Re: pf vs mp

[Stuart Henderson]

On 2015-09-02, Dot Yet  wrote:
> Any idea if running an ipsec vpn or openvpn on the same machine will
> benefit from the second core? working remotely over VPN is quite common
> these days. so all the extra juice may help encryption etc. is it so?

Using a processor that supports AESNI (it shows up in the cpu attach
lines in dmesg) and choosing ciphers that work with this (if you have
the choice) will have a much bigger effect than multiple cores.

> On Tue, Sep 1, 2015 at 8:59 PM, Quartz  wrote:
>
>> Maybe this webpage would help you make an informed choice?
>>>
>>> https://calomel.org/pf_config.html
>>>
>>
>> That looks like a good reference for setting up pf and the right way to
>> architect your pf.conf, but it doesn't appear to address any of the cpu
>> threading issues I'm trying to figure out. Thanks though, I'll keep a copy
>> of that in my files, it might help when we finally set this system up.

That really isn't a great reference. A huge chunk (of a very long page)
deals with things that almost nobody needs to touch, the things which
actually help laying out pf.conf nicely (like tags) are only lightly
dealt with, the "match log(matches)" which is indispensible when
debugging more complex rulesets isn't mentioned at all.

Re: pf vs mp

[Janne Johansson]

OpenVPN will eat cpu in userspace mostly so that one will most certainly
find use for MP systems.
IPSec runs in the kernel and will for a while be "limited" to one core,
though for many applications, that one
core will still do more crypto than needed, unless you are pushing it hard
over the VPN.

For the secure remote management and/or monitoring things found on office
vpns, and the occasional file data
move on top of email, dns, and surfing, the limit on single core vpns when
running on modern CPUs isn't that noticeable.


2015-09-02 3:16 GMT+02:00 Dot Yet :

> Any idea if running an ipsec vpn or openvpn on the same machine will
> benefit from the second core? working remotely over VPN is quite common
> these days. so all the extra juice may help encryption etc. is it so?
>
> On Tue, Sep 1, 2015 at 8:59 PM, Quartz  wrote:
>
> > Maybe this webpage would help you make an informed choice?
> >>
> >> https://calomel.org/pf_config.html
> >>
> >
> > That looks like a good reference for setting up pf and the right way to
> > architect your pf.conf, but it doesn't appear to address any of the cpu
> > threading issues I'm trying to figure out. Thanks though, I'll keep a
> copy
> > of that in my files, it might help when we finally set this system up.
>
>


-- 
May the most significant bit of your life be positive.

Re: pf vs mp

[Giancarlo Razzolini]

Em 01-09-2015 22:40, Quartz escreveu:
> And when I say "fanless" I mean *completely* fanless, there won't even
> be any fans in the chassis or power supply, so low TDP is super
> important, and that ends up meaning low performance. It's not clear to
> me yet how close to the margin we'll end up being.

So now that you are being less vague, then we can start pointing you in
the right direction. I've built some OpenBSD firewalls using this kind
of hardware, completely fanless using CF for storage. I think you are
focusing on the thing that will probably give you less problems, the
CPU. These kind of systems tend to have problems with a lot of things,
*before* you ever get to the CPU. Don't expect top notch performance
from them, specially under heavy loads. That being said, there are lots
of options, but I believe that one of the most recommended here on this
list is soekris. But there are other options too.

P.s.: Talking about this kind of embedded system, you'll most likely end
up with a single core one. Pay attention to the RAM speed and bus speed too.

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[Giancarlo Razzolini]

Em 01-09-2015 22:26, Quartz escreveu:
> OK, so after more info you're switching to the mp side? If that's true
> then all the latest recommendations from this afternoon forwards are
> in favor of mp. 
Re-read all my emails. Just because I said I use single core, doesn't
mean I switched sides. As I said, you should try and see. But, in
general, you will benefit from mp. Yes, I'm being vague, as you were.

P.s.: Don't use anything you read on calomel.org. Want to learn pf, read
the manual or buy the book of pf.

