Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PC Engines apu2 experiences

    Scheduled Pinned Locked Moved Hardware
    711 Posts 73 Posters 759.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TheWaterbug @VAMike
      last edited by TheWaterbug

      @vamike said in PC Engines apu2 experiences:

      @thewaterbug said in PC Engines apu2 experiences:

      I suppose I got confused because I purchased this from Netgate in 2014 as a " Netgate APU2".

      yes, it's been confusing people for years. all the netgate apu's were based on the older pcengines apu1 design, regardless of their naming convention.

      Aha! Thank you. I am very slightly less confused, now.

      So I apparently have only a dual-core box with no AES-NI support. And the PCEngines "APU2xxx" was never sold by Netgate, correct?

      Does my Netgate APU unit then belong in the "Official Netgate Hardware" forum?

      stephenw10S 1 Reply Last reply Reply Quote 0
      • T
        TheWaterbug @TheWaterbug
        last edited by

        @thewaterbug said in PC Engines apu2 experiences:

        How does the APU2 stack up against the MBT-2220, performance-wise, for running pfsense, IPSec, and OpenVPN? ...

        The APU2 has: "AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache."

        while the MBT-2220 has: "Intel Atom E3826 (2 x 1.46 GHz, 1MB cache, AES-NI)"

        That comparison was inaccurate, since I have an APU1, not an APU2. The correct comparison is now:

        The APU1 has: "AMD G series T40E APU, 1 GHz dual core (Bobcat core) with 64 bit support, 32K data + 32K instruction + 512KB L2 cache per core."

        while the MBT-2220 has: "Intel Atom E3826 (2 x 1.46 GHz, 1MB cache, AES-NI)"

        So my spiffy new MBT-2220 units are clearly more performant than my old APU units, especially for anything that can use AES-NI acceleration.

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator @TheWaterbug
          last edited by

          @thewaterbug said in PC Engines apu2 experiences:

          Does my Netgate APU unit then belong in the "Official Netgate Hardware" forum?

          You can open a thread there but there are a lot of APU users who did not purchase through our store. You might well get more views here.

          Steve

          1 Reply Last reply Reply Quote 0
          • T
            TheWaterbug
            last edited by

            ^^
            Then I'll keep it here, where I get more views!

            By this weekend I should have one of my APU units re-installed with 2.4.4 and an IPSec tunnel to an MBT-2220 running 2.4.4. Can I use iperf between them to measure tunnel performance? Max line rate is only 20 Mbps.

            If I can saturate that with AES turn on (software only) then there's no urgency to upgrade the hardware.

            S 1 Reply Last reply Reply Quote 0
            • S
              Stewart @TheWaterbug
              last edited by

              @thewaterbug

              We used to use the APU1C2 before changing to the APU2C4 with the advent of 2.5 needing aes-ni. We tested them at 300Mbps and, although I don't recall actual numbers for AES in software we were able to get decent speeds and nobody complained. I think you'll be fine with 20Mbps.

              1 Reply Last reply Reply Quote 0
              • T
                TheWaterbug
                last edited by

                Thanks! I guess I missed the very loud debate about 2.5 requiring AES-NI. I'll probably limp along with my ancient hardware until support for 2.4 goes away.

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  It should be no problem at 20Mbps. 😉
                  2.5 is still a way out.

                  Steve

                  1 Reply Last reply Reply Quote 1
                  • V
                    VAMike
                    last edited by

                    and who knows, maybe by the time 2.5 comes along, they will have backed off this pointless aes-ni requirement and won't force retirement of working hardware.

                    1 Reply Last reply Reply Quote 1
                    • S
                      Stewart
                      last edited by

                      @vamike

                      While I wish they didn't implement it to be mandatory until the next major revision (and maybe 2.5 is a major revision, idk), I really don't see much of a problem. They gave us something like 2 years notice and 2.4 will be supported for at least a year after 2.5 is released which is likely still some months away as FreeBSD12 isn't even out yet. By that time most of us will have more old equipment that supports aes-ni laying around. For my company it means having to spend about another $1,500 in hardware to replace 6 more devices with APU2s but that's a small price compared to purchasing the alternatives.

