Intel Celeron J3355B SoC Benchmarks (VPN & IPS): Budget Buy Performer!
-
If you had to guess what would you say this CPU would max at on 128-CBC?
-
I definitely would not have expected that much a difference from switching AES-256-CBC to AES-128-CBC. Maybe there's some peculiarity of the goldmont platform that's letting one pipeline better than the other, or maybe it's an interaction with OpenVPN on that platform.
Yeah, that was a big difference. The results on this page show a max throughput increase of ~130% switching from 258-CBC to 128-GCM, but only about 39% switching from 256-CBC to 128-CBC. Not all CPU's see this kind of improvement, but that looks similar to the performance improvements seen here although it looks like this is seeing ~+10% improvement over the best in the article.
EDIT: Maybe the SHA-NI is helping improve the performance? I haven't generally thought of SHA being a factor for OpenVPN throughput but maybe it is?
https://github.com/weidai11/cryptopp/issues/139#issuecomment-264283385
https://github.com/randombit/botan/issues/807 -
I was having a hard time getting my connection to max out while doing this test (I was using Steam downloads). So I only did a single threaded test with one client, it really makes no difference anyways since I have only one computer to test from.
FWIW, in my experience Steam can and will use multiple clients, even from the same machine. I did a lot of testing in the summer of last year when I was first working out performance issues with PIA and eventually settled on multiple tunnels. Again, FWIW.
-
So I ran pfSense on my J3355B with 2x4GB RAM and an i340-t4 @PCIev2.0x1.
For those that don’t know the J3355B is a $55 Fanless Goldmont SoC Celeron @ 2x2.0GHz turbo 2.5GHz.Great post and thanks for sharing. Do you have any additional details of the build you could share? I know it's more generic things, but the PSU/case etc if it's handy.
On a related note with the 3455 (4 core @ 1.5ghz) vs 3355 (2 core at 2.0ghz), what are users opinions on higher core speed vs more cores? In single threaded applications like OpenVPN (ignoring multiple tunnels here), would the 3355 be preferred with a 33% increase in core clock speed? Not looking to handle anything like gig speed yet, but a 100/100 connection over OpenVPN seems like a non-issue for this board especially once AES-NI gets fully baked.
Thanks!
-
The case was a ten year old gateway desktop case haha, the PSU was a picoPSU 80 non-WI. RAM was something out of an old laptop.
As far as the J3455 v J3355, for a 100/100 connection I think either one will push full line speed at AES-128-CBC without problems.
Beyond that it just comes down to do you want to pay a little more for two more cores? I wouldn't unless you actually need it just because you would be buying something you'll never use.Keep in mind that the J3455 mini-ITX board has physical x1 PCIe slot, so you will have to cut either the back slot out of the motherboard or the pins off of your NIC to make it fit. This is totally technically acceptable and will still max out 4 gigabit ports simultaneously, but obviously you can make a bad cut and brick whichever item you decide to cut. Also, if this is for a customer you obviously don't want to do a hack job like that.
You can get the J3455 in a micro-ATX ASUS board that has a physical x16 slot @ 1x and two more physical x1 slots which will get you up to 6 gigabit ports (i340-t4 in the x16 slot and single port intel gigabit cards in the x1 slots) without cutting anything, and up to 12 gigabit ports (3x i340-t4) if you do (the J3355 and 3455 CPU's support 6 lanes and you only need 3 to max out 12 gigabit ports simultaneously).
-
Great post and thanks for sharing. Do you have any additional details of the build you could share? I know it's more generic things, but the PSU/case etc if it's handy.
On a related note with the 3455 (4 core @ 1.5ghz) vs 3355 (2 core at 2.0ghz), what are users opinions on higher core speed vs more cores? In single threaded applications like OpenVPN (ignoring multiple tunnels here), would the 3355 be preferred with a 33% increase in core clock speed? Not looking to handle anything like gig speed yet, but a 100/100 connection over OpenVPN seems like a non-issue for this board especially once AES-NI gets fully baked.
Thanks!
I was wondering about this too, but thought that enabling speedstep and PowerD would even this out completely?
-
For this application you're probably better off with 2 slightly faster cores than 4 slightly slower cores. If there's a massive scalability improvement at the same time that you have a massive increase in bandwidth, you'll probably want a new machine at that point anyway.
-
Thanks again for the responses, seems like it's a great option and can be had for well under $300 even if you need to buy everything. Qotom and Zotac boxes look decent, but there's something special about building :).
-
You're welcome!
One think I have to say about qotom is that they try to sell their stuff under the guise of it being an official pfSense product, which it is not. I think that's a pretty shitty thing to do.
Their boxes have also never really appealed to me spec wise either. I would buy a used SFF desktop without a HDD off ebay, throw a NIC in it and install to flash drive before I bought a qotom box, but that's just my personal opinion.
-
Love the post and the possibility to build my first pfSense box on the cheap! Just ordered the board (which is rare to find in stock) and now I have to decide about the NIC's and a case. I have Intel EXPI9301CTBLK laying around, so if I use that for WAN and the board's built in NIC for LAN, would that be an acceptable solution?
