pfSense is an extremely popular FreeBSD-based network appliance platform. With a huge feature set including firewall, VPN, routing, DNS/DHCP management, proxies and content filtering, and a slick web GUI, it is easy to set up and powerful. The fact that it is free and open source means that it is extremely popular among IT professionals who are on constrained budgets. At STH we test hundreds of hardware combinations each year. From this experience, we are going to keep a running log of the best pfSense hardware components.
Since pfSense is based on FreeBSD (currently FreeBSD 10), network device driver connectivity is much better than in previous versions. With that said, we have a few tips in terms of which network cards to use with pfSense:
Top pfSense Network Cards (NICs)
Generally, a pfSense appliance will sit between the WAN and a LAN. Since WAN speeds are generally lower, they tend to dictate hardware requirements. For example, if you have a 100Mbps down / 20Mbps up connection, there is little sense getting a 40GbE port for WAN connectivity. Likewise, if your primary LAN switch is an SFP+ 10GbE switch such as the QCT QuantaMesh T3048-LY8 or Ubiquiti EdgeSwitch ES-16-XG, you will want to have SFP+ LAN connectivity on your pfSense appliance.
Here are our current picks for top pfSense NICs in different speed categories. Note, we are omitting sub-1GbE NICs as the cost for lower-end 1GbE NICs to handle 10/100 speeds is negligible.
FreeNAS 1GbE NIC Top Picks
1GbE NICs in the FreeBSD world generally see Intel as the top choice. The pfSense team also sells Intel-based cards and systems with embedded Intel NICs.
- Intel i350 (and Intel i354)
- Intel i210 / Intel i211
- Intel 82574L
The Intel i350 (e.g. Intel i350-t4 network card) is a high-end 1GbE controller capable of servicing up to four ports. The Intel i354 is an embedded NIC for the Intel Atom C2000 series (Avoton and Rangeley). The Intel i210 / i211 are lower-end, current-generation 1GbE NICs from Intel that are used to control single 1GbE ports. The Intel 82574L is the single-port NIC that the i210 replaced. Given current pricing, we recommend sticking to the Intel i350 or Intel i210 NICs.
pfSense 10GbE (SFP+) NIC Top Picks
Moving to 10GbE and specifically the SFP+ interface, we generally look to Chelsio controllers as they are known to work extremely well with FreeBSD:
- Chelsio T520-SO-CR
- Chelsio T520-CR
- Intel X710-da2
- Intel X520-da2 / X520-sr2
- Chelsio T420-CO-SR
- Chelsio T320-CO-SR
When going 10GbE, SFP+ provides solid performance and lower power than 10Gbase-T. Nowadays, there are many inexpensive switches that support SFP+ networking. The Chelsio T320 cards are about to become three generations old as Chelsio is now on a T6 generation for 25/50/100GbE. We suggest getting a Chelsio T420 option or higher on our list.
pfSense 10GbE (10Gbase-T) NIC Top Picks
10Gbase-T is popular because it is backward compatible with 1GbE networks. This can be important if there is a need for RJ-45 copper networking on both the LAN and WAN sides. Here is our list of top picks for 10Gbase-T pfSense network cards:
- Best: Chelsio T520-BT
- Good: Intel X550-T2
- Good: Chelsio T420-BT
- Good: Intel X540-T2
With 10Gbase-T, power consumption is a major concern. Newer network cards are better at using less power. Here we have the Chelsio T520-BT and Intel X550-T2 as the newer cards on the list and our top picks. Older generation cards such as the T420-BT2 and Intel X540-T2 are still very popular. We no longer recommend cards older than the list above.
The Intel X550-T2 is a newer generation Intel 10Gbase-T controller and will be popular going forward. It is also a similar NIC to what is onboard in the Intel Xeon D-1500 series. The pfSense team does ship systems using the Intel Xeon D-1500 X552/X557 SoC NIC.
pfSense 40GbE NIC Top Picks
40GbE is the fastest networking option we are going to post recommendations for. These are typically going to be used for LAN NICs unless there is a significant amount of WAN bandwidth. Here are our top picks:
- Top Choice: Chelsio T580-LP-CR
- Lower performing/ less expensive T580: Chelsio T580-SO-CR
- Works and less expensive: Intel XL710-qda2
The Chelsio T580 cards are going to be the best bets for performance. The Intel XL710 card is going to be the lowest power of the group and is less costly. If you have 40GbE WAN gear, we highly suggest the Chelsio T580-LP-CR. For the LAN side, the lower power/ cost Chelsio T580-SO-CR may be a good option. From what we have heard, the Chelsio T5 cards are doing significantly more processing offload than the Intel XL710-qda2.
The dual-port cards generally carry a slight premium over single-port cards yet can help provide a redundant path. One cannot get a full 80Gbps from a single dual-port 40GbE PCIe 3.0 card because the cards are limited by the PCIe 3.0 x8 bus.
pfSense 25GbE / 50GbE / 100GbE Top Picks
These are coming soon – we will likely update this with 25GbE and 50GbE options in the near future. 100GbE optics were over $10,000 just a few months ago so we are probably a few months away from 100GbE being a build-your-own option.
As a final thought, at 1GbE speeds the NICs are inexpensive and modern x86 CPUs are not a constraint. Moving to 10GbE and 40GbE speeds one will need to be mindful that the overall system will need to scale in a similar fashion.