Netgate Discussion Forum

    D2500CC for a 120/20?

      stephenw10 Netgate Administrator

      The X700 PSU is non-standard so make sure you know what you're doing.  ;)
      It is probably not powerful enough for what you are doing anyway.

      The D2500CCE will easily firewall/NAT a 120/20 connection. You should have no problem doing QoS either. Introduce some anti-virus solution and things get a lot trickier. You are talking about either using Squid with HAVP (tried and tested) or using Dansguardian with ClamAV (much newer). Both these are going to reduce the throughput of the box considerably. Having not tried either of those on an Atom board I can't give you any real numbers but I would think you might be getting down towards 120Mbps max.
      Add Snort into the mix and I think I'd have to recommend something more powerful.

      You definitely won't get 120Mbps of VPN traffic using an Atom but perhaps you don't need it.

      Steve

        bjrossi

        Thanks for the reply!

        Indeed, I only need about 10Mbps VPN max (security cameras).

        I see here (http://forum.pfsense.org/index.php/topic,53679.0.html) that with snort, you get ca 150Mbps, so ballpark for AV is probably as you say.
        Of course:

        • are the on-the-fly AV-scanning packages for pf really that effective, are they an added value if every PC already has scanners?
        • or, do I need to step it up to a G630T or G860 cpu?
          localhostx

          My pfSense is running on a 20/5 Mbit/s connection and has the Squid, HAVP and Snort packs.

          At max (20Mbit/s download) CPU usage of the D2500CCE goes up to 50%. Therefore, I don't recommend the D2500CCE for a 120Mbit connection.

            stephenw10 Netgate Administrator

            It's hard to predict how it will scale with throughput because the D2500 is a 2 core, 4 thread CPU. Some of the processes in pfSense, notably pf, do not scale across cores.
            However that's still a useful real world number.

            Steve

              localhostx

              @stephenw10:

              It's hard to predict how it will scale with throughput because the D2500 is a 2 core, 4 thread CPU. Some of the processes in pfSense, notably pf, do not scale across cores.
              However that's still a useful real world number.

              Steve

              D2500 is a 2 core, 2 thread CPU. No HyperThreading is present.

                stephenw10 Netgate Administrator

                Huh, I stand corrected.

                Steve

                  n1ko

                  @HakanTT:

                  My pfsense is running on 20/5 Mbit/s connection speed and have Squid, havp and snort packs.

                  At max (20Mbit/s download) CPU usage of D2500cce goes up to 50%. Therefore, I don't recommend you d2500cce for 120Mbit connection.

                  I ran 2x 100Mbps lines with a 1.6GHz P-M (a lot slower than the D2500 and single core). No problem, even with squid vpn (20Mbps upload). Snort is a bit CPU heavy, but your CPU usage seems weird if you are not confusing scaled down speeds & CPU usage somehow.

                  And that was with heavy usage (read bittorrent with tons of connections). Office usage is a lot friendlier for the CPU.

                    stephenw10 Netgate Administrator

                    Don't underestimate the Pentium-M. It may be older but it will outperform the Atom on a clock-for-clock basis by ~60%. Perhaps more depending on the application. E.g. http://www.mydigitallife.info/intel-atom-initial-benchmarking-data-vs-pentium-and-celeron-m-processors-before-official-release/ Admittedly that is the first gen. Atom.
                    That combined with the single-threaded-ness of pf means that it's not a fair comparison.

                    Steve

                      tirsojrp

                      This chart can help. It is focused on single thread performance. In this benchmark Pentium M beats all Atoms.

                      http://www.cpubenchmark.net/singleThread.html

                        stephenw10 Netgate Administrator

                        That does show it up nicely.
                        Even the Atom D2700 at 2.13GHz is beaten by the Pentium-M 1.2GHz in a single thread test.  :o

                        Steve

                          gekko

                          Would the D2500CCE be enough to handle VPN connections with 50Mbps/10Mbps? I'm not sure whether to consider a VIA C7 1.5 GHz instead of the Intel Atom.

                            stephenw10 Netgate Administrator

                            The D2500 is likely to give similar vpn performance to the D510 that was extensively tested by pfSense developer Seth, here.
                            The D2500 is clocked slightly faster but doesn't support hyperthreading (see posts above). It will manage 50Mbps in one direction.

                            The Via C7 is a far less powerful cpu but has onboard encryption hardware in the form of Via Padlock. I've not tested it so maybe search the forum for some numbers on that.

                            Steve

                            Edit: Numbers seem a little sparse! I found this: http://forum.pfsense.org/index.php/topic,45430.msg237835.html#msg237835
                            A 1GHz C7 can do 26Mbps OpenVPN @ 75% CPU use. Take from that what you will.  ;)

                            A better result is here: http://forum.pfsense.org/index.php/topic,19818.msg104253.html#msg104253

                            I got 45Mbps IPSec AES256 throughput measured by iperf on a 500MHz VIA C7

                            So you should have no problems achieving 50Mbps with a CPU three times faster.  :) I would speculate that in the first result I gave the Padlock engine is not being used.

                              gekko

                              Thank you Steve. I will try the VIA C7 1.5 GHz. If it's allowed, here is another link with some benchmarks I just found. And it seems that this CPU will be able to handle this throughput with Padlock. :)
                              http://www.hacom.net/kb/ipsec-performance-pfsense-firewall-appliance

                              My selected board: I know that this kind of Realtek NICs are not the best. But I found a very cheap complete system with case and power supply for 83€ incl. shipping. Thx for help. And I hope that 1 GB RAM should be enough for normal Internet traffic and VPN.

                              http://www.jetwaycomputer.com/spec/J7F4K1G5D.pdf

                                stephenw10 Netgate Administrator

                                Ah yes, I forgot Hacom had C7 machines.  :)

                                Steve

                                  gekko

                                  Hi stephenw10,

                                  I have selected a 1.2 GHz VIA C7 Eden which doesn't need a cooling fan. My first results were

                                  • 128 bit AES-CBC 68% cpu usage and a maximum of 37 Mbit/sec
                                  • VPN connection on my PC can handle 43 Mbit

                                  More or less it's OK, but I hoped in the beginning that this CPU would be able to reach the same speed as my PC :(

                                  dmesg | grep padlock
                                  padlock0: <aes-cbc,sha1,sha256> on motherboard

                                  kldstat
                                  Id Refs Address    Size    Name
                                  1    1 0xc0400000 ebb178  kernel

                                  Test with cryptodev

                                  openssl speed -elapsed -evp aes128 -engine cryptodev
                                  engine "cryptodev" set.
                                  You have chosen to measure elapsed time instead of user CPU time.
                                  To get the most accurate results, try to run this
                                  program when this computer is idle.
                                  Doing aes-128-cbc for 3s on 16 size blocks: 685987 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 64 size blocks: 669361 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 256 size blocks: 612256 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 1024 size blocks: 460680 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 8192 size blocks: 87128 aes-128-cbc's in 3.01s
                                  OpenSSL 0.9.8n 24 Mar 2010
                                  built on: date not available
                                  options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
                                  compiler: cc
                                  available timing options: USE_TOD HZ=128 [sysconf value]
                                  timing function used: gettimeofday
                                  The 'numbers' are in 1000s of bytes per second processed.
                                  type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                                  aes-128-cbc      3650.45k    14238.43k    52094.96k  156788.82k  237206.54k

                                  Test with padlock

                                  openssl speed -elapsed -evp aes128 -engine padlock
                                  engine "padlock" set.
                                  You have chosen to measure elapsed time instead of user CPU time.
                                  To get the most accurate results, try to run this
                                  program when this computer is idle.
                                  Doing aes-128-cbc for 3s on 16 size blocks: 10512439 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 64 size blocks: 8872721 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 256 size blocks: 5276426 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 1024 size blocks: 2031673 aes-128-cbc's in 3.01s
                                  Doing aes-128-cbc for 3s on 8192 size blocks: 300961 aes-128-cbc's in 3.00s
                                  OpenSSL 0.9.8n 24 Mar 2010
                                  built on: date not available
                                  options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
                                  compiler: cc
                                  available timing options: USE_TOD HZ=128 [sysconf value]
                                  timing function used: gettimeofday
                                  The 'numbers' are in 1000s of bytes per second processed.
                                  type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                                  aes-128-cbc      55956.91k  188730.29k  448928.58k  690283.55k  820769.76k

                                  It's possible that the Realtek NICs are the bottleneck?! I mean 68% CPU usage in "top" is OK, no other processes are visible with higher usage than 0,x %.

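Added example, not part of the original posts: a short Python script that parses the two `openssl speed` summary tables posted above, converts them to Mbit/s, and sets them against the 37 Mbit/s OpenVPN maximum reported in the same post. The function names are hypothetical; note that `openssl speed` times only the AES-CBC cipher in a single process, not the rest of the OpenVPN packet path.

```python
# Summary tables copied from the two `openssl speed` runs posted above.
CRYPTODEV = """\
type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
aes-128-cbc      3650.45k    14238.43k    52094.96k  156788.82k  237206.54k
"""
PADLOCK = """\
type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
aes-128-cbc      55956.91k  188730.29k  448928.58k  690283.55k  820769.76k
"""
OBSERVED_VPN_MBIT = 37.0  # OpenVPN maximum reported in the post


def parse_speed(text):
    """Return {block_size_bytes: Mbit/s} from an `openssl speed` summary table."""
    sizes, rates = [], []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["type"]:
            # Header row: "type 16 bytes 64 bytes ..." -> [16, 64, ...]
            sizes = [int(t) for t in tokens[1:] if t.isdigit()]
        elif sizes and len(tokens) > 1 and all(t.endswith("k") for t in tokens[1:]):
            # Data row: values are in 1000s of bytes per second.
            rates = [float(t[:-1]) * 1000 * 8 / 1e6 for t in tokens[1:]]
    if not sizes or len(sizes) != len(rates):
        raise ValueError("no complete openssl speed summary table found")
    return dict(zip(sizes, rates))


def compare(base, accel, observed_mbit):
    """Per block size: both rates, engine speedup, and base rate / observed rate."""
    return [
        {
            "size": size,
            "base_mbit": round(base[size], 1),
            "accel_mbit": round(accel[size], 1),
            "speedup": round(accel[size] / base[size], 1),
            "vs_observed": round(base[size] / observed_mbit, 1),
        }
        for size in sorted(base)
    ]


def sizes_below(rates, observed_mbit):
    """Block sizes at which the cipher alone is slower than the observed tunnel."""
    return [size for size, mbit in sorted(rates.items()) if mbit < observed_mbit]


if __name__ == "__main__":
    rows = compare(parse_speed(CRYPTODEV), parse_speed(PADLOCK), OBSERVED_VPN_MBIT)
    for r in rows:
        print("{size:>5} B  cryptodev {base_mbit:>7} Mbit/s  padlock {accel_mbit:>7} Mbit/s"
              "  x{speedup}  ({vs_observed}x the VPN rate)".format(**r))
```

Only the 16-byte cryptodev figure falls below the measured tunnel rate; at 1024-byte blocks both runs report AES-CBC rates far above 37 Mbit/s.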
                                    stephenw10 Netgate Administrator

                                    People have reported extreme bottlenecks using Realtek cards, like down to 20Mbps, but personally I've never seen anything below 80Mbps unless it was configured incorrectly.
                                    The Realtek NICs on your board are Gigabit anyway so you should not be seeing that problem. The Gigabit Realtek NICs are a far superior device to the older 10/100 NICs that gave them a bad rep.

                                    Try running 'top -SH' to see all the processes.

                                    I have never used the padlock engine personally, I had assumed it was tied into the crypto framework but perhaps not.

                                    Steve

                                      gekko

                                      top -sh output running ~ 30 Mbit download

                                      last pid: 15728;  load averages:  0.47,  0.21,  0.12                                                  up 0+20:07:24  14:33:52
                                      109 processes: 4 running, 91 sleeping, 14 waiting
                                      CPU: 28.4% user,  0.0% nice, 34.0% system, 20.5% interrupt, 17.2% idle
                                      Mem: 46M Active, 17M Inact, 57M Wired, 232K Cache, 58M Buf, 805M Free
                                      Swap:

                                      PID USERNAME PRI NICE  SIZE    RES STATE    TIME  WCPU COMMAND
                                      46559 root    109    0  5116K  4112K RUN      9:05 57.96% openvpn
                                        10 root    171 ki31    0K    8K RUN    18.5H 19.97% idle
                                        11 root    -28    -    0K  120K RUN    12:06 19.97% {swi5: +}

                                      vmstat -i output…
                                      re0 WAN Port
                                      re1 LAN Port

                                      interrupt                          total      rate
                                      irq3: uart1                            2          0
                                      irq4: uart0                            2          0
                                      irq14: ata0                        18808          0
                                      irq18: re0                      17532120        239
                                      irq19: re1                      16597733        226
                                      cpu0: timer                    29256276        400
                                      Total                          63404941        867

                                      I haven't configured my IPTV (but not in use), perhaps this is a cause I'm losing bandwidth. Installation was done using a 4 GB CF card.

                                        stephenw10 Netgate Administrator

                                        Hmm, well it's definitely not using all your system resources then.
                                        Is that 30Mbps over VPN or just an upstream restriction?

                                        Steve

                                          gekko

                                          I am using my pfSense router to connect to an external VPN provider. So the router is managing everything, connected 24h to the provider. My VDSL2 can handle 50Mbit/10 Mbit
                                          Using OpenVPN on my PC ~ 43 Mbit down

                                          Using my router as client (1.2 GHz Eden C7 / 1GB-RAM) ~ 36 Mbit. I don't know how the other user was managing 45 Mbit with a 500 MHz CPU with Via Padlock support. Or he meant only the throughput and his PC was not running the OpenVPN client? hmm

                                          I recognized many collisions in my status –> Interface (more than 11000 within 2 days.)

                                            stephenw10 Netgate Administrator

                                            One significant difference is that he was using IPSec not OpenVPN. I believe it is easier to specify the encryption engine for IPSec but I never tried it. It could be that you are not using the Padlock engine correctly.
                                            In that post he also says that without Padlock he got 12Mbps from his 500MHz C7. The rates you are seeing could line up with that.

                                            Steve

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.