pfSense Lockups - Hardware?


#1

Ok, some of you probably saw this a couple of weeks ago in the pfSense group on Facebook, but I thought I would ask it here as well to get your thoughts:

"This has happened twice now since I set up my pfSense box a few weeks ago. The box itself responds via the web interface, however it will not route any traffic until I reboot it.

Hardware: 2012 Mac mini with Thunderbolt Gigabit Network adapter for 2nd NIC. 16 GB of RAM, 500 GB HDD.
Could it be that Thunderbolt NIC that is giving me the headache? It is the NIC that the WAN is on."

I bring this up because the system locked up again about 10 PM last night, requiring a full reboot of the box to bring it back to life. I know that external NIC is not optimal. I know that they are not Intel NICs and that is not optimal. I’ve had a lot of people tell me to get rid of the Mac hardware and get either a Protectli box or an actual Netgate box (SG-3100), or perhaps even something like a Dell PowerEdge R210 II (this somewhat interests me).

If I were to go server-grade hardware there is a good chance that I would virtualize pfSense and try to make more use of the machine, because it seems like such a waste to have a piece of equipment like that sit largely idle. The idea somewhat interests me for certain.

Anyway, I now turn to the hive mind here for further advice. Ideally I want to understand what is happening with the box that is causing it to lock up (my guess is that it's a driver issue or something). If you recommend replacement of the hardware, what do you suggest? Right now I have 400/20 internet, I’m running pfBlockerNG with GeoIP blocks on everything except for the United States, I have a handful of ports open for my UniFi controller, mail and web server, and I’m running Suricata as well. Rarely does the hardware I have right now even notice my internet traffic in terms of having to work hard to route things, so I don’t know that I need anything a whole lot more powerful, but I do want to be future-proof(ish) so I’m not replacing the hardware if suddenly my needs increase.

Thanks a lot! I look forward to reading all of your responses.

~T


#2

Why torture yourself? Get the R210; it will be overkill, but do like Tom did and run it in a VM. Tom has a video on how to do it. Macs with the Ethernet > Thunderbolt adapter??? Probably throwing malformed packets??? What is the WAN connection: ISP WAN – Mac Mini WAN?? Wouldn’t think a Mac would have problems with FreeBSD since OS X is BSD at its core. Apple has buggered the hardware and software a little too much for my taste.


#3

If you go with the R210, make sure it's an R210 2nd gen, otherwise you won't be able to get an AES-NI compatible CPU for it. If you're wondering how I know, I purchased 2 different systems in a span of less than a year. Now, I could have held off on the update because who knows when 2.5 will get here, but I did it while I had the budget to do it.


#4

I would look into Status > System Logs. Is anything noted in the ‘lockups’ time frame? Generally the few lines before that happens is where you will find information about the lock up.
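
The log check suggested in #4, as an added example that is not part of the original thread or of pfSense itself: two POSIX sh/awk helpers that run over a plain-text syslog file such as /var/log/system.log. `lockup_context` prints the N lines logged just before the first entry at a given timestamp prefix (the "few lines before" #4 refers to), and `log_gaps` finds stretches where nothing was logged for longer than a threshold, which is usually how a wedged box shows up once it stops writing logs. The log excerpt is constructed for the example; the interface name (ue0), host name and messages are assumptions, not taken from the poster's machine. The date arithmetic in `log_gaps` assumes all lines fall in the same month.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): triage a syslog-format log
# around a lockup. Log lines are expected in the form
#   Mon DD HH:MM:SS host program: message
# as written to /var/log/system.log on a pfSense box that stores plain text.

# lockup_context LOGFILE "Mon DD HH:MM" [LINES_BEFORE]
# Prints LINES_BEFORE (default 5) lines preceding the first line whose
# timestamp starts with the given prefix, then the matching line itself.
# Returns 1 if no line matches. "Mar  3 22:0" matches 22:00 through 22:09.
lockup_context() {
    log=$1
    stamp=$2
    before=${3:-5}
    awk -v stamp="$stamp" -v n="$before" '
        index($0, stamp) == 1 {
            # buf holds the previous n lines, keyed by line number mod n
            for (i = NR - n; i < NR; i++) if (i > 0) print buf[i % n]
            print $0
            found = 1
            exit
        }
        { buf[NR % n] = $0 }
        END { exit !found }
    ' "$log"
}

# log_gaps LOGFILE [MAX_MINUTES]
# Reports each pair of consecutive lines more than MAX_MINUTES (default 10)
# apart; the first line of the pair is the last thing the box said before
# it went quiet. Returns 1 if no gap was found.
# Assumption: every line is in the same month, so day*86400 ordering holds.
log_gaps() {
    log=$1
    maxmin=${2:-10}
    awk -v maxmin="$maxmin" '
        {
            split($3, t, ":")                       # $3 is HH:MM:SS
            secs = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
            if (NR > 1 && secs - prev > maxmin * 60) {
                printf "gap of %d min: %s\n  --> %s\n", (secs - prev) / 60, prevline, $0
                gaps++
            }
            prev = secs
            prevline = $0
        }
        END { exit (gaps > 0 ? 0 : 1) }
    ' "$log"
}

# sample_log: writes a constructed system.log excerpt to a temp file and
# prints its path. These lines are made up for the example.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 21:55:01 pfSense php-fpm[345]: /rc.newwanip: rc.newwanip: Info: starting on ue0.
Mar  3 21:58:40 pfSense kernel: ue0: link state changed to DOWN
Mar  3 21:58:41 pfSense check_reload_status: Linkup starting ue0
Mar  3 21:58:45 pfSense kernel: ue0: link state changed to UP
Mar  3 22:01:37 pfSense sshd[9012]: Accepted publickey for admin from 192.168.1.20 port 51234 ssh2
Mar  3 23:40:02 pfSense syslogd: kernel boot file is /boot/kernel/kernel
Mar  3 23:40:02 pfSense kernel: Copyright (c) 1992-2018 The FreeBSD Project.
EOF
    printf '%s\n' "$f"
}

# Stand-alone usage against the constructed excerpt:
if [ "${1:-}" = "demo" ]; then
    f=$(sample_log)
    echo "== context before 22:0x =="
    lockup_context "$f" "Mar  3 22:0" 3
    echo "== gaps longer than 30 min =="
    log_gaps "$f" 30
    rm -f "$f"
fi
```

On a real box, point both helpers at /var/log/system.log (and at the other logs under /var/log, such as dhcpd.log or filter.log, if the WAN is the suspect); on releases that still keep logs in clog's circular binary format, feed them `clog /var/log/system.log` output instead. A long gap that ends with the kernel's boot banner is the signature of a hard reboot; the line just before the gap is the last thing worth reading. With a hung USB or Thunderbolt NIC there is often no message at all, so an empty gap still tells you something: the driver did not report anything before the box stopped forwarding.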


#6

AES-NI will no longer be required in 2.5 according to a post early this year: https://forum.netgate.com/topic/140586/heads-up-snapshots-moving-to-pfsense-2-5-0-on-freebsd-12-expect-initial-instability