Intel Celeron J3355B SoC Benchmarks (VPN & IPS): Budget Buy Performer!

pfBasic

So I ran pfSense on my J3355B with 2x4GB RAM and an i340-t4 @PCIev2.0x1.
For those that don’t know the J3355B is a $55 Fanless Goldmont SoC Celeron @ 2x2.0GHz turbo 2.5GHz.

https://ark.intel.com/products/95597/Intel-Celeron-Processor-J3355-2M-Cache-up-to-2_5-GHz
https://www.amazon.com/ASRock-Motherboard-Combo-Motherboards-J3355B-ITX/dp/B01M9EXCYB
https://www.newegg.com/Product/Product.aspx?Item=N82E16813157726

It’s exceptional at video playback (mine plays back this 400Mbps 4k HEVC 10 bit file @ ~20% CPU http://jell.yfish.us/media/jellyfish-400-mbps-4k-uhd-hevc-10bit.mkv). I’ve personally recommended it and the J3455 over and over for most pfSense hardware applications because they are very cheap, fanless, low power with good AES-NI.
I’ve seen 0 feedback for them in the pfSense application so hopefully this is useful!

I only have a 150/10 connection so that’s the most I could test for.
The network firewall is a whitelist but doesn’t have a ton of rules. The network is IPv4 only and at the time I tested it probably had <5 clients on it.
I didn’t do any rigorous testing or benchmarking, just fired it up and tried to max out my connection.
All of these tests are over OpenVPN

The first test I ran was the most strenuous:
using suricata, pfBlockerNG, DNSBL on top of OpenVPN @ AES-256-CBC
The VPN was using a Gateway group with 2xOpenVPN clients.

This is the only test that my connection could max the CPU out on.
It managed about 63Mbps before it maxed out.

The second test used the same VPN settings but without the additional packages running.
This test maxed out my internet connection @ ~70% CPU.

The third test was the same as the second but with only one VPN client, so it only used a single core.
It also performed at about 70%, only very slightly higher.

For the next tests I turned down the encryption level to a more reasonable AES-128-CBC:
I was having a hard time getting my connection to max out while doing this test (I was using Steam downloads). So I only did a single threaded test with one client, it really makes no difference anyways since I have only one computer to test from.

The CPU yawned at AES-128-CBC.
The fastest I was able to get to show up on the traffic graphs was 125Mbps @ ~29% (the Steam client showed sustained 19.1MBps/152Mbps @ ~33% for a little while but it doesn’t show up on the graphs).

Looking at CPU usage @ 59Mbps shows ~15% shows that at least in the lower speed range CPU usage is scaling in a reasonably linear fashion with VPN throughput.
If that continues on up the curve it looks like you can expect somewhere in the ballpark of 400Mbps single-threaded AES-128-CBC OpenVPN throughput without any heavy packages running from the $55 J3355B!

It looks like this would also work for basic home use gigabit WAN.

Not bad at all.

I hope this is helpful to prospective buyers out there!


VAMike

Well, that's the value of real world testing. :) I definitely would not have expected that much a difference from switching AES-256-CBC to AES-128-CBC. Maybe there's some peculiarity of the goldmont platform that's letting one pipeline better than the other, or maybe it's an interaction with OpenVPN on that platform. At any rate, great results.

mattlach

Yes, this is excellent testing.

Thank you for that!

pfBasic

Yeah I'm glad it performed so well! You're very welcome!

The J3355 and 3455 are at a very valuable price/performance point for most home use scenarios.

pfBasic

@pfBasic:

Looking at CPU usage @ 59Mbps shows ~15% shows that at least in the lower speed range CPU usage is scaling in a reasonably linear fashion with VPN throughput.
If that continues on up the curve it looks like you can expect somewhere in the ballpark of 400Mbps AES-128-CBC OpenVPN throughput without any heavy packages running from the $55 J3355B!

@VAMike, what are your thoughts on this? Is this an accurate estimation or does OpenVPN not scale linearly up to those speeds?

VAMike

@pfBasic:

@VAMike, what are your thoughts on this? Is this an accurate estimation or does OpenVPN not scale linearly up to those speeds?