                      I do feel bad for people who paid money for devices specifically for pfSense, like the APU1 series, only to find it will be retired 3 years later but the 2.4 line will still work in the them without issue forever. You still get 5 years of supported service life out of the equipment. The other big name firewalls we use are SonicWall and they don't offer anything beyond the 5 year mark, either.

                      I don't know what precipitated the requirement but I appreciate the big heads up. I hope it's for more than VPN traffic and it is somehow used foundationally to further enhance security. I also hope it clears up the confusion as to what the aes-ni settings should be to get the best performance out of our boxes. I guess we'll see once it launches.

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        VAMike @Stewart
                        last edited by

                        @stewart said in PC Engines apu2 experiences:

                        While I wish they didn't implement it to be mandatory until the next major revision (and maybe 2.5 is a major revision, idk), I really don't see much of a problem. They gave us something like 2 years notice and 2.4 will be supported for at least a year after 2.5 is released which is likely still some months away as FreeBSD12 isn't even out yet. By that time most of us will have more old equipment that supports aes-ni laying around. For my company it means having to spend about another $1,500 in hardware to replace 6 more devices with APU2s but that's a small price compared to purchasing the alternatives.

                        That would all be reasonable--if there were a compelling reason to force the obsolescence. Since there isn't, it's just obnoxious.

                        I don't know what precipitated the requirement but I appreciate the big heads up.

                        As far as I can tell, poking the china box vendors in the eye was what precipitated the requirement.

                        I hope it's for more than VPN traffic and it is somehow used foundationally to further enhance security. I also hope it clears up the confusion as to what the aes-ni settings should be to get the best performance out of our boxes. I guess we'll see once it launches.

                        You leave the settings alone; the confusion is mostly people who don't know what they're doing repeating things they've read on reddit that were written by other people who don't know what they're doing. I would not be at all surprised if there are people pushing "tricks" to "speed up" crypto by doing idiotic things to override the defaults long after 2.5 is released.

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          Stewart @VAMike
                          last edited by

                          @vamike

                          @vamike said in PC Engines apu2 experiences:

                          You leave the settings alone; the confusion is mostly people who don't know what they're doing repeating things they've read on reddit that were written by other people who don't know what they're doing. I would not be at all surprised if there are people pushing "tricks" to "speed up" crypto by doing idiotic things to override the defaults long after 2.5 is released.

                          Maybe that's the way it is now but it's hasn't always been clear. At one time there was a lot of discussion as to what to set where as the results were all over the place depending on the hardware you had. Right now, do you select hardware or software decryption? Or none at all? It all depends on your hardware and which encrypting you are doing.

                          V 1 Reply Last reply Reply Quote 0
                          • V
                            VAMike @Stewart
                            last edited by VAMike

                            @stewart said in PC Engines apu2 experiences:

                            @vamike

                            @vamike said in PC Engines apu2 experiences:

                            You leave the settings alone; the confusion is mostly people who don't know what they're doing repeating things they've read on reddit that were written by other people who don't know what they're doing. I would not be at all surprised if there are people pushing "tricks" to "speed up" crypto by doing idiotic things to override the defaults long after 2.5 is released.

                            Maybe that's the way it is now but it's hasn't always been clear. At one time there was a lot of discussion as to what to set where as the results were all over the place depending on the hardware you had. Right now, do you select hardware or software decryption? Or none at all? It all depends on your hardware and which encrypting you are doing.

                            It's been pretty clear except for people posting misunderstood and misleading openssl benchmark results and shooting themselves in the foot. The discussions mostly revolved around fanciful numbers in which screwing up the config would magically make a system do crypto even faster than it could access memory. Just leave it alone has been the correct action for a long time.

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              Mmm, that sslspeed thread was.... um...wild!

