pf vs mp


Re: pf vs mp

Chris Cappuccio
Quartz [[hidden email]] wrote:
> Quick question: I need to make a decision between a faster single core and a
> slower multicore. The faq currently states that pf gets no improvement from
> mp. Is this still correct/current information? Presumably it would see no
> benefit from hyperthreading either, right?
>
> For an OpenBSD machine acting as a gateway/firewall/router with a handful of
> related tasks (pf, dhcp server, etc) would mp yield anything?

While it was true up until 2012 or 2013 that MP kernels had worse
networking performance than the SP, that is no longer the case. There
were problems in the MP kernel that made latency higher and throughput
lower than SP kernel, especially as traffic levels increased. This
hasn't been an issue for at least two years. The recommendation
that people use SP kernels for networking is no longer valid.

In fact, under -current, my myx routers now make use of two cores,
today. There is a lot of work going into this area right now.

Chris


Re: pf vs mp

Theo de Raadt
> Quartz [[hidden email]] wrote:
> > Quick question: I need to make a decision between a faster single core and a
> > slower multicore. The faq currently states that pf gets no improvement from
> > mp. Is this still correct/current information? Presumably it would see no
> > benefit from hyperthreading either, right?
> >
> > For an OpenBSD machine acting as a gateway/firewall/router with a handful of
> > related tasks (pf, dhcp server, etc) would mp yield anything?
>
> While it was true up until 2012 or 2013 that MP kernels had worse
> networking performance than the SP, that is no longer the case. There
> were problems in the MP kernel that made latency higher and throughput
> lower than SP kernel, especially as traffic levels increased. This
> hasn't been an issue for at least two years. The recommendation
> that people use SP kernels for networking is no longer valid.
>
> In fact, under -current, my myx routers now make use of two cores,
> today. There is a lot of work going into this area right now.

I think the OP should buy a single processor machine.

Then, in a year or two, he can provide uplift for the stalling global
economy by purchasing a replacement.

On a more serious note, I don't see how one can actually buy faster
single-core performance for this purpose.  If the question was more
detailed, describing specific models of machines, we'd be able to
show it makes no financial sense.  The cheapest stuff is good enough.


Re: pf vs mp

quartz-2
In reply to this post by patric conant
> I'm sorry I'm not familiar with either of the processors you're
> describing. In the vague terms you have given,

I haven't described any specific models yet, I'm being a little vague
because I was looking more for general guidance than having the list
debate the pros and cons of dozens of different specific motherboards.
The sort of stuff we're looking at are various Intel Atoms, Celerons,
modern Pentium lines (eg, N3700), and a variety of things from AMD.
There's a wide range here, so I'm trying to figure out where we should
start looking first.


>I am 100% that the answer is
> use the multicore setup.

OK


Re: pf vs mp

quartz-2
In reply to this post by Joseph Borg
> Maybe this webpage would help you make an informed choice?
>
> https://calomel.org/pf_config.html

That looks like a good reference for setting up pf and the right way to
architect your pf.conf, but it doesn't appear to address any of the cpu
threading issues I'm trying to figure out. Thanks though, I'll keep a
copy of that in my files, it might help when we finally set this system up.


Re: pf vs mp

quartz-2
In reply to this post by Theo de Raadt
> On a more serious note, I don't see how one can actually buy faster
> single-core performance for this purpose.  If the question was more
> detailed, describing specific models of machines, we'd be able to
> show it makes no financial sense.  The cheapest stuff is good enough.

As I said before, I think information is getting lost here in the
discussion. The issue is we need something that fits within certain
restrictive thermal/size/power/noise limits; these are all fanless
setups and some might even be battery powered. The sort of questions I'm
facing are like do we go for a single core Celeron or a multicore Atom
or what. I understand that the gross performance of a top of the line
Xeon or whatever will make this issue moot, but we can't afford
something like that for this project.


Re: pf vs mp

Dot Yet
In reply to this post by quartz-2
Any idea if running an ipsec vpn or openvpn on the same machine will
benefit from the second core? working remotely over VPN is quite common
these days. so all the extra juice may help encryption etc. is it so?

On Tue, Sep 1, 2015 at 8:59 PM, Quartz <[hidden email]> wrote:

> Maybe this webpage would help you make an informed choice?
>>
>> https://calomel.org/pf_config.html
>>
>
> That looks like a good reference for setting up pf and the right way to
> architect your pf.conf, but it doesn't appear to address any of the cpu
> threading issues I'm trying to figure out. Thanks though, I'll keep a copy
> of that in my files, it might help when we finally set this system up.


Re: pf vs mp

quartz-2
In reply to this post by Chris Cappuccio
>The recommendation
> that people use SP kernels for networking is no longer valid.

Ah, thank you for mentioning this explicitly. I had a memory of this
kicking around at the bottom of my subconscious. I knew there was
something else about this issue but couldn't put my finger on it.


Re: pf vs mp

quartz-2
In reply to this post by Giancarlo Razzolini-3
> The short answer is, unless you can guarantee that pf will have its own
> core and no other process will race against it (you can't), then go for
> the mp.

OK, so after more info you're switching to the mp side? If that's true
then all the latest recommendations from this afternoon forwards are in
favor of mp.


Re: pf vs mp

quartz-2
In reply to this post by Atanas Vladimirov
> I read all thoughts till now and my advice is if you are going to buy
> a new hardware now (year 2015) take multi core CPU. The OpenBSD just
> get better every day and if you follow tech@, source-changes@ and
> misc@ you already know that our beloved OS soon or later will spread
> load on all CPU/CORES (device drivers, TCP/IP stack, pf and so on).

That's a good point in general, but this is an embedded project and it's
pretty much set once made, so future expansion or upgrades aren't really
a selling point.


Re: pf vs mp

quartz-2
In reply to this post by quartz-2
> As I said before, I think information is getting lost here in the
> discussion. The issue is we need something that fits within certain
> restrictive thermal/size/power/noise limits; these are all fanless
> setups and some might even be battery powered.

And when I say "fanless" I mean *completely* fanless, there won't even
be any fans in the chassis or power supply, so low TDP is super
important, and that ends up meaning low performance. It's not clear to
me yet how close to the margin we'll end up being.


Re: pf vs mp

Patrick Dohman
> On Sep 1, 2015, at 8:40 PM, Quartz <[hidden email]> wrote:
>
> there won't even be any fans in the chassis or power supply, so low TDP is
> super important, and that ends up meaning low performance

Embedded systems can often benefit from efficient power design & inefficiency
can unduly impact WLAN etc..

Regards
Patrick


Re: pf vs mp

Janne Johansson-3
In reply to this post by Dot Yet
OpenVPN will eat cpu in userspace mostly so that one will most certainly
find use for MP systems.
IPSec runs in the kernel and will for a while be "limited" to one core,
though for many applications, that one
core will still do more crypto than needed, unless you are pushing it hard
over the VPN.

For the secure remote management and/or monitoring things found on office
vpns, and the occasional file data
move on top of email, dns, and surfing, the limit on single core vpns when
running on modern CPUs isn't that noticeable.


2015-09-02 3:16 GMT+02:00 Dot Yet <[hidden email]>:

> Any idea if running an ipsec vpn or openvpn on the same machine will
> benefit from the second core? working remotely over VPN is quite common
> these days. so all the extra juice may help encryption etc. is it so?
>
> On Tue, Sep 1, 2015 at 8:59 PM, Quartz <[hidden email]> wrote:
>
> > Maybe this webpage would help you make an informed choice?
> >>
> >> https://calomel.org/pf_config.html
> >>
> >
> > That looks like a good reference for setting up pf and the right way to
> > architect your pf.conf, but it doesn't appear to address any of the cpu
> > threading issues I'm trying to figure out. Thanks though, I'll keep a copy
> > of that in my files, it might help when we finally set this system up.
>
>


--
May the most significant bit of your life be positive.


Re: pf vs mp

Giancarlo Razzolini-3
In reply to this post by quartz-2
On 01-09-2015 22:26, Quartz wrote:
> OK, so after more info you're switching to the mp side? If that's true
> then all the latest recommendations from this afternoon forwards are
> in favor of mp.
Re-read all my emails. Just because I said I use single core, doesn't
mean I switched sides. As I said, you should try and see. But, in
general, you will benefit from mp. Yes, I'm being vague, as you were.

P.s.: Don't use anything you read on calomel.org. Want to learn pf, read
the manual or buy the book of pf.

Cheers,
Giancarlo Razzolini


Re: pf vs mp

Ted Unangst-6
In reply to this post by quartz-2
Quartz wrote:

> > On a more serious note, I don't see how one can actually buy faster
> > single-core performance for this purpose.  If the question was more
> > detailed, describing specific models of machines, we'd be able to
> > show it makes no financial sense.  The cheapest stuff is good enough.
>
> As I said before, I think information is getting lost here in the
> discussion. The issue is we need something that fits within certain
> restrictive thermal/size/power/noise limits; these are all fanless
> setups and some might even be battery powered. The sort of questions I'm
> facing are like do we go for a single core Celeron or a multicore Atom
> or what. I understand that the gross performance of a top of the line
> Xeon or whatever will make this issue moot, but we can't afford
> something like that for this project.

Is it not possible to buy two or three representative models and test them to
find out which of celeron, atom, or amd is fastest?


Re: pf vs mp

Giancarlo Razzolini-3
In reply to this post by quartz-2
On 01-09-2015 22:40, Quartz wrote:
> And when I say "fanless" I mean *completely* fanless, there won't even
> be any fans in the chassis or power supply, so low TDP is super
> important, and that ends up meaning low performance. It's not clear to
> me yet how close to the margin we'll end up being.

So now that you are being less vague, then we can start pointing you in
the right direction. I've built some OpenBSD firewalls using this kind
of hardware, completely fanless using CF for storage. I think you are
focusing on the thing that will probably give you less problems, the
CPU. These kind of systems tend to have problems with a lot of things,
*before* you ever get to the CPU. Don't expect top notch performance
from them, specially under heavy loads. That being said, there are lots
of options, but I believe that one of the most recommended here on this
list is soekris. But there are other options too.

P.s.: Talking about this kind of embedded system, you'll most likely end
up with a single core one. Pay attention to the RAM speed and bus speed too.

Cheers,
Giancarlo Razzolini


Re: pf vs mp

quartz-2
In reply to this post by Ted Unangst-6
> Is it not possible to buy two or three representative models and test them to
> find out which of celeron, atom, or amd is fastest?

Well.... as restrictive as our requirements are, there are still a few
too many options for that. I kinda wanted to narrow it down some more first.


Re: pf vs mp

quartz-2
In reply to this post by Giancarlo Razzolini-3
>I think you are
> focusing on the thing that will probably give you less problems, the
> CPU. These kind of systems tend to have problems with a lot of things,
> *before* you ever get to the CPU.

Such as? These aren't going to be doing hardly any disk IO and they
don't need fancy graphics, so assuming they have a good quality chipset
handling the ethernet ports I can't think of much else that will really
get in the way. Unless you're talking plain bad build quality or something.


> Don't expect top notch performance
> from them, specially under heavy loads.

I'm not, that's why I was trying to sort out the single vs multi core
issue to try to get the best out of it we could.


Re: pf vs mp

bofh-6
You really need to specify which chips you are looking at.  Or even which
range of chips.  Huge difference between a single core atom vs a 16 core
monster.  I know you've said embedded systems, so you should be able to
provide some idea of CPUs.

Anything else is just a waste of time because of the huge differences.


Re: pf vs mp

Stuart Henderson
In reply to this post by Dot Yet
On 2015-09-02, Dot Yet <[hidden email]> wrote:
> Any idea if running an ipsec vpn or openvpn on the same machine will
> benefit from the second core? working remotely over VPN is quite common
> these days. so all the extra juice may help encryption etc. is it so?

Using a processor that supports AESNI (it shows up in the cpu attach
lines in dmesg) and choosing ciphers that work with this (if you have
the choice) will have a much bigger effect than multiple cores.

> On Tue, Sep 1, 2015 at 8:59 PM, Quartz <[hidden email]> wrote:
>
>> Maybe this webpage would help you make an informed choice?
>>>
>>> https://calomel.org/pf_config.html
>>>
>>
>> That looks like a good reference for setting up pf and the right way to
>> architect your pf.conf, but it doesn't appear to address any of the cpu
>> threading issues I'm trying to figure out. Thanks though, I'll keep a copy
>> of that in my files, it might help when we finally set this system up.

That really isn't a great reference. A huge chunk (of a very long page)
deals with things that almost nobody needs to touch, the things which
actually help laying out pf.conf nicely (like tags) are only lightly
dealt with, the "match log(matches)" which is indispensable when
debugging more complex rulesets isn't mentioned at all.
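
The dmesg check mentioned in the message above can be scripted when comparing several candidate boards. This is an added example, not part of the original thread: the function name `aesni_report` is hypothetical, the dmesg samples are constructed, and it assumes the feature appears as the flag `AES` in the comma-separated `cpuN:` feature line.

```shell
#!/bin/sh
# Added example: report, per CPU, whether the OpenBSD dmesg feature line lists AES.
# On a live system: aesni_report < /var/run/dmesg.boot
aesni_report() {
    awk '
        # A feature line is "cpuN: FLAG,FLAG,..."; model and cache lines also
        # start with "cpuN:" but their first word is not followed by a comma.
        /^cpu[0-9]+: [A-Z0-9][A-Za-z0-9._-]*,/ {
            cpu = $1
            sub(/:$/, "", cpu)
            if (!(cpu in seen)) { seen[cpu] = 1; order[++count] = cpu }
            n = split($2, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == "AES") has_aes[cpu] = 1
        }
        END {
            if (count == 0) { print "no cpu feature lines found"; exit 2 }
            for (i = 1; i <= count; i++) {
                cpu = order[i]
                print cpu, ((cpu in has_aes) ? "aes" : "no-aes")
            }
        }
    '
}

# Constructed sample input (not from any machine in the thread): two cores with AES.
sample_with_aes() {
    cat <<'EOF'
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Example(R) CPU X1000 @ 1.60GHz, 1600.00 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,SSE,SSE2,SSE3,PCLMUL,SSSE3,SSE4.1,POPCNT,AES,RDRAND,NXE,LONG
cpu0: 1MB 64b/line 16-way L2 cache
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Example(R) CPU X1000 @ 1.60GHz, 1600.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,SSE,SSE2,SSE3,PCLMUL,SSSE3,SSE4.1,POPCNT,AES,RDRAND,NXE,LONG
EOF
}

# Constructed sample input: a single core whose feature line lacks AES.
sample_without_aes() {
    cat <<'EOF'
cpu0 at mainbus0: (uniprocessor)
cpu0: Example(R) CPU Y200 @ 1.00GHz, 1000.00 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,SSE,SSE2,SSE3,SSSE3,NXE,LONG
EOF
}

sample_with_aes | aesni_report
sample_without_aes | aesni_report
```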
