ALIX APU.2C4 Board and 1GBit Internet connection



  • I've read some posts here about the same board able to do 150/150 or 100/100 Mbits ISP connection easy peasy.
    But can it handle 1 Gigabit ISP connection in pfSense or the CPU will choke? Any real life test results would be greatly appreciated.

    Thanks,



  • Users on the pcengines forum have reported a max throughput of about 550 to 600 Mb/s with just routing and NAT.



  • @Jailer:

    Users on the pcengines forum have reported a max throughput of about 550 to 600 Mb/s with just routing and NAT.

    Good to know that, thank you. So is there a small form factor board that can handle gigabit, or its better go Intel platform for the faster stuff?



  • @jolebole:

    @Jailer:

    Users on the pcengines forum have reported a max throughput of about 550 to 600 Mb/s with just routing and NAT.

    Good to know that, thank you. So is there a small form factor board that can handle gigabit, or its better go Intel platform for the faster stuff?

    Is it possible to add another ALIX APU.2C4 board and have them work together to double the speed ? is that even possible ?
    I know it's probably not advisable in a production/mission critical environment but for home-use; to get close to 1gb, what would be the best way to go ?

    As always, thanks so much for sharing your knowledge and helping out!



  • For the added cost and complication, if it's even possible, it would make sense to get more capable hardware.

    Hardware for 1Gbit is entirely dependent on what packages you intend on running. If none and you are just going to use it as a firewall then the hardware requirements will be much less. If you want something like packet filtering it's going to be significantly more.

    My connection is so slow that my hardware needs are modest so I have no way of knowing first hand what will work for Gbit in actual usage.



  • I've read some posts here about the same board able to do 150/150 or 100/100 Mbits ISP connection easy peasy.

    Yes for sure this might be enough power for that Internet line speed! But please remember that each installed packet will more
    or less slow down a bit the entire throughput from the WAN that is offered to the LAN part! Mostly that box will be really
    sufficient, but together with PPPoE, ClamAV Scan and other packets on top of this, it might be slowing down step by step!

    As a single firewall with some (20) firewall rules it will be enough fore nearly 500 MBit/s - 700 MBit/s and some tunings
    for the network interface cards (NICs), but real 1 GBit/s you will never reach here due to the hardware system given
    horse power. Please read about that under that link here shown under the point "Hardware Requirements and Guidance CPU selection".
    üfSense hardware specs.

    10-20 Mbps We recommend a modern (less than 4 year old) Intel or AMD CPU clocked at at least 500MHz.
    21-100 Mbps We recommend a modern 1.0 GHz Intel or AMD CPU.
    101-500 Mbps No less than a modern Intel or AMD CPU clocked at 2.0 GHz. Server class hardware with PCI-e network adapters, or newer desktop hardware with PCI-e network adapters.
    501+ Mbps Multiple cores at > 2.0GHz are required. Server class hardware with PCI-e network adapters.

    In one network environment we run pfSense, Squid, SquidGuard, pfBlockerNG and Snort for ~70 users and with 100/20
    a Internet connection without any problems. But to really reach a 1 GBit/s at the WAN you will need 2GHz and higher
    pending on the installed packets and the entire network traffic.

    But can it handle 1 Gigabit ISP connection in pfSense or the CPU will choke? Any real life test results would be greatly appreciated.

    You will need a modern or server grade CPU with >2GHz and multi-core architecture.

    Users on the pcengines forum have reported a max throughput of about 550 to 600 Mb/s with just routing and NAT.

    Yep, this is right, as a firewall only with some rules it might be able to archive that speed in the real world!!! But with some installed
    packets, PPPoE and much network traffic you will be getting even less then that result!

    Is it possible to add another ALIX APU.2C4 board and have them work together to double the speed ? is that even possible ?

    No it is not able to realize! What should the second APU2C4 speeding up?

    I know it's probably not advisable in a production/mission critical environment but for home-use; to get close to 1gb, what would be the best way to go?

    If you don´t need to use PPPoE, which is actually CPU single threaded in pfSense, you will be happy with a similar hardware
    the APU2C4 will be with mSATA and WiFi card and antennas for ~260 Euro. The Jetway NF9HG-2930 will be for something
    around ~350 Euro but if you will not need PPPoE it can handle ~936 MBit/s at the WAN port.

    For the added cost and complication, if it's even possible, it would make sense to get more capable hardware.

    Jetway NF9HG-2930 ~200 Euro
    8 GB RAM DDR3-1600 ~80 Euro
    mSATA 30/60/120 GB ~40 - 60 Euro
    M3520 mini-ITX case ~40 Euro
    WiFi card & Antenna ~60 Euro
    external PSU ~15 Euro

    Silent, no turning parts, fan less, able to route 1 GBit/s at the WAN without using PPPoE, with SIM slot for adding a modem,
    but must be fiddled together, no AES-NI and ~100 Euro higher in price as the APU2C4.



