Throughput on a Atom D510 and dual gigabit
-
Hi,
I was looking at this barebone Atom D510 rackmount as a low cost option to put as a firewall between a trusted network and a DMZ. The final option will have 4 gigs of RAM installed and have the 4GB install flashed onto a compact flash card connected through an adaptor.
I'd like to be able to handle 100mbs of traffic between the trusted network and the DMZ while running the Snort package.
My question hinges on a statement on Wikipedia that the Atom has only half as much performance per clock cycle as it's equivalent Pentium chip. Does anyone here have any experiance on how that might or might not effect sizing considering that it is also dual core with HT?
Edit: added info about dual core and HT.
-
let's assume that an atom is only half the "power" of a core 2 duo at the same speed (in reality I think this figure is more like 80%, but it really doesn't matter)
that means you have the equivalent of 2x800mhz chips in there.
is this enough for snort and your basic firewall functionality at 100 mbps? - yes. Consider that 500mhz chips (geode) will manage 50mbps without too much trouble according to the hardware sizing guide. You have more than double that to play with with a d510. (1.66ghz if you are halving performance numbers)
if you're running ipsec and so forth it is unlikely you will get 100mbps, but I am assuming you don't plan to.
-
I was pretty sure Id get 100mbits with straight firewallling, but I was wondering if it would still handle it with Snort on and running a bunch of rules for the clients behind it.
-
Atom chips are far slower than a C2D. They are, clock for clock, about half as quick as a Pentium M (which, remember, is basically an advanced Pentium 3) due to in-order execution, a relatively long pipeline, and a relatively small amount of on-clip cache. By my math, that sticks them at 30-ish percent of a C2D at the same clock speed, perhaps worse, depending on the workload.
That all said, firewall performance will be fine. With snort running I'm less sure, but the multiple cores of the D510 will help. You might get better performance by disabling HT so that pf & snort are definitely running on different physical cores, rather than just different logical ones.
-
Will pfSense automatically run it's NAT/FW function on one core and Snort on the other or do you need to specifiy?
-
Why do you want an atom? the power savings/initial cost?
(trying to work out if there's something much more powerful with the same power footprint for you)
-
I have (see http://forum.pfsense.org/index.php/topic,21981.msg139253.html#msg139253 for a complete list of hardware):
-
an Atom D510 (SuperMicro X7SPA-HF)
-
dual nic intel add-on-card (SuperMicro AOC-SG-i2 !! igb driver has a severe performance penalty bug: LRO must be disabled. Add to file and reboot /etc/sysctl.conf
dev.igb.0.enable_lro=0 and dev.igb.1.enable_lro=0 Without it PFSense couldn't even pass 500 kB/s. -
Snort with all rules enabled even emergingthreats
-
PFSense v1.2.3
-
Cable connection 90/9 Mbps (down/up)
See the screen captures I took. This is about on average what I have achieved so far. Got the system a couple of days running now. And the best of all only using 26-32 Watts! IPMI on the SuperMicro board is amazing feature. Just fantastic.
![Capture PFSense HTTP download.PNG](/public/imported_attachments/1/Capture PFSense HTTP download.PNG)
![Capture PFSense HTTP download.PNG_thumb](/public/imported_attachments/1/Capture PFSense HTTP download.PNG_thumb)
![Capture PFSense Newsgroup SSL download speed.PNG](/public/imported_attachments/1/Capture PFSense Newsgroup SSL download speed.PNG)
![Capture PFSense Newsgroup SSL download speed.PNG_thumb](/public/imported_attachments/1/Capture PFSense Newsgroup SSL download speed.PNG_thumb) -
-
Will pfSense automatically run it's NAT/FW function on one core and Snort on the other or do you need to specifiy?
Sort of. The scheduler will not try and run two processes on the same core if a different one is free. There is no simple way to set the affinity so that pf only runs on cpu0 and snort only runs on cpu1, nor would you really want to.
-
@Ibor:
-
dual nic intel (SuperMicro AOC-SG-i2 !! igb driver has a severe performance penalty bug: LRO must be disabled.
I'm confused about this statement. I just started running pfsense 2.0 on the X7SPA-H board and the Intel NICs are loaded with the em driver. How is it that you're having issues with the igb driver? Did you load it manually somehow?
-
-
@Ibor:
- igb driver has a severe performance penalty bug: LRO must be disabled. Add to file and reboot /etc/sysctl.conf
dev.igb.0.enable_lro=0 and dev.igb.1.enable_lro=0 Without it PFSense couldn't even pass 500 kB/s.
FYI- we disable TSO and LRO on all network cards by default in 2.0 now. there is a checkbox to enable them if someone really thinks they'd help.
- igb driver has a severe performance penalty bug: LRO must be disabled. Add to file and reboot /etc/sysctl.conf
-
@Ibor:
-
dual nic intel (SuperMicro AOC-SG-i2 !! igb driver has a severe performance penalty bug: LRO must be disabled.
I'm confused about this statement. I just started running pfsense 2.0 on the X7SPA-H board and the Intel NICs are loaded with the em driver. How is it that you're having issues with the igb driver? Did you load it manually somehow?
FYI - No not manually at all. I'm using the onboard 2 LAN ports as well as an add-on dual LAN port card (the SuperMicro AOC-SG-i2): I needed 4 LAN ports. The onboard LAN ports are indeed loaded with the em drivers. The add-on-card uses the igb driver, because of the newer Intel chipset.
In my speed measurements I noticed performance issues with the igb drivers. Disabling the LRO resolved that issue. I still have to check out the onboard LAN ports for performance. I figured that the latest/most recent Intel LAN chipset would perform better than the 'older' onboard LAN chipset.
-
-
I just put in an order for the X7SPA-HF-D525 yesterday. I'm currently using an old Compaq P3 800 MHz PC with 300 megs of RAM and a bunch of cheap no name gigabit nics. Its using 75 watts so I was looking to replace it with a lower energy use machine which would also gain more throughput. I'm using a 120 mbit down/10 mbit up cable internet connection at my home. This old machine manages to pull a little over 100 mbit/sec through it. Connecting my PC directly to the internet connection pulls out 122 mbit/sec, so it's not keeping up with the last 20 mbit/sec.
Ibor Daru, thank you for sharing your screenshots showing your performance ratings. I'm a bit disappointed though. You're saying you have a 90 mbits down connection and only manage to pull a sumere 50 mbits through this board? Must be more than that. What did you use to fully load your internet connection? I can recommend using www.speedtest.net or download the 1 gigabyte testfile from BBNed. If you're on a Ziggo cable connection, you could also use Ziggo's speedtest.