AFAIK, the OpenBSD kernel is not designed to account for any form of virtualization toy, so don't even try figuring performance numbers out of it. These will be plain wrong.

As http://www.openbsd.org/faq/faq6.html states, there's little you can tweak to improve your numbers; just get a nice-clocked, good cache-sized CPU and give it some loving.

If OBSD doesn't satisfy you as is, recode it or stay apart, as you like.

Good luck!

On 22/08/2011 2:03, Per-Olov Sjvholm wrote:
Hi "Misc"

# Background #

I have done some fun laborations with a virtual fully patched OpenBSD 4.9
firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The Virtual
OpenBSD got 512MB RAM and one core from a system with two quadcore Xeon 5504
(2Ghz) sitting in a Dell T410 Tower Server. I have given the OpenBSD FW 2
dedicated "Intel PRO/1000 MT (82574L)" physical nic:s via PCI passthrough. So
OpenBSD sees and uses the real nic:s (they are then unusable to Linux as they
are unbound).

I have not measured packets per second which of course is more relevant. But
as I try to tweak the speed I don't care if I measure packets or Mbits as long
as my tweaks give a higher value during the next test. Going in on one
physical nic and out on the other with my small ruleset that uses keep state
everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
(I copy large files, a few Gig each). I started with a lower value and after a
few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
I can see that the interrupts in the firewall simply eat all resources. Have
no "ip.ifq.drops" or any other drops that I am aware of...


# Question #

I now simply wonder if I can increase this speed.... I did one test and
replaced these two physical desktop Intel Nics with a dual port server adapter
(also Intel, 82546GB). I was interested to see if a dual port, more expensive,
server adapter could lower my interrupt load. However... OpenBSD yelled
something about "unable to reset PCI device". So I went back to these two
desktop adapters. These low price desktop adapters however in an Intel i7
desktop workstation download over SMB from my server at 119 Mbyte/s and fill
up the Gig pipe. So they cannot be too bad...


As PF cannot use SMP, is the only way to bump up the firewall throughput (in
this scenario) to increase the speed of the processor core (i.e change
server)? Or are there any other interesting configs to try ?


Regards

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key:
http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4
