Intel Celeron J3355B SoC Benchmarks (VPN & IPS): Budget Buy Performer!


  • Banned

    So I ran pfSense on my J3355B with 2x4GB RAM and an i340-t4 @PCIev2.0x1.
    For those that don’t know the J3355B is a $55 Fanless Goldmont SoC Celeron @ 2x2.0GHz turbo 2.5GHz.

    https://ark.intel.com/products/95597/Intel-Celeron-Processor-J3355-2M-Cache-up-to-2_5-GHz
    https://www.amazon.com/ASRock-Motherboard-Combo-Motherboards-J3355B-ITX/dp/B01M9EXCYB
    https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726

    It’s exceptional at video playback (mine plays back this 400Mbps 4k HEVC 10 bit file @ ~20% CPU http://jell.yfish.us/media/jellyfish-400-mbps-4k-uhd-hevc-10bit.mkv). I’ve personally recommended it and the J3455 over and over for most pfSense hardware applications because they are very cheap, fanless, low power with good AES-NI.
    I’ve seen 0 feedback for them in the pfSense application so hopefully this is useful!

    I only have a 150/10 connection so that’s the most I could test for.
    The network firewall is a whitelist but doesn’t have a ton of rules. The network is IPv4 only and at the time I tested it probably had <5 clients on it.
    I didn’t do any rigorous testing or benchmarking, just fired it up and tried to max out my connection.
    All of these tests are over OpenVPN

    The first test I ran was the most strenuous:
    using suricata, pfBlockerNG, DNSBL on top of OpenVPN @ AES-256-CBC
    The VPN was using a Gateway group with 2xOpenVPN clients.

    This is the only test that my connection could max the CPU out on.
    It managed about 63Mbps before it maxed out.

    The second test used the same VPN settings but without the additional packages running.
    This test maxed out my internet connection @ ~70% CPU.

    The third test was the same as the second but with only one VPN client, so it only used a single core.
    It also performed at about 70%, only very slightly higher.

    For the next tests I turned down the encryption level to a more reasonable AES-128-CBC:
    I was having a hard time getting my connection to max out while doing this test (I was using Steam downloads). So I only did a single threaded test with one client, it really makes no difference anyways since I have only one computer to test from.

    The CPU yawned at AES-128-CBC.
    The fastest I was able to get to show up on the traffic graphs was 125Mbps @ ~29% (the Steam client showed sustained 19.1MBps/152Mbps @ ~33% for a little while but it doesn’t show up on the graphs).

    Looking at CPU usage @ 59Mbps shows ~15% shows that at least in the lower speed range CPU usage is scaling in a reasonably linear fashion with VPN throughput.
    If that continues on up the curve it looks like you can expect somewhere in the ballpark of 400Mbps single-threaded AES-128-CBC OpenVPN throughput without any heavy packages running from the $55 J3355B!

    It looks like this would also work for basic home use gigabit WAN.

    Not bad at all.

    I hope this is helpful to prospective buyers out there!

    ![00 all packages, gg.png](/public/imported_attachments/1/00 all packages, gg.png)
    ![00 all packages, gg.png_thumb](/public/imported_attachments/1/00 all packages, gg.png_thumb)
    ![01 no packages, gg.png](/public/imported_attachments/1/01 no packages, gg.png)
    ![01 no packages, gg.png_thumb](/public/imported_attachments/1/01 no packages, gg.png_thumb)
    ![03 no packages, single vpn client AES-128.png](/public/imported_attachments/1/03 no packages, single vpn client AES-128.png)
    ![02 no packages, single vpn client.png](/public/imported_attachments/1/02 no packages, single vpn client.png)
    ![03 no packages, single vpn client AES-128.png_thumb](/public/imported_attachments/1/03 no packages, single vpn client AES-128.png_thumb)
    ![02 no packages, single vpn client.png_thumb](/public/imported_attachments/1/02 no packages, single vpn client.png_thumb)



  • Well, that's the value of real world testing. :) I definitely would not have expected that much a difference from switching AES-256-CBC to AES-128-CBC. Maybe there's some peculiarity of the goldmont platform that's letting one pipeline better than the other, or maybe it's an interaction with OpenVPN on that platform. At any rate, great results.



  • Yes, this is excellent testing.

    Thank you for that!