  • @BlueKobold:

    As a single firewall with some (20) firewall rules it will be enough fore nearly 500 MBit/s - 700 MBit/s and some tunings
    for the network interface cards (NICs), but real 1 GBit/s you will never reach here due to the hardware system given
    horse power.

    That hardware can do a gigabit just fine under linux. It's not a hardware problem, it's a system problem.



  • @VAMike:

    @BlueKobold:

    As a single firewall with some (20) firewall rules it will be enough fore nearly 500 MBit/s - 700 MBit/s and some tunings
    for the network interface cards (NICs), but real 1 GBit/s you will never reach here due to the hardware system given
    horse power.

    That hardware can do a gigabit just fine under linux. It's not a hardware problem, it's a system problem.

    What do you mean system problem like problem with pfsense ?



  • @msvuze:

    @VAMike:

    @BlueKobold:

    As a single firewall with some (20) firewall rules it will be enough fore nearly 500 MBit/s - 700 MBit/s and some tunings
    for the network interface cards (NICs), but real 1 GBit/s you will never reach here due to the hardware system given
    horse power.

    That hardware can do a gigabit just fine under linux. It's not a hardware problem, it's a system problem.

    What do you mean system problem like problem with pfsense ?

    The "system" is the combination of hardware & software. There isn't a "problem", it is a matter of matching requirements and resources. If the requirement is "pfsense at 1Gbps" then the APU2 is the wrong hardware. If the requirement is "firewalling at 1Gbps with an APU2" then pfsense is the wrong software. I just get tired of seeing people saying it's a "hardware problem" when the hardware is fine; it's reasonable to say that the hardware is the wrong choice for the application, but not reasonable to say it's the hardware's fault that the software doesn't utilize it efficiently.



  • That hardware can do a gigabit just fine under linux. It's not a hardware problem, it's a system problem.

    The entire question, from the opening post here, was not about the Linux throughput, but about pfSense and the PC Engines
    APU2C4 throughput. And under pfSense that is based on FreeBSD it ís not interesting what the same hardware will be able to
    deliver under Linux.

    What do you mean system problem like problem with pfsense ?

    1. Linux is coded more nearly to the hardware as other systems, and act sometimes more liquid then BSD based systems
    and so BSD based systems needs much more horse power then compared to a Linux based OS.
    2. The driver support and quality from the site of the hardware vendors will be more pointed to
    windows and Linux as to BSD based systems, that will changing in the last time but slowly.
    3. And on top of some things such named above pfSense is going more and more and more to change things, but this will
    be not be done so fast as we all need it or hope it! But they are on the right way, FreeBSD is going to be more multi CPU
    core usage, the version 3.0 will be totally written new, other parts will also be changing to multi-core CPU usage, such
    suricata, Snort is on its way, OpenVPN the igb(4) driver and so on, but some rarely parts such as PPPoE is, will be only
    single-core CPU threated since now, and this will all play together and not all one part for it self!

    The "system" is the combination of hardware & software. There isn't a "problem", it is a matter of matching requirements and resources. If the requirement is "pfsense at 1Gbps" then the APU2 is the wrong hardware. If the requirement is "firewalling at 1Gbps with an APU2" then pfsense is the wrong software. I just get tired of seeing people saying it's a "hardware problem" when the hardware is fine; it's reasonable to say that the hardware is the wrong choice for the application, but not reasonable to say it's the hardware's fault that the software doesn't utilize it efficiently.

    This might be right but this here is the pfSense forum and not the Linux or ClearOS, or Endian, or Untangle UTM, or Sophos UTM,
    or SmoothWall, or IPFire or the shorewall forum, and based on the entire opening post the threat opener is using pfSense or asking
    for pfSense together with the APU2C4 and 1 GBit/s at the WAN interface.



  • With 2c4 we are getting 940mbit/s here on 1gb/s Mediacom cable (which is the same directly connected to the modem with no router) on pfSense 2.3.3. As a matter of fact its only one of two routers out of many we have tested to get full throughput out of 1gb/s. An old Core2Duo E8400 with the same config only got 600mb on 2.3.3, Core2Quad the same. A Netgear R7000 with stock firmware (no thanks) pulled 940mbit/s last night but with Shibby TomatoUSB firmware only 360 down. I'd like to try a Asus RT-AC9000P with Merlin firmware. Ubiquiti Edgerouter X got 400 down, Edgerouter Lite better at 918mb/s.  So as it stands it's the APU 2C4!  ;)

    We just got 1GB/s in our area so we have been experimenting a good bit.



  • @fthomasr:

    With 2c4 we are getting 940mbit/s here on 1gb/s Mediacom cable (which is the same directly connected to the modem with no router) on pfSense 2.3.3. As a matter of fact its only one of two routers out of many we have tested to get full throughput out of 1gb/s. An old Core2Duo E8400 with the same config only got 600mb on 2.3.3, Core2Quad the same. A Netgear R7000 with stock firmware (no thanks) pulled 940mbit/s last night but with Shibby TomatoUSB firmware only 360 down. I'd like to try a Asus RT-AC9000P with Merlin firmware. Ubiquiti Edgerouter X got 400 down, Edgerouter Lite better at 918mb/s.  So as it stands it's the APU 2C4!  ;)

    We just got 1GB/s in our area so we have been experimenting a good bit.

