Re: OpenBSD benchmarks
On 2022-04-04, Nicolas Goy wrote: > Hello, > > I'd like to make some 10gbit/s benchmarks for an OpenBSD based router. > > I was wondering if there was some "standard" pf ruleset I could use to > have a meaningful metric. It might be useful to have PF disabled, and PF enabled with a simple "pass" rule. More than that and it's likely to be more dependent on the actual traffic and ruleset so probably not so useful unless you are trying to hand optimize the ruleset to squeeze as much performance as possible out of a system. Make sure you do measure routing performance (packet source and sink on different machines) and not local stack performance (tcpbench/iperf/whatever on the machine itself). If you publish them somewhere please do include dmesg and description of the test setup. > Also, I'm curious if anymody is aware of such existing benchmarks. http://bluhm.genua.de/perform/results/perform.html (repeated tests over time showing some effects of changes in the kernel; the FORWARD and FORWARD6 graphs are probably what you're interested in here) https://undeadly.org/cgi?action=article;sid=20220319123157 (pps tests with a diff that is not yet committed) https://undeadly.org/cgi?action=article&sid=20160302155046 (older but some suggestions of software that can be useful for testing) -- Please keep replies on the mailing list.
Re: OpenBSD benchmarks
imho benchmarking only makes sense for your scenario, so I recommend benchmarking the ruleset you intend to use on that device. Also: what are you benchmarking against, and what is your setup (nat, bridge etc.)? On 04.04.22 21:50, Nicolas Goy wrote: Hello, I'd like to make some 10gbit/s benchmarks for an OpenBSD based router. I was wondering if there was some "standard" pf ruleset I could use to have a meaningful metric. Also, I'm curious if anymody is aware of such existing benchmarks. Regards
OpenBSD benchmarks
Hello, I'd like to make some 10gbit/s benchmarks for an OpenBSD based router. I was wondering if there was some "standard" pf ruleset I could use to have a meaningful metric. Also, I'm curious if anymody is aware of such existing benchmarks. Regards -- Nicolas Goy https://www.kuon.ch https://www.goyman.com
Re: benchmarks
Amit Kulkarni [amitk...@gmail.com] wrote: > Chris, don't forget to mention that they are simplifying the buffer cache > (and bigmem!) so that when the attempted switch to rthreads comes, there will > be far less hassles > compared to FreeBSD or NetBSD, which literally took 2-5 years to perfect. > Read Matt Dillon's interview linked from wikipedia. Read the section on > buffer cache > > http://kerneltrap.org/node/8 > > Linux and the other BSD's with so much commercial support (not Dfly!) just > recently getting rid of Big Giant Lock, so OpenBSD is not that far behind. > Stick with OpenBSD and see how 'fast' it continues to run. > rthreads isn't going to help with kernel locking... i didn't think that much effort was going towards splitting the kernel across CPUs, is there something i'm missing here?
Re: benchmarks
Chris, don't forget to mention that they are simplifying the buffer cache (and bigmem!) so that when the attempted switch to rthreads comes, there will be far less hassles compared to FreeBSD or NetBSD, which literally took 2-5 years to perfect. Read Matt Dillon's interview linked from wikipedia. Read the section on buffer cache http://kerneltrap.org/node/8 Linux and the other BSD's with so much commercial support (not Dfly!) just recently getting rid of Big Giant Lock, so OpenBSD is not that far behind. Stick with OpenBSD and see how 'fast' it continues to run. Good luck. On Mon, 18 Apr 2011, Chris Cappuccio wrote: > Rodrigo Mosconi [open...@mosconi.mat.br] wrote: > > Hi all, > > > > I'm interested on some benchmarks, specially with network/PF. > > > > How about this...With GENERIC -current amd64 kernel, I'm getting almost > 800Mbps on a single FTP transfer between two 1Gbit-connected boxes with em > controllers and mfi RAID backed with 6xSATA on each box. This is with boxes > that are already busy with day-to-day activity. The limitation has gone from > the networking code to the mfi controller and associated disk activity, nice > to see I think. > > Removing NIC driver interrupt loops and IPL_BIO in ppb was a "big win". > > Transfers are a lot slower with my mpi two disk RAID 1 boxes, but using less > hard disks is a lot slower than 1Gbps ethernet. Need to try with mfs next. > > It "pays" to do it right, MCLGETI without loops in x_intr is proving to be a > much better idea than what FreeBSD did with the polling hacks. > > I wonder what kind of packet per second limitations people see now with bge, > em, bnx, ix, vr, the common drivers, with and without pf enabled. PF enabled > should be faster now that it doesn't recalculate IP checksums mid-stream ! > > -- > the preceding comment is my own and in no way reflects the opinion of the > Joint Chiefs of Staff
Re: benchmarks
Rodrigo Mosconi [open...@mosconi.mat.br] wrote: > Hi all, > > I'm interested on some benchmarks, specially with network/PF. > How about this...With GENERIC -current amd64 kernel, I'm getting almost 800Mbps on a single FTP transfer between two 1Gbit-connected boxes with em controllers and mfi RAID backed with 6xSATA on each box. This is with boxes that are already busy with day-to-day activity. The limitation has gone from the networking code to the mfi controller and associated disk activity, nice to see I think. Removing NIC driver interrupt loops and IPL_BIO in ppb was a "big win". Transfers are a lot slower with my mpi two disk RAID 1 boxes, but using less hard disks is a lot slower than 1Gbps ethernet. Need to try with mfs next. It "pays" to do it right, MCLGETI without loops in x_intr is proving to be a much better idea than what FreeBSD did with the polling hacks. I wonder what kind of packet per second limitations people see now with bge, em, bnx, ix, vr, the common drivers, with and without pf enabled. PF enabled should be faster now that it doesn't recalculate IP checksums mid-stream ! -- the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Re: benchmarks
