Re: Hardware recommendations for compact 1U firewall
On Tue, Jan 10, 2017 at 12:58 PM, Paul Suh wrote:
>> On Dec 16, 2016, at 8:32 PM, Predrag Punosevac wrote:
>>
>> This is my favorite Ebay seller and they have lots of nice network
>> equipment for home, small, and large business.
>>
>> http://stores.ebay.com/MITXPC/
>
> +1 for MITXPC. I've purchased several systems from them over the years and
> they've always been responsive and helpful.
>
> --Paul

I'd do this if it weren't for the fact that shipping their items to Australia costs more than their items themselves...

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Hardware recommendations for compact 1U firewall
> On Dec 16, 2016, at 8:32 PM, Predrag Punosevac wrote:
>
> This is my favorite Ebay seller and they have lots of nice network
> equipment for home, small, and large business.
>
> http://stores.ebay.com/MITXPC/

+1 for MITXPC. I've purchased several systems from them over the years and they've always been responsive and helpful.

--Paul
Re: Hardware recommendations for compact 1U firewall
To answer some of my own questions, and after wise guidance from the list, I have noticed that all our firewall hardware using 'vr' ethernet ports hit a wall somewhere between 65Mbps->69Mbps. This is the case with the Geodes in a net5501 and various VIA x86 CPUs in VIA embedded systems.

I am thinking of replacing the motherboard in my Net5501 system with one of the APU2 systems. If anybody has any experience with these, please feel free to share it. That will keep the price down but probably still about twice the level that I think Aaron is trying to achieve. They use an AMD GX-412TC, 1Ghz quad Jaguar core and have 3*1Gbps ethernet (Intel i210AT) ports. The GX-412TC nominally is about 5 times faster than the Geode LX in the Net5501.

We need something better than the Soekris Net5501/Geode-LX on the end of an (Optus) cable internet link which we know runs at 110Mbps (raw) and on the end of two symmetric fibre links, both 100Mbps, one Optus and one Telstra. For non-Aussies, Optus and Telstra = ISPs. No, not NBN.

Thanks - Damian

Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
Re: Hardware recommendations for compact 1U firewall
On Tue, Jan 10, 2017 at 1:32 AM, Stuart Henderson wrote:
> Aaron Mason wrote:
>> >> Torn between a Barracuda web filter or a Portwell CAR 3000. The latter
>> >> is more expensive but supports 10Gbit, whereas the Barracuda may only
>> >> have 10/100. Both Core2Duo based, could probably upgrade to a
>> >> Core2Quad or a Xeon with a 771->775 adapter.
>
> btw, I found some cheap CAR 3000 (this one says "caswell" rather than
> portwell and is an oem firewall box), so here's a dmesg in case it's of
> interest. sysctl hw follows below.
>
> Handy to have so many ports for £25, but 4x 1u fans (including the one in
> the PSU) make it rather noisy.
Re: Hardware recommendations for compact 1U firewall
Aaron Mason wrote:
> >> Torn between a Barracuda web filter or a Portwell CAR 3000. The latter
> >> is more expensive but supports 10Gbit, whereas the Barracuda may only
> >> have 10/100. Both Core2Duo based, could probably upgrade to a
> >> Core2Quad or a Xeon with a 771->775 adapter.

btw, I found some cheap CAR 3000 (this one says "caswell" rather than
portwell and is an oem firewall box), so here's a dmesg in case it's of
interest. sysctl hw follows below.

Handy to have so many ports for £25, but 4x 1u fans (including the one in
the PSU) make it rather noisy.

OpenBSD 6.0-current (GENERIC.MP) #122: Sun Jan 8 14:53:10 MST 2017
bu...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4242145280 (4045MB)
avail mem = 4108922880 (3918MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfbcb0 (45 entries)
bios0: vendor American Megatrends Inc. version "080015" date 12/22/2010
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB SSDT
acpi0: wakeup devices P0P2(S4) P0P3(S4) P0P1(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz, 2793.39 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LONG,LAHF,PERF,SENSOR
cpu0: 3MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 265MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E7400 @ 2.80GHz, 2793.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,LONG,LAHF,PERF,SENSOR
cpu1: 3MB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 7 (P0P1)
acpiprt2 at acpi0: bus 1 (P0P4)
acpiprt3 at acpi0: bus 2 (P0P5)
acpiprt4 at acpi0: bus 3 (P0P6)
acpiprt5 at acpi0: bus 4 (P0P7)
acpiprt6 at acpi0: bus 5 (P0P8)
acpiprt7 at acpi0: bus 6 (P0P9)
acpicpu0 at acpi0: !C3(100@57 mwait.3@0x30), !C2(500@1 mwait.1@0x10), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: !C3(100@57 mwait.3@0x30), !C2(500@1 mwait.1@0x10), C1(1000@1 mwait.1), PSS
"AWY0001" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0501" at acpi0 not configured
acpibtn0 at acpi0: PWRB
cpu0: Enhanced SpeedStep 2793 MHz: speeds: 2800, 2403, 2136, 1870, 1603 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel G41 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel G41 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xd000, size 0x1000
inteldrm0: msi
inteldrm0: 1024x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:90:fb:39:8c:c4
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01: msi
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:90:fb:39:8c:c5
ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x01: msi
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:90:fb:39:8c:c6
ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x01: msi
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:90:fb:39:8c:c7
ppb4 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: msi
pci5 at ppb4 bus 5
em4 at pci5 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:90:fb:39:8c:c8
ppb5 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: msi
pci6 at ppb5 bus 6
em5 at pci6 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:90:fb:39:8c:c9
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb6 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci7 at ppb6 bus 7
pcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0
Re: Hardware recommendations for compact 1U firewall
On 22.12.2016. 2:17, Predrag Punosevac wrote:
> As promised in one of my earlier e-mails. OpenBSD 6.0 dmesg for
> SYS-5018A-FTN4

thank you ...
Re: Hardware recommendations for compact 1U firewall
Thanks for all of your suggestions, though some may have missed the bit where I said "on a limited budget" :)

Torn between a Barracuda web filter or a Portwell CAR 3000. The latter is more expensive but supports 10Gbit, whereas the Barracuda may only have 10/100. Both Core2Duo based, could probably upgrade to a Core2Quad or a Xeon with a 771->775 adapter.

On Thu, Dec 22, 2016 at 12:17 PM, Predrag Punosevac wrote:
> Hrvoje Popovski wrote:
>>
>> On 15.12.2016. 12:30, Stuart Henderson wrote:
>> > If you want to cut down on weight+noise at the expense of more cost
>> > and a less powerful cpu, maybe APU2 in a 1U case or something like
>> > supermicro SYS-5018A-FTN4.
>>
>> has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat
>>
>> thank you ...
>
> As promised in one of my earlier e-mails. OpenBSD 6.0 dmesg for
> SYS-5018A-FTN4
Re: Hardware recommendations for compact 1U firewall
> As promised in one of my earlier e-mails. OpenBSD 6.0 dmesg for
> SYS-5018A-FTN4

FWIW, we have six of these doing firewall duty (currently running 5.9) and they perform flawlessly. We run them in CARPed pairs, and LACP across redundant switches.

--lyndon
Re: Hardware recommendations for compact 1U firewall
Hrvoje Popovski wrote:
>
> On 15.12.2016. 12:30, Stuart Henderson wrote:
> > If you want to cut down on weight+noise at the expense of more cost
> > and a less powerful cpu, maybe APU2 in a 1U case or something like
> > supermicro SYS-5018A-FTN4.
>
> has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat
>
> thank you ...

As promised in one of my earlier e-mails. OpenBSD 6.0 dmesg for
SYS-5018A-FTN4

OpenBSD 6.0 (GENERIC.MP) #2: Mon Oct 17 10:22:47 CEST 2016
r...@stable-60-amd64.mtier.org:/binpatchng/work-binpatch60-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34314604544 (32724MB)
avail mem = 33270165504 (31728MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f4d8000 (53 entries)
bios0: vendor American Megatrends Inc. version "1.1a" date 08/27/2015
bios0: Silicon Mechanics CSTM: CMU - 1U Atom Server
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT FIDT SPMI MCFG WDAT UEFI APIC BDAT HPET SSDT HEST BERT ERST EINJ
acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.46 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu4: 1MB 64b/line 16-way L2 cache
cpu4: smt 0, core 4, package 0
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu5: 1MB 64b/line 16-way L2 cache
cpu5: smt 0, core 5, package 0
cpu6 at mainbus0: apid 12 (application processor)
cpu6: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu6: 1MB 64b/line 16-way L2 cache
cpu6: smt 0, core 6, package 0
cpu7 at mainbus0: apid 14 (application processor)
cpu7: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.01 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,
Re: Hardware recommendations for compact 1U firewall
If someone hasn't already mentioned it : Lanner http://www.lannerinc.com/

On 19 December 2016 at 18:08, Aaron Mason wrote:
> Thanks for some additional fleabay search terms :)
>
> On Sat, Dec 17, 2016 at 2:59 PM, Nick Holland wrote:
> > On 12/14/16 20:39, Aaron Mason wrote:
> >> All
> >>
> >> I'm looking for a 1U appliance that I can re-purpose into a firewall
> >> using OpenBSD. I've tried the near-free method by using an old Lacie
> >> Ethernet Disk appliance I had lying around, but it turns out the
> >> onboard SATA chipset is toast on this particular unit (it freezes at
> >> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> >> to IDE mode with drives attached, plus it only has one onboard NIC and
> >> one PCI slot, so I can't install another SATA card without removing
> >> the other NIC I installed), so I'm looking for other options that fit
> >> a limited budget.
> >
> > heh. Little secret: if you look in many data centers, you will find
> > lots of 1U boxes with various titles -- security appliances, load
> > balancing devices, etc. A lot of them, under the covers, are just PCs.
> > And a lot of data centers have 'em rotting on the racks after they have
> > been turned off and replaced, but no motivation to remove them.
> >
> > Just cleaned out some stuff from one of our data centers -- we had
> > three authentication devices and a couple "security appliances" that all
> > turned out to have the same SuperMicro board on them...some with Pentium
> > D, others with P4s...but both could pump a lot of packets through
> > gigabit NICs (two on board). The security appliances were kinda cool in
> > that they have a LCD screen that looks like it could be accessed through
> > a USB serial port (better yet, when you powered up the box, the LCD
> > panel put up an advertisement, not for the security appliance maker, but
> > for the LCD panel...including a website. Bet there are docs there! :)
> > (I once programmed the LCD panel of a Novell server to say, "WINDOWS
> > SUCKS". Wasn't noticed for years, but when it was, my name was quickly
> > assumed as being responsible)
> >
> > We also had a couple odd little "load balancers" -- five NIC ports. My
> > coworkers were skeptical about it being a standard PC under the cover.
> > Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
> > 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
> > a SATA hard disk in the box. Again, all in one U.
> >
> > And I'll admit there's a certain fun in bringing up another OS on
> > something like that. And I HAVE to at least try to bring up OpenBSD on
> > them...so I can wipe the media before the hw is disposed of. (Company
> > policy says "overwrite entire disk with random data", who's got the
> > fastest random number generator in town? OpenBSD, of course!)
> >
> > Nick.
> >
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse
Re: Hardware recommendations for compact 1U firewall
Thanks for some additional fleabay search terms :)

On Sat, Dec 17, 2016 at 2:59 PM, Nick Holland wrote:
> On 12/14/16 20:39, Aaron Mason wrote:
>> All
>>
>> I'm looking for a 1U appliance that I can re-purpose into a firewall
>> using OpenBSD. I've tried the near-free method by using an old Lacie
>> Ethernet Disk appliance I had lying around, but it turns out the
>> onboard SATA chipset is toast on this particular unit (it freezes at
>> CDBOOT when it detects hard drives and the BIOS freezes when I set it
>> to IDE mode with drives attached, plus it only has one onboard NIC and
>> one PCI slot, so I can't install another SATA card without removing
>> the other NIC I installed), so I'm looking for other options that fit
>> a limited budget.
>
> heh. Little secret: if you look in many data centers, you will find
> lots of 1U boxes with various titles -- security appliances, load
> balancing devices, etc. A lot of them, under the covers, are just PCs.
> And a lot of data centers have 'em rotting on the racks after they have
> been turned off and replaced, but no motivation to remove them.
>
> Just cleaned out some stuff from one of our data centers -- we had
> three authentication devices and a couple "security appliances" that all
> turned out to have the same SuperMicro board on them...some with Pentium
> D, others with P4s...but both could pump a lot of packets through
> gigabit NICs (two on board). The security appliances were kinda cool in
> that they have a LCD screen that looks like it could be accessed through
> a USB serial port (better yet, when you powered up the box, the LCD
> panel put up an advertisement, not for the security appliance maker, but
> for the LCD panel...including a website. Bet there are docs there! :)
> (I once programmed the LCD panel of a Novell server to say, "WINDOWS
> SUCKS". Wasn't noticed for years, but when it was, my name was quickly
> assumed as being responsible)
>
> We also had a couple odd little "load balancers" -- five NIC ports. My
> coworkers were skeptical about it being a standard PC under the cover.
> Haven't tried to boot OpenBSD on them yet, but turns out the thing has a
> 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and
> a SATA hard disk in the box. Again, all in one U.
>
> And I'll admit there's a certain fun in bringing up another OS on
> something like that. And I HAVE to at least try to bring up OpenBSD on
> them...so I can wipe the media before the hw is disposed of. (Company
> policy says "overwrite entire disk with random data", who's got the
> fastest random number generator in town? OpenBSD, of course!)
>
> Nick.
>

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
Re: Hardware recommendations for compact 1U firewall
On Sat, Dec 17, 2016 at 1:08 PM, Damian McGuckin wrote:
[...]
> What is the max throughput people have seen on these?
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it. I did some work[1] on the vr driver on a pcengines ALIX, which has very similar hardware (500MHz Geode CPUs and VT6105M ethernet chips). The most I got through it for a TCP stream was 85MBit/s routing only. It had CPU to spare, so I suspect the limitation was either the chip or the driver.

The VT6105M doesn't have any receive-side interrupt mitigation (and OpenBSD doesn't have a polling mode) so I suspect it'd be easy to DoS it with tiny packets. As long as that's not happening, there's probably enough CPU to run PF.

Depending on your use case and environment this may or may not be good enough. If you do try it I'd be interested in hearing the result.

[1] http://undeadly.org/cgi?action=article&sid=20130201054156

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: Hardware recommendations for compact 1U firewall
On Sat, Dec 17 2016 at 08:13, Damian McGuckin wrote:
> While everybody is talking about hardware, I noticed that some of you
> have flicked your Soekris Net 5501 boards.
>
> We are upgrading from 20Mbps links to 100Mbps links and as a result of this
> discussion, I am wondering whether it would be a wise move on our part to
> consider replacing them. Rock solid little units.
>
> What is the max throughput people have seen on these?

In my $job[n-2], I had the chance to test the alix pcengines, which is quite similar in terms of performance. With 4.5 on it, it started to drop packets around 70Mbps with the IMIX test. Consult https://en.wikipedia.org/wiki/Internet_Mix to know more.

> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

It will be "good enough" if you are transferring big files, not for common web browsing (usually smaller packets).

Best regards,
Claer
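
The packet-rate arithmetic behind the two replies above (the missing receive-side interrupt mitigation on the VT6105M and the IMIX result), as an added example that is not part of the thread: it converts a bitrate and a packet-size mix into packets per second, and turns a measured packet-rate ceiling back into a bitrate for other mixes. The Ethernet overhead constants, the profile names, the reading of the quoted Mbps figures as on-the-wire rates, and the "one fixed packets-per-second budget" model are assumptions of this example.

```python
# Added example (not from the thread): firewall sizing by packets per second.
# On a NIC without interrupt mitigation every received frame costs an
# interrupt, so the packet rate, not the bitrate, is what loads the box.

ETH_HEADER_FCS = 14 + 4   # Ethernet header + frame check sequence, bytes
MIN_FRAME = 64            # minimum Ethernet frame, header and FCS included
PREAMBLE_IFG = 8 + 12     # preamble/SFD + inter-frame gap, in byte times

# Traffic profiles: {IP packet length in bytes: relative packet count}.
# "imix" is the simple 7:4:1 Internet Mix described on the Wikipedia page
# linked in the post above; the other two are constructed extremes.
PROFILES = {
    "bulk-1500": {1500: 1},          # large file transfer, full-size packets
    "imix": {40: 7, 576: 4, 1500: 1},
    "min-frame": {46: 1},            # every frame at the 64-byte minimum
}


def wire_bytes(ip_len):
    """Bytes of wire time one IP packet occupies on Ethernet."""
    frame = max(ip_len + ETH_HEADER_FCS, MIN_FRAME)   # short frames are padded
    return frame + PREAMBLE_IFG


def mean_wire_bytes(profile):
    """Average wire bytes per packet for a traffic profile."""
    packets = sum(profile.values())
    return sum(wire_bytes(size) * n for size, n in profile.items()) / packets


def packets_per_second(mbps, profile):
    """Packet rate produced by `mbps` of on-the-wire traffic of this mix."""
    return mbps * 1_000_000 / (mean_wire_bytes(profile) * 8)


def max_mbps(pps_budget, profile):
    """Bitrate reached when a box can forward at most `pps_budget` packets/s.

    Assumes the limit is purely per-packet, which is a simplification.
    """
    return pps_budget * mean_wire_bytes(profile) * 8 / 1_000_000


if __name__ == "__main__":
    print("profile      wire B/pkt   pps @ 100 Mbps")
    for name, profile in PROFILES.items():
        print(f"{name:<12} {mean_wire_bytes(profile):>10.1f} "
              f"{packets_per_second(100, profile):>16.0f}")

    # Treat "drops packets around 70Mbps with IMIX" as a packet-rate ceiling
    # and ask what bitrate the same ceiling allows for the other mixes.
    budget = packets_per_second(70, PROFILES["imix"])
    print(f"\npps budget implied by 70 Mbps IMIX: {budget:.0f}")
    for name, profile in PROFILES.items():
        print(f"{name:<12} saturates at about {max_mbps(budget, profile):.1f} Mbps")
```

Under these assumptions the same packet budget that tops out near 70 Mbps of IMIX is reached by roughly 15 Mbps of minimum-size frames, while full-size packets would not hit it below line rate on a 100 Mbps link, which matches the "fine for big files" observation.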
Re: Hardware recommendations for compact 1U firewall
2016-12-17 4:59 GMT+01:00 Nick Holland:
>
> heh. Little secret: if you look in many data centers, you will find
> lots of 1U boxes with various titles -- security appliances, load
> balancing devices, etc. A lot of them, under the covers, are just PCs.
> And a lot of data centers have 'em rotting on the racks after they have
> been turned off and replaced, but no motivation to remove them.

My current home firewall is running 6.0 on a Cisco ACE4710 hw. Pentium 4 3.4Ghz w/ 6GB ram. It has an internal hard drive in addition to the CF but was unplugged to suck less power. It had a cavium nic which was replaced by an intel four-port gig.

I previously used a Netasq F200 and a Nokia IP710 firewalls. The F200 was slow, and the IP710 used way too much power, but each time it worked, either from a cf card or a hard drive.

Dmesg from the ace 4710:

OpenBSD 6.0 (GENERIC) #2148: Tue Jul 26 12:55:20 MDT 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 6425608192 (6127MB)
avail mem = 6226448384 (5938MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xfb2d0 (37 entries)
bios0: vendor American Megatrends Inc. version "S27S1A05" date 03/19/2008
bios0: Quanta Computer Inc. S27S
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC MCFG OEMB
acpi0: wakeup devices P0P2(S4) P0P3(S4) P0P1(S4) PS2K(S1) PS2M(S1) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) 4 CPU 3.40GHz, 3400.54 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR,PDCM,NXE,LONG,LAHF
cpu0: 2MB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
cpu0: mwait min=64, max=64
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 4 (P0P4)
acpiprt3 at acpi0: bus 5 (PXHA)
acpiprt4 at acpi0: bus 3 (P0P8)
acpiprt5 at acpi0: bus 2 (P0P9)
acpicpu0 at acpi0: C1(@1 halt!)
"PNP0501" at acpi0 not configured
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0xc0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: msi
pci1 at ppb0 bus 4
ppb1 at pci1 dev 0 function 0 "Intel 6702PXH PCIE-PCIX" rev 0x09
pci2 at ppb1 bus 5
ppb2 at pci2 dev 2 function 0 "Pericom PI7C21P100 PCIX-PCIX" rev 0x01
pci3 at ppb2 bus 6
em0 at pci3 dev 4 function 0 "Intel 82546GB" rev 0x03: apic 2 int 19, address 00:1b:21:1a:e9:c0
em1 at pci3 dev 4 function 1 "Intel 82546GB" rev 0x03: apic 2 int 18, address 00:1b:21:1a:e9:c1
em2 at pci3 dev 6 function 0 "Intel 82546GB" rev 0x03: apic 2 int 17, address 00:1b:21:1a:e9:c2
em3 at pci3 dev 6 function 1 "Intel 82546GB" rev 0x03: apic 2 int 16, address 00:1b:21:1a:e9:c3
ppb3 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: msi
pci4 at ppb3 bus 3
bge0 at pci4 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1 (0x4201): msi, address 00:23:8b:8a:5d:59
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01
pci5 at ppb4 bus 2
bge1 at pci5 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1 (0x4201): msi, address 00:23:8b:8a:5d:58
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb5 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci6 at ppb5 bus 1
vga1 at pci6 dev 5 function 0 "XGI Technology Volari Z7" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 1:
wd0: 2-sector PIO, LBA, 3907MB, 8003520 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 configured
Re: Hardware recommendations for compact 1U firewall
On 17.12.2016 02:32, Predrag Punosevac wrote:
> SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was

btw.. just got SYS-1028R-WMRT and the dual I350 isn't "supported", likely because of the weird PPB/riser.

-- pb
Re: Hardware recommendations for compact 1U firewall
On Sat, Dec 17, 2016 at 01:08:50PM +1100, Damian McGuckin wrote:
> Assuming traffic going between say 'vr0' and 'vr1', will a Net5501
> board sustain 100Mbps?

I doubt it would. One limiting factor being the number of packets per second. At some point the packets-per-second rate will trigger livelock countermeasures which deliberately slow things down to prevent an interrupt storm from locking up the system.

You could do some measurements with tcpbench(1) to find exact figures. Make sure to test several sizes of packets, since smaller packets trigger more interrupts per second.
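Added example (not part of the thread): a packet-rate calculation that ties the packets-per-second limit described above to the 70Mbps IMIX figure reported earlier in the thread. It assumes the "simple IMIX" mix of 40/576/1500-byte IP packets in a 7:4:1 ratio, throughput counted in Ethernet frame bytes, and a forwarding ceiling that is a fixed packets-per-second figure regardless of packet size; all function names are hypothetical.

```python
# Added example, not from the thread: how one packets-per-second (pps)
# ceiling turns into very different Mbps figures depending on packet size.

ETH_OVERHEAD = 18   # Ethernet header (14 bytes) + FCS (4 bytes)
MIN_FRAME = 64      # minimum Ethernet frame; shorter payloads are padded
WIRE_GAP = 20       # preamble + SFD (8 bytes) + inter-frame gap (12 bytes)

# Assumption: the "simple IMIX" distribution as (IP packet bytes, weight).
SIMPLE_IMIX = [(40, 7), (576, 4), (1500, 1)]


def frame_bytes(ip_len):
    """Ethernet frame size (including FCS) for an IP packet of ip_len bytes."""
    return max(ip_len + ETH_OVERHEAD, MIN_FRAME)


def avg_frame_bytes(mix):
    """Weighted average frame size of a traffic mix."""
    total_weight = sum(weight for _, weight in mix)
    return sum(frame_bytes(n) * weight for n, weight in mix) / total_weight


def pps_for(mbps, mix):
    """Packets per second needed to carry `mbps` of frames drawn from `mix`."""
    return mbps * 1e6 / 8 / avg_frame_bytes(mix)


def link_limit_mbps(ip_len, link_mbps):
    """Best-case frame throughput on the link after preamble and gap."""
    size = frame_bytes(ip_len)
    return link_mbps * size / (size + WIRE_GAP)


def forwarded_mbps(pps_ceiling, ip_len, link_mbps=100.0):
    """Throughput at one packet size: the lower of the pps and link bounds."""
    pps_bound = pps_ceiling * frame_bytes(ip_len) * 8 / 1e6
    return min(pps_bound, link_limit_mbps(ip_len, link_mbps))


def report(measured_mbps=70.0, link_mbps=100.0):
    """Derive the pps ceiling from an IMIX drop point, then project per size."""
    ceiling = pps_for(measured_mbps, SIMPLE_IMIX)
    rows = [(n, round(forwarded_mbps(ceiling, n, link_mbps), 2))
            for n, _ in SIMPLE_IMIX]
    return round(ceiling), rows


if __name__ == "__main__":
    ceiling, rows = report()
    print(f"pps ceiling implied by 70 Mbps IMIX: {ceiling}")
    for ip_len, mbps in rows:
        print(f"{ip_len:5d}-byte IP packets: {mbps:6.2f} Mbps")
    print(f"pps needed for 100 Mbps IMIX: {round(pps_for(100.0, SIMPLE_IMIX))}")
```

Under these assumptions a box that starts dropping at 70Mbps of IMIX tops out near 12Mbps of minimum-size frames, while 576- and 1500-byte packets are limited by the 100Mbps link rather than by the packet rate. That is the same split between bulk transfers and small-packet traffic the replies describe, and it is why tcpbench(1) runs should cover several packet sizes.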
Re: Hardware recommendations for compact 1U firewall
On 12/14/16 20:39, Aaron Mason wrote:
> All
>
> I'm looking for a 1U appliance that I can re-purpose into a firewall
> using OpenBSD. I've tried the near-free method by using an old Lacie
> Ethernet Disk appliance I had lying around, but it turns out the
> onboard SATA chipset is toast on this particular unit (it freezes at
> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> to IDE mode with drives attached, plus it only has one onboard NIC and
> one PCI slot, so I can't install another SATA card without removing
> the other NIC I installed), so I'm looking for other options that fit
> a limited budget.

heh. Little secret: if you look in many data centers, you will find lots of 1U boxes with various titles -- security appliances, load balancing devices, etc. A lot of them, under the covers, are just PCs. And a lot of data centers have 'em rotting on the racks after they have been turned off and replaced, but no motivation to remove them.

Just cleaned out some stuff from one of our data centers -- we had three authentication devices and a couple "security appliances" that all turned out to have the same SuperMicro board on them...some with Pentium D, others with P4s...but both could pump a lot of packets through gigabit NICs (two on board). The security appliances were kinda cool in that they have a LCD screen that looks like it could be accessed through a USB serial port (better yet, when you powered up the box, the LCD panel put up an advertisement, not for the security appliance maker, but for the LCD panel...including a website. Bet there are docs there! :)

(I once programmed the LCD panel of a Novell server to say, "WINDOWS SUCKS". Wasn't noticed for years, but when it was, my name was quickly assumed as being responsible)

We also had a couple odd little "load balancers" -- five NIC ports. My coworkers were skeptical about it being a standard PC under the cover. Haven't tried to boot OpenBSD on them yet, but turns out the thing has a 128M SATA DiskOnModule (flash memory on a SATA board), a 1G CF card, and a SATA hard disk in the box. Again, all in one U.

And I'll admit there's a certain fun in bringing up another OS on something like that. And I HAVE to at least try to bring up OpenBSD on them...so I can wipe the media before the hw is disposed of. (Company policy says "overwrite entire disk with random data", who's got the fastest random number generator in town? OpenBSD, of course!)

Nick.
Re: Hardware recommendations for compact 1U firewall
While everybody is talking about hardware, I noticed that some of you have flicked your Soekris Net 5501 boards.

We are upgrading from 20Mbps links to 100Mbps links and as a result of this discussion, I am wondering whether it would be a wise move on our part to consider replacing them. Rock solid little units.

What is the max throughput people have seen on these?

Assuming traffic going between say 'vr0' and 'vr1', will a Net5501 board sustain 100Mbps?

Thanks - Damian
Re: Hardware recommendations for compact 1U firewall
Hrvoje Popovski wrote:
>
> On 15.12.2016. 12:30, Stuart Henderson wrote:
> > If you want to cut down on weight+noise at the expense of more cost
> > and a less powerful cpu, maybe APU2 in a 1U case or something like
> > supermicro SYS-5018A-FTN4.
>
> has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat
>
> thank you ...

SYS-5018A-FTN4 are really nice boxes. This one has 16GB of RAM and was hosting half-dozen of Jail instances on the top of ZFS mirror. Please see the dmesg below. I just got another 16 GB of RAM. You can put up to 64 GB of RAM but it is not cheap due to the size of modules. I am planning to migrate services to OpenBSD as I am in the process of purging FreeBSD from our organization. Currently we have 3 SYS-5018A-FTN4 and buying more.

This is my favorite Ebay seller and they have lots of nice network equipment for home, small, and large business.

http://stores.ebay.com/MITXPC/

Best,
Predrag

Copyright (c) 1992-2016 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 10.3-RELEASE-p5 #0: Thu Jun 30 03:52:15 UTC 2016 r...@amd64-builder.pcbsd.org:/usr/obj/usr/src/sys/GENERIC amd64 FreeBSD clang version 3.4.1 (tags/RELEASE_34/dot1-final 208032) 20140512 VT(vga): resolution 640x480 KLD file ipmi.ko is missing dependencies CPU: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz (2400.06-MHz K8-class CPU) Origin="GenuineIntel" Id=0x406d8 Family=0x6 Model=0x4d Stepping=8 Features=0xbfebfbff Features2=0x43d8e3bf AMD Features=0x28100800 AMD Features2=0x101 Structured Extended Features=0x2282 VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID TSC: P-state invariant, performance statistics real memory = 19327352832 (18432 MB) avail memory = 16525938688 (15760 MB) Event timer "LAPIC" quality 600 ACPI APIC Table: FreeBSD/SMP: Multiprocessor System Detected: 8 CPUs FreeBSD/SMP: 1 package(s) x 8 core(s) cpu0 (BSP): APIC ID: 0 cpu1 (AP): APIC ID: 2 cpu2 (AP): APIC ID: 4 cpu3 (AP): APIC ID: 6 cpu4 (AP): APIC ID: 8 cpu5 (AP): APIC ID: 10 cpu6 (AP): APIC ID: 12 cpu7 (AP): APIC ID: 14 random: initialized ioapic0 irqs 0-23 on motherboard module_register_init: MOD_LOAD (vesa, 0x80dc6500, 0) error 19 kbd1 at kbdmux0 cryptosoft0: on motherboard aesni0: on motherboard acpi0: on motherboard acpi0: Power Button (fixed) cpu0: on acpi0 cpu1: on acpi0 cpu2: on acpi0 cpu3: on acpi0 cpu4: on acpi0 cpu5: on acpi0 cpu6: on acpi0 cpu7: on acpi0 hpet0: iomem 0xfed0-0xfed003ff on acpi0 Timecounter "HPET" frequency 14318180 Hz quality 950 Event timer "HPET" frequency 14318180 Hz quality 350 Event timer "HPET1" frequency 14318180 Hz quality 340 Event timer "HPET2" frequency 14318180 Hz quality 340 atrtc0: port 0x70-0x77 irq 8 on acpi0 atrtc0: Warning: Couldn't map I/O. 
Event timer "RTC" frequency 32768 Hz quality 0 attimer0: port 0x40-0x43,0x50-0x53 irq 0 on acpi0 Timecounter "i8254" frequency 1193182 Hz quality 0 Event timer "i8254" frequency 1193182 Hz quality 100 Timecounter "ACPI-safe" frequency 3579545 Hz quality 850 acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0 pcib0: port 0xcf8-0xcff on acpi0 pci0: on pcib0 pcib1: mem 0xdf2e-0xdf2f irq 16 at device 1.0 on pci0 pci1: on pcib1 pcib2: at device 0.0 on pci1 pci2: on pcib2 vgapci0: port 0xd000-0xd07f mem 0xde00-0xdeff,0xdf00-0xdf01 irq 16 at device 0.0 on pci2 vgapci0: Boot video device pcib3: mem 0xdf2c-0xdf2d irq 16 at device 2.0 on pci0 pci3: on pcib3 xhci0: mem 0xdf10-0xdf101fff irq 17 at device 0.0 on pci3 xhci0: 64 bytes context size, 32-bit DMA usbus0 on xhci0 pcib4: mem 0xdf2a-0xdf2b irq 20 at device 3.0 on pci0 pci4: on pcib4 pci0: at device 11.0 (no driver attached) pci0: at device 15.0 (no driver attached) igb0: port 0xe080-0xe09f mem 0xdf26-0xdf27,0xdf30c000-0xdf30 irq 20 at device 20.0 on pci0 igb0: Using MSIX interrupts with 9 vectors igb0: Ethernet address: 0c:c4:7a:68:c9:08 igb0: Bound queue 0 to cpu 0 igb0: Bound queue 1 to cpu 1 igb0: Bound queue 2 to cpu 2 igb0: Bound queue 3 to cpu 3 igb0: Bound queue 4 to cpu 4 igb0: Bound queue 5 to cpu 5 igb0: Bound queue 6 to cpu 6 igb0: Bound queue 7 to cpu 7 igb1: port 0xe060-0xe07f mem 0xdf24-0xdf25,0xdf308000-0xdf30bfff irq 21 at device 20.1 on pci0 igb1: Using MSIX interrupts with 9 vectors igb1: Ethernet address: 0c:c4:7a:68:c9:09 igb1: Bound queue 0 to cpu 0 igb1: Bound queue 1 to cpu 1 igb1: Bound queue 2 to cpu 2 igb1: Bound queue 3 to cpu 3 igb1: Bound queue 4 to cpu 4 igb1: Bound queue 5 to cpu 5 igb1: Bound queue 6 to cpu 6 igb1: Bound queue 7 to cpu 7 igb2: port 0xe040-0xe05f mem 0xdf22-0xdf23,0xdf304000-0xdf307fff irq 22 at device 20.2 on pci0 igb2: Using MSIX interrupts with 9 vectors igb2: Ethernet address: 0c:c4:7a:68:c9:0a igb2: Bound
Re: Hardware recommendations for compact 1U firewall
On 12/15/16 12:07, Ryan Freeman wrote: On Thu, Dec 15, 2016 at 11:30:31AM +, Stuart Henderson wrote: On 2016-12-15, Aaron Mason wrote: All I'm looking for a 1U appliance that I can re-purpose into a firewall using OpenBSD. I've tried the near-free method by using an old Lacie Ethernet Disk appliance I had lying around, but it turns out the onboard SATA chipset is toast on this particular unit (it freezes at CDBOOT when it detects hard drives and the BIOS freezes when I set it to IDE mode with drives attached, plus it only has one onboard NIC and one PCI slot, so I can't install another SATA card without removing the other NIC I installed), so I'm looking for other options that fit a limited budget. The most important criteria are that it must be 1U and it must fit within a 420mm (~16.5") space (for reasons I will explain below). I have a couple of Sun Netra X1s that meet the need, but I can't push more than ~60mbps over the onboard FE ports and they run quite hot to the point of causing kernel panics. Can you get anything in your price range with a single NIC and USB? The axe driver seems to work pretty well. I bought a USB GE nic for under $30 US. It seems to work well on a USB extension cord. That's what I use for my firewall machine. I haven't tried very hard but I know it can transfer over 100mb/sec. Geoff Steckel
Re: Hardware recommendations for compact 1U firewall
A search on fleabay shows that, in Australia, they still fetch >$300, out of my price range. :( On Thu, Dec 15, 2016 at 10:30 PM, Stuart Henderson wrote: > On 2016-12-15, Aaron Mason wrote: >> All >> >> I'm looking for a 1U appliance that I can re-purpose into a firewall >> using OpenBSD. I've tried the near-free method by using an old Lacie >> Ethernet Disk appliance I had lying around, but it turns out the >> onboard SATA chipset is toast on this particular unit (it freezes at >> CDBOOT when it detects hard drives and the BIOS freezes when I set it >> to IDE mode with drives attached, plus it only has one onboard NIC and >> one PCI slot, so I can't install another SATA card without removing >> the other NIC I installed), so I'm looking for other options that fit >> a limited budget. >> >> The most important criteria are that it must be 1U and it must fit >> within a 420mm (~16.5") space (for reasons I will explain below). I >> have a couple of Sun Netra X1s that meet the need, but I can't push >> more than ~60mbps over the onboard FE ports and they run quite hot to >> the point of causing kernel panics. >> >> For a bit of context - I manage network and systems for a group that >> run regular LAN parties at a local university, and our network >> infrastructure lives in a 4RU flight case (with 420mm between the >> front and rear vertical rails) currently occupied by three HP >> switches. We're currently using a Sun V20Z (admittedly running >> pfSense, a decision made before I took over) but it's rather >> cumbersome to carry along with three Dell 1950s (two VM hosts and a >> Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts). We >> don't usually get more than 35 players and we don't do any complex >> filtering on the firewall. >> >> I've been considering looking at old firewall appliances like Nokias, >> Sonicwalls, Watchguards or Barracudas - has anyone had any luck with >> getting OpenBSD on any of those or other such appliances? 
>> >> Gigabit ports would be nice (the university finally bought gigabit PoE >> switches) but will accept Fast Ethernet if my budget says no. > > IMHO, you can get a fairly useful decent second-hand machine for a low > enough price that it's not worth the hassle repurposing or using something > from before GE was common, they're going to be more hassle to get working, > and old enough that you may well run into things failing through age. > > How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard, > if you need more ports then dual-port PCIe nics are pretty cheap. > If you want to cut down on weight+noise at the expense of more cost > and a less powerful cpu, maybe APU2 in a 1U case or something like > supermicro SYS-5018A-FTN4. > -- Aaron Mason - Programmer, open source addict I've taken my software vows - for beta or for worse
Re: Hardware recommendations for compact 1U firewall
On Thu, Dec 15, 2016 at 02:04:04PM -0800, OpenBSD lists wrote: > I recently replaced a pair of Soekris 6501's (BIOSes on both went blank) > with some SuperMicro X11SBA-LN4F-O boards, SATA-DOM-064s, the CSE505-203B > and 4 GB 1600 Mhz DRR3 sticks. > > Draws so little power that it looks like the Power Supply is wasting more in > the AC-DC conversion process than the system itself is using. Considering > replacing it with a 60w 12v power adapter like some of the other systems > use. > > Memory latency is very low and very consistent since the CPU cores and the > memory run at the same frequency. > > I was considering the A1SAi-2550F, but these were cheaper, lower power, had > a shorter time to ship, and don't have the Intel Management Engine in them. > > Only problem is that most of the sensors don't seem to be supported: > > # sysctl hw.sensors > hw.sensors.cpu0.temp0=39.00 degC > hw.sensors.acpitz0.temp0=26.80 degC (zone temperature) I also have three X11SBA-LN4F and two X11SBA-F boards. They also have the benefit of using mSATA SSDs which most of the Atom C2X5X boards (except for A1SRM-LN5F/LN7F) do not. They can also run direct from DC. One of my projects for the new year is get these up and running but I did notice the same with sensors. Prior to shortly before 6.0, xhci(4) would fail (I forget the message) and the machine was unusable for OpenBSD. Now that xhci(4) has been fixed, it works fine. I asked Supermicro about the 12V voltage range and they said 12V +/- 10% on A1SAi/A1SRi and 12V +/- 5% on the X11SBA. I was originally planning on hooking these direct to batteries but decided to use a DC-DC power supply from mini-box.com which allows hooking to 12V or 24V battery banks without being worried about voltage changes. I put this in the CSE-505-203B case in place of the original power supply. One of my goals is to run performance tests between the A1SAi/A1SRi boards and the X11SBA. Bryan
Re: Hardware recommendations for compact 1U firewall
Jordon wrote: About a year ago i replaced my Soekris net5501 with the following system: Supermicro A1SAi-2550F (4 core Atom with 4 NICS + IPMI) Supermicro SC505-203B (1U case where the back of the mob comes out the front) Kingston KVR16LSE11/4 (4GB SO-DIMM) I also used a SATA-DOM because I was going for low power, but a USB flash drive would work and be a lot cheaper. Under normal usage, it pulls about 15 watts. I have been running pfSense on it with no problems. I also have the 8-core version of this board (2750) in my NAS which is running FreeNAS. I’m pretty sure that at some point while testing these boards, I ran OpenBSD on them without any issues. Those last families of Atoms are a bit underrated in my book. Jordon I recently replaced a pair of Soekris 6501's (BIOSes on both went blank) with some SuperMicro X11SBA-LN4F-O boards, SATA-DOM-064s, the CSE505-203B and 4 GB 1600 Mhz DRR3 sticks. Draws so little power that it looks like the Power Supply is wasting more in the AC-DC conversion process than the system itself is using. Considering replacing it with a 60w 12v power adapter like some of the other systems use. Memory latency is very low and very consistent since the CPU cores and the memory run at the same frequency. I was considering the A1SAi-2550F, but these were cheaper, lower power, had a shorter time to ship, and don't have the Intel Management Engine in them. Only problem is that most of the sensors don't seem to be supported: # sysctl hw.sensors hw.sensors.cpu0.temp0=39.00 degC hw.sensors.acpitz0.temp0=26.80 degC (zone temperature) # dmesg / pcidump / dmidecode: OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 8482304000 (8089MB) avail mem = 8220753920 (7839MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xecef0 (58 entries) bios0: vendor American Megatrends Inc. 
version "1.0" date 08/25/2015 bios0: Supermicro Super Server acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP APIC FPDT FIDT SPMI MCFG SSDT SSDT SSDT UEFI LPIT CSRT acpi0: wakeup devices XHC1(S4) HDEF(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) BRCM(S0) BRC1(S0) PWRB(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Pentium(R) CPU N3700 @ 1.60GHz, 1600.46 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT cpu0: 1MB 64b/line 16-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 79MHz cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Pentium(R) CPU N3700 @ 1.60GHz, 1600.00 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT cpu1: 1MB 64b/line 16-way L2 cache cpu1: smt 0, core 1, package 0 cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Pentium(R) CPU N3700 @ 1.60GHz, 1600.00 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT cpu2: 1MB 64b/line 16-way L2 cache cpu2: smt 0, core 2, package 0 cpu3 at mainbus0: apid 6 (application 
processor) cpu3: Intel(R) Pentium(R) CPU N3700 @ 1.60GHz, 1600.00 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT cpu3: 1MB 64b/line 16-way L2 cache cpu3: smt 0, core 3, package 0 ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (RP01) acpiprt2 at acpi0: bus 2 (RP02) acpiprt3 at acpi0: bus 3 (RP03) acpiprt4 at acpi0: bus 4 (BR19) acpiprt5 at acpi0: bus 5 (BR1A) acpiprt6 at acpi0: bus 6 (BR1B) acpiprt7 at acpi0: bus 7 (BR1C) acpiprt8 at acpi0: bus 9 (RP04) acpiprt9 at acpi0: bus 10 (BR16) acpiec0 at acpi0: not present acpicpu0 at acpi0 C2: state 6: substate 8 >= num 3 C3: state 7: substate 4 >= num 3: C1(1000@
Re: Hardware recommendations for compact 1U firewall
On 15.12.2016. 20:45, Bryan Vyhmeister wrote:
> There is no support for Intel QAT (sometimes called Quick Assist) in
> OpenBSD and that's not likely to change anytime soon. Some support is
> supposedly coming to FreeBSD (by way of pfSense and some commercial
> sponsorship or something) but I have not seen anything recently about
> that.

tnx for dmesg and info ...
Re: Hardware recommendations for compact 1U firewall
About a year ago I replaced my Soekris net5501 with the following system:

Supermicro A1SAi-2550F (4 core Atom with 4 NICS + IPMI)
Supermicro SC505-203B (1U case where the back of the mob comes out the front)
Kingston KVR16LSE11/4 (4GB SO-DIMM)

I also used a SATA-DOM because I was going for low power, but a USB flash drive would work and be a lot cheaper. Under normal usage, it pulls about 15 watts. I have been running pfSense on it with no problems.

I also have the 8-core version of this board (2750) in my NAS which is running FreeNAS.

I’m pretty sure that at some point while testing these boards, I ran OpenBSD on them without any issues. Those last families of Atoms are a bit underrated in my book.

Jordon

> On Dec 15, 2016, at 1:45 PM, Bryan Vyhmeister wrote:
>
> On Thu, Dec 15, 2016 at 07:51:40PM +0100, Hrvoje Popovski wrote:
>> On 15.12.2016. 12:30, Stuart Henderson wrote:
>>> If you want to cut down on weight+noise at the expense of more cost
>>> and a less powerful cpu, maybe APU2 in a 1U case or something like
>>> supermicro SYS-5018A-FTN4.
>>
>> has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat
>
> There is no support for Intel QAT (sometimes called Quick Assist) in
> OpenBSD and that's not likely to change anytime soon. Some support is
> supposedly coming to FreeBSD (by way of pfSense and some commercial
> sponsorship or something) but I have not seen anything recently about
> that.
>
> Because Intel QAT is not supported, it is better to use one of the
> Supermicro A1SAi boards (for the slight speed increase) rather than the
> A1SRi-2758F that comes in the SYS-5018A-FTN4. The A1SRi boards do work
> fine though.
>
> I put together my own systems like this which only takes a few minutes
> with Supermicro parts.
I use the same case which is the Supermicro > CSE-505-203B, a few Noctua 40mm fans (which are much quieter and > probably not necessary), and then one of the A1SAi-2750F, A1SAi-2550F, > A1SRM-LN7F-2758F, A1SRM-LN7F-2358F, A1SRi-2758F, or A1SRi-2558F. I also > have a few A1SAM-2550F boards but those are not booting from USB sticks > for some reason. All of the others above work just fine. All that's left > is some sort of storage (like a 64GB SanDisk SSD, Supermicro SuperDom, > or USB stick with resflash) and memory (I use Kingston ECC SO-DIMMs) and > it works great. I have quite a few of these at tower sites, datacenter > installations, and as home and business routers. As a bonus, all of the > above can be powered directly from 12V if you want to wire them up that > way. I have started doing that at DC sites and to run from batteries. > > Where portability is needed, the CSE-505-203B fits great in any of the > SKB short depth cases like hte SKB R4S or R6S. > > Below is a dmesg for the A1SRi-2758F. This particular router is running > BGP, OSPF, and CARP on the inside as well as DNS and DHCP. It is running > 5.8 so not the most recent (it is due to be upgraded in the next week) > but Intel QAT does show up as: > > vendor "Intel", unknown product 0x1f18 (class processor subclass Co-processor, rev 0x02) at pci0 dev 11 function 0 not configured > > Bryan > > > > OpenBSD 5.8-stable (GENERIC.MP) #9: Thu May 26 22:05:56 PDT 2016 >r...@amd64.example.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP > real mem = 17134739456 (16340MB) > avail mem = 16611545088 (15842MB) > mpath0 at root > scsibus0 at mpath0: 256 targets > mainbus0 at root > bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f4ee000 (53 entries) > bios0: vendor American Megatrends Inc. 
version "1.1" date 01/09/2015 > bios0: Supermicro A1SAi > acpi0 at bios0: rev 2 > acpi0: sleep states S0 S5 > acpi0: tables DSDT FACP FPDT FIDT SPMI MCFG WDAT UEFI APIC BDAT HPET SSDT > acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0) > acpitimer0 at acpi0: 3579545 Hz, 24 bits > acpimcfg0 at acpi0 addr 0xe000, bus 0-255 > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > cpu0 at mainbus0: apid 0 (boot processor) > cpu0: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.45 MHz > cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX ,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND, NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT > cpu0: 1MB 64b/line 16-way L2 cache > cpu0: smt 0, core 0, package 0 > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges > cpu0: apic clock running at 99MHz > cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE > cpu1 at mainbus0: apid 2 (application processor) > cpu1: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz > cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX ,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND, NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT > cpu1: 1MB 64b/line 1
Re: Hardware recommendations for compact 1U firewall
On Thu, Dec 15, 2016 at 07:51:40PM +0100, Hrvoje Popovski wrote:
> On 15.12.2016. 12:30, Stuart Henderson wrote:
> > If you want to cut down on weight+noise at the expense of more cost
> > and a less powerful cpu, maybe APU2 in a 1U case or something like
> > supermicro SYS-5018A-FTN4.
>
> has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat

There is no support for Intel QAT (sometimes called Quick Assist) in OpenBSD and that's not likely to change anytime soon. Some support is supposedly coming to FreeBSD (by way of pfSense and some commercial sponsorship or something) but I have not seen anything recently about that.

Because Intel QAT is not supported, it is better to use one of the Supermicro A1SAi boards (for the slight speed increase) rather than the A1SRi-2758F that comes in the SYS-5018A-FTN4. The A1SRi boards do work fine though.

I put together my own systems like this which only takes a few minutes with Supermicro parts. I use the same case which is the Supermicro CSE-505-203B, a few Noctua 40mm fans (which are much quieter and probably not necessary), and then one of the A1SAi-2750F, A1SAi-2550F, A1SRM-LN7F-2758F, A1SRM-LN7F-2358F, A1SRi-2758F, or A1SRi-2558F. I also have a few A1SAM-2550F boards but those are not booting from USB sticks for some reason. All of the others above work just fine. All that's left is some sort of storage (like a 64GB SanDisk SSD, Supermicro SuperDom, or USB stick with resflash) and memory (I use Kingston ECC SO-DIMMs) and it works great. I have quite a few of these at tower sites, datacenter installations, and as home and business routers. As a bonus, all of the above can be powered directly from 12V if you want to wire them up that way. I have started doing that at DC sites and to run from batteries.

Where portability is needed, the CSE-505-203B fits great in any of the SKB short depth cases like the SKB R4S or R6S.

Below is a dmesg for the A1SRi-2758F.
This particular router is running BGP, OSPF, and CARP on the inside as well as DNS and DHCP. It is running 5.8 so not the most recent (it is due to be upgraded in the next week) but Intel QAT does show up as:

vendor "Intel", unknown product 0x1f18 (class processor subclass Co-processor, rev 0x02) at pci0 dev 11 function 0 not configured

Bryan

OpenBSD 5.8-stable (GENERIC.MP) #9: Thu May 26 22:05:56 PDT 2016
    r...@amd64.example.com:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17134739456 (16340MB)
avail mem = 16611545088 (15842MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f4ee000 (53 entries)
bios0: vendor American Megatrends Inc. version "1.1" date 01/09/2015
bios0: Supermicro A1SAi
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT FIDT SPMI MCFG WDAT UEFI APIC BDAT HPET SSDT
acpi0: wakeup devices PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2400.45 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 2399.99 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line
Re: Hardware recommendations for compact 1U firewall
On 15.12.2016. 12:30, Stuart Henderson wrote:
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

has anyone dmesg from SYS-5018A-FTN4 box? i'm interested in intel qat

thank you ...
Re: Hardware recommendations for compact 1U firewall
On 2016-12-15, Stuart Henderson wrote:
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

I can second this recommendation, it's what I use at home.
Re: Hardware recommendations for compact 1U firewall
On Thu, Dec 15, 2016 at 11:30:31AM +, Stuart Henderson wrote:
> On 2016-12-15, Aaron Mason wrote:
> > All
> >
> > I'm looking for a 1U appliance that I can re-purpose into a firewall
> > using OpenBSD. I've tried the near-free method by using an old Lacie
> > Ethernet Disk appliance I had lying around, but it turns out the
> > onboard SATA chipset is toast on this particular unit (it freezes at
> > CDBOOT when it detects hard drives and the BIOS freezes when I set it
> > to IDE mode with drives attached, plus it only has one onboard NIC and
> > one PCI slot, so I can't install another SATA card without removing
> > the other NIC I installed), so I'm looking for other options that fit
> > a limited budget.
> >
> > The most important criteria are that it must be 1U and it must fit
> > within a 420mm (~16.5") space (for reasons I will explain below). I
> > have a couple of Sun Netra X1s that meet the need, but I can't push
> > more than ~60mbps over the onboard FE ports and they run quite hot to
> > the point of causing kernel panics.
> >
> > For a bit of context - I manage network and systems for a group that
> > run regular LAN parties at a local university, and our network
> > infrastructure lives in a 4RU flight case (with 420mm between the
> > front and rear vertical rails) currently occupied by three HP
> > switches. We're currently using a Sun V20Z (admittedly running
> > pfSense, a decision made before I took over) but it's rather
> > cumbersome to carry along with three Dell 1950s (two VM hosts and a
> > Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts). We
> > don't usually get more than 35 players and we don't do any complex
> > filtering on the firewall.
> >
> > I've been considering looking at old firewall appliances like Nokias,
> > Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
> > getting OpenBSD on any of those or other such appliances?
> >
> > Gigabit ports would be nice (the university finally bought gigabit PoE
> > switches) but will accept Fast Ethernet if my budget says no.
>
> IMHO, you can get a fairly useful decent second-hand machine for a low
> enough price that it's not worth the hassle repurposing or using something
> from before GE was common, they're going to be more hassle to get working,
> and old enough that you may well run into things failing through age.
>
> How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard,
> if you need more ports then dual-port PCIe nics are pretty cheap.
> If you want to cut down on weight+noise at the expense of more cost
> and a less powerful cpu, maybe APU2 in a 1U case or something like
> supermicro SYS-5018A-FTN4.

I can second that :-). I have a Sunfire v120 w/dual 100mbit nics, but had to stop using it as large amounts of throughput were causing panics I couldn't figure out + keep housemates happy.

I ended up with a Dell R210 and couldn't be happier. It has been 100% stable since installation almost exactly a year ago now.

FWIW -- noise was almost unbearable with the sunfire v120, but the r210 is actually nicely quiet. The fans spin down and I rarely hear it, it blends in with the 24 port gigabit poe switch I have.

Cheers,
-ryan
Re: Hardware recommendations for compact 1U firewall
On 2016-12-15, Aaron Mason wrote:
> All
>
> I'm looking for a 1U appliance that I can re-purpose into a firewall
> using OpenBSD. I've tried the near-free method by using an old Lacie
> Ethernet Disk appliance I had lying around, but it turns out the
> onboard SATA chipset is toast on this particular unit (it freezes at
> CDBOOT when it detects hard drives and the BIOS freezes when I set it
> to IDE mode with drives attached, plus it only has one onboard NIC and
> one PCI slot, so I can't install another SATA card without removing
> the other NIC I installed), so I'm looking for other options that fit
> a limited budget.
>
> The most important criteria are that it must be 1U and it must fit
> within a 420mm (~16.5") space (for reasons I will explain below). I
> have a couple of Sun Netra X1s that meet the need, but I can't push
> more than ~60mbps over the onboard FE ports and they run quite hot to
> the point of causing kernel panics.
>
> For a bit of context - I manage network and systems for a group that
> run regular LAN parties at a local university, and our network
> infrastructure lives in a 4RU flight case (with 420mm between the
> front and rear vertical rails) currently occupied by three HP
> switches. We're currently using a Sun V20Z (admittedly running
> pfSense, a decision made before I took over) but it's rather
> cumbersome to carry along with three Dell 1950s (two VM hosts and a
> Steam cache) and a Dell 2950 (NAS, provides iSCSI to VM hosts). We
> don't usually get more than 35 players and we don't do any complex
> filtering on the firewall.
>
> I've been considering looking at old firewall appliances like Nokias,
> Sonicwalls, Watchguards or Barracudas - has anyone had any luck with
> getting OpenBSD on any of those or other such appliances?
>
> Gigabit ports would be nice (the university finally bought gigabit PoE
> switches) but will accept Fast Ethernet if my budget says no.

IMHO, you can get a fairly useful decent second-hand machine for a low enough price that it's not worth the hassle repurposing or using something from before GE was common, they're going to be more hassle to get working, and old enough that you may well run into things failing through age.

How about a Dell R210 or an R210 II off ebay? 400mm deep, 2 nics onboard, if you need more ports then dual-port PCIe nics are pretty cheap. If you want to cut down on weight+noise at the expense of more cost and a less powerful cpu, maybe APU2 in a 1U case or something like supermicro SYS-5018A-FTN4.
Re: Hardware recommendations for compact 1U firewall
I've had good luck with Sun Netra X1's. I use them for pretty much every firewall / router I need. I prefer the 500mhz model as it seems to be able to handle a full 100mbit link on both nics simultaneously.