    [Many Pics] My new silent firewall build

    23 Posts 5 Posters 8.1k Views
    • E
      edwardwong
      last edited by

      BTW, I'm still using 4GB USB memory running nanobsd, and thinking about re-using an old 16GB PCI-e SSD from an Asus EEEPC for a full install.
      I'm actually wondering, why can't we use HAVP + Proxy with nanobsd with more memory as cache?

      1 Reply Last reply Reply Quote 0
      • E
        Engineer
        last edited by

        @edwardwong,

        Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours.  Can you give the syntax (assuming it's built into pfsense / FreeBSD)?

        Just curious as to how the two boards stack up with AES-NI and without?

        1 Reply Last reply Reply Quote 0
        • E
          edwardwong
          last edited by

          @Engineer:

          @edwardwong,

          Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours.  Can you give the syntax (assuming it's built into pfsense / FreeBSD)?

          Just curious as to how the two boards stack up with AES-NI and without?

          I did the test with reference to this document:
          https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

          Of course this is not an accurate test, the most accurate one should be doing this with 2 clients, but I don't have time so trying to use this as a simple reference.

          1 Reply Last reply Reply Quote 0
          • E
            Engineer
            last edited by

            @edwardwong:

            @Engineer:

            @edwardwong,

            Since you mentioned the Supermicro X11SBA-LN4F ITX and I have a 'hardware repaired one' (see thread posted earlier - the long one), I would like to run the OpenSSL test that you did on yours.  Can you give the syntax (assuming it's built into pfsense / FreeBSD)?

            Just curious as to how the two boards stack up with AES-NI and without?

            I did the test with reference to this document:
            https://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

            Of course this is not an accurate test, the most accurate one should be doing this with 2 clients, but I don't have time so trying to use this as a simple reference.

            Here's what I came up with (modified to 256 from the 128 command since you stated 256)….

            $ openssl speed -evp aes-256-cbc -engine cryptodev
            engine "cryptodev" set.
            Doing aes-256-cbc for 3s on 16 size blocks: 947833 aes-256-cbc's in 0.32s
            Doing aes-256-cbc for 3s on 64 size blocks: 945487 aes-256-cbc's in 0.36s
            Doing aes-256-cbc for 3s on 256 size blocks: 772576 aes-256-cbc's in 0.21s
            Doing aes-256-cbc for 3s on 1024 size blocks: 457823 aes-256-cbc's in 0.20s
            Doing aes-256-cbc for 3s on 8192 size blocks: 91829 aes-256-cbc's in 0.03s
            OpenSSL 1.0.1l-freebsd 15 Jan 2015
            built on: date not available
            options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
            compiler: clang
            The 'numbers' are in 1000s of bytes per second processed.
            type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
            aes-256-cbc      47345.41k  168378.90k  937621.12k  2307991.39k 24072421.38k

            1 Reply Last reply Reply Quote 0
            • E
              edwardwong
              last edited by

              Yeah….the AES-NI contributes a lot, can you run it again without crypto engine? I would like to compare, from some other online examples, the AES-NI speeds up about 5-10x

              1 Reply Last reply Reply Quote 0
              • E
                Engineer
                last edited by

                @edwardwong:

                Yeah….the AES-NI contributes a lot, can you run it again without crypto engine? I would like to compare, from some other online examples, the AES-NI speeds up about 5-10x

                Something wrong.  Numbers are as good or better.  Do I need to turn off AES-NI in the settings menu?

                Edit:  Turned off AES-NI in the Advanced menu but no difference (I didn't reboot - like my current 98 days uptime).  Anyone have thoughts on why no change?

                $ openssl speed -evp aes-256-cbc
                Doing aes-256-cbc for 3s on 16 size blocks: 949961 aes-256-cbc's in 0.38s
                Doing aes-256-cbc for 3s on 64 size blocks: 968692 aes-256-cbc's in 0.25s
                Doing aes-256-cbc for 3s on 256 size blocks: 793691 aes-256-cbc's in 0.31s
                Doing aes-256-cbc for 3s on 1024 size blocks: 456773 aes-256-cbc's in 0.19s
                Doing aes-256-cbc for 3s on 8192 size blocks: 91937 aes-256-cbc's in 0.05s
                OpenSSL 1.0.1l-freebsd 15 Jan 2015
                built on: date not available
                options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                compiler: clang
                The 'numbers' are in 1000s of bytes per second processed.
                type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                aes-256-cbc      40531.67k  247985.15k  650191.67k  2494589.61k 16067155.29k

                1 Reply Last reply Reply Quote 0
                • E
                  edwardwong
                  last edited by

                  Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
                  But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                  1 Reply Last reply Reply Quote 0
                  • E
                    Engineer
                    last edited by

                    $ openssl speed aes-256-cbc
                    Doing aes-256 cbc for 3s on 16 size blocks: 5467107 aes-256 cbc's in 3.00s
                    Doing aes-256 cbc for 3s on 64 size blocks: 1562852 aes-256 cbc's in 3.00s
                    Doing aes-256 cbc for 3s on 256 size blocks: 403469 aes-256 cbc's in 3.00s
                    Doing aes-256 cbc for 3s on 1024 size blocks: 254859 aes-256 cbc's in 3.00s
                    Doing aes-256 cbc for 3s on 8192 size blocks: 32236 aes-256 cbc's in 3.00s
                    OpenSSL 1.0.1l-freebsd 15 Jan 2015
                    built on: date not available
                    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                    compiler: clang
                    The 'numbers' are in 1000s of bytes per second processed.
                    type            16 bytes    64 bytes    256 bytes  1024 bytes  8192 bytes
                    aes-256 cbc      29157.90k    33340.84k    34429.35k    86991.87k    88025.77k

                    With -multi 4 added on hardware (slower than single thread??)….

                    System

                    $ openssl speed -multi 4 -evp aes-256-cbc -engine cryptodev
                    engine "cryptodev" set.
                    Forked child 0
                    Forked child 1
                    +DT:aes-256-cbc:3:16
                    Forked child 2
                    +DT:aes-256-cbc:3:16
                    +DT:aes-256-cbc:3:16
                    +DT:aes-256-cbc:3:16
                    +R:836144:aes-256-cbc:3.000000
                    +R:824538:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:64
                    +DT:aes-256-cbc:3:64
                    +R:857528:aes-256-cbc:3.000000
                    +R:863606:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:64
                    +DT:aes-256-cbc:3:64
                    +R:811091:aes-256-cbc:3.000000
                    +R:787191:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:256
                    +DT:aes-256-cbc:3:256
                    +R:838909:aes-256-cbc:3.000000
                    +R:814793:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:256
                    +DT:aes-256-cbc:3:256
                    +R:657543:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:1024
                    +R:671720:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:1024
                    +R:682625:aes-256-cbc:3.000000
                    +R:679516:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:1024
                    +DT:aes-256-cbc:3:1024
                    +R:420495:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:8192
                    +R:418550:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:8192
                    +R:426774:aes-256-cbc:3.000000
                    +R:430329:aes-256-cbc:3.000000
                    +DT:aes-256-cbc:3:8192
                    +DT:aes-256-cbc:3:8192
                    +R:91002:aes-256-cbc:3.000000
                    +R:90558:aes-256-cbc:3.000000
                    +R:90635:aes-256-cbc:3.000000
                    +R:90792:aes-256-cbc:3.000000
                    Forked child 3
                    Got: +H:16:64:256:1024:8192 from 0
                    Got: +F:22:aes-256-cbc:4397536.00:16793408.00:56110336.00:142865066.67:248496128.00 from 0
                    Got: +H:16:64:256:1024:8192 from 1
                    Got: +F:22:aes-256-cbc:4459434.67:17303274.67:57320106.67:143528960.00:247283712.00 from 1
                    Got: +H:16:64:256:1024:8192 from 2
                    Got: +F:22:aes-256-cbc:4573482.67:17382250.67:57985365.33:145672192.00:247493973.33 from 2
                    Got: +H:16:64:256:1024:8192 from 3
                    Got: +F:22:aes-256-cbc:4605898.67:17896725.33:58250666.67:146885632.00:247922688.00 from 3
                    OpenSSL 1.0.1l-freebsd 15 Jan 2015
                    built on: date not available
                    options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
                    compiler: clang
                    evp              18036.35k    69375.66k  229666.47k  578951.85k  991196.50k

                    1 Reply Last reply Reply Quote 0
                    • E
                      edwardwong
                      last edited by

                      Try to add "-elapsed" when you use the hardware engine, according to OpenSSL document this will perform better when using hardware crypto method.

                      But yeah, you see the difference with/without AES-NI already  8)

                      1 Reply Last reply Reply Quote 0
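The effect of the `-elapsed` option mentioned above, worked through on the two single-process runs posted earlier in this thread. This is an added example, not part of any post: by default `openssl speed` divides by user CPU time, while `-elapsed` divides by wall-clock time. The function names are hypothetical, and the wall-clock figures assume each timed run lasted the 3 seconds requested.

```python
import re

# Matches both name styles seen in the posts: "aes-256-cbc" and "aes-256 cbc".
LINE = re.compile(
    r"Doing (?P<alg>.+?) for (?P<secs>\d+)s on (?P<size>\d+) size blocks: "
    r"(?P<count>\d+) .+?'s in (?P<cpu>[\d.]+)s"
)

# Lines copied from the "-evp ... -engine cryptodev" run posted in this thread.
EVP_CRYPTODEV = """\
Doing aes-256-cbc for 3s on 16 size blocks: 947833 aes-256-cbc's in 0.32s
Doing aes-256-cbc for 3s on 64 size blocks: 945487 aes-256-cbc's in 0.36s
Doing aes-256-cbc for 3s on 256 size blocks: 772576 aes-256-cbc's in 0.21s
Doing aes-256-cbc for 3s on 1024 size blocks: 457823 aes-256-cbc's in 0.20s
Doing aes-256-cbc for 3s on 8192 size blocks: 91829 aes-256-cbc's in 0.03s
"""
# Lines copied from the plain "openssl speed aes-256-cbc" run (no -evp).
SOFTWARE = """\
Doing aes-256 cbc for 3s on 16 size blocks: 5467107 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 64 size blocks: 1562852 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 256 size blocks: 403469 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 1024 size blocks: 254859 aes-256 cbc's in 3.00s
Doing aes-256 cbc for 3s on 8192 size blocks: 32236 aes-256 cbc's in 3.00s
"""

def parse_speed(text):
    """Return {block_size: throughput in 1000s of bytes/s}, computed two ways."""
    rows = {}
    for m in LINE.finditer(text):
        size, count = int(m["size"]), int(m["count"])
        secs, cpu = int(m["secs"]), float(m["cpu"])
        total = size * count
        rows[size] = {
            "cpu_s": cpu,
            # Default basis of the summary table: bytes / user CPU time.
            "k_cpu": total / cpu / 1000 if cpu else float("inf"),
            # Assumption: the run took the requested `secs` of wall-clock
            # time, which is the divisor -elapsed uses.
            "k_wall": total / secs / 1000,
        }
    return rows

def wall_clock_ratio(accel, soft):
    """Accelerated vs software throughput per block size, wall-clock basis."""
    return {s: round(accel[s]["k_wall"] / soft[s]["k_wall"], 2)
            for s in accel if s in soft}

if __name__ == "__main__":
    hw, sw = parse_speed(EVP_CRYPTODEV), parse_speed(SOFTWARE)
    for size, ratio in wall_clock_ratio(hw, sw).items():
        print(f"{size:>5} B  cpu-basis {hw[size]['k_cpu']:>14.2f}k  "
              f"wall-basis {hw[size]['k_wall']:>12.2f}k  vs software x{ratio}")
```

The per-child `+F` figures in the `-multi 4` output are already on the wall-clock basis: child 0's 8192-byte figure of 248496128.00 is 91002 × 8192 / 3.000000.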
                      • K
                        Keljian
                        last edited by

                        Don't understand why you are testing without, in the "real world" you are never likely to be using the same chip without aes-ni

                        1 Reply Last reply Reply Quote 0
                        • E
                          Engineer
                          last edited by

                          @Keljian:

                          Don't understand why you are testing without, in the "real world" you are never likely to be using the same chip without aes-ni

                          I would assume just to see how much extra throughput is gained via AES-NI vs without.

                          1 Reply Last reply Reply Quote 0
                          • K
                            Keljian
                            last edited by

                            @Engineer:

                            @Keljian:

                            Don't understand why you are testing without, in the "real world" you are never likely to be using the same chip without aes-ni

                            I would assume just to see how much extra throughput is gained via AES-NI vs without.

                            Yes but I don't see when you would be without it if you had a processor that supports it. Seems counterintuitive.

                            1 Reply Last reply Reply Quote 0
                            • L
                              Limbi
                              last edited by

                              @edwardwong:

                              Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
                              But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                              Where should I put "-multi 4" to run 4 encryption together?
                              Thank you

                              Ciao

                              AMD Athlon 5350 @2.1Ghz
                              Asus AM1M-A
                              Kingston 4GB 1R 1600EC11 @C10
                              Kingston V300 60GB
                              Intel Pro/1000 PT dual (wan+lan)
                              OEM 90w psu
                              80mm case fan
                              100/20M vdsl2+ internet connection
                              pfsense 2.3.3dev
                              some package installed

                              1 Reply Last reply Reply Quote 0
                              • E
                                edwardwong
                                last edited by

                                @Limbi:

                                @edwardwong:

                                Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
                                But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                                Where should I put "-multi 4" to run 4 encryption together?
                                Thank you

                                Ciao

                                Read the posts above, answer is already there.

                                1 Reply Last reply Reply Quote 0
                                • L
                                  Limbi
                                  last edited by

                                  @edwardwong:

                                  @Limbi:

                                  @edwardwong:

                                  Try not to use -evp option, it looks like everything with this option will trigger the hardware engine. And your CPU is quad core, you can actually put a "-multi 4" as the option to run 4 encryption together.
                                  But that's quite interesting, because I owned a higher end processor, the Avoton C2550, and the number with 4 threads together is half of your single thread. Not sure if this is the problem with the OpenSSL on my Linux server (yes, this is not a pfSense machine). I suppose my Avoton should be running a lot faster compared with your N3700.

                                  Where should I put "-multi 4" to run 4 encryption together?
                                  Thank you

                                  Ciao

                                  Read the posts above, answer is already there.

                                  I read that, but I'm a newbie and I don't know which file to edit.

                                  AMD Athlon 5350 @2.1Ghz
                                  Asus AM1M-A
                                  Kingston 4GB 1R 1600EC11 @C10
                                  Kingston V300 60GB
                                  Intel Pro/1000 PT dual (wan+lan)
                                  OEM 90w psu
                                  80mm case fan
                                  100/20M vdsl2+ internet connection
                                  pfsense 2.3.3dev
                                  some package installed

                                  1 Reply Last reply Reply Quote 0