    Thanks for your reply.

    How much did you get for the upload on the 2c4 ?

    Please keep us updated on your findings THANKS AGAIN!!



  • With 2c4 we are getting 940mbit/s here on 1gb/s Mediacom cable (which is the same directly connected to the modem with no router) on pfSense 2.3.3.

    Are you using PPPoE, at this Internet connection?


  • Banned

    I believe there are some very SFF Intel n series Celeron boards out there that could do basic gigabit.



  • @BlueKobold:

    With 2c4 we are getting 940mbit/s here on 1gb/s Mediacom cable (which is the same directly connected to the modem with no router) on pfSense 2.3.3.

    Are you using PPPoE, at this Internet connection?

    No, Mediacom Cable. DHCP WAN.



  • @pfBasic:

    I believe there are some very SFF Intel n series Celeron boards out there that could do basic gigabit.

    We also tried an Atom D510 and got 209Mb/s (pfSense 2.3.3) :(



  • @msvuze:

    How much did you get for the upload on the 2c4 ?

    Our download/upload is not asymmetrical unfortunately. It's supposed to be a 1gb/50mbs plan. Our upload max has been 78mb/s.


  • Banned

    @fthomasr:

    @pfBasic:

    I believe there are some very SFF Intel n series Celeron boards out there that could do basic gigabit.

    We also tried an Atom D510 and got 209Mb/s (pfSense 2.3.3) :(

    Atom



  • @fthomasr:

    With 2c4 we are getting 940mbit/s here on 1gb/s Mediacom cable (which is the same directly connected to the modem with no router) on pfSense 2.3.3. As a matter of fact its only one of two routers out of many we have tested to get full throughput out of 1gb/s. An old Core2Duo E8400 with the same config only got 600mb on 2.3.3, Core2Quad the same. A Netgear R7000 with stock firmware (no thanks) pulled 940mbit/s last night but with Shibby TomatoUSB firmware only 360 down. I'd like to try a Asus RT-AC9000P with Merlin firmware. Ubiquiti Edgerouter X got 400 down, Edgerouter Lite better at 918mb/s.  So as it stands it's the APU 2C4!  ;)

    We just got 1GB/s in our area so we have been experimenting a good bit.

    fthomasr and I are doing the testing. I tested an ASUS RT-68u last night with latest stock firmware, Merlin latest, and Tomato latest. Stock pulled 948, Merlin pulled 949, and tomato 360. I was confused how stock and merlin firmware could be outperforming tomato firmware. After some research, I found a little know setting under the advanced-> miscellaneous tab to enable CTF (Cut-Through Forwarding).  Now the tomato flashed router does 949. I'm sure that setting wasn't enabled on the netgear R7000 when we tested it with tomato firmware, but hey not a Netgear fan so we sent it back.
    I must mention the AC68U we are testing is the older version with only an 800MHZ processor. The current revision includes a 1GHZ processor. I'd love to test the difference between these two revisions.



  • @pfBasic:

    Atom

    Ok first of all I posted that just for information.

    But…... Same generation Atom



  • No, Mediacom Cable. DHCP WAN.

    Ah ok that was not clear to me, thanks.


  • Banned

    @fthomasr:

    @pfBasic:

    Atom

    Ok first of all I posted that just for information.

    But…... Same generation Atom

    Yeah, just saying you could probably get gigabit with a SFF modern n series Celeron.


  • Banned

    @VAMike:

    That hardware can do a gigabit just fine under linux. It's not a hardware problem, it's a system problem.

    It sure is.

    I've been testing pfSense throughput vs some GNU/Linux router distros, and the results are a little shocking, TBH.

    Even without any routing (LAN interface to LAN client), I get ~600-650 Mbit out of pfSense, apparently CPU bound (one core at 100%).

    I haven't found a GNU/Linux router that can't saturate the gigabit link (~950Mbit) in the same situation. With minimal CPU use (<15%).

    I love the features of pfSense, but that's one hell of a performance tax we're paying for them :(



  • I've been testing pfSense throughput vs some GNU/Linux router distros, and the results are a little shocking, TBH.

    Please try out iPerf from client to server and set it up to use 8 streams or more, then you will perhaps seeing other results
    and you may get other numbers, because the LAN line will be saturated.

    I love the features of pfSense, but that's one hell of a performance tax we're paying for them :(

    As above told, the hardware requirements for reaching 1 GBit/s at the WAN are given by the pfSense team shown
    under the link named some posts above by me, so there will be not really a need to complain about, because the
    APU is only serving ~1.0GHz at the CPU and > 2.0GHz are needed. For sure in the near future this can be really
    differ, by using multi-core CPU for the igb(4) driver, the entire pfSense system it self and perhaps more or less
    one of the forwarding (netmap-fwd, try-fwd, fast-fwd) methods that can change this.


Log in to reply