  • Banned

    Yeah I'm glad it performed so well! You're very welcome!

    The J3355 and 3455 are at a very valuable price/performance point for most home use scenarios.


  • Banned

    @pfBasic:

    Looking at CPU usage @ 59Mbps shows ~15% shows that at least in the lower speed range CPU usage is scaling in a reasonably linear fashion with VPN throughput.
    If that continues on up the curve it looks like you can expect somewhere in the ballpark of 400Mbps AES-128-CBC OpenVPN throughput without any heavy packages running from the $55 J3355B!

    @VAMike, what are your thoughts on this? Is this an accurate estimation or does OpenVPN not scale linearly up to those speeds?



  • @pfBasic:

    @VAMike, what are your thoughts on this? Is this an accurate estimation or does OpenVPN not scale linearly up to those speeds?

    In my experience it's not a linear scale because different factors dominate at different data rates.


  • Banned

    If you had to guess what would you say this CPU would max at on 128-CBC?


  • Banned

    @VAMike:

    I definitely would not have expected that much a difference from switching AES-256-CBC to AES-128-CBC. Maybe there's some peculiarity of the goldmont platform that's letting one pipeline better than the other, or maybe it's an interaction with OpenVPN on that platform.

    Yeah, that was a big difference. The results on this page show a max throughput increase of ~130% switching from 258-CBC to 128-GCM, but only about 39% switching from 256-CBC to 128-CBC. Not all CPU's see this kind of improvement, but that looks similar to the performance improvements seen here although it looks like this is seeing ~+10% improvement over the best in the article.

    @pfBasic:

    https://calomel.org/aesni_ssl_performance.html

    EDIT: Maybe the SHA-NI is helping improve the performance? I haven't generally thought of SHA being a factor for OpenVPN throughput but maybe it is?
    https://github.com/weidai11/cryptopp/issues/139#issuecomment-264283385
    https://github.com/randombit/botan/issues/807



  • @pfBasic:

    I was having a hard time getting my connection to max out while doing this test (I was using Steam downloads). So I only did a single threaded test with one client, it really makes no difference anyways since I have only one computer to test from.

    FWIW, in my experience Steam can and will use multiple clients, even from the same machine.  I did a lot of testing in the summer of last year when I was first working out performance issues with PIA and eventually settled on multiple tunnels. Again, FWIW.



  • @pfBasic:

    So I ran pfSense on my J3355B with 2x4GB RAM and an i340-t4 @PCIev2.0x1.
    For those that don’t know the J3355B is a $55 Fanless Goldmont SoC Celeron @ 2x2.0GHz turbo 2.5GHz.

    Great post and thanks for sharing.  Do you have any additional details of the build you could share?  I know it's more generic things, but the PSU/case etc if it's handy.

    On a related note with the 3455 (4 core @ 1.5ghz) vs 3355 (2 core at 2.0ghz), what are users opinions on higher core speed vs more cores?  In single threaded applications like OpenVPN (ignoring multiple tunnels here), would the 3355 be preferred with a 33% increase in core clock speed?  Not looking to handle anything like gig speed yet, but a 100/100 connection over OpenVPN seems like a non-issue for this board especially once AES-NI gets fully baked.

    Thanks!


  • Banned

    The case was a ten year old gateway desktop case haha, the PSU was a picoPSU 80 non-WI. RAM was something out of an old laptop.

    As far as the J3455 v J3355, for a 100/100 connection I think either one will push full line speed at AES-128-CBC without problems.
    Beyond that it just comes down to do you want to pay a little more for two more cores? I wouldn't unless you actually need it just because you would be buying something you'll never use.

    Keep in mind that the J3455 mini-ITX board has physical x1 PCIe slot, so you will have to cut either the back slot out of the motherboard or the pins off of your NIC to make it fit. This is totally technically acceptable and will still max out 4 gigabit ports simultaneously, but obviously you can make a bad cut and brick whichever item you decide to cut. Also, if this is for a customer you obviously don't want to do a hack job like that.

    You can get the J3455 in a micro-ATX ASUS board that has a physical x16 slot @ 1x and two more physical x1 slots which will get you up to 6 gigabit ports (i340-t4 in the x16 slot and single port intel gigabit cards in the x1 slots) without cutting anything, and up to 12 gigabit ports (3x i340-t4) if you do (the J3355 and 3455 CPU's support 6 lanes and you only need 3 to max out 12 gigabit ports simultaneously).