In my experience it's not a linear scale because different factors dominate at different data rates.

pfBasic

If you had to guess what would you say this CPU would max at on 128-CBC?

pfBasic

@VAMike:

I definitely would not have expected that much a difference from switching AES-256-CBC to AES-128-CBC. Maybe there's some peculiarity of the goldmont platform that's letting one pipeline better than the other, or maybe it's an interaction with OpenVPN on that platform.

Yeah, that was a big difference. The results on this page show a max throughput increase of ~130% switching from 258-CBC to 128-GCM, but only about 39% switching from 256-CBC to 128-CBC. Not all CPU's see this kind of improvement, but that looks similar to the performance improvements seen here although it looks like this is seeing ~+10% improvement over the best in the article.

@pfBasic:

https://calomel.org/aesni_ssl_performance.html

EDIT: Maybe the SHA-NI is helping improve the performance? I haven't generally thought of SHA being a factor for OpenVPN throughput but maybe it is?
https://github.com/weidai11/cryptopp/issues/139#issuecomment-264283385
https://github.com/randombit/botan/issues/807

whosmatt

@pfBasic:

I was having a hard time getting my connection to max out while doing this test (I was using Steam downloads). So I only did a single threaded test with one client, it really makes no difference anyways since I have only one computer to test from.

FWIW, in my experience Steam can and will use multiple clients, even from the same machine.  I did a lot of testing in the summer of last year when I was first working out performance issues with PIA and eventually settled on multiple tunnels. Again, FWIW.

bsquared

@pfBasic:

So I ran pfSense on my J3355B with 2x4GB RAM and an i340-t4 @PCIev2.0x1.
For those that don’t know the J3355B is a $55 Fanless Goldmont SoC Celeron @ 2x2.0GHz turbo 2.5GHz.

Great post and thanks for sharing.  Do you have any additional details of the build you could share?  I know it's more generic things, but the PSU/case etc if it's handy.

On a related note with the 3455 (4 core @ 1.5ghz) vs 3355 (2 core at 2.0ghz), what are users opinions on higher core speed vs more cores?  In single threaded applications like OpenVPN (ignoring multiple tunnels here), would the 3355 be preferred with a 33% increase in core clock speed?  Not looking to handle anything like gig speed yet, but a 100/100 connection over OpenVPN seems like a non-issue for this board especially once AES-NI gets fully baked.

Thanks!

pfBasic

The case was a ten year old gateway desktop case haha, the PSU was a picoPSU 80 non-WI. RAM was something out of an old laptop.

As far as the J3455 v J3355, for a 100/100 connection I think either one will push full line speed at AES-128-CBC without problems.
Beyond that it just comes down to do you want to pay a little more for two more cores? I wouldn't unless you actually need it just because you would be buying something you'll never use.

Keep in mind that the J3455 mini-ITX board has physical x1 PCIe slot, so you will have to cut either the back slot out of the motherboard or the pins off of your NIC to make it fit. This is totally technically acceptable and will still max out 4 gigabit ports simultaneously, but obviously you can make a bad cut and brick whichever item you decide to cut. Also, if this is for a customer you obviously don't want to do a hack job like that.

You can get the J3455 in a micro-ATX ASUS board that has a physical x16 slot @ 1x and two more physical x1 slots which will get you up to 6 gigabit ports (i340-t4 in the x16 slot and single port intel gigabit cards in the x1 slots) without cutting anything, and up to 12 gigabit ports (3x i340-t4) if you do (the J3355 and 3455 CPU's support 6 lanes and you only need 3 to max out 12 gigabit ports simultaneously).

Runenaldo

@bsquared:

Great post and thanks for sharing.  Do you have any additional details of the build you could share?  I know it's more generic things, but the PSU/case etc if it's handy.

On a related note with the 3455 (4 core @ 1.5ghz) vs 3355 (2 core at 2.0ghz), what are users opinions on higher core speed vs more cores?  In single threaded applications like OpenVPN (ignoring multiple tunnels here), would the 3355 be preferred with a 33% increase in core clock speed?  Not looking to handle anything like gig speed yet, but a 100/100 connection over OpenVPN seems like a non-issue for this board especially once AES-NI gets fully baked.

Thanks!

I was wondering about this too, but thought that enabling speedstep and PowerD would even this out completely?

