Re: [leaf-user] Sanity Check

2011-07-23 Thread Martin Hejl
Hi Charles and Andrew,

thank you for the feedback - sounds very promising.
Yet another reason to upgrade all of my remaining boxes

Thanks
Martin

On 21.07.2011 23:00, Charles Steinkuehler wrote:

 I concur.

 The 2.6 kernel includes a lot of TCP/IP optimizations that reduce memory
 copies when using newer hardware (and take advantage of multiple CPUs,
 but that's probably not what's helping in your case! :).

 The Via 6105m chipset on the Alix boards is mid-class hardware.  It has
 bus-mastering DMA with limitations, and some hardware off-load that the
 2.4 kernel probably wasn't using.

 With a 2.6 kernel on an Intel GigE chipset, you're likely seeing lots
 less memcopies (if not full zero-copy up and down through the IP stack),
 which cuts the CPU load pretty dramatically.  Typical embedded CPUs
 generally don't have high performance memory interfaces (lower speed and
 narrower bus than on general purpose CPUs), meaning a memcopy is even
 worse on most single board systems than on a 'typical' desktop PC.

 The only time I notice network related CPU load on my firewall is when
 I'm pushing lots of data through my IPSec tunnel.  :)

 On 7/21/2011 3:40 PM, Andrew wrote:
 Hi.
 I use LEAF on our border routers. I didn't use 3.x in such conditions,
 so I can't tell about relative speed-up.
 Border for world channel is AMD Phenom II x6, with 2x i82576 cards - it
 shows up to 10% CPU load on ~ 500/500Mbit traffic, with firewall, some
 NAT (for some clients that haven't white IPs) and near 70kpps in/out.
 On district routers which takes a bit smaller traffic (near 200Mbit) CPU
 load was less than 1-2% - with firewalling (with average 30-40 rules per
 packet). PCs are much weaker - pentium E2180, i82576 NIC. Same PCs with
 different NICs on 3.1 distro were loaded by 20-30% at comparable rates.
 2.6 kernel works better with new hardware and uses more hardware
 features (for ex., MSI/MSI-X), so it is reasonable that it has better
 performance.

 On 21.07.2011 22:46, Martin Hejl wrote:
 Hi everybody,

 just to get some feedback, before I go on a wild goose chase:

 we're running LEAF Bering-uClibc 4.0.1 as a firewall on a 100 Mbit
 downstream/6 MBit upstream link. It's basically an out of the box setup,
 with only a couple of additional shorewall rules (a couple of ports
 being forwarded to different computers in the DMZ, that's pretty much all).

 For the firewall, we're using a box with an Atom™ D510 Dual Core (1M
 Cache, 1.66 GHz) - the exact model we're using is this:

 http://www.nexcom.com/Products/network-and-communication-solutions/desktop-appliance/desktop-appliance/communication-gateway-dna-1110

 (cute little box, even though it costs a bit more than an Alix box - but
 having a VGA and keyboard port makes the setup a lot easier).

 So, now for my sanity check: we managed to find some sites that could
 actually saturate our link doing downloads, and while doing that, top
 showed between 0% and 1% of CPU utilization. To me, that sounds somewhat
 unlikely, unless the 2.6 kernel is _much_ more efficient at
 routing/firewalling than the 2.4 kernel ever was.

 So, before we start hunting for an issue that's not actually there -
 does anybody have any experience running LEAF Bering-uClibc 4.0.1 on a
 relatively high speed link, and has a chance to compare that to Bering
 uClibc 3.x? I _know_ that with 3.x, a download at 3+ megabytes per
 second pretty much max'd out the CPU of my Alix box at home, but trying
 it right now (running Bering uClibc 4.0), I'm getting this from top:

 CPU:  0.1% usr  0.3% sys  0.0% nic 98.8% idle  0.0% io  0.0% irq  0.5% sirq

 (while Firefox is telling me it's downloading at 2.9 to 3.1 Megabytes/s).

 Is the 2.6 kernel _that_ much more efficient, or is there an issue with
 what top shows?

 I'm puzzled...

 Martin


 --
 leaf-user mailing list: leaf-user@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/leaf-user
 Support Request -- http://leaf-project.org/


 - --
 Charles Steinkuehler
 char...@steinkuehler.net

[leaf-user] Sanity Check

2011-07-21 Thread Martin Hejl
Hi everybody,

just to get some feedback, before I go on a wild goose chase:

we're running LEAF Bering-uClibc 4.0.1 as a firewall on a 100 Mbit 
downstream/6 MBit upstream link. It's basically an out of the box setup, 
with only a couple of additional shorewall rules (a couple of ports 
being forwarded to different computers in the DMZ, that's pretty much all).

For the firewall, we're using a box with an Atom™ D510 Dual Core (1M 
Cache, 1.66 GHz) - the exact model we're using is this:

http://www.nexcom.com/Products/network-and-communication-solutions/desktop-appliance/desktop-appliance/communication-gateway-dna-1110

(cute little box, even though it costs a bit more than an Alix box - but 
having a VGA and keyboard port makes the setup a lot easier).

So, now for my sanity check: we managed to find some sites that could 
actually saturate our link doing downloads, and while doing that, top 
showed between 0% and 1% of CPU utilization. To me, that sounds somewhat 
unlikely, unless the 2.6 kernel is _much_ more efficient at
routing/firewalling than the 2.4 kernel ever was.

So, before we start hunting for an issue that's not actually there - 
does anybody have any experience running LEAF Bering-uClibc 4.0.1 on a 
relatively high speed link, and has a chance to compare that to Bering 
uClibc 3.x? I _know_ that with 3.x, a download at 3+ megabytes per 
second pretty much max'd out the CPU of my Alix box at home, but trying 
it right now (running Bering uClibc 4.0), I'm getting this from top:

CPU:  0.1% usr  0.3% sys  0.0% nic 98.8% idle  0.0% io  0.0% irq  0.5% sirq

(while Firefox is telling me it's downloading at 2.9 to 3.1 Megabytes/s).

Is the 2.6 kernel _that_ much more efficient, or is there an issue with
what top shows?

I'm puzzled...

Martin
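
A way to cross-check the top line quoted in this message, as an added example that is not part of the original post: on a box that only forwards packets, the work is done mainly in interrupt and softirq context, so it appears under irq/sirq rather than usr/sys. The script computes the same breakdown from two samples of the aggregate `cpu` line in /proc/stat; the sample lines are constructed and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): CPU shares between two /proc/stat samples.
# Aggregate line on Linux 2.6+: cpu user nice system idle iowait irq softirq ...
# Fields after softirq (steal, guest) are ignored here.

# cpu_delta SAMPLE1 SAMPLE2
# Prints the share of elapsed jiffies per field, using busybox top's labels.
cpu_delta() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        $1 == "cpu" { n++; for (i = 2; i <= 8; i++) v[n, i] = $i }
        END {
            if (n != 2) { print "error: need two cpu lines"; exit 1 }
            split("usr nic sys idle io irq sirq", name, " ")
            for (i = 2; i <= 8; i++) { d[i] = v[2, i] - v[1, i]; total += d[i] }
            if (total <= 0) { print "error: no jiffies elapsed"; exit 1 }
            sep = ""
            for (i = 2; i <= 8; i++) {
                printf "%s%s=%.1f", sep, name[i - 1], 100 * d[i] / total
                sep = " "
            }
            printf "\n"
        }'
}

# interrupt_share SAMPLE1 SAMPLE2
# Prints irq + sirq as one percentage: the time spent in hard and soft
# interrupt handlers, which is where routed and firewalled packets are processed.
interrupt_share() {
    cpu_delta "$1" "$2" | awk '{
        for (i = 1; i <= NF; i++) { split($i, kv, "="); if (kv[1] ~ /^s?irq$/) s += kv[2] }
        printf "%.1f\n", s
    }'
}

# Constructed samples, 1000 jiffies apart. QUIET_* resembles the top line above;
# BUSY_* is what a forwarder saturated in softirq would look like.
QUIET_A="cpu 1000 0 3000 900000 50 10 5000 0"
QUIET_B="cpu 1001 0 3003 900991 50 10 5005 0"
BUSY_A="cpu 1000 0 3000 900000 50 10 5000 0"
BUSY_B="cpu 1010 0 3040 900100 50 30 5830 0"

# "sh script live 5" samples the running system 5 seconds apart.
if [ "${1:-}" = "live" ]; then
    a=$(grep '^cpu ' /proc/stat); sleep "${2:-5}"; b=$(grep '^cpu ' /proc/stat)
    cpu_delta "$a" "$b"; interrupt_share "$a" "$b"
else
    cpu_delta "$QUIET_A" "$QUIET_B"
    cpu_delta "$BUSY_A" "$BUSY_B"
fi
```

If a saturated link still yields a small irq+sirq share in live mode, top is reporting correctly and the CPU really is idle.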



Re: [leaf-user] Sanity Check

2011-07-21 Thread Andrew
Hi.
I use LEAF on our border routers. I didn't use 3.x in such conditions, 
so I can't tell about relative speed-up.
Border for world channel is AMD Phenom II x6, with 2x i82576 cards - it 
shows up to 10% CPU load on ~ 500/500Mbit traffic, with firewall, some 
NAT (for some clients that haven't white IPs) and near 70kpps in/out.
On district routers which takes a bit smaller traffic (near 200Mbit) CPU 
load was less than 1-2% - with firewalling (with average 30-40 rules per 
packet). PCs are much weaker - pentium E2180, i82576 NIC. Same PCs with 
different NICs on 3.1 distro were loaded by 20-30% at comparable rates.
2.6 kernel works better with new hardware and uses more hardware 
features (for ex., MSI/MSI-X), so it is reasonable that it has better 
performance.

On 21.07.2011 22:46, Martin Hejl wrote:
 Hi everybody,

 just to get some feedback, before I go on a wild goose chase:

 we're running LEAF Bering-uClibc 4.0.1 as a firewall on a 100 Mbit
 downstream/6 MBit upstream link. It's basically an out of the box setup,
 with only a couple of additional shorewall rules (a couple of ports
 being forwarded to different computers in the DMZ, that's pretty much all).

 For the firewall, we're using a box with an Atom™ D510 Dual Core (1M
 Cache, 1.66 GHz) - the exact model we're using is this:

 http://www.nexcom.com/Products/network-and-communication-solutions/desktop-appliance/desktop-appliance/communication-gateway-dna-1110

 (cute little box, even though it costs a bit more than an Alix box - but
 having a VGA and keyboard port makes the setup a lot easier).

 So, now for my sanity check: we managed to find some sites that could
 actually saturate our link doing downloads, and while doing that, top
 showed between 0% and 1% of CPU utilization. To me, that sounds somewhat
 unlikely, unless the 2.6 kernel is _much_ more efficient at
 routing/firewalling than the 2.4 kernel ever was.

 So, before we start hunting for an issue that's not actually there -
 does anybody have any experience running LEAF Bering-uClibc 4.0.1 on a
 relatively high speed link, and has a chance to compare that to Bering
 uClibc 3.x? I _know_ that with 3.x, a download at 3+ megabytes per
 second pretty much max'd out the CPU of my Alix box at home, but trying
 it right now (running Bering uClibc 4.0), I'm getting this from top:

 CPU:  0.1% usr  0.3% sys  0.0% nic 98.8% idle  0.0% io  0.0% irq  0.5% sirq

 (while Firefox is telling me it's downloading at 2.9 to 3.1 Megabytes/s).

 Is the 2.6 kernel _that_ much more efficient, or is there an issue with
 what top shows?

 I'm puzzled...

 Martin




Re: [leaf-user] Sanity Check

2011-07-21 Thread Charles Steinkuehler

I concur.

The 2.6 kernel includes a lot of TCP/IP optimizations that reduce memory
copies when using newer hardware (and take advantage of multiple CPUs,
but that's probably not what's helping in your case! :).

The Via 6105m chipset on the Alix boards is mid-class hardware.  It has
bus-mastering DMA with limitations, and some hardware off-load that the
2.4 kernel probably wasn't using.

With a 2.6 kernel on an Intel GigE chipset, you're likely seeing lots
less memcopies (if not full zero-copy up and down through the IP stack),
which cuts the CPU load pretty dramatically.  Typical embedded CPUs
generally don't have high performance memory interfaces (lower speed and
narrower bus than on general purpose CPUs), meaning a memcopy is even
worse on most single board systems than on a 'typical' desktop PC.

The only time I notice network related CPU load on my firewall is when
I'm pushing lots of data through my IPSec tunnel.  :)

On 7/21/2011 3:40 PM, Andrew wrote:
 Hi.
 I use LEAF on our border routers. I didn't use 3.x in such conditions, 
 so I can't tell about relative speed-up.
 Border for world channel is AMD Phenom II x6, with 2x i82576 cards - it 
 shows up to 10% CPU load on ~ 500/500Mbit traffic, with firewall, some 
 NAT (for some clients that haven't white IPs) and near 70kpps in/out.
 On district routers which takes a bit smaller traffic (near 200Mbit) CPU 
 load was less than 1-2% - with firewalling (with average 30-40 rules per 
 packet). PCs are much weaker - pentium E2180, i82576 NIC. Same PCs with 
 different NICs on 3.1 distro were loaded by 20-30% at comparable rates.
 2.6 kernel works better with new hardware and uses more hardware 
 features (for ex., MSI/MSI-X), so it is reasonable that it has better 
 performance.
 
 On 21.07.2011 22:46, Martin Hejl wrote:
 Hi everybody,

 just to get some feedback, before I go on a wild goose chase:

 we're running LEAF Bering-uClibc 4.0.1 as a firewall on a 100 Mbit
 downstream/6 MBit upstream link. It's basically an out of the box setup,
 with only a couple of additional shorewall rules (a couple of ports
 being forwarded to different computers in the DMZ, that's pretty much all).

 For the firewall, we're using a box with an Atom™ D510 Dual Core (1M
 Cache, 1.66 GHz) - the exact model we're using is this:

 http://www.nexcom.com/Products/network-and-communication-solutions/desktop-appliance/desktop-appliance/communication-gateway-dna-1110

 (cute little box, even though it costs a bit more than an Alix box - but
 having a VGA and keyboard port makes the setup a lot easier).

 So, now for my sanity check: we managed to find some sites that could
 actually saturate our link doing downloads, and while doing that, top
 showed between 0% and 1% of CPU utilization. To me, that sounds somewhat
 unlikely, unless the 2.6 kernel is _much_ more efficient at
 routing/firewalling than the 2.4 kernel ever was.

 So, before we start hunting for an issue that's not actually there -
 does anybody have any experience running LEAF Bering-uClibc 4.0.1 on a
 relatively high speed link, and has a chance to compare that to Bering
 uClibc 3.x? I _know_ that with 3.x, a download at 3+ megabytes per
 second pretty much max'd out the CPU of my Alix box at home, but trying
 it right now (running Bering uClibc 4.0), I'm getting this from top:

 CPU:  0.1% usr  0.3% sys  0.0% nic 98.8% idle  0.0% io  0.0% irq  0.5% sirq

 (while Firefox is telling me it's downloading at 2.9 to 3.1 Megabytes/s).

 Is the 2.6 kernel _that_ much more efficient, or is there an issue with
 what top shows?

 I'm puzzled...

 Martin
 
 


- -- 
Charles Steinkuehler
char...@steinkuehler.net