  • @bsquared:

    Great post and thanks for sharing.  Do you have any additional details of the build you could share?  I know it's more generic things, but the PSU/case etc if it's handy.

    On a related note with the 3455 (4 core @ 1.5ghz) vs 3355 (2 core at 2.0ghz), what are users opinions on higher core speed vs more cores?  In single threaded applications like OpenVPN (ignoring multiple tunnels here), would the 3355 be preferred with a 33% increase in core clock speed?  Not looking to handle anything like gig speed yet, but a 100/100 connection over OpenVPN seems like a non-issue for this board especially once AES-NI gets fully baked.

    Thanks!

    I was wondering about this too, but thought that enabling speedstep and PowerD would even this out completely?



  • For this application you're probably better off with 2 slightly faster cores than 4 slightly slower cores. If there's a massive scalability improvement at the same time that you have a massive increase in bandwidth, you'll probably want a new machine at that point anyway.



  • Thanks again for the responses, seems like it's a great option and can be had for well under $300 even if you need to buy everything.  Qotom and Zotac boxes look decent, but there's something special about building :).


  • Banned

    You're welcome!

    One think I have to say about qotom is that they try to sell their stuff under the guise of it being an official pfSense product, which it is not. I think that's a pretty shitty thing to do.

    Their boxes have also never really appealed to me spec wise either. I would buy a used SFF desktop without a HDD off ebay, throw a NIC in it and install to flash drive before I bought a qotom box, but that's just my personal opinion.



  • Love the post and the possibility to build my first pfSense box on the cheap! Just ordered the board (which is rare to find in stock) and now I have to decide about the NIC's and a case. I have Intel EXPI9301CTBLK laying around, so if I use that for WAN and the board's built in NIC for LAN, would that be an acceptable solution?
    And what's the smallest case can you guys recommend? I was really hoping I could get away with M350 and PicoPSU. Thanks for any input you can provide!


  • Banned

    IDK about the M350, I've never used one. Does it support PCIe cards (even with a riser card would work)?

    Try out the NICs you have and if it doesn't work or causes problems then buy a dual+ port intel.


  • Banned

    I ran a couple more benchmarks on the J3355B

    IDS/IPS on Suricata:
    https://forum.pfsense.org/index.php?topic=128572.msg709166#msg709166
    @pfBasic:

    @pfBasic:

    I'll report back with the IDS/IPS performance.

    Well, IDS/IPS is certainly taxing but performance is greatly improved when not saturating one core with VPN.

    On my J3355B:
    I kept my 150/10 connection maxed out for a few minutes by downloading DOTA 2 on Steam.

    The max CPU I got off the 1 minute RRD's was 61.63% (this pretty well matches up to the top output). At that moment on the RRD graphs it equated to 103.58k pps.

    This was using the Open ET & Snort Free rules, paired down to eliminate FP's. It's a home network and it was pretty inactive at the time of the test other than background processes.
    Also, suricata, not snort which is single thread only.

    So IDS/IPS is definitely more CPU intensive than VPN on a modern AES-NI CPU.
    That being said, the J3355 is a very low end passively cooled CPU.

    J3455 would likely get you in the 350Mbps range on suricata.

    A G4560 will probably handle just about anything a home user can throw at it short of Gigabit WAN with all the packages or an expectation for line speed VPN.

    Synthetic OpenVPN Benchmark FWIW:
    https://forum.pfsense.org/index.php?topic=105238.msg709164#msg709164
    @pfBasic:

    FWIW, J3355B:

    AES-256-CBC : 291.2Mbps
    AES-256-GCM: 302.0Mbps

    AES-128-CBC: 293.5Mbps
    AES-128-GCM: 307.9Mbps

    
    #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
    disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    10.989u 0.015s 0:11.02 99.7%    819+178k 2+0io 0pf+0w
    #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
    disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    10.596u 0.023s 0:10.66 99.5%    817+178k 2+0io 0pf+0w
    #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
    disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    10.902u 0.015s 0:10.99 99.2%    821+178k 2+0io 0pf+0w
    #: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
    disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    10.392u 0.015s 0:10.46 99.4%    818+177k 2+0io 0pf+0w
    
    

    This remains the go-to CPU for the majority of home-use cases and plenty of small commercial setups IMO. Really excellent performance per dollar!



