5" Hard Disk Drive [Add $13.00]
Selected the cheapest drive which is a platter drive but you can upgrade to Samsung 250 gig sata for $43.19 if you wanted (no nvme but it’s really not needed. It’s just for bootup and logs.) You might have a spare sata drive laying around you can install.
https://pcpartpicker.com/product/VZ4BD3/samsung-870-evo-250-gb-25-solid-state-drive-mz-77e250bam
it has 4 esata ports so if you wanted you could buy cheap sata drives and install them to keep ALL your logs local without leaving the box.
BAYS: 3 external 5.25-inch bays, 3 internal 3.5-inch HDD bays (4 total when using 5.25-inch bay converters); up to 4 eSATA
-1x Nvidia NVS310 512MB GDDR3 64-bit - 2x DP 1.2 (Entry-Level 2D) Graphics Adapter [Add $24.00]
Added the cheapest video card which will let you connect a monitor and keyboard so you can run directly from the console when you want instead of ssh’ing in.
-No Optical Drive [Included $0.00]
-No Operating System [Included $0.00]
Comes with
A speaker built in, so you can hear the beeps when it starts up 
NETWORK: Integrated Intel 82579 Gbit LAN
And
SLOTS: 2 PCI Express Gen3 x16 mechanical/electrical; 1 PCI Express Gen3 x8 mechanical/electrical;
1 PCI Express Gen2 x8 mechanical/x4 electrical; 1 PCI Express Gen2 x4 mechanical/x1 electrical; 1 Legacy PCI
For expansion
268.00 so far
Coupon (LTSERVICES) = $254.60 + free shipping
This system gives you room to expand and add additional pcie cards, QAT card, additional nic ports if you wanted to hardware your network instead of using vlans, etc. If you wanted a nvme drive you could add a pcie card adapter to get your nvme drive lol.
100.00 for an intel x520-da2 card from ebay. I would not get the dell branded card from Techsupply direct (listed below) unless I was putting it into a dell machine. From what I’m told, no actual experience with this, there are differences with the firmware between a dell branded card and a true “intel” card.
Dell X520-DA2 10GbE Dual Port PCI-e Converged Network Adapter Card
https://www.techsupplydirect.com/dell-x520-da2-10gbe-dual-port-pci-e-converged-network-adapter-card/
You might need some 10 gig sfp+ transceiver modules depending on your network setup. Ubiquiti seems to be out of their own modules so mikrotik or wiitek (check out tom’s or serve the home on youtube for more information). Dac cables to connect the server to the switch/es (Tom and others have videos on these too). Not including these in total because you may have them, or I have no idea how many you may need. Just keep this in mind.
Dac cables have lower overhead compared to rj45 connectors which means less latency and lower power draw equals less heat.
So $354.60 so far
Add another 100.00 for an Intel QAT 8950 card for 100.00 from ebay. I would look for an 8960 since it’s the updated version of the 8950 at a reasonable price but if not get an 8950. 8960 draws about half of the power as an 8950. 8960 gets it’s power from the pcie slot. 8950 uses two 4 pin cables from the power supply (Don’t quote me on that, I can’t remember and I’m to lazy to look it up atm. Something Like that).
So 454.60 now. Lets add 100.00 for taxes and shipping and your still at
550.00 total.
It’s a workstation and built to be run. You could upgrade the cpu cooling with a different tower cooler or add another fan or two in the front to get more airflow but neither is probably necessary since it’s been engineered as a “workstation.” It’s older, used hardware but gets you everything I think your looking for for less.
550.00 for this configuration, imo, is much better (better cpu, more ram, ecc ram, qat card, 10 gig ethernet with expansion available) than a protecteli or a netgate 6100 for less $$$ and is more flexible and has more expansion available where you would have to just replace those other two options. It’s not as small a form factor and uses more power but it will do a lot more than the systems you were looking at for a lot cheaper.
Just be sure to use Intel NICs or you will be disappointed.
For people looking at other options besides offical netgate hardware to run your pfSense router software on this machine spec’d above for $254.60US is better buy than anything you can get for the price and it’s capabilities, imo. THE ONLY addition you need to make is add an INTEL single port Gig nic card, so you have dual INTEL nics (one in from your internet carrier and one out to the switch), using the built-in Integrated Intel 82579 Gbit LAN and the add in intel nic card , and you have a much better router than just about anything around. That setup is way more powerful than any small form factor box at less than half the price.
PLUS IT OFFERS EXPANSION.
