On 22 aug 2011, at 12:09, Daniel Gracia wrote: > AFAIK, OpenBSD kernel is not designed accounting for any form of virtualization toy, so don't even try figuring performance numbers out of it. These will be plain wrong. > > As http://www.openbsd.org/faq/faq6.html states, there's little you can tweak to improve your numbers; just get a nice-clocked, good cache-sized CPU and give it some loving. > > If OBSD doesn't satisfies you as is, recode it or stay appart, as you like. > > Good luck! > > El 22/08/2011 2:03, Per-Olov Sjvholm escribis: >> Hi "Misc" >> >> # Background # >> >> I have done som fun laborations with a virtual fully patched OpenBSD 4.9 >> firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The Virtual >> OpenBSD got 512MB RAM and one core from a system with two quadcore Xeon 5504 >> (2Ghz) sitting in a Dell T410 Tower Server. I have given the OpenBSD FW 2 >> dedicated "Intel PRO/1000 MT (82574L)" physical nic:s via PCI passthorugh. So >> OpenBSD sees and uses the real nic:s (they are then unusable to Linux as they >> are unbound). >> >> I have not measured packets per second which of course is more relevant. But >> as I try to tweak the speed I don't care if I measure packets or Mbits as long >> as my tweaks give a higher value during the next test. Going in on one >> physcial nic and out on the other with my small ruleset that uses keep state >> everywhere give me about 400 Mbit. AFP, SMB, SCP or NFS give similar results >> (I copy large files, a few Gig each). I started with a lower value and after a >> few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed >> I can see that the interrupts in the firewall simply eat all resources. Have >> no "ip.ifq.drops" or any other drops that I am aware of... >> >> >> # Question # >> >> I now simply wonder if I can increase this speed.... I did one test and >> replaced these two physical desktop Intel Nics with a dual port server adapter >> (also Intel, 82546GB). I was interested to see if a dual port, more expensive, >> server adapter could lower my interrupt load. However... OpenBSD yelled >> something about "unable to reset PCI device". So I went back to these two >> desktop adapters. These low price dektop adapters however in a intel i7 >> desktop workstation download over SMB from my server at 119 Mbyte/s and fill >> up the Gig pipe. So they cannot be to bad... >> >> >> As PF cannot use SMP, is the only way to bump up the firewall throughput (in >> this scenario) to increase the speed of the processor core (i.e change >> server)? Or are there any other interesting configs to try ? >> >> >> Regards >> >> /Per-Olov >> -- >> GPG keyID: 5231C0C4 >> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4 >> GPG key: >> http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4 >
> AFAIK, OpenBSD kernel is not designed accounting for any form of virtualization toy, so don't even try figuring performance numbers out of it. These will be plain wrong. Why is that? The speed so far seems good enough for a virtual fw with this 2Ghz CPU core. No matter if you use a virtual of physical server, you always want to get the most out of it. I do NOT compare with a physical server at all. I want to try to maximize the throughput and se what I can get out of it as a virtual FW test. The same applies if you use a physical server. You can hit the limit and get 100% interrupts with both a physical and virtual server, right? I didn't ask for a comparison with a physical server... I asked what I can do more with it under these circumstances... > As http://www.openbsd.org/faq/faq6.html states, there's little you can tweak to improve your numbers; just get a nice-clocked, good cache-sized CPU and give it some loving. The FAQ you refer to seems to be of no use at all and is totally unrelated to this post. But if you can give hints of how to decrease the interrupt load I am all ears. As I see it, if the interrupt handling model i OpenBSD would change to a polling one u could maybe increase the throughput at the same processor speed (just me guessing though). But now the fact is that it is not polling. So what can I do with what we have.... Is pure cpu speed the only way? Or is it possible to decrease the interrupt load with even better NIC:s? Regards /Per-Olov
