Netgate Discussion Forum

    D2500CC for a 120/20?

    • G
      gekko

      Thank you Steve. I will try the VIA C7 1.5 GHz. If it's allowed, here is another link with some benchmarks I just found. And it seems that this CPU will be able to handle this throughput with Padlock. :)
      http://www.hacom.net/kb/ipsec-performance-pfsense-firewall-appliance

      My selected board: I know that this kind of Realtek NICs are not the best. But I found a very cheap complete system with case and power supply for 83€ incl. shipping. Thx for help. And I hope that 1 GB RAM should be enough for normal Internet traffic and VPN.

      http://www.jetwaycomputer.com/spec/J7F4K1G5D.pdf

      • stephenw10S
        stephenw10 Netgate Administrator

        Ah yes, I forgot Hacom had C7 machines.  :)

        Steve

        • G
          gekko

          Hi stephenw10,

          I have selected a 1.2 GHz VIA C7 Eden which doesn't need a cooling fan. My first results were

          • 128 bit AES-CBC 68% CPU usage and a maximum of 37 Mbit/sec
          • VPN connection on my PC can handle 43 Mbit

          More or less it's OK, but I hoped in the beginning that this CPU would be able to reach the same speed as my PC :(

          dmesg | grep padlock
          padlock0: <aes-cbc,sha1,sha256> on motherboard

          kldstat
          Id Refs Address    Size    Name
          1    1 0xc0400000 ebb178  kernel

          Test with cryptodev

          openssl speed -elapsed -evp aes128 -engine cryptodev
          engine "cryptodev" set.
          You have chosen to measure elapsed time instead of user CPU time.
          To get the most accurate results, try to run this
          program when this computer is idle.
          Doing aes-128-cbc for 3s on 16 size blocks: 685987 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 64 size blocks: 669361 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 256 size blocks: 612256 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 1024 size blocks: 460680 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 8192 size blocks: 87128 aes-128-cbc's in 3.01s
          OpenSSL 0.9.8n 24 Mar 2010
          built on: date not available
          options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
          compiler: cc
          available timing options: USE_TOD HZ=128 [sysconf value]
          timing function used: gettimeofday
          The 'numbers' are in 1000s of bytes per second processed.
          type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
          aes-128-cbc      3650.45k    14238.43k    52094.96k  156788.82k  237206.54k

          Test with padlock

          openssl speed -elapsed -evp aes128 -engine padlock
          engine "padlock" set.
          You have chosen to measure elapsed time instead of user CPU time.
          To get the most accurate results, try to run this
          program when this computer is idle.
          Doing aes-128-cbc for 3s on 16 size blocks: 10512439 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 64 size blocks: 8872721 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 256 size blocks: 5276426 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 1024 size blocks: 2031673 aes-128-cbc's in 3.01s
          Doing aes-128-cbc for 3s on 8192 size blocks: 300961 aes-128-cbc's in 3.00s
          OpenSSL 0.9.8n 24 Mar 2010
          built on: date not available
          options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
          compiler: cc
          available timing options: USE_TOD HZ=128 [sysconf value]
          timing function used: gettimeofday
          The 'numbers' are in 1000s of bytes per second processed.
          type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
          aes-128-cbc      55956.91k  188730.29k  448928.58k  690283.55k  820769.76k

          It's possible that the Realtek NICs are the bottleneck?! I mean 68% CPU usage in "top" is OK, no other processes are visible with higher usage than 0,x %.

          1 Reply Last reply Reply Quote 0
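Added example (not part of the original posts): a shell script that takes the two `openssl speed` summary rows quoted in the post above, converts them to Mbit/s, and compares the cryptodev and padlock engines per block size. The function names are hypothetical, and using the 1024-byte column as a stand-in for a tunnel packet is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# The two rows are the `openssl speed` summary lines quoted in the post above.
CRYPTODEV_ROW='aes-128-cbc      3650.45k    14238.43k    52094.96k  156788.82k  237206.54k'
PADLOCK_ROW='aes-128-cbc      55956.91k  188730.29k  448928.58k  690283.55k  820769.76k'

# Map a block size to its column (1-5) in the summary row.
col_for_size() {
    case "$1" in
        16) echo 1 ;; 64) echo 2 ;; 256) echo 3 ;; 1024) echo 4 ;; 8192) echo 5 ;;
        *) echo "unsupported block size: $1" >&2; return 1 ;;
    esac
}

# row_mbit ROW SIZE -> cipher throughput in Mbit/s.
# openssl prints "1000s of bytes per second", so "Nk" is N * 1000 bytes/s.
row_mbit() {
    col=$(col_for_size "$2") || return 1
    printf '%s\n' "$1" | awk -v c="$col" '{
        v = $(c + 1); sub(/k$/, "", v)
        printf "%.1f\n", v * 1000 * 8 / 1000000
    }'
}

# speedup SLOW_ROW FAST_ROW SIZE -> how many times faster FAST_ROW is.
speedup() {
    slow=$(row_mbit "$1" "$3") || return 1
    fast=$(row_mbit "$2" "$3") || return 1
    awk -v s="$slow" -v f="$fast" 'BEGIN { printf "%.1f\n", f / s }'
}

# tunnel_share ROW SIZE TUNNEL_MBIT -> percent of the cipher rate the tunnel uses.
tunnel_share() {
    rate=$(row_mbit "$1" "$2") || return 1
    awk -v r="$rate" -v t="$3" 'BEGIN { printf "%.2f\n", t / r * 100 }'
}

for size in 16 64 256 1024 8192; do
    printf '%5s bytes: cryptodev %7s Mbit/s, padlock %7s Mbit/s, x%s\n' \
        "$size" "$(row_mbit "$CRYPTODEV_ROW" "$size")" \
        "$(row_mbit "$PADLOCK_ROW" "$size")" \
        "$(speedup "$CRYPTODEV_ROW" "$PADLOCK_ROW" "$size")"
done
# 37 Mbit/s is the tunnel rate reported in the post; 1024 bytes is an assumed
# stand-in for a typical packet payload, not a value from the thread.
echo "tunnel share of padlock rate: $(tunnel_share "$PADLOCK_ROW" 1024 37)%"
```

`openssl speed` measures the cipher alone on a buffer in memory, so these figures say nothing about per-packet costs in the tunnel path.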
          • stephenw10S
            stephenw10 Netgate Administrator

            People have reported extreme bottlenecks using Realtek cards, like down to 20Mbps, but personally I've never seen anything below 80Mbps unless it was configured incorrectly.
            The Realtek NICs on your board are Gigabit anyway so you should not be seeing that problem. The Gigabit Realtek NICs are a far superior device to the older 10/100 NICs that gave them a bad rep.

            Try running 'top -SH' to see all the processes.

            I have never used the padlock engine personally, I had assumed it was tied into the crypto framework but perhaps not.

            Steve

            • G
              gekko

              top -sh output running ~ 30 Mbit download

              last pid: 15728;  load averages:  0.47,  0.21,  0.12                                                  up 0+20:07:24  14:33:52
              109 processes: 4 running, 91 sleeping, 14 waiting
              CPU: 28.4% user,  0.0% nice, 34.0% system, 20.5% interrupt, 17.2% idle
              Mem: 46M Active, 17M Inact, 57M Wired, 232K Cache, 58M Buf, 805M Free
              Swap:

              PID USERNAME PRI NICE  SIZE    RES STATE    TIME  WCPU COMMAND
              46559 root    109    0  5116K  4112K RUN      9:05 57.96% openvpn
                10 root    171 ki31    0K    8K RUN    18.5H 19.97% idle
                11 root    -28    -    0K  120K RUN    12:06 19.97% {swi5: +}

              vmstat -i output…
              re0 WAN Port
              re1 LAN Port

              interrupt                          total      rate
              irq3: uart1                            2          0
              irq4: uart0                            2          0
              irq14: ata0                        18808          0
              irq18: re0                      17532120        239
              irq19: re1                      16597733        226
              cpu0: timer                    29256276        400
              Total                          63404941        867

              I haven't configured my IPTV (but not in use); perhaps this is a cause I'm losing bandwidth. Installation was done using a 4 GB CF card.

              • stephenw10S
                stephenw10 Netgate Administrator

                Hmm, well it's definitely not using all your system resources then.
                Is that 30Mbps over VPN or just an upstream restriction?

                Steve

                • G
                  gekko

                  I am using my pfSense router to connect to an external VPN provider. So the router is managing everything, connected 24h to the provider. My VDSL2 can handle 50Mbit/10 Mbit
                  Using OpenVPN on my PC ~ 43 Mbit down

                  Using my router as client (1.2 GHz Eden C7 / 1GB-RAM) ~ 36 Mbit. I don't know how the other user was managing 45 Mbit with a 500 MHz CPU with VIA Padlock support. Or he meant only the throughput and his PC was not running the OpenVPN client? Hmm.

                  I recognized many collisions in my Status -> Interface (more than 11000 within 2 days).

                  • stephenw10S
                    stephenw10 Netgate Administrator

                    One significant difference is that he was using IPSec not OpenVPN. I believe it is easier to specify the encryption engine for IPSec but I never tried it. It could be that you are not using the Padlock engine correctly.
                    In that post he also says that without Padlock he got 12Mbps from his 500MHz C7. The rates you are seeing could line up with that.

                    Steve

                    • G
                      gekko

                      I have added the command line into my openvpn.conf as well to ensure the proper start/load of padlock. It was shown during openvpn start. So it can be that my measurement (using OpenVPN as client) can not be compared with the measurement with IPsec.
                      My VPN provider is only supporting OpenVPN, L2TP/IPsec and PPTP. I have two options now

                      • Live with that and use my PCs to connect through pfSense
                      • Buy stronger hardware (for example the Intel Atom D2500CEE or a greater VIA CPU with padlock (mini-ITX and fanless needed))

                      At the end, too bad that I haven't bought the 1.5 GHz VIA C7 board, but this one had a fan. I assume that the additional 300 MHz would be enough for the needed 6-7 Mbit VPN throughput :)
                      ------------------------------------
                      Modify:

                      I found now this page with some guides to improve the throughput
                      https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux

                      I will try it today at home again. OK, I do not have a Gigabit network connection, but some commands would perhaps help.

                      • G
                        gekko

                        Hi stephenw10,

                        A short feedback. It is running very well but I don't know the root cause. 42Mbit AES-256bit-CBC@60% CPU usage. I have recognized that using SSH or the web interface is dropping the download speed extremely for some seconds. If I close all these applications the speed is stable. Thx for support.
