PC Engines apu2 experiences
-
Is anyone using the CoDel / FQ_CoDel Traffic Shaping on the APU2?
Working well? Any problems?
-
@Veldkornet said in PC Engines apu2 experiences:
Is anyone using the CoDel / FQ_CoDel Traffic Shaping on the APU2?
Working well? Any problems?
I have an APU2 box at work to provide a separate network for personal devices. It is set up with the FQ_CoDel limiter / floating rules method described towards the end of the Playing with FQ-CoDel Thread. It has been rock solid and seems to provide equal bandwidth sharing for the 30 - 50 devices connected each day and 16 - 20 GB of traffic that is passed on our 150/150 FiOS link.
-
@Veldkornet said in PC Engines apu2 experiences:
@qinn SSH into it and install flashrom. No need to boot from USB etc.
pkg install flashrom
Upload the firmware to /tmp with scp and run:
flashrom -w /tmp/apu2_v4.9.0.2.rom -p internal:boardmismatch=force
Shutdown pfSense, pull the power for 10 seconds, then boot up.
I still run the original (legacy) BIOS that came with my apu2c4 almost 2 years ago?! (maybe 1 year, I can't remember). I also run the latest stable pfsense.
Anything I need to do (regarding settings or something else) before flashing from the pfsense itself??
thanks
-
@daemonix Nope, just install the flashrom like above, then download the latest Mainline from here
https://pcengines.github.io/
then flash it and reboot, I have switched from Legacy to Mainline months ago and everything works still fine.
...and btw you don't need the force option, this is enough
flashrom -w /tmp/apu2_v4.9.0.7.rom -p internal
-
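A checked version of the flashing steps in the posts above, as an added example that is not part of any post in this thread: it refuses to write the image unless its SHA-256 matches a digest obtained separately from a trusted source, and it saves the current flash contents first. The function names, the backup path and the digest placeholder are assumptions; the image path is the one used above.

```shell
#!/bin/sh
# Added example, not from the thread: verify a firmware image before flashing.

# Print the SHA-256 of a file with whichever tool is installed
# (sha256 on FreeBSD/pfSense, sha256sum on Linux, openssl as a fallback).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_rom IMAGE EXPECTED_HEX: returns 0 only if the digests match.
verify_rom() {
    [ -f "$1" ] || { echo "missing image: $1" >&2; return 1; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$want" in
        ""|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 1 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 1; }
    got=$(file_sha256 "$1") || return 1
    [ "$got" = "$want" ]
}

# safe_flash IMAGE EXPECTED_HEX: verify, back up the current flash, then write.
# The backup path is a hypothetical choice.
safe_flash() {
    verify_rom "$1" "$2" || { echo "digest mismatch, not flashing" >&2; return 1; }
    flashrom -p internal -r "/root/apu2_backup_$(date +%Y%m%d%H%M%S).rom" || return 1
    flashrom -p internal -w "$1"
}

# Usage (placeholder digest, to be replaced with the published value):
#   safe_flash /tmp/apu2_v4.9.0.7.rom '<sha256-of-image>'
```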
@Qinn said in PC Engines apu2 experiences:
@daemonix Nope, just install the flashrom like above, then download the latest Mainline from here
https://pcengines.github.io/
then flash it and reboot, I have switched from Legacy to Mainline months ago and everything works still fine.
...and btw you don't need the force option, this is enough
flashrom -w /tmp/apu2_v4.9.0.7.rom -p internal
Thanks a lot for the quick reply!
I'll do it later in the evening and hopefully I'll have internet after the reboot heheheh
-
@Qinn said in PC Engines apu2 experiences:
@daemonix Nope, just install the flashrom like above, then download the latest Mainline from here
https://pcengines.github.io/
then flash it and reboot, I have switched from Legacy to Mainline months ago and everything works still fine.
...and btw you don't need the force option, this is enough
flashrom -w /tmp/apu2_v4.9.0.7.rom -p internal
Done without a problem!
I had a serial link to it so I did it from there so I can see the boot sequence.
Now that I have time to experiment a bit.
What is the recommended combination of settings that favours performance on an openvpn server nowadays? BSD crypto ON/OFF? CBC/GBC algo? etc.
I get 40mbit on the apu2 hosted server.
-
@daemonix said in PC Engines apu2 experiences:
BSD crypto ON/OFF? CBC/GBC algo? etc..
I get 40mbit on the apu2 hosted server.
From my knowledge, for the APU2 board the settings should be AES-NI (in CPU).
Regards,
fireodo
-
I agree, try AES-NI (in CPU). Read this please, especially the reply from "jimp": https://forum.netgate.com/topic/114212/aes-ni-cryptodev-openvpn-help-a-n00b-understand/16
The setting is in:
System/Advanced/Miscellaneous
try it and see how it performs.
-
fast-io
sndbuf 524288
rcvbuf 524288
added this, changed my PIA client to GCM (my server was already GCM) and I already had just the hardware acceleration only...
Gone from 45-ish mbit to 70-70mbit in both PIA and my server!!!
-
@Qinn said in PC Engines apu2 experiences:
https://pcengines.github.io/
Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two is.
-
@kevindd992002 said in PC Engines apu2 experiences:
Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two is.
Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO
-
@fireodo said in PC Engines apu2 experiences:
@kevindd992002 said in PC Engines apu2 experiences:
Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two is.
Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO
I see. But won't it use AES-NI anyway if the latter option is selected?
Also, in the OpenVPN settings you should choose None in the Hardware Acceleration field, correct?
-
@kevindd992002 said in PC Engines apu2 experiences:
I see. But won't it use AES-NI anyway if the latter option is selected?
FreeBSD will look for the Crypto-Device which is not existent and will not fall back to AES-NI CPU based.
Also, in the OpenVPN settings you should choose None in the Hardware Acceleration field, correct?
I admit I don't know. Sorry.
-
@fireodo said in PC Engines apu2 experiences:
@kevindd992002 said in PC Engines apu2 experiences:
I see. But won't it use AES-NI anyway if the latter option is selected?
FreeBSD will look for the Crypto-Device which is not existent and will not fall back to AES-NI CPU based.
Also, in the OpenVPN settings you should choose None in the Hardware Acceleration field, correct?
I admit I don't know. Sorry.
Yes this is it. I did all the possible test combinations.
Indeed ONLY AES-NI should be selected
-
Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS, openssl, and hence openvpn, should use aes-ni.
Steve
-
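One way to check the state discussed in the posts above on a FreeBSD/pfSense box, as an added example that is not part of any post in this thread: it reads the CPU feature line from the boot log and classifies which crypto kernel modules are loaded, where `aesni+cryptodev` is the combination the post above advises against. The function names and sample input are constructed; the mapping of the GUI options to `aesni.ko` and `cryptodev.ko` is an assumption not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report crypto-acceleration state.

# cpu_has_aesni [DMESG_FILE]: returns 0 if the boot log's CPU feature
# line (Features2=0x...<...>) lists AESNI.
cpu_has_aesni() {
    grep -E '^[[:space:]]*Features2=.*<.*>' "${1:-/var/run/dmesg.boot}" |
        tr '<>,' '\n\n\n' | grep -qx 'AESNI'
}

# crypto_mode: reads `kldstat` output on stdin and prints which of the
# two crypto modules are loaded.
crypto_mode() {
    awk '
        $NF == "aesni.ko"     { aesni = 1 }
        $NF == "cryptodev.ko" { cdev = 1 }
        END {
            if (aesni && cdev) print "aesni+cryptodev"
            else if (aesni)    print "aesni-only"
            else if (cdev)     print "cryptodev-only"
            else               print "none"
        }'
}

# Constructed sample input (not captured from a real box).
SAMPLE_FEATURES='  Features2=0x3ed8220b<SSE3,PCLMULQDQ,MON,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C>'
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1    8 0xffffffff80200000  2ea5b28 kernel
 2    1 0xffffffff83221000     7ec0 aesni.ko
 3    1 0xffffffff83229000     1fc8 cryptodev.ko'

# Usage on the box itself:
#   cpu_has_aesni && echo "CPU advertises AES-NI"
#   kldstat | crypto_mode
```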
@stephenw10 said in PC Engines apu2 experiences:
Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS, openssl, and hence openvpn, should use aes-ni.
Steve
So you have to select AES-NI in pfSense and not in OpenVPN, then why is this option (Hardware crypto) present in OpenVPN config within pfSense? Could you please clarify this?
Cheers Qinn
-
I have personally never used that setting. But I have also never had a device with a specifically supported hardware crypto device which is where I would expect it to apply.
In testing I did when we went to OpenVPN 2.4 it was better to leave that set to None in every case.
Steve
-
@stephenw10 kudos for clearing that one up!
-
@stephenw10 said in PC Engines apu2 experiences:
But I have also never had a device with a specifically supported hardware crypto device which ...
Don't want to crush this topic (and can't PM you) but lemme ask how far crypto in the SG-1100 has come? Last thing I know is that HW is present and waits for the software to follow. Anything changed in this regard?