Not every box is a firewall. CPU must be AMD64 with a sane driver story. NIC chipset is the single biggest reason installs fail silently. Here's the full HCL — and a free "send us your specs" check if you'd rather we confirm.
Paste your CPU / RAM / NIC details · We confirm Plus support + recommend the right Netgate if not
No commitment · No spam · Reply typically within 4 business hours
pfSense Plus is AMD64 only. 32-bit is gone. Beyond that, the biggest performance multiplier is crypto offload — AES-NI, and on newer Intel platforms, QAT.
Plus will install on any AMD64 CPU made since ~2008. But "boots" and "handles your traffic" are different things.
| Architecture | AMD64 (x86-64) |
| Cores | 2 minimum |
| Clock | 1 GHz |
| AES-NI | Not required |
| Examples | Atom N270, Pentium Gold, older Xeon |
Anything from the last 5 years with AES-NI. IPsec / OpenVPN throughput doubles or triples with hardware crypto.
| Cores | 4+ physical |
| Clock | 2 GHz+ |
| AES-NI | Required for VPN perf |
| Examples | Intel i3/i5 8xxx+, Ryzen 3, Atom C3000, Xeon D |
| Good sweet spot | Intel N100 mini-PC |
Running Suricata inline, Zenarmor, 500+ concurrent VPN users, or 10G WAN? You want more cores and ideally QAT.
| Cores | 6–8+ physical |
| QAT | Highly recommended |
| L3 cache | 8 MB+ |
| Examples | Xeon D-17xx, Xeon E-2xxx, Ryzen 5/7, EPYC Embedded |
Old mobile-class CPUs, anything 32-bit, ARM boards without Netgate firmware support.
| 32-bit x86 | Not supported at all |
| Raspberry Pi / generic ARM | No pfSense image |
| Intel Atom N2xx/N4xx | Too slow for modern TLS |
| Apple M-series | Not supported |
On Linux: grep -c aes /proc/cpuinfo. If the count matches your thread count, you have AES-NI. On Windows: Task Manager → Performance → CPU → look for "AES instructions: Yes" in the sidebar (or run coreinfo -f from Sysinternals).
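The AES-NI check above, extended into a pre-flight script as an added example (not code from the original page): it also verifies the 64-bit lm flag, and it matches aes as a whole word on each thread's flags line, so an "aes" substring elsewhere in /proc/cpuinfo cannot inflate the count. The function names and the sample cpuinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example: CPU pre-flight run from a Linux live environment.
# Function names and sample data are constructed for illustration.

# Logical CPUs: one "processor" entry per thread.
cpu_threads() {
    awk -F': *' '$1 ~ /^processor[ \t]*$/ { c++ } END { print c + 0 }' "$1"
}

# Threads whose "flags" line carries $2 as a whole word.
threads_with_flag() {
    awk -v want="$2" -F': *' '
        $1 ~ /^flags[ \t]*$/ {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == want) { c++; break }
        }
        END { print c + 0 }' "$1"
}

# Exit status: 0 ok, 1 not AMD64, 2 AES-NI missing, 3 unreadable input.
preflight() {
    file="${1:-/proc/cpuinfo}"
    [ -r "$file" ] || { echo "UNKNOWN: cannot read $file"; return 3; }
    threads=$(cpu_threads "$file")
    [ "$threads" -gt 0 ] || { echo "UNKNOWN: no processor entries"; return 3; }
    lm=$(threads_with_flag "$file" lm)
    aes=$(threads_with_flag "$file" aes)
    if [ "$lm" -ne "$threads" ]; then
        echo "FAIL: no 64-bit long mode (lm on $lm/$threads threads)"; return 1
    fi
    if [ "$aes" -ne "$threads" ]; then
        echo "WARN: AMD64 ok, AES-NI on $aes/$threads threads"; return 2
    fi
    echo "OK: AMD64, AES-NI on all $threads threads"
}

# Constructed two-thread cpuinfo: $1 = model name, $2 = flags.
sample_cpuinfo() {
    for n in 0 1; do
        printf 'processor\t: %s\nmodel name\t: %s\nflags\t\t: %s\n\n' "$n" "$1" "$2"
    done
}

tmp=$(mktemp)
sample_cpuinfo "Example CPU" "fpu lm sse4_2 pclmulqdq aes" > "$tmp"; preflight "$tmp" || true
# The model name contains "aes" but the flags do not: grep -c aes would report 2.
sample_cpuinfo "Caesar Demo CPU" "fpu lm sse4_2" > "$tmp"; preflight "$tmp" || true
rm -f "$tmp"
```

Run `preflight` with no argument on the target box to read its real /proc/cpuinfo; a WARN result is also what you see when a hypervisor masks the AES flag from the guest.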
This is where 80% of DIY pfSense builds fail. The driver story matters more than the marketing name on the box.
ifconfig, you're running 15-year-old hardware. Works, but slow and unreliable.
Plus is not greedy, but the optional packages are. ZFS prefers RAM too.
| Minimum | 2 GB |
| Base + light packages | 4 GB |
| Suricata on all interfaces | 8 GB |
| Zenarmor + 1M states | 8–16 GB |
| ZFS + 10G + IDS | 16 GB+ |
ZFS likes 1 GB of RAM per 1 TB of storage, but on a firewall with a small disk this barely matters.
| Type | SSD or NVMe — not HDD |
| Minimum | 16 GB |
| Recommended | 64–128 GB |
| With Suricata logs | 256 GB+ |
| USB flash install | Avoid (wear-out) |
Older CE guides suggested USB flash installs with Nano images — those are gone. Use real SSD or NVMe on Plus.
Match the box to the fire-hose. These are conservative real-world numbers from deployed sites — not lab-peak marketing figures.
5–15 users · single ISP · basic rules
15–60 users · VPN · IDS optional
60–250 users · IDS inline · multi-WAN
250+ users · BGP · IDS + DPI inline
4-port 1G desktop unit. AES-NI. Perfect SMB anchor — VPN, IDS, AMC included.
6-port with 2.5G. The sweet spot for 60-seat offices with fibre uplinks.
1U rack, 2× 10G SFP+. For data-centres, ISPs and multi-tenant offices.
Fully supported on Proxmox, ESXi, Hyper-V, KVM, XCP-ng. A few knobs matter more than others.
Use VirtIO on KVM/Proxmox, VMXNET3 on ESXi, Synthetic (netvsc) on Hyper-V. These have mature FreeBSD drivers and full offload. For the physical uplinks, pass the host NIC through to the VM via PCI passthrough / SR-IOV if you want bare-metal performance.
These emulated NICs work but are slow (no offload, CPU-bound). OK for lab VMs that never hit production traffic. Not OK for a real firewall.
Pin the pfSense VM to dedicated physical cores. Sharing cores with a noisy guest (Windows Update, a database, a build server) causes latency spikes in packet processing that look like firewall problems but aren't.
If the underlying virtual switch supports jumbo frames, enable 9000-byte MTU on pfSense internal interfaces for a measurable throughput gain on east-west traffic. Don't enable it on the WAN-facing interface unless the ISP confirms jumbo-frame support.
Before you send us your specs — run these and copy-paste the output into the form above.
We sell Netgate. We also respect your budget. Here's when each is actually the right call.
We ship Netgate appliances across India with GST invoicing, configure them to your network, migrate from your existing firewall (Fortinet, Sophos, Cisco, SonicWall), and include 90 days of tuning support. Share your requirements and we'll scope the right appliance for your site.