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[bofh]

You really need to specify which chips you are looking at.  Or even which
range of chips.  Huge difference between a single core atom vs a 16 core
monster.  I know you've said embedded systems, so you should be able to
provide some idea of CPUs.

Anything else is just a waste of time because of the huge differences.
​

Re: pf vs mp

[Quartz]

I think you are
focusing on the thing that will probably give you less problems, the
CPU. These kind of systems tend to have problems with a lot of things,
*before* you ever get to the CPU.


Such as? These aren't going to be doing hardly any disk IO and they 
don't need fancy graphics, so assuming they have a good quality chipset 
handling the ethernet ports I can't think of much else that will really 
get in the way. Unless you're talking plan bad build quality or something.




Don't expect top notch performance
from them, specially under heavy loads.


I'm not, that's why I was trying to sort out the single vs multi core 
issue to try to get the best out of it we could.

Re: pf vs mp

[Quartz]

Is it not possible to buy two or three representative models and test them to
find out which of celeron, atom, or amd is fastest?


Well as restrictive as our requirements are, there are still a few 
too many options for that. I kinda wanted to narrow it down some more first.

Re: pf vs mp

[Ted Unangst]

Quartz wrote:
> > On a more serious note, I don't see how one can actually buy faster
> > single-core performance for this purpose.  If the question was more
> > detailed, describing specific models of machines, we'd be able to
> > show it makes no financial sense.  The cheapest stuff is good enough.
> 
> As I said before, I think information is getting lost here in the 
> discussion. The issue is we need something that fits within certain 
> restrictive thermal/size/power/noise limits; these are all fanless 
> setups and some might even be battery powered. The sort of questions I'm 
> facing are like do we go for a single core Celeron or a multicore Atom 
> or what. I understand that the gross performance of a top of the line 
> Xeon or whatever will make this issue moot, but we can't afford 
> something like that for this project.

Is it not possible to buy two or three representative models and test them to
find out which of celeron, atom, or amd is fastest?

Re: pf vs mp

[patric conant]

Quartz,

I'm sorry I'm not familiar with either of the processor's you're
describing. In the vague terms you have given, I am 100% that the answer is
use the multicore setup.

On Tue, Sep 1, 2015 at 2:06 PM, Quartz  wrote:

> but the short answer is to use the
>> multi-processor system. The single core will perform better when you care
>> nothing about your performance, the multi-core system will perform better
>> the only time you care at all about performance.
>>
>
> I think some information is getting lost here. I'm not comparing single vs
> multi core operation in a purely mathematical sense on identical hardware.
> I'm trying to decide between a setup that uses a relatively fast single
> core vs a setup that uses slower multi cores. In aggregate the multiple
> cores have more processing power than the fast single, but in isolation are
> notably slower. The workload is mainly pf, and given that pf is currently
> single threaded, I'm trying to figure out if the other stuff on the box
> causes enough overhead that going with slower multi cores will end up being
> faster in the end or not.

Re: pf vs mp

[Giancarlo Razzolini]

Em 01-09-2015 14:21, Quartz escreveu:
> Also, does a local DNS resolver really consume that much cpu that it
> would see any notable effect from having another core? I thought that
> was more a RAM thing. 

If it will be the resolver for your entire internal LAN (and the
firewall itself), then it will consume more RAM and CPU than pf. Having
more of both in this case is better. Again, each case is different and
you should really try and see. Also, all of this might become somewhat
irrelevant when (if) the mp pf patch enters base.

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[Quartz]

A small office isn't that much different from a home server.


It's not actually a small office, that's just the best analogy I could 
think of.




I
see, that more than really wanting to know if you'd be ok with mp,
you're seeking validation to go through with a single core.


Well... that's kind of the same thing though, isn't it? Hypothetically, 
if I have a single core with a speed of "1" vs say a dual core where 
each core has a speed of ".75", I'm getting the impression that the dual 
will end up being likely slower, given that pf is currently single 
threaded and the other stuff isn't accounting for much overhead. Even 
though the total computational power of the dual core would be 50% more, 
that extra power is effectively unusable.




