[Many Pics] My new silent firewall build
-
@BlueKobold:
For commercial, other than those for backup purposes, no one is using PPPoE anymore.
Cool! Then you will be getting out of that single core using and all core can be used to work on that
WAN interface.
Yep, but with the fast development of internet in the country, most people are using 300-1000Mbps broadband, and thus we are always chasing faster hardware for firewall/routers :)
-
BTW I'm now still using 4GB USB memory running as nanobsd, thinking about the re-use of 16GB old pci-e ssd from Asus EEEPC for full install.
I'm actually wondering, why we can't use HAVP + Proxy with nanobsd with more memory as cache?
-
Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours. Can you give the syntax (assuming it's built into pfsense / FreeBSD)?
Just curious as to how the two boards stack up with AES-NI and without?
-
Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours. Can you give the syntax (assuming it's built into pfsense / FreeBSD)?
Just curious as to how the two boards stack up with AES-NI and without?
I did the test with reference to this document:
https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
Of course this is not an accurate test, the most accurate one should be doing this with 2 clients, but I don't have time so trying to use this as a simple reference.
-
Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours. Can you give the syntax (assuming it's built into pfsense / FreeBSD)?
Just curious as to how the two boards stack up with AES-NI and without?
I did the test with reference to this document:
https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
Of course this is not an accurate test, the most accurate one should be doing this with 2 clients, but I don't have time so trying to use this as a simple reference.
Here's what I came up with (modified to 256 from the 128 command since you stated 256)….
$ openssl speed -evp aes-256-cbc -engine cryptodev
engine "cryptodev" set.
Doing aes-256-cbc for 3s on 16 size blocks: 947833 aes-256-cbc's in 0.32s
Doing aes-256-cbc for 3s on 64 size blocks: 945487 aes-256-cbc's in 0.36s
Doing aes-256-cbc for 3s on 256 size blocks: 772576 aes-256-cbc's in 0.21s
Doing aes-256-cbc for 3s on 1024 size blocks: 457823 aes-256-cbc's in 0.20s
Doing aes-256-cbc for 3s on 8192 size blocks: 91829 aes-256-cbc's in 0.03s
OpenSSL 1.0.1l-freebsd 15 Jan 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 47345.41k 168378.90k 937621.12k 2307991.39k 24072421.38k
-
Yeah….the AES-NI contributes a lot, can you run it again without crypto engine? I would like to compare, from some other online examples, the AES-NI speeds up about 5-10x
-
Yeah….the AES-NI contributes a lot, can you run it again without crypto engine? I would like to compare, from some other online examples, the AES-NI speeds up about 5-10x
Something wrong. Numbers are as good or better. Do I need to turn off AES-NI in the settings menu?
Edit: Turned off AES-NI in the Advanced menu but no difference (I didn't reboot - like my current 98 days uptime). Anyone have thoughts on why no change?
$ openssl speed -evp aes-256-cbc
Doing aes-256-cbc for 3s on 16 size blocks: 949961 aes-256-cbc's in 0.38s
Doing aes-256-cbc for 3s on 64 size blocks: 968692 aes-256-cbc's in 0.25s
Doing aes-256-cbc for 3s on 256 size blocks: 793691 aes-256-cbc's in 0.31s
Doing aes-256-cbc for 3s on 1024 size blocks: 456773 aes-256-cbc's in 0.19s
Doing aes-256-cbc for 3s on 8192 size blocks: 91937 aes-256-cbc's in 0.05s
OpenSSL 1.0.1l-freebsd 15 Jan 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256-cbc 40531.67k 247985.15k 650191.67k 2494589.61k 16067155.29k
-
Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.
-
$ openssl speed aes-256-cbc
Doing aes-256 cbc for 3s on 16 size blocks: 5467107 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 1562852 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 403469 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 254859 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 32236 aes-256 cbc's in 3.00s
OpenSSL 1.0.1l-freebsd 15 Jan 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-256 cbc 29157.90k 33340.84k 34429.35k 86991.87k 88025.77k
With -multi 4 added on hardware (slower than single thread??)….
System
$ openssl speed -multi 4 -evp aes-256-cbc -engine cryptodev
engine "cryptodev" set.
Forked child 0
Forked child 1
+DT:aes-256-cbc:3:16
Forked child 2
+DT:aes-256-cbc:3:16
+DT:aes-256-cbc:3:16
+DT:aes-256-cbc:3:16
+R:836144:aes-256-cbc:3.000000
+R:824538:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:64
+DT:aes-256-cbc:3:64
+R:857528:aes-256-cbc:3.000000
+R:863606:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:64
+DT:aes-256-cbc:3:64
+R:811091:aes-256-cbc:3.000000
+R:787191:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:256
+DT:aes-256-cbc:3:256
+R:838909:aes-256-cbc:3.000000
+R:814793:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:256
+DT:aes-256-cbc:3:256
+R:657543:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:1024
+R:671720:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:1024
+R:682625:aes-256-cbc:3.000000
+R:679516:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:1024
+DT:aes-256-cbc:3:1024
+R:420495:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:8192
+R:418550:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:8192
+R:426774:aes-256-cbc:3.000000
+R:430329:aes-256-cbc:3.000000
+DT:aes-256-cbc:3:8192
+DT:aes-256-cbc:3:8192
+R:91002:aes-256-cbc:3.000000
+R:90558:aes-256-cbc:3.000000
+R:90635:aes-256-cbc:3.000000
+R:90792:aes-256-cbc:3.000000
Forked child 3
Got: +H:16:64:256:1024:8192 from 0
Got: +F:22:aes-256-cbc:4397536.00:16793408.00:56110336.00:142865066.67:248496128.00 from 0
Got: +H:16:64:256:1024:8192 from 1
Got: +F:22:aes-256-cbc:4459434.67:17303274.67:57320106.67:143528960.00:247283712.00 from 1
Got: +H:16:64:256:1024:8192 from 2
Got: +F:22:aes-256-cbc:4573482.67:17382250.67:57985365.33:145672192.00:247493973.33 from 2
Got: +H:16:64:256:1024:8192 from 3
Got: +F:22:aes-256-cbc:4605898.67:17896725.33:58250666.67:146885632.00:247922688.00 from 3
OpenSSL 1.0.1l-freebsd 15 Jan 2015
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
evp 18036.35k 69375.66k 229666.47k 578951.85k 991196.50k
-
Try to add "-elapsed" when you use the hardware engine, according to OpenSSL document this will perform better when using hardware crypto method.
But yeah, you see the difference with/without AES-NI already 8)
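
Added example, not part of the original posts: the `-elapsed` advice matters because `openssl speed` divides by the user-CPU time it prints at the end of each "Doing" line, which is why the cryptodev runs above report figures like 24072421.38k. This Python sketch recomputes throughput from the thread's own "Doing" lines, assuming the nominal 3 s interval is the wall-clock time; the function names are illustrative.

```python
import re

# "Doing ..." lines copied from two single-process runs posted in the thread.
CRYPTODEV_RUN = """\
Doing aes-256-cbc for 3s on 16 size blocks: 947833 aes-256-cbc's in 0.32s
Doing aes-256-cbc for 3s on 64 size blocks: 945487 aes-256-cbc's in 0.36s
Doing aes-256-cbc for 3s on 256 size blocks: 772576 aes-256-cbc's in 0.21s
Doing aes-256-cbc for 3s on 1024 size blocks: 457823 aes-256-cbc's in 0.20s
Doing aes-256-cbc for 3s on 8192 size blocks: 91829 aes-256-cbc's in 0.03s
"""
SOFTWARE_RUN = """\
Doing aes-256 cbc for 3s on 16 size blocks: 5467107 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 1562852 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 403469 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 254859 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 32236 aes-256 cbc's in 3.00s
"""

LINE = re.compile(r"Doing .+? for (\d+)s on (\d+) size blocks: (\d+) .+? in ([\d.]+)s")


def parse(text):
    """Return {block_size: (reported_kBps, wall_kBps, cpu_fraction)}."""
    rows = {}
    for wall, size, count, cpu in LINE.findall(text):
        wall, size, count, cpu = float(wall), int(size), int(count), float(cpu)
        total = size * count
        # Reported figure divides by the printed CPU time; assumption: loop ran `wall` s.
        reported = total / cpu / 1000 if cpu else float("inf")
        rows[size] = (reported, total / wall / 1000, cpu / wall)
    return rows


def looks_offloaded(rows, threshold=0.5):
    """True if user CPU stayed under `threshold` of wall time for every block size."""
    return bool(rows) and all(frac < threshold for _, _, frac in rows.values())


def speedup(engine_rows, software_rows):
    """Wall-clock throughput ratio per block size; below 1.0 means the engine run was slower."""
    return {s: engine_rows[s][1] / software_rows[s][1]
            for s in engine_rows if s in software_rows}


if __name__ == "__main__":
    hw, sw = parse(CRYPTODEV_RUN), parse(SOFTWARE_RUN)
    print("offloaded:", looks_offloaded(hw), looks_offloaded(sw))
    for size, ratio in speedup(hw, sw).items():
        print(f"{size:>5} B  reported {hw[size][0]:>12.0f}k  wall {hw[size][1]:>9.0f}k  x{ratio:.2f}")
```

The wall-clock figure for 8192-byte blocks comes out near 250 MB/s, in line with the per-child `+F` values in the `-multi 4` run above.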
-
Don't understand why you are testing without, in the "real world" you are never likely to be using the same chip without aes-ni
-
Don't understand why you are testing without, in the "real world" you are never likely to be using the same chip without aes-ni
I would assume just to see how much extra throughput is gained via AES-NI vs without.
-
Don't understand why you are testing without, in the "real world" you are never likely to be using the same chip without aes-ni
I would assume just to see how much extra throughput is gained via AES-NI vs without.
Yes but I don't see when you would be without it if you had a processor that supports it. Seems counterintuitive.
-
Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.
Where should I put "-multi 4" to run 4 encryption together?
Thank you
Ciao
-
Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.
Where should I put "-multi 4" to run 4 encryption together?
Thank you
Ciao
Read the posts above, answer is already there.
-
Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.
Where should I put "-multi 4" to run 4 encryption together?
Thank you
Ciao
Read the posts above, answer is already there.
I read that, but I'm a newbie and I don't know which file to edit.