Netgate Discussion Forum

    PC Engines apu2 experiences

    • stephenw10 Netgate Administrator @dugeem

      @dugeem Ah, true! That was referring to the original APU, my mistake.

      • Veldkornet

        Is anyone using the CoDel / FQ_CoDel Traffic Shaping on the APU2?

        Working well? Any problems?

        • cwagz @Veldkornet

          @Veldkornet said in PC Engines apu2 experiences:

          Is anyone using the CoDel / FQ_CoDel Traffic Shaping on the APU2?

          Working well? Any problems?

          I have an APU2 box at work to provide a separate network for personal devices. It is set up with the FQ_CoDel limiter / floating rules method described towards the end of the Playing with FQ-CoDel Thread. It has been rock solid and seems to provide equal bandwidth sharing for the 30 - 50 devices connected each day and 16 - 20 GB of traffic that is passed on our 150/150 FiOS link.

          Netgate 6100 MAX

          • daemonix @Veldkornet

            @Veldkornet said in PC Engines apu2 experiences:

            @qinn SSH into it and install flashrom. No need to boot from USB etc.

            pkg install flashrom

            Upload the firmware to /tmp with scp and run:
            flashrom -w /tmp/apu2_v4.9.0.2.rom -p internal:boardmismatch=force

            Shutdown pfSense, pull the power for 10 seconds, then boot up.

            I still run the original (legacy) bios that came with my apu2c4 almost 2 years ago?! (maybe 1 year, I can't remember). I also run the latest stable pfsense.

            Anything I need to do (regarding settings or something else) before flashing from the pfsense itself?
            Thanks

            • Qinn @daemonix

              @daemonix Nope, just install the flashrom like above, then download the latest Mainline from here

              https://pcengines.github.io/
              

              then flash it and reboot, I have switched from Legacy to Mainline months ago and everything still works fine.

              ...and btw you don't need the force option, this is enough

              flashrom -w /tmp/apu2_v4.9.0.7.rom -p internal
              

              Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
              Firmware: Latest-stable-pfSense CE (amd64)
              Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

              D 3 Replies Last reply Reply Quote 0
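One way to wrap the flashrom step from the post above so that the image is checked against a SHA-256 digest and the running firmware is saved before anything is written. This is an added example, not code from the thread or from PC Engines; the function names, the backup path and the digest value are assumptions the operator supplies.

```shell
#!/bin/sh
# Added example: integrity-checked coreboot update for an apu2 with flashrom.
# The image path, expected digest and backup path are operator-supplied
# placeholders; none of them come from the thread.

# Print the SHA-256 of a file with whichever tool the host provides
# (sha256sum on Linux, sha256 on FreeBSD/pfSense).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Return 0 only if the image exists, is non-empty and matches the digest.
verify_rom() {
    rom=$1; expected=$2
    [ -s "$rom" ] || { echo "missing or empty image: $rom" >&2; return 2; }
    actual=$(file_sha256 "$rom") || return 2
    # Compare case-insensitively; digests are sometimes published in upper case.
    [ "$(printf %s "$actual" | tr 'A-F' 'a-f')" = \
      "$(printf %s "$expected" | tr 'A-F' 'a-f')" ] && return 0
    echo "digest mismatch for $rom: got $actual" >&2
    return 1
}

# Verify the image, read the current flash contents to a backup file,
# then write. flashrom is never invoked if the digest check fails, and
# nothing is written if the backup read fails or produces an empty file.
safe_flash() {
    rom=$1; expected=$2; backup=$3
    verify_rom "$rom" "$expected" || return 1
    flashrom -p internal -r "$backup" || return 1
    [ -s "$backup" ] || return 1
    flashrom -p internal -w "$rom"
}

# Usage on the firewall (digest and backup path are placeholders):
#   safe_flash /tmp/apu2_v4.9.0.7.rom <sha256-of-the-release> /root/apu2_backup.rom
```

Copy the backup file off the box before rebooting, so it is still available if the board has to be recovered with an external programmer.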
              • daemonix @Qinn

                @Qinn said in PC Engines apu2 experiences:

                @daemonix Nope, just install the flashrom like above, then download the latest Mainline from here

                https://pcengines.github.io/
                

                then flash it and reboot, I have switched from Legacy to Mainline months ago and everything still works fine.

                ...and btw you don't need the force option, this is enough

                flashrom -w /tmp/apu2_v4.9.0.7.rom -p internal
                

                Thanks a lot for the quick reply!
                I'll do it later in the evening and hopefully I'll have internet after the reboot heheheh

                  • daemonix @Qinn

                    @Qinn said in PC Engines apu2 experiences:

                    @daemonix Nope, just install the flashrom like above, then download the latest Mainline from here

                    https://pcengines.github.io/
                    

                    then flash it and reboot, I have switched from Legacy to Mainline months ago and everything still works fine.

                    ...and btw you don't need the force option, this is enough

                    flashrom -w /tmp/apu2_v4.9.0.7.rom -p internal
                    

                    Done without a problem!
                    I had a serial link to it so I did it from there so I can see the boot sequence.

                    Now that I have time to experiment a bit.
                    What is the recommended combination of settings that favours performance on an OpenVPN server nowadays?

                    BSD crypto ON/OFF? CBC/GCM algo? etc..
                    I get 40mbit on the apu2 hosted server.

                    • fireodo @daemonix

                      @daemonix said in PC Engines apu2 experiences:

                      BSD crypto ON/OFF? CBC/GCM algo? etc..
                      I get 40mbit on the apu2 hosted server.

                      From my knowledge for the APU2-Board the settings should be AES-NI (in CPU).

                      Regards,
                      fireodo

                      Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
                      SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
                      pfsense 2.8.0 CE
                      Packages: Apcupsd Cron Iftop Iperf LCDproc Nmap pfBlockerNG RRD_Summary Shellcmd Snort Speedtest System_Patches.

                      • Qinn

                        I agree, try AES-NI (in CPU). Read this please, especially the reply from "jimp": https://forum.netgate.com/topic/114212/aes-ni-cryptodev-openvpn-help-a-n00b-understand/16

                        The setting is in:

                        System/Advanced/Miscellaneous
                        

                        try it and see how it performs.

                        • daemonix

                          fast-io
                          sndbuf 524288
                          rcvbuf 524288

                          Added this, changed my PIA client to GCM (my server was already GCM), and I already had just the hardware acceleration only...
                          Gone from 45-ish mbit to 70-70mbit in both PIA and my server!!!

                          • kevindd992002

                            @Qinn said in PC Engines apu2 experiences:

                            https://pcengines.github.io/

                            Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused about what the difference between those two is.

                            • fireodo @kevindd992002

                              @kevindd992002 said in PC Engines apu2 experiences:

                              Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused about what the difference between those two is.

                              Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO

                              • kevindd992002 @fireodo

                                @fireodo said in PC Engines apu2 experiences:

                                @kevindd992002 said in PC Engines apu2 experiences:

                                Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused about what the difference between those two is.

                                Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO

                                I see. But won't it use AES-NI anyway if the latter option is selected?

                                Also, in the OpenVPN settings you should choose None in the Hardware Acceleration field, correct?

                                • fireodo @kevindd992002

                                  @kevindd992002 said in PC Engines apu2 experiences:

                                  I see. But won't it use AES-NI anyway if the latter option is selected?

                                  FreeBSD will look for the Crypto-Device which is not existent and will not fall back to AES-NI CPU based.

                                  Also, in the OpenVPN settings you should choose None in the Hardware Acceleration field, correct?

                                  I admit I don't know. Sorry.

                                  • daemonix @fireodo

                                    @fireodo said in PC Engines apu2 experiences:

                                    @kevindd992002 said in PC Engines apu2 experiences:

                                    I see. But won't it use AES-NI anyway if the latter option is selected?

                                    FreeBSD will look for the Crypto-Device which is not existent and will not fall back to AES-NI CPU based.

                                    Also, in the OpenVPN settings you should choose None in the Hardware Acceleration field, correct?

                                    I admit I don't know. Sorry.

                                    Yes this is it. I did all the possible test combinations.
                                    Indeed ONLY AES-NI should be selected

                                    • stephenw10 Netgate Administrator

                                      Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS, openssl, and hence openvpn, should use aes-ni.

                                      Steve

                                      • Qinn @stephenw10

                                        @stephenw10 said in PC Engines apu2 experiences:

                                        Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS, openssl, and hence openvpn, should use aes-ni.

                                        Steve

                                        So you have to select AES-NI in pfSense and not in OpenVPN, then why is this option (Hardware crypto) present in OpenVPN config within pfSense? Could you please clarify this?

                                        Cheers Qinn

                                        • stephenw10 Netgate Administrator

                                          I have personally never used that setting. But I have also never had a device with a specifically supported hardware crypto device which is where I would expect it to apply.
                                          In testing I did when we went to OpenVPN 2.4 it was better to leave that set to None in every case.

                                          Steve

                                          • Qinn @stephenw10

                                            @stephenw10 kudos for clearing that one up!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.