On 02/18/15 17:30, ML mail wrote:
> Hi,
>
> Stupid question but if you would have to choose between two different
> Intel CPUs for an OpenBSD firewall using 4 to 6 Intel NICs with all
> /24 networks behind and around 50-60 Mbit/s average traffic would you
> rather choose the CPU with higher Frequency and less cores or for a
> CPU with lower frequency but more cores?
...
Actually, I'd ask more useful questions.
Realistically, most modern "fast" CPUs (let's leave out "special cases" like the Intel Atom, though even that might do it for you) will do the job just fine.

> Or asked differently, which are the important criteria to look at
> first for a CPU intended to be used in an OpenBSD firewall?

Discussing the merits of a CPU that's 95% idle vs. one that's 90% idle really misses a few points. If I were looking for a box, I'd look at more important issues:
(in no particular order.  And your criteria WILL differ from mine)
* How fast a machine boots.
* Availability of repair and upgrade parts
* Low cost, so I can get a second machine and CARP 'em together.
* General usability of the system and support by OpenBSD
* Good bus structure for application
* Well-supported NICs
* Power consumption.
* Quiet
* Simple

The last one probably deserves comment (and should probably be ranked at the top of my list): Simple wins out in reliability over complex. For a firewall, I'd rather have two non-RAIDed systems in a CARP setup over one machine with multiple power supplies, RAID controllers and other fluff that really does nothing for you IN THIS APPLICATION. If something takes your firewall down, you will lose more packets waiting for a "super server" to do its Power-on Self-test than you will because your processor is not the latest and greatest or theoretical "best". I'd rather a couple few-year-old desktops that can reboot in 60 seconds over a super-server that spends two minutes showing you the wonderful RAID controller you don't care about.

Yes, OpenBSD's filtering and packet moving system uses only one processor, so if you are pushing the limits, you will want more power-per-core over more cores, but you probably won't be pushing the limits. You will have N-1 cores all but completely idle, and one that is not very busy. On-board cache could matter too, but again, all it will do in your case is reduce the load on the CPU even more, but it won't pump any more packets.

Nick.