And what's the smallest case can you guys recommend? I was really hoping I could get away with M350 and PicoPSU. Thanks for any input you can provide! -
IDK about the M350, I've never used one. Does it support PCIe cards (even with a riser card would work)?
Try out the NICs you have and if it doesn't work or causes problems then buy a dual+ port intel.
-
I ran a couple more benchmarks on the J3355B
IDS/IPS on Suricata:
https://forum.pfsense.org/index.php?topic=128572.msg709166#msg709166
@pfBasic:I'll report back with the IDS/IPS performance.
Well, IDS/IPS is certainly taxing but performance is greatly improved when not saturating one core with VPN.
On my J3355B:
I kept my 150/10 connection maxed out for a few minutes by downloading DOTA 2 on Steam.The max CPU I got off the 1 minute RRD's was 61.63% (this pretty well matches up to the top output). At that moment on the RRD graphs it equated to 103.58k pps.
This was using the Open ET & Snort Free rules, paired down to eliminate FP's. It's a home network and it was pretty inactive at the time of the test other than background processes.
Also, suricata, not snort which is single thread only.So IDS/IPS is definitely more CPU intensive than VPN on a modern AES-NI CPU.
That being said, the J3355 is a very low end passively cooled CPU.J3455 would likely get you in the 350Mbps range on suricata.
A G4560 will probably handle just about anything a home user can throw at it short of Gigabit WAN with all the packages or an expectation for line speed VPN.
Synthetic OpenVPN Benchmark FWIW:
https://forum.pfsense.org/index.php?topic=105238.msg709164#msg709164
@pfBasic:FWIW, J3355B:
AES-256-CBC : 291.2Mbps
AES-256-GCM: 302.0MbpsAES-128-CBC: 293.5Mbps
AES-128-GCM: 307.9Mbps#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.989u 0.015s 0:11.02 99.7% 819+178k 2+0io 0pf+0w #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.596u 0.023s 0:10.66 99.5% 817+178k 2+0io 0pf+0w #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.902u 0.015s 0:10.99 99.2% 821+178k 2+0io 0pf+0w #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm disabling NCP mode (--ncp-disable) because not in P2MP client or server mode 10.392u 0.015s 0:10.46 99.4% 818+177k 2+0io 0pf+0wThis remains the go-to CPU for the majority of home-use cases and plenty of small commercial setups IMO. Really excellent performance per dollar!
-
Sorry to bump an old thread, but in regards to your final recommendation of the G4560…
I found this: https://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.3514464
And am on the verge of pulling the trigger, is there anything that jumps out to you outside of price on why it may be wise to avoid this particular combo?
Thanks in advance!
-
Sorry to bump an old thread, but in regards to your final recommendation of the G4560…
I found this: https://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.3514464
And am on the verge of pulling the trigger, is there anything that jumps out to you outside of price on why it may be wise to avoid this particular combo?
Thanks in advance!
This link gives me: Sorry, the combo deal is no longer available.
-
https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=g4560&ignorear=0&N=-1&isNodeId=1
What about that?
It's the "CPU INTEL PENTIUM G4560 3.5GHz, ASROCK B250M mATX, 8G CORSAIR DDR4 2400" combo package.
-
https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=g4560&ignorear=0&N=-1&isNodeId=1
What about that?
It's the "CPU INTEL PENTIUM G4560 3.5GHz, ASROCK B250M mATX, 8G CORSAIR DDR4 2400" combo package.
Will work fine.
-
I'm looking to go from a tired asus rtac66u to a pfsense build which is not too expensive. this sort of setup looks appealing if I can keep the cost down.
I'm hoping someone can point me too a genuine new or used intel nic on ebay uk. The prices im seeing are like £150+
-
"I'm hoping someone can point me too a genuine new or used intel nic on ebay uk. The prices im seeing are like £150+"
I'm in Australia, and finding the occasionally cheap Intel based NIC isnt too hard (search for the something like "i219 dual nic" or "i211 dual nic"), but that is the only easy part about a self build. J3355 and J3455 boards are as rare as hens teeth around here it would seem, and frankly I'm not even sure most PC shops here have even heard of the ITX format.
I really want to build my own, but considering the J3x55 boards need a NIC card, the smallest case I can find is still about 6 times larger then either a Netgate option or a Qotom option, it just seems such a bulky waste of space and money from my end.
I looked at getting a ASRock H370M-ITX/ac (which has dual intel nics built in) but its $185 AU and I still need to add a $70 G4900 CPU ontop of that, plus case, RAM PSU etc… Its just stupidly expensive, and bulky.
If anyone has a line on a SMALL itx case that can take a NIC card I would be most interested to hear (the Coolmaster Elite M110 is the smallest I can get round here, and it can fit graphic cards in it :( ).
-
The SilverStone SST-ML09B is relatively small, but you need a low profile NIC for it.
-
The SilverStone SST-ML09B is relatively small, but you need a low profile NIC for it.
Thanks. I had looked at that one a couple of times, the desktop profile is certainly a better fit in my workspace then the m110 cube/square profile, but it is still the size of a fat DVD player. Its just hard to justify going that route when the alternative is a device that I can sit on my book case like the netgates or qotoms (which is a pity as I like building).
Its probably the smallest case available though if I do talk myself into building :)