  • Sorry to bump an old thread, but in regards to your final recommendation of the G4560…

    I found this: https://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.3514464

    And am on the verge of pulling the trigger, is there anything that jumps out to you outside of price on why it may be wise to avoid this particular combo?

    Thanks in advance!



  • @ECSJay:

    Sorry to bump an old thread, but in regards to your final recommendation of the G4560…

    I found this: https://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.3514464

    And am on the verge of pulling the trigger, is there anything that jumps out to you outside of price on why it may be wise to avoid this particular combo?

    Thanks in advance!

    This link gives me: Sorry, the combo deal is no longer available.



  • https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=g4560&ignorear=0&N=-1&isNodeId=1

    What about that?

    It's the "CPU INTEL PENTIUM G4560 3.5GHz, ASROCK B250M mATX, 8G CORSAIR DDR4 2400" combo package.



  • @ECSJay:

    https://www.newegg.com/Product/ProductList.aspx?Submit=ENE&DEPA=0&Order=BESTMATCH&Description=g4560&ignorear=0&N=-1&isNodeId=1

    What about that?

    It's the "CPU INTEL PENTIUM G4560 3.5GHz, ASROCK B250M mATX, 8G CORSAIR DDR4 2400" combo package.

    Will work fine.



  • I'm looking to go from a tired asus rtac66u to a pfsense build which is not too expensive. this sort of setup looks appealing if I can keep the cost down.

    I'm hoping someone can point me too a genuine new or used intel nic on ebay uk. The prices im seeing are like £150+



  • "I'm hoping someone can point me too a genuine new or used intel nic on ebay uk. The prices im seeing are like £150+"

    I'm in Australia, and finding the occasionally cheap Intel based NIC isnt too hard (search for the something like "i219 dual nic" or "i211 dual nic"), but that is the only easy part about a self build.  J3355 and J3455 boards are as rare as hens teeth around here it would seem, and frankly I'm not even sure most PC shops here have even heard of the ITX format.

    I really want to build my own, but considering the J3x55 boards need a NIC card, the smallest case I can find is still about 6 times larger then either a Netgate option or a Qotom option, it just seems such a bulky waste of space and money from my end.

    I looked at getting a ASRock H370M-ITX/ac (which has dual intel nics built in) but its $185 AU and I still need to add a $70  G4900 CPU ontop of that, plus case, RAM PSU etc…  Its just stupidly expensive, and bulky.

    If anyone has a line on a SMALL itx case that can take a NIC card I would be most interested to hear (the Coolmaster Elite M110 is the smallest I can get round here, and it can fit graphic cards in it :(  ).



  • The SilverStone SST-ML09B is relatively small, but you need a low profile NIC for it.



  • @Grimson:

    The SilverStone SST-ML09B is relatively small, but you need a low profile NIC for it.

    Thanks. I had looked at that one a couple of times, the desktop profile is certainly a better fit in my workspace then the m110 cube/square profile, but it is still the size of a fat DVD player.  Its just hard to justify going that route when the alternative is a device that I can sit on my book case like the netgates or qotoms (which is a pity as I like building).

    Its probably the smallest case available though if I do talk myself into building :)



  • @glint.bladesong:

    @Grimson:

    The SilverStone SST-ML09B is relatively small, but you need a low profile NIC for it.

    Thanks. I had looked at that one a couple of times, the desktop profile is certainly a better fit in my workspace then the m110 cube/square profile, but it is still the size of a fat DVD player.  Its just hard to justify going that route when the alternative is a device that I can sit on my book case like the netgates or qotoms (which is a pity as I like building).

    Its probably the smallest case available though if I do talk myself into building :)

    http://www.mini-box.com/M300-Enclosure-w-Bootable-CF-Reader_2
    http://www.travla.com/business/index.php?id_product=87&controller=product
    There are others, but you tend to be limited less by the expansion card than by the fact that anything that small doesn't use a standard power supply. If you go up a little in width there are more options using sff ps's. For keywords use "mitx case pcie riser" to get one that has the slot horizontal instead of vertical.