That tast would only be meaingful if the real life workload that he tried to address was also multi threaded, which it wasn't in his case of copying files. But maybe tools like robocopy with its /mt switch might help in this case

It all depends on the sharing protocol used. NFS is multithreaded while SMB isn't (unless SMB multichannel is used). Other thing to keep in mind is pfSense is limited by its kernel-based packet processing which out of the box isn't made for 10Gbps+. People who want more than 10Gbps should look at TNSR instead, which leverage Vector Packet Processing (VPP) and deliver substantially greater packet-processing performance and throughput.

If only TNSR was _also_ a firewall...

I am running a custom built pfSense with a i7 8700k + 32GB of RAM with a Chelsio adapter with 2 x 10GE SFP+ port and I can route at 10Gbps both direction no problem, while the CPU isn't even flinching pass 10% much. I would say with the many labs experiment I did in the past with pfSense on many fanless box, VMs under ESXi, Proxmox, XCP-ng, Virtual Box and Hyper-v, that the drivers used for the NICs will greatly influence the throughput. For example, under Vmware, anything intel E1000 setup for drivers will slow down to a crawl whatever performance benchmark you will do. pfSense kernel also use 1 thread per network session, so CPU single core performance will also be an issue. Sub 3Ghz single core performance will NOT be able to sustain bi-directional 10Gbps. Another thing to consider if you ware using SPF+ Transceiver is their compatibility. If they are not, they will over heat, and if you are using a RJ45_to_SPF+, it will impact your performance too - or reset your switch and or port or both - happened on a Ubiqui EdgeMax 48-port a few years ago.

That's sadly the truth! We're big proponents of virtualization, and having the FW be virtual gives great flexibility. But in our case hurt our performance. Thanks for the comment!

I believe I touch on it in the video, but everything we run here is VMware ESXi. And completely agree that how you configure the VM and the host's workloads affect performance, unfortunately misconfiguration was the source of the bottlenecks. Thanks for the comment!

This is possible. I’m actually going to make some minor cooling changes to the unit here in the near future, I’ll definitely check again!

Noctua NH-L9i-17xx Has a fitting heatsink with heatpipes. The fan won’t fit without cutting a hole in the 1u enclosure though.

You bring up some really good questions about the thermals of the Intel NICs in the box. Next time we do some maintenance we'll throw some better heatsinks on it! Thanks for the suggestion and watching!

Great question! Typically Layer-3 switches have specially designed chips in them called ASICs that are designed to switch packets between interfaces incredibly fast. ASICs do one thing really well, but really only that thing really well. Processing and filtering ACLs requires general computing because rules needs to be calculated per-packet, which is handled by the CPU inside the switch. The CPU typically has enough overhead for a few ACLs here and there, but the more ACLs you have that need to be processed, the greater chance your switch's CPU won't be able to keep up. At a minimum you'll experience performance issues, at a maximum (and I've seen it with certain Cisco L3 switches) they'll crash. In network design theory, it's widely held that if you need to filter packets between networks (inter-vlan, edge, or whatever) you should use a firewall. Unlike a network switch, a firewall's job is to apply rules and filter packets accordingly. This is what a firewall is designed to do, and it does it very well. There are caveats here worth mentioning. 1) If you only have a few ACLs you'll be fine running them on your L3 switch. 2) Technology is always getting faster, it's entirely possible there are L3 switches out there that can handle a massive amount of ACLs and not break a sweat. Hope this helps!

@@2GuysTek then you should know then unlike firewall that analyze full packet switch ACL read only IP headers on packets . So it need much less compute power. And problem may starts on cisco only when you use extended ACLs that analyze also ports information from packets. So you suppose to use proper tools for each case understanding what you doing and why you doing that no saying this is best practice and this is not best practice.

You're not the first to ask! We'll see what we can do!

That’s a good question! I really do love the ports up front that the Sophos provides.

@@2GuysTek Exactly why i bought my SuperMicro unit ! ports up front mate with the ports on the switch nicer too !! You sure rocked this video man !

What would you like to see specifically? Let us know and thanks for watching!

@@2GuysTek I would love to see how to set it up (from start to finish) AND get pfsense data into it.

@@2GuysTek I would like to see how to set it up as well, start to finish

The connection to the downstream switching is a single trunk with multiple connections, yes. I like your thought process, and it might be something to test later on! Thanks for the comment!

I run a small business off my hardware, and it performance perfectly.

Something seems to be going on in the hardware aftermarket lately. There are a lot of things that are just getting out of control price-wise. If you can’t find an affordable SG with SFP+, it might be time to consider building out a small form PC and throw in an SFP+ card.

Sophos sg series is end of sales June 2023, updates ending 2025. Prices should be going down. If I had more gear to attach I might try a CPAC-4-10F in the flexiport.

It did largely for me. As you saw in the video, we're getting great throughput on the 10gig connections, and removing the issue of service interruption when doing updates to our virtual infrastructure was a big win. That SG450 sounds like a beast! It's definitely a step above the SG330 we used! Give it a shot if you've got the money and the interest! I'm sure it'll serve you well for a long time! Best of luck!

Do these run loud? Compared to desktop fans or synology drive.

I can’t speak to your model, but the SG330 isn’t any louder than a Synology NAS.

Unfortunately that's not an option. Thanks for the question!

I have been _trying_ to find any information I can about the internal hardware on the XGS line, and have not found a definitive answer. If the system is running on x86 hardware like ours is, it's very likely you'll be able to easily install pfSense on one. The risk is the case where the XGS is running on ARM instead of x86, and in that situation you'd be out of luck. Best of luck and let us know if you have success!

@@2GuysTek its really hard to find information about sophos hardware, I thought it has a main x86 processor and secondary arm processor but if it’s only built arm I think I’m just gonna stick with XG series

Not at all. The pfSense dashboard correctly recognizes the CPU and shows its features. Potentially if you were to move to an entirely different generation of CPU that may be the case, however, I still suspect it wouldn't be.

@@2GuysTek Ok, thank you.

No you don't need to reinstall as FreeBSD will handle the changes just fine. I even moved the hard drive from my old i7 to Ryzen 9 and it booted up just fine. Only time you need to reinstall if you're switching from X86 to ARM which require a completely different OS.

Don't I look more respectable?!