Re: Router components
Hear, hear. I just built out one of these for my home firewall and the installation is bog simple.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Sean Kamath
Sent: Monday, October 04, 2010 1:28 AM
To: David Higgs
Cc: misc@openbsd.org
Subject: Re: Router components

On Oct 3, 2010, at 11:15 PM, David Higgs wrote:
>> NONE OF IT WILL MATTER TO YOU.
>
> I'll google up some smaller systems (Soekris, ALIX, etc?)
> and see how they strike me. Pointers here are even more welcome, as I
> am not as familiar with this end of the spectrum and want to avoid the
> aforementioned "crappy super-low-power systems."
>
> Thanks for the input.

I just bought an Alix 2d13 board. Then ended up buying about 7 of them for work for OOB back-channel machines.

Insanely straightforward, and they Just Work(tm).

Sean
Re: Router components
David Higgs wrote:
> I know SSDs don't require TRIM, but most benchmarks are made by
> knob-twiddlers that are presumably overemphasizing the performance
> degradation you get without it. Is this even noticeable in practice?

I've used an inexpensive SSD (cheapest one I could find at the time) in an Intel Celeron based OpenBSD home firewall for more than a year. It works fine. Here is part of an old dmesg:

wd0 at pciide1 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 61057MB, 125045424 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6

No noise, cool, low power. Try it for a year, then post back your experience.

Brad
Re: Router components
On Mon, Oct 4, 2010 at 2:28 AM, Sean Kamath wrote:
> I just bought a Alix 2d13 board. Then ended up buying about 7 of them for
> work for OOB back-channel machines.
>
> Insanely straightforward, and they Just Work(tm).
>

I did exactly what Sean did myself several months ago. Purchased a 2d13 board from Netgate [1]. I boot off a 2GB CF card, and stuck a cheap USB HD off of the alix board. The thing just runs without any fuss. I use it to connect my home network to another network via OpenVPN over my home Internet connection. When I get around to it, I might throw a mini-pci 802.11b/g card in there to create a WAP.

dmesg porn:

OpenBSD 4.7 (GENERIC) #1: Thu Jun 3 07:32:40 EDT 2010
    r...@builder47.my.domain:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 268009472 (255MB)
avail mem = 250978304 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:1b:b6:4c
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:1b:b6:4d
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:1b:b6:4e
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 7641MB, 15649200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 "AMD CS5536 USB" rev 0x02: irq 12, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 "AMD CS5536 USB" rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask 73e7 netmask ffe7 ttymask
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
umass0 at uhub0 port 1 configuration 1 interface 0 "Western Digital External HDD" rev 2.00/1.75 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: SCSI2 0/direct fixed
sd0: 238475MB, 512 bytes/sec, 488397168 sec total
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout

Cheers,
Jeff

[1] http://store.netgate.com/ALIX2D3-2D13-Kit-Blue-Unassembled-P173C86.aspx
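As an added example (not from the post or from OpenBSD), a small Python parser that turns a dmesg like the one above into a hardware inventory: NICs with their MAC addresses, disks with their sizes, the glxsb(4) crypto accelerator and the root/swap devices. The DMESG sample is a constructed excerpt of the lines quoted above; the regexes assume the 4.7-era line formats shown there and nothing else.

```python
import re

# Constructed sample input: an excerpt of the dmesg lines quoted in the post above.
DMESG = """\
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 10, address 00:0d:b9:1b:b6:4c
vr1 at pci0 dev 10 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 00:0d:b9:1b:b6:4d
vr2 at pci0 dev 11 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 15, address 00:0d:b9:1b:b6:4e
wd0 at pciide0 channel 0 drive 0:
wd0: 1-sector PIO, LBA, 7641MB, 15649200 sectors
sd0: 238475MB, 512 bytes/sec, 488397168 sec total
root on wd0a swap on wd0b dump on wd0b
"""

# One regex per line type we care about; every other dmesg line is ignored.
NIC_RE = re.compile(r'^(?P<dev>[a-z]+\d+) at .*?"(?P<desc>[^"]+)".*?'
                    r'address (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})')
DISK_RE = re.compile(r'^(?P<dev>(?:wd|sd)\d+): (?:.*?, )?(?P<mb>\d+)MB')
CRYPTO_RE = re.compile(r'^(?P<dev>glxsb\d+) at .*"(?P<desc>[^"]+)".*:\s*(?P<feat>[A-Z0-9 ]+)$')
ROOT_RE = re.compile(r'^root on (?P<root>\w+) swap on (?P<swap>\w+)')


def parse_dmesg(text):
    """Build an inventory dict from OpenBSD dmesg output (assumed 4.7-era formats)."""
    inv = {"nics": {}, "disks": {}, "crypto": {}, "root": None, "swap": None}
    for line in text.splitlines():
        m = NIC_RE.match(line)
        if m:
            inv["nics"][m["dev"]] = {"desc": m["desc"], "mac": m["mac"]}
            continue
        m = DISK_RE.match(line)
        if m:
            inv["disks"][m["dev"]] = int(m["mb"])   # size in MB as dmesg reports it
            continue
        m = CRYPTO_RE.match(line)
        if m:
            inv["crypto"][m["dev"]] = {"desc": m["desc"], "features": m["feat"].split()}
            continue
        m = ROOT_RE.match(line)
        if m:
            inv["root"], inv["swap"] = m["root"], m["swap"]
    return inv


def root_disk(inv):
    """Map the root partition (e.g. wd0a) back to its disk name and size in MB."""
    if not inv["root"]:
        return None
    disk = inv["root"].rstrip("abcdefghijklmnop")   # strip the partition letter
    return disk, inv["disks"].get(disk)


if __name__ == "__main__":
    inventory = parse_dmesg(DMESG)
    print(inventory["nics"], inventory["disks"], inventory["crypto"], root_disk(inventory), sep="\n")
```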
Re: Router components
On Mon, Oct 4, 2010 at 3:51 PM, russell wrote:
> Stuart Henderson wrote:
>>
>> On 2010-10-04, David Higgs wrote:
>>>
>>> I am building a replacement router/firewall for home use and am
>>> soliciting suggestions/commentary/alternatives on the components
>>> below.
>>
>> What sort of internet connection and what will be running over it?
>> Will you be doing crypto on the firewall (ipsec/some other vpn)?

Just your basic consumer-class cable connection, and practically nothing. Crypto acceleration might be nice, but in no way a requirement.

>>> I was planning to use an SSD in the 32 GB size range, but the archives
>>> indicate we don't have TRIM support yet. Though this obviously isn't
>>> a showstopper to usage, am I better off getting an older-generation
>>> SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
>>> tech is more mature?
>>
>> Newer SSDs don't *require* TRIM, it is optional. I think it's probably
>> a better idea to get the newer generation. Though a 2-4GB CF might be
>> quite good enough too.
>>
>> For what a lot of people need for a router/firewall a 2-4GB CF
>> card in an IDE adapter would be fine too (smaller works too if you can
>> still find them, but it's easier to have this much space).

I know SSDs don't require TRIM, but most benchmarks are made by knob-twiddlers that are presumably overemphasizing the performance degradation you get without it. Is this even noticeable in practice?

Good suggestion on the CF card, though I would feel dirty using it in that overpowered Atom system...

>>> Finally, I want this box to act as wireless AP, and hope to have
>>> out-of-the-box 802.11n support (when eventually available). I've read
>>> that run(4) is a solid chipset in this regard; any other suggestions?
>>
>> run(4) does not support host AP.
>>
>> athn(4) is likely the best choice, I haven't used it with OpenBSD but it
>> looks like this is the most actively developed wireless driver at the
>> moment.
>> I have used it with commercial APs running their embedded linux-based OS
>> and the hardware itself works very well indeed.
>>
>> As I think you're aware we don't support 802.11n capabilities yet, also
>> note we don't support clients that use power-saving mode (this is an
>> absolute show-stopper for some users; some client hardware has no way
>> to disable this).
>>
> I tend to swear by ral(4)
> Mainly due to the unscientific but proven mechanism
> all my ral cards have worked, and all my ath cards end up having an
> unsupported chipset.
> and there was something freaky about that zyd,
> almost working is worse than not working at all.
>
> Given half a chance stay away from usb radios.
>
> but ral has always been there for me.
> best of luck.
> I know I enjoy my k6-2(450) based firewall/nat device infinitely more than
> the netgear piece of crap it replaced.

Crap, missed lack of AP support in run(4). Disappointing that USB radios aren't all that great. I've been pretty happy with my ral(4) card as well, even in the face of occasional interface hangs.

Thanks.

--david
Re: Router components
Stuart Henderson wrote:
> On 2010-10-04, David Higgs wrote:
>> I am building a replacement router/firewall for home use and am
>> soliciting suggestions/commentary/alternatives on the components
>> below.
>
> What sort of internet connection and what will be running over it?
> Will you be doing crypto on the firewall (ipsec/some other vpn)?
>
>> I was planning to use an SSD in the 32 GB size range, but the archives
>> indicate we don't have TRIM support yet. Though this obviously isn't
>> a showstopper to usage, am I better off getting an older-generation
>> SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
>> tech is more mature?
>
> Newer SSDs don't *require* TRIM, it is optional. I think it's probably
> a better idea to get the newer generation. Though a 2-4GB CF might be
> quite good enough too.
>
> For what a lot of people need for a router/firewall a 2-4GB CF
> card in an IDE adapter would be fine too (smaller works too if you can
> still find them, but it's easier to have this much space).
>
>> Finally, I want this box to act as wireless AP, and hope to have
>> out-of-the-box 802.11n support (when eventually available). I've read
>> that run(4) is a solid chipset in this regard; any other suggestions?
>
> run(4) does not support host AP.
>
> athn(4) is likely the best choice, I haven't used it with OpenBSD but it
> looks like this is the most actively developed wireless driver at the
> moment.
> I have used it with commercial APs running their embedded linux-based OS
> and the hardware itself works very well indeed.
>
> As I think you're aware we don't support 802.11n capabilities yet, also
> note we don't support clients that use power-saving mode (this is an
> absolute show-stopper for some users; some client hardware has no way
> to disable this).

I tend to swear by ral(4)
Mainly due to the unscientific but proven mechanism
all my ral cards have worked, and all my ath cards end up having an
unsupported chipset.
and there was something freaky about that zyd,
almost working is worse than not working at all.

Given half a chance stay away from usb radios.

but ral has always been there for me.
best of luck.
I know I enjoy my k6-2(450) based firewall/nat device infinitely more than
the netgear piece of crap it replaced.
Re: Router components
On Oct 3, 2010, at 11:15 PM, David Higgs wrote:
>> NONE OF IT WILL MATTER TO YOU.
>
> I'll google up some smaller systems (Soekris, ALIX, etc?)
> and see how they strike me. Pointers here are even more welcome, as I
> am not as familiar with this end of the spectrum and want to avoid the
> aforementioned "crappy super-low-power systems."
>
> Thanks for the input.

I just bought an Alix 2d13 board. Then ended up buying about 7 of them for work for OOB back-channel machines.

Insanely straightforward, and they Just Work(tm).

Sean
Re: Router components
On 2010-10-04, David Higgs wrote:
> I am building a replacement router/firewall for home use and am
> soliciting suggestions/commentary/alternatives on the components
> below.

What sort of internet connection and what will be running over it?
Will you be doing crypto on the firewall (ipsec/some other vpn)?

> I was planning to use an SSD in the 32 GB size range, but the archives
> indicate we don't have TRIM support yet. Though this obviously isn't
> a showstopper to usage, am I better off getting an older-generation
> SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
> tech is more mature?

Newer SSDs don't *require* TRIM, it is optional. I think it's probably a better idea to get the newer generation. Though a 2-4GB CF might be quite good enough too.

For what a lot of people need for a router/firewall a 2-4GB CF card in an IDE adapter would be fine too (smaller works too if you can still find them, but it's easier to have this much space).

> Finally, I want this box to act as wireless AP, and hope to have
> out-of-the-box 802.11n support (when eventually available). I've read
> that run(4) is a solid chipset in this regard; any other suggestions?

run(4) does not support host AP.

athn(4) is likely the best choice, I haven't used it with OpenBSD but it looks like this is the most actively developed wireless driver at the moment. I have used it with commercial APs running their embedded linux-based OS and the hardware itself works very well indeed.

As I think you're aware we don't support 802.11n capabilities yet, also note we don't support clients that use power-saving mode (this is an absolute show-stopper for some users; some client hardware has no way to disable this).
Re: Router components
On Sun, Oct 3, 2010 at 11:02 PM, Nick Holland wrote:
> On 10/03/10 22:11, David Higgs wrote:
>> I am building a replacement router/firewall for home use
>
> stop there.
>
> You aren't General Motors, Yahoo, or Google.
> You are looking to spend a lot of time and money trying to optimize
> performance on a super-fast-sport-car that will be only used to go to
> and from work in rush hour traffic. You aren't going any faster than
> the guy in front of you is going, or in this case, than your ISP is
> handing you data.
>
> There is nothing built in the last 10 years that can't do a home
> router/firewall like this for most people, with the exception of a few
> crappy super-low-power systems that people like to suggest as the answer
> to all questions (and then complain when the pathetic NICs and anemic
> CPUs don't pump data like a ten year old machine with non-pathetic NICs
> does).
>
> NONE OF IT WILL MATTER TO YOU.

Yeah, you got me -- I know it's overkill. But give me a little credit, I don't plan on tweaking knobs or compiling custom kernels to squeeze performance. I outgrew that phase five years ago on my circa 1999 desktop-turned-router that just recently passed on. To stick with the car analogy, I just want a reliable new car with better gas mileage, that will get me through the next 10 years or more.

> Realtek NICs, three digit celeron processors, the worst of the worst
> will pump more data than your ISP will deliver, so what do you gain by
> tweaking for the last one percent of data flow you will never see?
>
> Conventional stuff will cost less and run more reliably than fancy
> stuff, and while you may save a few watts, you are unlikely to recoup
> your investment.
>
> And why would you put an SSD on a firewall? so you can discover they
> are a lot more expensive and less reliable than an old hard disk? If
> you want fast and reliable, use an old, burned in HD, and back up your
> /etc directory. If you want low power or silent, get a CF adapter and a
> small CF card, or if your hw can boot from it, a USB flash drive.

I was researching SSDs to make the box quieter and maybe lower power; I/O speed was just a bonus. I can just as easily use spinning platters until SSD tech improves and/or converges with OpenBSD support.

I'll google up some smaller systems (Soekris, ALIX, etc?) and see how they strike me. Pointers here are even more welcome, as I am not as familiar with this end of the spectrum and want to avoid the aforementioned "crappy super-low-power systems."

Thanks for the input.

--david
Re: Router components
On 10/03/10 22:11, David Higgs wrote:
> I am building a replacement router/firewall for home use

stop there.

You aren't General Motors, Yahoo, or Google. You are looking to spend a lot of time and money trying to optimize performance on a super-fast-sport-car that will be only used to go to and from work in rush hour traffic. You aren't going any faster than the guy in front of you is going, or in this case, than your ISP is handing you data.

There is nothing built in the last 10 years that can't do a home router/firewall like this for most people, with the exception of a few crappy super-low-power systems that people like to suggest as the answer to all questions (and then complain when the pathetic NICs and anemic CPUs don't pump data like a ten year old machine with non-pathetic NICs does).

NONE OF IT WILL MATTER TO YOU.

Realtek NICs, three digit celeron processors, the worst of the worst will pump more data than your ISP will deliver, so what do you gain by tweaking for the last one percent of data flow you will never see?

Conventional stuff will cost less and run more reliably than fancy stuff, and while you may save a few watts, you are unlikely to recoup your investment.

And why would you put an SSD on a firewall? so you can discover they are a lot more expensive and less reliable than an old hard disk? If you want fast and reliable, use an old, burned in HD, and back up your /etc directory. If you want low power or silent, get a CF adapter and a small CF card, or if your hw can boot from it, a USB flash drive.

My main firewall at home: Celeron 300, 64M RAM, couple 3G disks in a CCD mirror (it has been around a while. I picked the disks because this model was unreliable in my experience, so I could see how CCD mirroring worked for me in real life...and the dang things didn't fail in who-knows-how-many years!).

I see it suffers a bit (actually, a lot) when I suck data from one subnet to another through my firewall, but it still moved respectfully close to wire speed, and I really doubt the (long) planned upgrade to a PII-450 will change that a huge amount, considering the number of second-rate switches and such between here and there. I do suspect the better cache will reduce the processor utilization numbers a lot...but then, it isn't bottoming out (but close) so I suspect the end result will be a big no-change.

If you aren't routing between local subnets, this machine is big overkill for you, and if you are, like I do...probably just fine.

Nick.
Router components
I am building a replacement router/firewall for home use and am soliciting suggestions/commentary/alternatives on the components below.

I've heard good things on the list about Supermicro boards; any surprises with their Atom D510 embedded boxes? Looks like em(4) support, which I believe is another plus. Ignoring performance, are there any reasons not to run amd64 on a D510?

I was planning to use an SSD in the 32 GB size range, but the archives indicate we don't have TRIM support yet. Though this obviously isn't a showstopper to usage, am I better off getting an older-generation SSD that doesn't require TRIM, or perhaps hold off on SSDs until the tech is more mature?

Finally, I want this box to act as wireless AP, and hope to have out-of-the-box 802.11n support (when eventually available). I've read that run(4) is a solid chipset in this regard; any other suggestions?

Thanks.

--david