2011/4/18 Richard Toohey : > On 18/04/2011, at 1:07 PM, Rodrigo Mosconi wrote: > >> Hi all, >> >> I'm interested on some benchmarks, specially with network/PF. >> > > On the general performance: > > http://www.openbsd.org/faq/pf/perf.html > >> For example: >> >> What's the maximum bandwidth that a soekris (or alix) can handle safely as a >> firewall? (with and without ipsec, how long the rule set are) > > Why limit yourself to (low-end) machines? Budget constraints? Space constraints? Or it might to cool to play with these devices? (I thought so too, but in the end easier to whack in an old Dell Optiplex - as is often recommended on this list.) Space and noise constriants. Also can be cool to play with one ^^. > >> >> Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge >> mode. Peter, how much traffic your new firewall handle? >> >> On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall >> can handle? > > Which goes fastest? Ford or Holden? > > What NICs are in those machines? > At work (a IDC), we use Dell Rxx series. But its stuck, I think the problems are the broadcom NICs Also some customers have 200MBps or more bandwidth hired. And next, a new one (contract already signed), will use more than 1 GBps >> >> These are some questions. > > What does "traffic" mean? Is your traffic the same as mine? I will avoid to use this word... >> >> Some of these information can help me to advocate OpenBSD based solution at >> work, starting with firewall. Just as comment, some linuxes (argh) fw can't >> handle as much as 100Mbps on Dells (R200 or R400). >> > > pf is fast enough for me at my work. > > It might not be fast enough for you at your work. I agree > > What are your requirements? The biggest goal: A gigabit+ capable firewall > >> Thanks for any comments, >> > > Probably not what you were after, but that's the repeated advice I see around here - only YOU can answer this question. I know, I just want some comments and advices and opinions. > > And don't forget to read this (and buy the book) > > http://home.nuug.no/~peter/pf/en/ I already bought the book, I liked > >> Mosconi
Re: benchmarks
On Apr 17 22:07:13, Rodrigo Mosconi wrote: > Hi all, > > I'm interested on some benchmarks, specially with network/PF. > > For example: > > What's the maximum bandwidth that a soekris (or alix) can handle safely as a > firewall? (with and without ipsec, how long the rule set are) > > Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge > mode. Peter, how much traffic your new firewall handle? > > On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall > can handle? > > These are some questions. > > Some of these information can help me to advocate OpenBSD based solution at > work, starting with firewall. Just as comment, some linuxes (argh) fw can't > handle as much as 100Mbps on Dells (R200 or R400). I always save my money in the bank with the fastest safeboxes.
Re: benchmarks
On 18/04/2011, at 1:07 PM, Rodrigo Mosconi wrote: > Hi all, > > I'm interested on some benchmarks, specially with network/PF. > On the general performance: http://www.openbsd.org/faq/pf/perf.html > For example: > > What's the maximum bandwidth that a soekris (or alix) can handle safely as a > firewall? (with and without ipsec, how long the rule set are) Why limit yourself to (low-end) machines? Budget constraints? Space constraints? Or it might to cool to play with these devices? (I thought so too, but in the end easier to whack in an old Dell Optiplex - as is often recommended on this list.) > > Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge > mode. Peter, how much traffic your new firewall handle? > > On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall > can handle? Which goes fastest? Ford or Holden? What NICs are in those machines? > > These are some questions. What does "traffic" mean? Is your traffic the same as mine? > > Some of these information can help me to advocate OpenBSD based solution at > work, starting with firewall. Just as comment, some linuxes (argh) fw can't > handle as much as 100Mbps on Dells (R200 or R400). > pf is fast enough for me at my work. It might not be fast enough for you at your work. What are your requirements? > Thanks for any comments, > Probably not what you were after, but that's the repeated advice I see around here - only YOU can answer this question. And don't forget to read this (and buy the book) http://home.nuug.no/~peter/pf/en/ > Mosconi
benchmarks
Hi all, I'm interested on some benchmarks, specially with network/PF. For example: What's the maximum bandwidth that a soekris (or alix) can handle safely as a firewall? (with and without ipsec, how long the rule set are) Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge mode. Peter, how much traffic your new firewall handle? On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall can handle? These are some questions. Some of these information can help me to advocate OpenBSD based solution at work, starting with firewall. Just as comment, some linuxes (argh) fw can't handle as much as 100Mbps on Dells (R200 or R400). Thanks for any comments, Mosconi
