Re: Relative Firewall Performance: 3.7 and 4.0
How 'bout the Commell EMB-564VG then, as an alternative to Soekris? I've seen a few postings that seem to show high regard.

Bill

On Feb 24, 2007, at 3:49, Stuart Henderson wrote:

> On 2007/02/23 18:58, William Bloom wrote:
>> Hmm, I'm rereading the product description for the Soekris lan1621, which would go into my 4801's PCI slot and give me 2 enet ports. It claims 'High performance PCI busmaster interface with large buffers and interrupt holdoff'. Would you have higher hopes for this than the on-board enet ports?
>
> No, sorry. lan1621 and onboard use the same chip.
>
>> Do you know whether the OpenBSD 4.0 sis driver would support the interrupt holdoff feature?
>
> You can modify it to fairly easily, but I didn't find it helping very much and it increases latency a bit when traffic is low.
>
>> Has anyone on this list actually tried a lan1621 on a Soekris 4801 in an effort to boost performance, and were you satisfied with the results?
>
> Not 1621, but using a half-decent gig nic doesn't improve performance, I doubt it would help very much. (mind you the gig nic is designed for a standard system and is unlikely to do very much interrupt mitigation at such low traffic levels as max out the Geode cpu so there may be some tuning that could be done, nothing one-size-fits-all though).
>
> I think if you have sufficient traffic that this is a problem, you could really do with something faster to leave yourself some headroom to cater for 'unusual' situations (worm activity, etc) too. There are quite a few single-board computers to choose from that might be suitable.

--
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com
Relative Firewall Performance: 3.7 and 4.0
I recently upgraded a Soekris 4801 firewall from OpenBSD 3.7 to 4.0. The configuration for firewalling (pf.conf) is unchanged. On 3.7, at peak throughput I normally saw maybe 65% - 76% interrupt mode and little or no congestion. However, on 4.0 with similar traffic levels I see 85% - 95% interrupt mode and the congestion counter increments fairly rapidly.

Of course, one cannot expect best performance from a Soekris due to the Ethernet chipsets, but it was -adequate- on 3.7.

I've spent a little time googling for any observations on a difference in performance between 3.7 and 4.0 and have found nothing useful so far. Have other list members had this experience or know of anyone else who has? If so, has anyone had any favorable performance tuning experiences that might help me out?

So far, the only tuning change I've made for 4.0 was to increase net.inet.ip.ifq.maxlen from 50 to 150, but this appears to have had negligible impact.

Bill

--
William Bloom | Snr Systems Engineer | M P H A S I S Architecting Value | MphasiS Healthcare Solutions
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com
Re: Relative Firewall Performance: 3.7 and 4.0
On 2007/02/23 16:27, William Bloom wrote:

> I recently upgraded a Soekris 4801 firewall from OpenBSD 3.7 to 4.0. The configuration for firewalling (pf.conf) is unchanged. On 3.7, at peak throughput I normally saw maybe 65% - 76% interrupt mode and little or no congestion. However, on 4.0 with similar traffic levels I see 85% - 95% interrupt mode and the congestion counter increments fairly rapidly.

you might get a small improvement if you optimize the pf ruleset.

> Of course, one cannot expect best performance from a Soekris due to the Ethernet chipsets, but it was -adequate- on 3.7.

ethernet chipsets make little difference, plug an em(4) in and you'll see pretty much the same. it's the PCI controller (or lack thereof) that's the problem. fwiw, WRAP manage about a 1/3 more throughput from a similar processor, but I'm not quite sure how.