If you can’t afford to spend more at this time, you can add down the road. You can just add, or switch out (at your leisure), 1 gig, 2.5 gig, 10 gig nic cards, QAT card when you can afford to upgrade at a later date.
The only downside to this build is the form factor/space it takes up and the power draw but with it’s capabilities you will quickly get over that.
https://www.techsupplydirect.com/hp-z420-mid-tower-workstation-configure-to-order/
@Cudzu lots of thoughts here but I will break up a bit. Overall, blown away with the data you have shared. Thank you so much, this is helpful!!
I hadn’t looked at the 3100 and 7100 reviews, mainly because the 3100 was EOL and the 7100 was out of my budget. So my comments I made earlier would be overridden by the videos you shared. In regards to the 6100, I did see @LTS_Tom review and noted the port configuration are all discrete and can be configured as WAN or LAN. A more detailed description below at 3:51.
Edited to Add:
In addition to the 7100 being out of budget, it has the same processor and according to Netgate documentation gets similar speeds as the 6100. Although I personally prefer the 1U form.
And not that Passmark scores tell the whole story, but they can be an indicator of sorts. For instance notice how low powered the 6100 is compared to the Xeon you configured for $250. And as you pointed out, the power consumption is vastly different. Generally speaking, there is an inverse correlation meaning as performance values go up then efficiency goes down.
FYI, I had thought about the i5-12400T when configuring but they only had the 12400 (integrated graphics) and the 12400F (no graphics, discrete video card req’d) available to choose from on the picker website. I believe there is also a 12400K (ability to overclock) variant as well as maybe a 12400KF (overclock + discrete graphics). Again, neither showed as viable options on the picker website.
The above said, here are some screen caps to show the variance in performance and power consumption. I find this useful as your 9900T was able to keep up with 1gb over VPN. Granted you have that QAT card and I don’t know how to adjust the raw CPU horsepower for the processing the card does. Without QAT I assume you need more horsepower.
Let me throw one more curve ball into the equation. AMD Ryzen 5 5600G has similar performance as the 12400 but with lower power consumption closer to the 12400T. Also, I found a motherboard that has dual 2.5G ethernet ports, but one is Realtek and the other is Intel.
I could get price further down with smaller power supply & different case. My bigger concern is everything playing nicely with BSD/pfSense and if having one of those NIC’s as Realtek is going to wreak havoc on the netmap (Suricata/Snort capabilities). If it all plays nice, then a separate NIC wouldn’t be required and a QAT card could be added later (if needed).
Edited to Add:
A few more dollars could be shaved with different RAM and drive selections. I prefer to keep the SSD not so much for speed but because location isn’t ideal temperature wise and prefer no plates. Honestly, those savings are pretty small, maybe $20+/- between both.
PCPartPicker Part List: https://pcpartpicker.com/list/Nv6M6r
CPU: AMD Ryzen 5 5600G 3.9 GHz 6-Core Processor ($141.00 @ Newegg)
Motherboard: Gigabyte B550 VISION D-P ATX AM4 Motherboard ($249.99 @ Amazon)
Memory: G.Skill Ripjaws V 16 GB (2 x 8 GB) DDR4-3200 CL16 Memory ($50.99 @ Newegg)
Storage: HP EX900 250 GB M.2-2280 NVME Solid State Drive ($29.99 @ Amazon)
Case: Phanteks Eclipse P300A Mesh ATX Mid Tower Case ($69.99 @ Newegg)
Power Supply: EVGA SuperNOVA 650 650 W 80+ Platinum Certified Fully Modular ATX Power Supply ($69.99 @ EVGA)
Total: $611.95
Prices include shipping, taxes, and discounts when available
Generated by PCPartPicker 2022-09-22 02:36 EDT-0400
Yeah, I believe they finally fixed the switch throughput it in the new models with the new nic chips inside.
I would get the “T” variant, both, because of the integrated graphics and it’s low power consumption. I like having a monitor and keyboard setup but off at the unit so I can easily diagnosis things from the console. If in the future you decide to replace it the kids can use it as a pc without getting a video card for it. It’s unnecessary but a very nice convenience. I like the “T” variant because of the tdp down figure “35w” compared to the 12400 at “117w.” Both of them just sitting there that’s 3 times as much energy for the “non T” variant doing the same thing. Just an FYI,l on ebay, the chips with onboard graphics sell quicker/easier and for a lot more than a “F” chip without onboard graphics. IMO, it’s more about the amount of CPU’s pfSense sees and uses at one time "8 cores/16 threads=16 CPU’s for my 9900t. I would assume (it’s never safe to assume) pfSense would see the 12400 chip with 6 cores/12threads =12 CPU’s, but I have no idea with the big/little chips. You want more CPU’s working at once when you saturate your line, to process the data, then looking at small GHz increase. Having more CPU’s processing data at the same time is more important to me than processing just a bit faster. I think processing more data a bit slower is better than processing less data a bit faster.
