PC Engines APU2 2.4.0 upgrade success



  • Hi all, just a quick message for any other users of the APU2 who might be holding off: mine upgraded from 2.3.4 to 2.4 just fine. Pleased to see it can now show me the temps.



  • Same. Have been running various 2.4 Release Candidates on APU2B4.

    Config includes dual WAN, OpenVPN (already using accelerated GCM) and NTP pool server behind FW.

    Quick & painless update to 2.4-RELEASE today. Using BIOS 4.0.7.

    Kudos to pfSense team.



  • No problems here either! Everything went great!
    BIOS 4.0.11

    *EDIT:
    Actually, I noticed that I'm not able to select Hardware Acceleration anymore in OpenVPN:

    Even though hardware acceleration is enabled in pfSense:

    Anyone else have this problem?






  • @Veldkornet:

    No problems here either! Everything went great!
    BIOS 4.0.11

    *EDIT:
    Actually, I noticed that I'm not able to select Hardware Acceleration anymore in OpenVPN:

    Even though hardware acceleration is enabled in pfSense:

    Anyone else have this problem?

    Good catch, yes, same thing for me. It's enabled in the System/Advanced



  • Well, I did find a couple of people on Reddit etc that have the same problem in general, not specific to the APU2.

    I did also find this which pretty much says that openssl/openvpn need to have loaded both AESNI and cryptodev to accelerate AES operations.

    AESNI was already enabled for me in the GUI, so I enabled cryptodev as well.

    Now at least I can select the cryptodev in the OpenVPN gui, although back in 2.3.4 I could still select AESNI. Not sure what this all means for OpenVPN… Is it now using both or just the one? What's going on?




  • Hmm, my web interface, SSH and serial appear to have an issue. The internet is up but I can't get HTTP access to respond, so I tried both SSH and serial; it gets as far as the login but does show the welcome screen where you select option 8 for command line




  • After a few basic tests with OpenVPN, I was able to get around double the speed that I was getting previously by using the below settings:

    In my OpenVPN configs, under Cryptographic Settings:

    • Hardware Crypto -> None

    For my Client configurations:
    Advanced Configuration:

    • UDP Fast I/O -> Checked
    • Send/Receive Buffer -> 1.00 MiB

    For my Server configuration:
    Advanced Configuration:

    • UDP Fast I/O -> Checked
    • Send/Receive Buffer -> 512 KiB


  • @Veldkornet:

    Well, I did find a couple of people on Reddit etc that have the same problem in general, not specific to the APU2.

    I did also find this which pretty much says that openssl/openvpn need to have loaded both AESNI and cryptodev to accelerate AES operations.

    Will this BS never die? You do not want cryptodev turned on, it will hurt performance. The openssl speed tests showing that config to be faster are simply using the wrong parameters and displaying inaccurate numbers. OpenVPN+OpenSSL use AES-NI without cryptodev by default out of the box. Turning cryptodev on adds another layer and reduces the speed. Cryptodev was specifically disabled in 2.4 because it confused people and slowed things down. The only time you want cryptodev is if you are using off-cpu crypto accelerators like the old via soekris or alix add-in cards, which are obsolete and tremendously slower than any modern AES-NI implementation.

    The openssl speed test showing 9GByte/s of single threaded crypto throughput is quite simply wrong. Unfortunately, people who don't know any better keep reposting the same errors and misleading others. In this case the error was using cryptodev with openssl speed and not using -elapsed. The real throughput number on his test with max block size is 196618 kbyte/s (8192*73444/3.06/1000) which is significantly slower than the non-cryptodev throughput of 298675 kbyte/s. For a more reasonable block size (1024) in an OpenVPN context, the real throughput is 124013 kbyte/s (1024*379340/3.13/1000) compared to 280000 kbyte/s for non-cryptodev. That's less than half the throughput. Congratulations, you made your system worse by overriding the defaults.

    Don't listen to randos on reddit with magic incantations to make things faster–they don't know what they're talking about. If there were a simple config change to get an order of magnitude performance improvement, don't you think it would be the default?
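
The arithmetic from the post above, as an added example that is not part of the original thread: it recomputes throughput from an `openssl speed` result line against wall-clock time and flags lines whose reported timer covers only a fraction of the run. The function names and the 0.07s CPU-time value in the sample line are assumptions made for illustration; the block size, operation count and 3.06 seconds are the figures used in the post.

```python
import re

# Constructed sample in the line format `openssl speed` prints. The block size
# and operation count are the ones used in the post; the 0.07s CPU time is
# made up for illustration (the post does not give it).
SAMPLE = "Doing aes-128-cbc for 3s on 8192 size blocks: 73444 aes-128-cbc's in 0.07s\n"

LINE_RE = re.compile(
    r"Doing (\S+) for (\d+)s on (\d+) size blocks: (\d+) \S+ in ([\d.]+)s"
)

def kbytes_per_s(block, ops, seconds):
    """Throughput in the unit the post uses: bytes / seconds / 1000."""
    return int(block * ops / seconds / 1000)

def audit(text, wall_seconds, min_cpu_share=0.5):
    """Recompute each line's throughput against wall-clock time.

    wall_seconds is the measured elapsed time of the run (the timer that
    -elapsed makes openssl use itself). A line is flagged when the time
    openssl printed covers less than min_cpu_share of the requested run,
    i.e. most of the work happened where user CPU time does not see it.
    """
    results = []
    for m in LINE_RE.finditer(text):
        cipher, run_s, block, ops, cpu_s = m.groups()
        block, ops, cpu_s = int(block), int(ops), float(cpu_s)
        results.append({
            "cipher": cipher,
            "block": block,
            # Figure derived from the printed timer; None if it printed 0.00s.
            "reported": kbytes_per_s(block, ops, cpu_s) if cpu_s > 0 else None,
            # Figure derived from elapsed time, as in the post's calculation.
            "real": kbytes_per_s(block, ops, wall_seconds),
            "misleading": cpu_s < min_cpu_share * int(run_s),
        })
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE, wall_seconds=3.06):
        print(row)
```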



  • @Veldkornet

    I did also find this which pretty much says that openssl/openvpn need to have loaded both AESNI and cryptodev to accelerate AES operations.

    Ok and did you enable it? And when yes, on which version?

    AESNI was already enabled for me in the GUI, so I enabled cryptodev as well.

    Did that have any impact?

    In my OpenVPN configs, under Cryptographic Settings:

    • Hardware Crypto -> None

    For my Client configurations:
    Advanced Configuration:

    • UDP Fast I/O -> Checked
    • Send/Receive Buffer -> 1.00 MiB

    For my Server configuration:
    Advanced Configuration:

    • UDP Fast I/O -> Checked
    • Send/Receive Buffer -> 512 KiB

    Under which pfSense version?
    With both or without both or only even one activated (AES-NI, Cryptodev)



  • Having both cryptodev and AESNI didn’t seem to have any improvement or impact, only with the tests mentioned in that bug.

    In the OpenVPN config, if you actually select that you want to use cryptodev, then your performance is worse; so DON’T do that.

    Everything I’m talking about is in version 2.4.0…. that’s the thread subject.

    AES-NI is enabled in the general pfSense setup for me, but it’s not selectable anymore in the OpenVPN config like it was in the past.



  • Tried the upgrade this morning, killed my firewall.  Need to reload from scratch. :(



  • @acascianelli:

    Tried the upgrade this morning, killed my firewall.  Need to reload from scratch. :(

    Killed it in what way? Can it boot?



  • Lots of broken packages. It was still booting, I tried to recover it by repairing the packages but it looked like some packages from the previous version of pfSense/FreeBSD were causing problems.

    I spent like 60 minutes trying to repair it and 10 minutes reinstalling from scratch and recovering a backup.

    It was a pretty old install of pfSense, so maybe that had something to do with it too.



  • It was a pretty old install of pfSense, so maybe that had something to do with it too.

    It is like you said.

    pfSense 2.4.0 release available
    Upgrading from Older Releases (2.2.x or earlier)

    There is no direct upgrade path from pfSense software version 2.2.x or earlier to pfSense 2.4.0-RELEASE as we no longer generate the required update archives. A firewall running an older release can still be upgraded by making a stop at pfSense 2.3.x first. First, upgrade the firewall to pfSense 2.3.4 and then perform an update to pfSense 2.4.0 afterward. Performing an automatic update twice will accomplish this, as it will first upgrade to the latest pfSense 2.3.x and then to pfSense 2.4.x.

    Alternately, reinstall pfSense 2.4.0 directly and restore the configuration.



  • Sorry, let me clarify what I meant by that…

    It was built on a pretty old version of pfSense and it has been through at least 2 major upgrades of pfSense.  I think it started on version 2.1.  I was running 2.3.4 before the upgrade attempt.



  • Has anyone tried a clean install to APU2 (serial console)?

    Everything I read leads me to believe that it is not possible… is there a workaround? I am running 2.3.5 and in-place upgrade is available, but since 2.4.x. is a major update, I'd rather install it clean. I did try to load from amd64 memstick and it did boot, landing on the guided installer, but I'm guessing this won't work beyond this point.

    Is there a better way, or is it even possible? I have an older Alix board and able to run an older release while I work on this.

    Thanks!!



  • Not possible?

    Ah, misread your post, if the Alix board is 32 bit, and I'm pretty sure it is, then the answer is no, not possible. If it's an APU2, then it certainly is possible.



  • Has anyone tried a clean install to APU2 (serial console)?

    It is a must do and not a could do in my eyes, because this is a serial console only device without any VGA interface
    or port and so it must be a serial console install! The right installer is the serial amd64 memstick version or image
    to write it down on a USB pen drive and install it from there!

    Everything I read leads me to believe that it is not possible… is there a workaround?

    You can do this on a mSATA from 4 or 8 GB over 16 GB to xyz GB if you want. You can use a SD card,
    a mSATA or a small SATA DOM unit like you want it will be running without any hassle as I know it right!

    There are problems based on the following points and setups:

    • from 32Bit to 64Bit
    • from NanoBSD to full install
    • IGMPv3 Proxy is broken again in 2.4.1 (IPTV)
    • from 2.2.x to 2.4.x without a stop at version 2.3.x
    • IPSec VPN failing due to the VLAN labeling, name length or at the WAN Port over PPP
    • with VLANs from earlier installation to 2.4.0 with problems based on the VLAN labeling
    • with VLANs at the WAN port over PPP and upgrade to the version 2.4.1 that has problems with it!
    • without ZFS installation changing or upgrading to 2.4.x with ZFS file system and nothing goes really on then

    I am pretty sure you read something about that named above problems not more and not less

    I am running 2.3.5 and in-place upgrade is available, but since 2.4.x. is a major update,

    Do a configuration backup and then do a fresh install and full installation on a HDD, SSD or mSATA.
    That's it! AES-NI will be automatically activated and the TRIM support by choosing ZFS too.

    So if you have not VLANs in usage with too long names, VLANs at the WAN port over PPP and nothing
    else named above it is done in 10 - 30 minutes for you and then you play back your config backup and will be fine.

    For sure you should be able to debate all your config here before you are doing so, but in normal I do consider to
    @marjohn56 that there is nothing false with it.

    I'd rather install it clean. I did try to load from amd64 memstick and it did boot, landing on the guided installer, but I'm guessing this won't work beyond this point.

    At what number are your APU2C4 BIOS?

    Is there a better way, or is it even possible?

    From USB pen drive to mSATA works without any problems, if you will have some, you could try also out
    to install the version 2.4.0 and upgrade then to the version 2.4.1

    I have an older Alix board and able to run an older release while I work on this.

    Since version 2.4.x there will be no support for NanoBSD and 32Bit, then you must go with version 2.3.5



  • @BlueKobold:

    Has anyone tried a clean install to APU2 (serial console)?

    It is a must do and not a could do in my eyes, because this is a serial console only device without any VGA interface
    or port and so it must be a serial console install! The right installer is the serial amd64 memstick version or image
    to write it down on a USB pen drive and install it from there!….

    Super! Thank you… I will give it another go. I only have the 8GB SD card at the moment, so will use that. I will boot with the USB stick and install to SD. I keep the Alix with an older PF Sense on it just for days like today. My SLA with the kids is brutal, and penalties severe. ;)

    UPDATE:

    Successfully installed using "pfSense-CE-memstick-serial-2.4.1-RELEASE-amd64.img" using USB, onto SD card. Alix goes back in the box and all is good. Thanks again for your help.

