Packet Filter router i368 vs 64bit


Re: Packet Filter router i368 vs 64bit

Brad Smith-14
On 11/27/14 23:50, jungle Boogie wrote:

> Hi,
> On 27 November 2014 at 20:38,  <[hidden email]> wrote:
>>
>> you can just use old hardware for these purposes.
>>
>> from the man who literally wrote the book on pf (from pf tutorial via
>> http://home.nuug.no/~peter/pf/en/long-firewall.html):
>>
>>    I have not seen comparable tests performed recently [3.1 era], but in my
>>    own experience and that of others, the PF filtering overhead is pretty
>>    much negligible. As one data point, the machine which gateways between
>>    one of the networks where I've done a bit of work and the world is a
>>    Pentium III 450MHz with 384MB of RAM. When I've remembered to check, I've
>>    never seen the machine at less than 96 percent 'idle' according to top.
>>
>
> Yes, that's true! But less fun. ;)
>
> I do have some Dell dimensions machine with OpenBSD -current running
> now that I could easily get two NICs but its kinda old and slow to
> update current. I'll measure the power to see how much it uses.
>
> With the fact that old hardware, why would the APU be "OK" and not good?

I don't see anyone claiming it would not be good. It's more like if you
happen to have some old hw around that it would probably be good enough
for what you're describing but the APU system would also do the job just
fine.




Re: Packet Filter router i368 vs 64bit

jungle Boogie
Hi Brad,
On 27 November 2014 at 21:01, Brad Smith <[hidden email]> wrote:
>
> I don't see anyone claiming it would not be good. It's more like if you
> happen to have some old hw around that it would probably be good enough
> for what you're describing but the APU system would also do the job just
> fine.
>
>

Fair enough. ;) Thanks for the info!

>

Best,
j.b.



--
-------
inum: 883510009027723
sip: [hidden email]
xmpp: [hidden email]


Re: Packet Filter router i368 vs 64bit

Christopher Vance-8
In reply to this post by jungle Boogie
I only have ADSL with downloads < 23Mb/s. A PC Engines ALIX does just fine
for my pf.

On Fri, Nov 28, 2014 at 3:25 PM, jungle Boogie <[hidden email]>
wrote:

> Hi Stan,
> On 27 November 2014 at 20:09, Stan Gammons <[hidden email]> wrote:
> >
> > The latest BIOS, 9/8/2014, doesn't fix the LED issue.
> >
> > I saw Brad's comments in the other email. The APU is Ok to use as a home
> > firewall. I have no experience on using one in more demanding environment.
> >
> >
>
> Well what would be something above OK? A soekris? It doesn't seem
> those have as much RAM, though.
>
> > Stan
> >
>
> Thanks,
> jb
>
>
>
> --
> -------
> inum: 883510009027723
> sip: [hidden email]
> xmpp: [hidden email]
>
>


--
Christopher Vance


Re: Packet Filter router i368 vs 64bit

Gilles Cafedjian
In reply to this post by Brad Smith-14
On 11/28/2014 06:01 AM, Brad Smith wrote:

> On 11/27/14 23:50, jungle Boogie wrote:
>> Hi,
>> On 27 November 2014 at 20:38,  <[hidden email]> wrote:
>>>
>>> you can just use old hardware for these purposes.
>>>
>>> from the man who literally wrote the book on pf (from pf tutorial via
>>> http://home.nuug.no/~peter/pf/en/long-firewall.html):
>>>
>>>    I have not seen comparable tests performed recently [3.1 era], but in my
>>>    own experience and that of others, the PF filtering overhead is pretty
>>>    much negligible. As one data point, the machine which gateways between
>>>    one of the networks where I've done a bit of work and the world is a
>>>    Pentium III 450MHz with 384MB of RAM. When I've remembered to check, I've
>>>    never seen the machine at less than 96 percent 'idle' according to top.
>>>
>>
>> Yes, that's true! But less fun. ;)
>>
>> I do have some Dell dimensions machine with OpenBSD -current running
>> now that I could easily get two NICs but its kinda old and slow to
>> update current. I'll measure the power to see how much it uses.
>>
>> With the fact that old hardware, why would the APU be "OK" and not good?
>
> I don't see anyone claiming it would not be good. It's more like if you
> happen to have some old hw around that it would probably be good enough
> for what you're describing but the APU system would also do the job just
> fine.
>
>
I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
home firewall with 10MB WAN broadband and 100MB between computers.
All is fine: low temperature, low consumption, same speed as with a
basic 100MBB switch.

So I guess the APU1C is fast enough for a home network.


Re: Packet Filter router i368 vs 64bit

Stan Gammons-2
On 11/28/14 01:32, Blaise Hizded wrote:

> On 11/28/2014 06:01 AM, Brad Smith wrote:
>> On 11/27/14 23:50, jungle Boogie wrote:
>>> Hi,
>>> On 27 November 2014 at 20:38,  <[hidden email]> wrote:
>>>> you can just use old hardware for these purposes.
>>>>
>>>> from the man who literally wrote the book on pf (from pf tutorial via
>>>> http://home.nuug.no/~peter/pf/en/long-firewall.html):
>>>>
>>>>     I have not seen comparable tests performed recently [3.1 era], but in my
>>>>     own experience and that of others, the PF filtering overhead is pretty
>>>>     much negligible. As one data point, the machine which gateways between
>>>>     one of the networks where I've done a bit of work and the world is a
>>>>     Pentium III 450MHz with 384MB of RAM. When I've remembered to check, I've
>>>>     never seen the machine at less than 96 percent 'idle' according to top.
>>>>
>>> Yes, that's true! But less fun. ;)
>>>
>>> I do have some Dell dimensions machine with OpenBSD -current running
>>> now that I could easily get two NICs but its kinda old and slow to
>>> update current. I'll measure the power to see how much it uses.
>>>
>>> With the fact that old hardware, why would the APU be "OK" and not good?
>> I don't see anyone claiming it would not be good. It's more like if you
>> happen to have some old hw around that it would probably be good enough
>> for what you're describing but the APU system would also do the job just
>> fine.
>>
>>
> I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
> home firewall with 10MB WAN broadband and 100MB between computers.
> All is fine: low temperature, low consumption, same speed as with a
> basic 100MBB switch.
>
> So I guess the APU1C is fast enough for a home network.
>

The APU1C works fine for a home network.  The only 2 things I dislike
are the CPU temperature and the link LED's are off when the Ethernet
ports are linked at 1 gig. I've complained about the link LED issue on
the PC Engines support forum, but I guess there's no desire to fix it.
Oh well.

# sysctl hw
hw.machine=amd64
hw.model=AMD G-T40E Processor
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:ec53da01dd2f4a0e,sd1:
hw.diskcount=2
hw.sensors.km0.temp0=51.50 degC
hw.cpuspeed=1000
hw.setperf=100
hw.vendor=PC Engines
hw.product=APU
hw.version=1.0
hw.serialno=843042
hw.physmem=2098520064
hw.usermem=2098503680
hw.ncpufound=2
hw.allowpowerdown=1
hw.perfpolicy=manual


Stan


Re: Packet Filter router i368 vs 64bit

trondd
In reply to this post by Edgar Pettijohn
On Fri, Nov 28, 2014 at 12:00 AM, Edgar Pettijohn <[hidden email]>
wrote:

>
> This is something I've been interested in trying, but I would want it as a
> wireless access point as well and not sure what cards are supported and
> work well.  Does anyone know of any good choices?
>
>
I went with an athn card in my APU:
http://www.amazon.com/gp/r.html?R=1VP5WEM85ZPGN&C=3JNG5JOTKOGN0&H=TKW2F041FODZDC3VUWNULCCNSVUA&T=C&U=http%3A%2F%2Fwww.amazon.com%2Fdp%2FB005HMZ8B2%2Fref%3Dpe_385040_121528360_TE_dp_3

It's half sized, so it'll need an adapter to full size to mount in the APU.


There are other usable options if you check the wifi man pages and make
sure Host AP mode is supported.

Tim.


Re: Packet Filter router i368 vs 64bit

Gilles Cafedjian
On 11/28/2014 06:21 PM, trondd wrote:

> On Fri, Nov 28, 2014 at 12:00 AM, Edgar Pettijohn <[hidden email]>
> wrote:
>
>> This is something I've been interested in trying, but I would want it as a
>> wireless access point as well and not sure what cards are supported and
>> work well.  Does anyone know of any good choices?
>>
>>
> I went with an athn card in my APU:
> http://www.amazon.com/gp/r.html?R=1VP5WEM85ZPGN&C=3JNG5JOTKOGN0&H=TKW2F041FODZDC3VUWNULCCNSVUA&T=C&U=http%3A%2F%2Fwww.amazon.com%2Fdp%2FB005HMZ8B2%2Fref%3Dpe_385040_121528360_TE_dp_3
>
> It's half sized, so it'll need an adapter to full size to mount in the APU.
>
>
> There are other usable options if you check the wifi man pages and make
> sure Host AP mode is supported.
>
> Tim.
>
You can also use an external wifi router from any vendor and plug it on
an interface of the APU. Then route the traffic from the wifi router to
the APU and filter it by the dedicated interface.

You can maybe bridge the wifi and apu.
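
The dedicated-interface setup described in the message above, sketched as a pf.conf fragment. This is an added example, not part of the original post; the interface names (re0, re1, re2) and the assumption that the external wifi router runs as a plain access point, so wifi clients get addresses in the re2 subnet, are hypothetical.

```conf
# Added example (constructed). Interface names are assumptions; adjust to the box.
ext_if  = "re0"   # WAN uplink
lan_if  = "re1"   # wired LAN
wifi_if = "re2"   # port the external wifi router plugs into

set skip on lo

# Default deny, logged, so dropped wifi traffic is visible on pflog0.
block log all

# NAT both internal networks out of the WAN interface.
match out on $ext_if inet from { $lan_if:network, $wifi_if:network } nat-to ($ext_if)
pass out on $ext_if inet

# The wired LAN is treated as trusted in this sketch.
pass in on $lan_if inet from $lan_if:network

# Wifi segment: DNS on the firewall is the only local service reachable.
pass in quick on $wifi_if inet proto { tcp, udp } \
    from $wifi_if:network to ($wifi_if) port domain

# No other access from wifi to the firewall itself or to the wired LAN.
block in quick on $wifi_if inet to self
block in quick on $wifi_if inet to $lan_if:network

# Remaining wifi traffic: web only, towards the Internet.
pass in on $wifi_if inet proto tcp \
    from $wifi_if:network to any port { http, https }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see what the wifi segment is being denied.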


Re: Packet Filter router i368 vs 64bit

Chris Cappuccio
In reply to this post by Stan Gammons-2
Stan Gammons [[hidden email]] wrote:
>
> The APU1C works fine for a home network.  The only 2 things I dislike are
> the CPU temperature and the link LED's are off when the Ethernet ports are
> linked at 1 gig. I've complained about the link LED issue on the PC Engines
> support forum, but I guess there's no desire to fix it. Oh well.
>

Call me crazy, but when OpenBSD takes over control of the Realtek chips,
isn't it OpenBSD's responsibility to program them properly, not the BIOS?

In any event, I'm using a redundant pair of APUs with crucial/plextor msata
for DNS, DHCP, NTP, and another pair for FreeRadius with master-master mysql
back-end. I also use one at home and in other low-power environments. They
run a little warm, like everyone says. They are VERY fast compared to the
ALIX.


Re: Packet Filter router i368 vs 64bit

lists
On Tue, Dec 02, 2014 at 07:51:19AM -0800, Chris Cappuccio wrote:
> Stan Gammons [[hidden email]] wrote:
> Call me crazy, but when OpenBSD takes over control of the Realtek chips,
> isn't it OpenBSD's responsibility to program them properly, not the BIOS?

Wouldn't this generally be controlled by the firmware?


Re: Packet Filter router i368 vs 64bit

Chris Cappuccio
[hidden email] [[hidden email]] wrote:
> On Tue, Dec 02, 2014 at 07:51:19AM -0800, Chris Cappuccio wrote:
> > Stan Gammons [[hidden email]] wrote:
> > Call me crazy, but when OpenBSD takes over control of the Realtek chips,
> > isn't it OpenBSD's responsibility to program them properly, not the BIOS?
>
> Wouldn't this generally be controlled by the firmware?

Which firmware?


Re: Packet Filter router i368 vs 64bit

Stan Gammons-2
In reply to this post by Chris Cappuccio
On 12/02/14 09:51, Chris Cappuccio wrote:
> Stan Gammons [[hidden email]] wrote:
>> The APU1C works fine for a home network.  The only 2 things I dislike are
>> the CPU temperature and the link LED's are off when the Ethernet ports are
>> linked at 1 gig. I've complained about the link LED issue on the PC Engines
>> support forum, but I guess there's no desire to fix it. Oh well.
>>
> Call me crazy, but when OpenBSD takes over control of the Realtek chips,
> isn't it OpenBSD's responsibility to program them properly, not the BIOS?
>

Well, using any version of OpenBSD 5.5 and newer the LEDs work right
with this NIC.

re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E-VL
(0x2c80), msi, address 90:2b:34:af:eb:1a
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 5

With this NIC, which is the one in the APU, the LEDs don't work right.

re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E
(0x2c00), msi, address 00:0d:b9:33:75:88
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4

So, the question is why don't the LEDs work right on the NIC in the
APU?  The NIC in the APU is very similar to the one that the LEDs do
work right on.

I'm pretty sure the FreeBSD Realtek driver is the same as the OpenBSD
one, although I haven't tried FreeBSD on an APU.  Nor have I tried Linux
on one.  I guess I could try both on the APU to see if there's any
difference.


Stan


Re: Packet Filter router i368 vs 64bit

Darren Tucker
In reply to this post by Gilles Cafedjian
On Fri, Nov 28, 2014 at 6:32 PM, Blaise Hizded <[hidden email]> wrote:
>
> I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
> home firewall with 10MB WAN broadband and 100MB between computers.
> All is fine: low temperature, low consumption, same speed as with a
> basic 100MBB switch.
>

I spent some time tuning the vr(4) driver on ALIX a while back[1], and in
my experience the throughput maxes out at around 85 Mbit/s of TCP (ie
iperf) traffic through it.  I don't know what the limiting factor is, but
it's not CPU.  My guess is it's the checksum offload hardware in the chips,
in which case doing those in software would be faster at the cost of using
more CPU, but I never tested this theory.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Re: Packet Filter router i368 vs 64bit

Josh Grosse
On Wed, Dec 03, 2014 at 10:54:14AM +1100, Darren Tucker wrote:

> On Fri, Nov 28, 2014 at 6:32 PM, Blaise Hizded <[hidden email]> wrote:
> >
> > I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
> > home firewall with 10MB WAN broadband and 100MB between computers.
> > All is fine: low temperature, low consumption, same speed as with a
> > basic 100MBB switch.
> >
>
> I spent some time tuning the vr(4) driver on ALIX a while back[1], and in
> my experience the throughput maxes out at around 85 Mbit/s of TCP (ie
> iperf) traffic through it.  I don't know what the limiting factor is, but
> it's not CPU.  My guess is it's the checksum offload hardware in the chips,
> in which case doing those in software would be faster at the cost of using
> more CPU, but I never tested this theory.
>
> [1] http://undeadly.org/cgi?action=article&sid=20130201054156

On my Alix 2d13s I have seen peaks of about 230 Mbps as reported by nfsen,
which is in line with Darren's observed results.  They've been a good fit on
100 Mbps Ethernet segments.


Re: Packet Filter router i368 vs 64bit

bodie
In reply to this post by mottycruz
On 02.12.2014 22:25, Stan Gammons wrote:

> On 12/02/14 09:51, Chris Cappuccio wrote:
>> Stan Gammons [[hidden email]] wrote:
>>> The APU1C works fine for a home network.  The only 2 things I dislike are
>>> the CPU temperature and the link LED's are off when the Ethernet ports are
>>> linked at 1 gig. I've complained about the link LED issue on the PC Engines
>>> support forum, but I guess there's no desire to fix it. Oh well.
>>>
>> Call me crazy, but when OpenBSD takes over control of the Realtek chips,
>> isn't it OpenBSD's responsibility to program them properly, not the BIOS?
>>
>
> Well, using any version of OpenBSD 5.5 and newer the LEDs work right
> with this NIC.
>
> re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x06:
> RTL8168E/8111E-VL (0x2c80), msi, address 90:2b:34:af:eb:1a
> rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 5
>
> With this NIC, which is the one in the APU, the LEDs don't work
> right.
>
> re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E
> (0x2c00), msi, address 00:0d:b9:33:75:88
> rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 4
>
> So, the question is why don't the LEDs work right on the NIC in the
> APU?  The NIC in the APU is very similar to the one that the LEDs do
> work right on.

And what was the answer of Realtek on such question? ;-) It may be nice
curiosity.

>
> I'm pretty sure the FreeBSD Realtek driver is the same as the OpenBSD
> one, although I haven't tried FreeBSD on an APU.  Nor have I tried
> Linux on one.  I guess I could try both on the APU to see if there's
> any difference.
>
>
> Stan


Re: Packet Filter router i368 vs 64bit

Stuart Henderson
In reply to this post by Darren Tucker
On 2014-12-02, Darren Tucker <[hidden email]> wrote:

> On Fri, Nov 28, 2014 at 6:32 PM, Blaise Hizded <[hidden email]> wrote:
>>
>> I run the previous generation ALIX 2D13 with OpenBSD 5.6 on it for a
>> home firewall with 10MB WAN broadband and 100MB between computers.
>> All is fine: low temperature, low consumption, same speed as with a
>> basic 100MBB switch.
>>
>
> I spent some time tuning the vr(4) driver on ALIX a while back[1], and in
> my experience the throughput maxes out at around 85 Mbit/s of TCP (ie
> iperf) traffic through it.  I don't know what the limiting factor is, but
> it's not CPU.  My guess is it's the checksum offload hardware in the chips,
> in which case doing those in software would be faster at the cost of using
> more CPU, but I never tested this theory.
>
> [1] http://undeadly.org/cgi?action=article&sid=20130201054156
>

Linux developers were seeing higher throughput (though obviously higher
cpu usage) when offload was disabled. Apparently the checksum offload
can't pipeline. I'm not sure if vlan hw tagging was also implicated.
IIRC there were more details in an old lkml post.


Re: Packet Filter router i368 vs 64bit

Darren Tucker
On Sat, Dec 6, 2014 at 9:25 AM, Stuart Henderson <[hidden email]>
wrote:
>
> Linux developers were seeing higher throughput (though obviously higher
> cpu usage) when offload was disabled. Apparently the checksum offload
> can't pipeline. I'm not sure if vlan hw tagging was also implicated.
> IIRC there were more details in an old lkml post.
>

I think I found the one you are referring to:
http://lkml.iu.edu/hypermail/linux/kernel/0712.3/1199.html

I can't test this at the moment since the hardware is on the other side of
the planet, but I might give this a spin when I get a chance.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