VAMike

For this application you're probably better off with 2 slightly faster cores than 4 slightly slower cores. If there's a massive scalability improvement at the same time that you have a massive increase in bandwidth, you'll probably want a new machine at that point anyway.

bsquared

Thanks again for the responses, seems like it's a great option and can be had for well under $300 even if you need to buy everything.  Qotom and Zotac boxes look decent, but there's something special about building :).

pfBasic

You're welcome!

One think I have to say about qotom is that they try to sell their stuff under the guise of it being an official pfSense product, which it is not. I think that's a pretty shitty thing to do.

Their boxes have also never really appealed to me spec wise either. I would buy a used SFF desktop without a HDD off ebay, throw a NIC in it and install to flash drive before I bought a qotom box, but that's just my personal opinion.

mimino

Love the post and the possibility to build my first pfSense box on the cheap! Just ordered the board (which is rare to find in stock) and now I have to decide about the NIC's and a case. I have Intel EXPI9301CTBLK laying around, so if I use that for WAN and the board's built in NIC for LAN, would that be an acceptable solution?
And what's the smallest case can you guys recommend? I was really hoping I could get away with M350 and PicoPSU. Thanks for any input you can provide!

pfBasic

IDK about the M350, I've never used one. Does it support PCIe cards (even with a riser card would work)?

Try out the NICs you have and if it doesn't work or causes problems then buy a dual+ port intel.

pfBasic

I ran a couple more benchmarks on the J3355B

IDS/IPS on Suricata:
https://forum.pfsense.org/index.php?topic=128572.msg709166#msg709166
@pfBasic:

@pfBasic:

I'll report back with the IDS/IPS performance.

Well, IDS/IPS is certainly taxing but performance is greatly improved when not saturating one core with VPN.

On my J3355B:
I kept my 150/10 connection maxed out for a few minutes by downloading DOTA 2 on Steam.

The max CPU I got off the 1 minute RRD's was 61.63% (this pretty well matches up to the top output). At that moment on the RRD graphs it equated to 103.58k pps.

This was using the Open ET & Snort Free rules, paired down to eliminate FP's. It's a home network and it was pretty inactive at the time of the test other than background processes.
Also, suricata, not snort which is single thread only.

So IDS/IPS is definitely more CPU intensive than VPN on a modern AES-NI CPU.
That being said, the J3355 is a very low end passively cooled CPU.

J3455 would likely get you in the 350Mbps range on suricata.

A G4560 will probably handle just about anything a home user can throw at it short of Gigabit WAN with all the packages or an expectation for line speed VPN.

Synthetic OpenVPN Benchmark FWIW:
https://forum.pfsense.org/index.php?topic=105238.msg709164#msg709164
@pfBasic:

FWIW, J3355B:

AES-256-CBC : 291.2Mbps
AES-256-GCM: 302.0Mbps

AES-128-CBC: 293.5Mbps
AES-128-GCM: 307.9Mbps

#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-cbc
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.989u 0.015s 0:11.02 99.7%    819+178k 2+0io 0pf+0w
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-256-gcm
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.596u 0.023s 0:10.66 99.5%    817+178k 2+0io 0pf+0w
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-cbc
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.902u 0.015s 0:10.99 99.2%    821+178k 2+0io 0pf+0w
#: time openvpn --test-crypto --secret /tmp/secret --verb 0 --tun-mtu 20000 --cipher aes-128-gcm
disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
10.392u 0.015s 0:10.46 99.4%    818+177k 2+0io 0pf+0w

This remains the go-to CPU for the majority of home-use cases and plenty of small commercial setups IMO. Really excellent performance per dollar!

ECSJay

Sorry to bump an old thread, but in regards to your final recommendation of the G4560…

I found this: https://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.3514464

And am on the verge of pulling the trigger, is there anything that jumps out to you outside of price on why it may be wise to avoid this particular combo?

Thanks in advance!

Guest

@ECSJay:

Sorry to bump an old thread, but in regards to your final recommendation of the G4560…

I found this: https://www.newegg.com/Product/ComboBundleDetails.aspx?ItemList=Combo.3514464

And am on the verge of pulling the trigger, is there anything that jumps out to you outside of price on why it may be wise to avoid this particular combo?

Thanks in advance!

This link gives me: Sorry, the combo deal is no longer available.