Here is your 12400t chip brand new for 50.00 cheaper than pcpartpicker approved vendors. Just remember to pay with paypal on ebay in case you have a problem.
https://www.ebay.com/itm/363928728722?hash=item54bbd7b492:g:fLQAAOSwOppiabdO&amdata=enc%3AAQAHAAAAoA%2BpzcIS9Fp6UaXT8tVlNhElq%2BvyhQWqweaOI0KXO%2BfLMXzCFJVDpguXmfF1D7K5m7OWYJFCf2k6I7Yc4RFp9TaqgnL4MQI%2BvMiOgPAy4kuJN%2FXwHvkGBx7DDvYaQ9UfnEG8mYolirdXZ3nWMQrbu9e4%2BSXx5QEE%2BxasLLKurzvX1L7uk3y874IIM7Nab95PP6TjEu9cO19YrXtltdz8KHY%3D|tkp%3ABk9SR7TXi9bsYA
The old pc I started with for a pfSense box was a AMD chip. I don’t remember the model. It’s in the closet collecting dust as a backup for my parents pfSense box. It works but there are quirks. From my experience, pfSense/FreeBSD doesn’t like anything but INTEL for both processors and nics. Everything plays so much better together when everything is INTEL for pfSense. I originally started this intel 9900t build with an AMD chip. It went AMD Athlon 200GE with Radeon Vega Graphics but quickly switched to intel motherboard/chip Intel Pentium Gold 5400GT and upgraded to 9900t. There were a few widgets that provide info on the GUI interface that didn’t work with the AMD chip. The main one I can remember is the chip temp sensors. In my location/environment it’s very critical to be able to monitor temperatures. That may have changed now with the new chips but I have no knowledge or experience with them.
You do not want to use RealTek nics in a pfSense box. In the official netgate pfSense documentation “… leading to the packets being rejected by various parts of the network… This has historically been an issue with Realtek NICs.” " If an adapter is listed as having long frame support does not guarantee the specific implementation of that NIC chipset properly supports long frames. Realtek rl(4) NICs are the biggest offenders. Many will work fine, but some do not properly support long frames, and some will not accept 802.1Q tagged frames at all." There are horror stories all over any/and all of the pfSense forums about using Realtek nics.
I will work up a pcpartpicker list based the links you provided (to follow)
Here’s my build for everything you’ve been talking about. Full build i5-12400t, 16gig ram, 10gig ethernet, QAT card for $683.89.
If you click on the custom parts it shows the ebay links for each item.
https://pcpartpicker.com/list/Ds2xtn
intel 12400t processor, with 35w tdp down
You will need a cpu cooler Deepcool AK400 is one of the highest rated 1 fan coolers around. Should work just fine. Almost any cpu cooler will work. If it’s having a hard time keeping the temps you want you can just add another fan on the backside of the cpu cooler for improved cooling with both push/pull fan setup.
the asrock motherboard has 1 PCIe 4.0 x16, 1 PCIe 3.0 x16, 2 PCIe 3.0 x1
1 M.2 Key-E for WiFi so a QAT card and 10 gig ethernet nic will work fine. You have two pcie 3.0x1 slots so you could add two additional Intel i225 2.5 gig nics if you wanted or upgrade your 10 gig card for more nics in the future if you needed more than the two 10 gig ports + 1 one gig intel port built in.
16 gig ddr4 ram 3200 speed
nvme solid state drive
FD case has two front fans and with a noctua exhaust fan there will be absolutely no issues with cooling and it should be whisper quiet.
Corsair RM550x “Best PSU up to 550w” according to Tom’s hardware. This is what I have in my machine. It’s gold rated efficiency, 10 year warranty, It will be on all the time. Worth the extra money imo.
Intel x520-da2 10 gig sfp+ two port card (or get an intel rj45 nic i-210-t1 intel i-225t1 to go with the built in intel nic).
Intel QAT 8950 crypto card
I think this satisfies your needs for everything you’ve expressed?