If you're
only using pf, dhcpd and dns server, it will work. But don't expect it
to scale too well if your small office becomes a medium sized office.


Again, it's not actually an office, and it won't need to scale, at least 
not by much.

Re: pf vs mp

[Giancarlo Razzolini]

Em 01-09-2015 14:18, Quartz escreveu:
> It's not actually a small office, that's just the best analogy I could
> think of.

My home server many times ends up having more traffic to deal with than
my small office. So an analogy not always plays in our favour.

> Well... that's kind of the same thing though, isn't it?
> Hypothetically, if I have a single core with a speed of "1" vs say a
> dual core where each core has a speed of ".75", I'm getting the
> impression that the dual will end up being likely slower, given that
> pf is currently single threaded and the other stuff isn't accounting
> for much overhead. Even though the total computational power of the
> dual core would be 50% more, that extra power is effectively unusable.

Not exactly. In your case, you are using only a dhcp server and a dns
server, along with pf. I'm confident that in most cases you will perform
better having the single core at 100% speed than two cores at 75% speed.
But don't expect consistent performance through peaks and heavy loads.
Again, it all depends on your use case. As other people mentioned, if
you are that concerned about pf performance (you shouldn't be), them run
only pf, with no other daemons or process with it.

> Again, it's not actually an office, and it won't need to scale, at
> least not by much.

If you expect consistent traffic, it perhaps would be better to actually
measure it, and only then decide. pflow(4) and nfsen come to mind. symon
is another good candidate. With that, you can deploy only the amount of
hardware needed.

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[Quartz]

Dhcp, no. DNS, yes.


Also, does a local DNS resolver really consume that much cpu that it 
would see any notable effect from having another core? I thought that 
was more a RAM thing.

Re: pf vs mp

[Quartz]

not
paying a context-switching tax during these simultaneous load events will
make a bigger difference than any other single factor.


I guess that's what I was getting at in my original poorly worded 
question: at what point do context switches negate the benefit of a 
faster single core (given a situation where the machine is only running 
a handful of services). I realize that's hard to answer without first 
providing extensive hardware and use case details though.

Re: pf vs mp

[Quartz]

but the short answer is to use the
multi-processor system. The single core will perform better when you care
nothing about your performance, the multi-core system will perform better
the only time you care at all about performance.


I think some information is getting lost here. I'm not comparing single 
vs multi core operation in a purely mathematical sense on identical 
hardware. I'm trying to decide between a setup that uses a relatively 
fast single core vs a setup that uses slower multi cores. In aggregate 
the multiple cores have more processing power than the fast single, but 
in isolation are notably slower. The workload is mainly pf, and given 
that pf is currently single threaded, I'm trying to figure out if the 
other stuff on the box causes enough overhead that going with slower 
multi cores will end up being faster in the end or not.

Re: pf vs mp

[patric conant]

On Tue, Sep 1, 2015 at 12:41 PM, Giancarlo Razzolini 
wrote:

> Em 01-09-2015 14:21, Quartz escreveu:
> > Also, does a local DNS resolver really consume that much cpu that it
> > would see any notable effect from having another core? I thought that
> > was more a RAM thing.
>
> If it will be the resolver for your entire internal LAN (and the
> firewall itself), then it will consume more RAM and CPU than pf. Having
> more of both in this case is better. Again, each case is different and
> you should really try and see. Also, all of this might become somewhat
> irrelevant when (if) the mp pf patch enters base.
>
> Cheers,
> Giancarlo Razzolini
>
>
Quartz,

This becomes a complex question, but the short answer is to use the
multi-processor system. The single core will perform better when you care
nothing about your performance, the multi-core system will perform better
the only time you care at all about performance. The issue here is that you
aren't actually interested in being faster when you're not under some sort
of load, just being adequate. However, when approaching the event of the
firewall being your bottleneck, you'll be under load, or you won't be
approaching it, at that moment, simultaneously serving out DNS requests,
and continuing to service packet forwarding is the desired effect, and not
paying a context-switching tax during these simultaneous load events will
make a bigger difference than any other single factor. The single-core
approach achieves instead being most efficient under the least load, while
that might make up the largest percentage of the system's life, who cares
how fast you are when you aren't doing anything.

