[Soekris] Firewall benchmarks?

Tue Nov 5 08:51:30 UTC 2002

Guillaume Filion [gfk at logidac.com] wrote:
> Hi all,
> 
> I'm interested in making a firewall-router with OpenBSD/pf on the 
> net4501. But I'm affraid that a 486 class processor won't be able to 
> do much processing while switching/routing three 100 Mbps ports.
> 

Yeah.  If you are running in a demanding environment with heavy loads
of traffic (in terms of packets per second, not just megabits per second),
this isn't the box for you.  

> The paper "Design and Performance of the OpenBSD Stateful Packet 
> Filter" (http://www.benzedrine.cx/pf-paper.html) says that when using 
> a Pentium 166 MHz with 64 MB RAM (similar to the net4501), pf max out 
> at about 3500-4000 packets/sec (100 rules config, stateless, see 
> figures 5 and 9). If we suppose that each packet is 1500 bytes long 
> (Ethernet MTU), 4000 packets/sec gives us 48 Mbps. That's not bad, 
> but we're far from 3x100 Mbps...
> 

The AMD Elan is clearly a 486-class chip from the software's point of view,
not a Pentium... 

IIRC, FreeBSD claims to max 70-100Mbps forwarding between two ports on the
Soekris, with full sized packets (and no filtering).  Real world performance
with OpenBSD is probably closer to half of that, because the kernel does not
implement a polled driver like FreeBSD does (so interrupt time takes a 
significant amount of CPU resources) and it also does not implement a more
efficient route lookup table. I think people will solve the software problems
with OpenBSD as time permits, by the time most users (ones who are working well
today) need to worry about interrupt time or route lookup time, the kernel will
be enhanced. 

I would imagine that as you add firewall rules, the performance of both
operating systems starts to become very comparable.  OpenBSD's packet filter
code is definitely fast, especially when you are using states. The net4501
obviously isn't the device to use in high traffic environments, because the
hardware itself has limitations in the processor and PCI implementation.  
As far as I can tell, the only way you can ever reach 100Mbps between two
ports is with a relatively low packet-per-second count and full-sized packets.

Just because the Soekris ports can connect to 100Mbps networks does
not mean the hardware was ever intended to route traffic between all
of them with the networks at consistently high levels of utilization!!
The to-be-released Soekris models look like they will be closer to
what you are expecting.

> I'm pretty sure that some people reading this mailing list use the 
> net4501 as a firewall, what troughput do you get?
> 

"It varies" heavily depending on your setup, including choice of operating
system, protocols, and features.  If you search the list, some people have
given bits and pieces about their setups and the speeds they have gotten.

> BTW, in the manual section 3.2 (page 6): "The net4501 dops not have 
> any video", I guess it's a typo.
> 

No, that's one of the things that makes the Soekris unique for 
inexpensive, production embedded hardware.  All it has is a serial port.
I think this is what makes the hardware elegant, features like this,
it is extremely useful for me.  No fans, compactflash, serial console bios, 
just put it in a closet and forget about it for a few years.  This
is why I buy this box rather than a more desktop-PCish "embedded" device
with a faster CPU and bus.  (I don't need the faster CPU at edge locations
with 1.5Mbps and 3Mbps connections, I hardly even warm up the AMD Elan CPU
over here!!)

-c