                              The default settings should work well for most. Some tuning can help. The asynchronous-crypto setting in 2.4.4 can dramatically increase ipsec throughput in some situations but can also break it in some edge cases so it not enabled by default in CE.

                              Steve

                              1 Reply Last reply Reply Quote 0
                              • D
                                dugeem
                                last edited by

                                PC Engines / 3mdeb have released a new legacy coreboot BIOS v4.0.23.

                                Interestingly the release notes (https://pcengines.github.io/#lr-15) note that ECC is enabled with this release.

                                So on my test APU2 apu2c4 I've updated the BIOS from v4.0.7 to v4.0.23. All working well although only storage in use is a 32GB mSATA card.

                                Unfortunately command dmidecode -t 17 (this should dump memory config) does not work with coreboot - so it is not easy to verify to determine if ECC is actually working. Just have to wait for some cosmic rays or something ...

                                QinnQ 1 Reply Last reply Reply Quote 1
                                • QinnQ
                                  Qinn @dugeem
                                  last edited by

                                  @dugeem Thanks for sharing the result, I just upgraded from v4.0.18 to v4.0.23, all went well (for now ;) )

                                  Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                  Firmware: Latest-stable-pfSense CE (amd64)
                                  Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    dugeem
                                    last edited by dugeem

                                    PC Engines / 3mdeb have released another new legacy coreboot BIOS v4.0.24.

                                    The release notes (https://pcengines.github.io/#lr-16) note that CPB is now enabled with this release. CPB = Core Performance Boost ... the AMD equivalent of Intel Turbo Boost.

                                    On my test pfSense system (2.4.4-RELEASE-p2) I'm seeing a useful 5-10% improvement in single core task performance.

                                    Example using openssl:

                                    openssl speed -elapsed -evp aes-128-gcm
                                    ...
                                    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
                                    aes-128-gcm      52651.25k   134318.72k   296380.07k   408489.98k   482383.19k
                                    

                                    PowerD is enabled in adaptive mode. No significant change in CPU temperature was observed.

                                    /boot/loader.conf.local
                                    #hw.acpi.cpu.cx_lowest=C2
                                    hw.igb.rx_process_limit=-1

                                    Kudos to PC Engines & 3mdeb for these continuing BIOS improvements.

                                    Edit: the hints hint.p4tcc.0.disabled & hint.acpi_throttle.0.disabled in loader.conf.local are no longer required as they are now defaults in /boot/device.hints
                                    Edit2: hw.acpi.cpu.cx_lowest=C2 does not apply from loader.conf.local

                                    QinnQ 1 Reply Last reply Reply Quote 0
                                    • QinnQ
                                      Qinn @dugeem
                                      last edited by Qinn

                                      I am on Bios v4.0.24 also.

                                      edit: noticed that CPU temperature dropped. Normally it was around 54c now it's around 47c.

                                      Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                      Firmware: Latest-stable-pfSense CE (amd64)
                                      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                      1 Reply Last reply Reply Quote 0
                                      • K
                                        keen
                                        last edited by

                                        i must upgrade my APU, but i would like to know why we can not use Mainline releases...

                                        VeldkornetV 1 Reply Last reply Reply Quote 0
                                        • VeldkornetV
                                          Veldkornet @keen
                                          last edited by

                                          @keen said in PC Engines apu2 experiences:

                                          i must upgrade my APU, but i would like to know why we can not use Mainline releases...

                                          I use mainline, no problems here.

                                          I’m on 4.9.0.2 currently.

                                          QinnQ 1 Reply Last reply Reply Quote 0
                                          • QinnQ
                                            Qinn
                                            last edited by Qinn

                                            Please read this
                                            http://www.pcengines.info/forums/?page=post&id=6D2EEC40-5928-463B-8BAE-7C74A46B2060&fid=DF5ACB70-99C4-4C61-AFA6-4C0E0DB05B2A

                                            Cheers Qinn

                                            https://pcengines.github.io/#mr-19

                                            Hardeware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                            Firmware: Latest-stable-pfSense CE (amd64)
                                            Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.