[Soekris] net4801 bridging firewalls benchmarks results

Giovanni Faglioni giovanni.faglioni at gmail.com
Sat Oct 8 16:34:03 UTC 2005

Hi everyone.

We have just completed a series of benchmarks
that we think may be of interest to this list.

We tested the capability of forwarding L2 traffic
while filtering at L3 (+) on several net4801s,
with and without the optional lan1621 and lan1641
boards. The results were not greatly affected by the
presence (or use) of the PCI ethernet vs the internal
ones. (maybe a 10% + or - in the worst cases)

We know this is NOT a very scientific presentation,
(we lack the resources to do a serious paper), but
we'll happily give all the missing information we have
if you ask it politely. :)

We definitely DO NOT WANT to start a religion war on
the merit of each (free/libre/open) OS. If you have different
results than those presented here, we'll gladly hear from

All OS (Except for the 2.4.31 linux kernel) were not
heavily optimized for the task. (we're not _that_
good at hacking the kernel and TCP/IP configs)

OS Tested:
OpenBSD 3.7 (plain, on HD)
FreeBSD 6-BETA4 (ipSense (Packet Filter (PF) on CF)
FreeBSD 4.9 (m0n0wall (ipfilter) on CF)
Linux 2.4.20 (snapgear linux (iptables) on CF)
Linux 2.4.31+Geode patches (iptables) on CF, HD and root over NFS)
Linux 2.6.10+Geode patches (iptables) on CF, HD and root over NFS)

A Desktop P4 PC running CentOS-4.1 and netserver/netperf
(Compaq Evo DL-350)

Two Laptop PC Running Fedora Core 3 and netserver/netperf
(HP nw8000)

Between the Compaq and the Laptop PCs we put the soekris
boards, configured as bridging firewalls.

The results are as follows, considering aggregate throughput.
(with 2 or 3 PCs the results were quite similar, we report the
worst number recorded, but the other was invariably quite close):

                                                                    Throughput   CPU Util
Nothing (Cross-through cable or 3Com switch)                        ~94MiB/sec   N/A
OpenBSD-3.7 (pf) with 0 filtering rules (default policy = accept)   ~32Mib/sec   99% (irq)
FreeBSD 6-BETA4 with 0 filtering rules            "                 ~38Mib/sec   --
Linux 2.4.20 with 0 rules                                           ~40Mib/sec   --
Linux 2.4.31+Geode patches 0 rules                                  ~48Mib/sec   99% (irq)
Linux 2.6.10+Geode patches 0 rules                                  ~28Mib/sec   99% (irq)
FreeBSD 4.9 with 0 ipf rules                                        ~94Mib/sec   ~4% (poller)
FreeBSD 4.9 with 10 ipf rules                                       ~93Mib/sec   ~4%
FreeBSD 4.9 with 260 rules (our complete ruleset)                   ~85Mib/sec   ~8%

Sometimes when we write "0 rules" we mean "a very small number of rules",
like three or four, just to see that the filtering works.

  Happy soekring,


   --Giovanni Faglioni