Re: pf vs mp

[Peter Hessler]

Are you doing anything above 5Gbps?  Or above 500k pps?

if not, get whichever.

If you are, then higher frequency cores are better; today.

If you are running dhcp server, then you are likely not.



On 2015 Aug 31 (Mon) at 22:38:47 -0400 (-0400), Quartz wrote:
:Quick question: I need to make a decision between a faster single core and a
:slower multicore. The faq currently states that pf gets no improvement from
:mp. Is this still correct/current information? Presumably it would see no
:benefit from hyperthreading either, right?
:
:For an OpenBSD machine acting as a gateway/firewall/router with a handful of
:related tasks (pf, dhcp server, etc) would mp yield anything?
:

-- 
Even if you're on the right track, you'll get run over if you just sit there.
-- Will Rogers

Re: pf vs mp

[Dot Yet]

Any idea if running an ipsec vpn or openvpn on the same machine will
benefit from the second core? working remotely over VPN is quite common
these days. so all the extra juice may help encryption etc. is it so?

On Tue, Sep 1, 2015 at 8:59 PM, Quartz  wrote:

> Maybe this webpage would help you make an informed choice?
>>
>> https://calomel.org/pf_config.html
>>
>
> That looks like a good reference for setting up pf and the right way to
> architect your pf.conf, but it doesn't appear to address any of the cpu
> threading issues I'm trying to figure out. Thanks though, I'll keep a copy
> of that in my files, it might help when we finally set this system up.

Re: pf vs mp

[Theo de Raadt]

> Quartz [qua...@sneakertech.com] wrote:
> > Quick question: I need to make a decision between a faster single core and a
> > slower multicore. The faq currently states that pf gets no improvement from
> > mp. Is this still correct/current information? Presumably it would see no
> > benefit from hyperthreading either, right?
> > 
> > For an OpenBSD machine acting as a gateway/firewall/router with a handful of
> > related tasks (pf, dhcp server, etc) would mp yield anything?
> 
> While it was true up until 2012 or 2013 that MP kernels had worse
> networking performance than the SP, that is no longer the case. There
> were problems in the MP kernel that made latency higher and throughput
> lower than SP kernel, especially as traffic levels incrased. This 
> hasn't been an issue for at least two years. The recommendation
> that people use SP kernels for networking is no longer valid.
> 
> In fact, under -current, my myx routers now make use of two cores,
> today. There is a lot of work going into this area right now.

I think the OP should buy a single processor machine.

Then, in a year or two, he can provide uplift for the stalling global
economy by purchasing a replacement.

On a more serious note, I don't see how one can actually buy faster
single-core performance for this purpose.  If the question was more
detailed, describing specific models of machines, we'd be able to
show it makes no financial sense.  The cheapest stuff is good enough.

Re: pf vs mp

[Quartz]

I red all thoughts till now and my advice is if you are going to buy
a new hardware now (year 2015) take multi core CPU. The OpenBSD just
get better every day and if you follow tech@, source-changes@ and
misc@ you already know that our beloved OS soon or later will spread
load on all CPU/CORES (device drivers, TCP/IP stack, pf and so on).


That's a good point in general, but this is an embedded project and it's 
pretty much set once made, so future expansion or upgrades aren't really 
a selling point.

Re: pf vs mp

[Quartz]

I'm sorry I'm not familiar with either of the processor's you're
describing. In the vague terms you have given,


I haven't described any specific models yet, I'm being a little vague 
because I was looking more for general guidance than having the list 
debate the pros and cons of dozens of different specific motherboards. 
The sort of stuff we're looking at are various Intel Atoms, Celerons, 
modern Pentium lines (eg, N3700), and a variety of things from AMD. 
There's a wide range here, so I'm trying to figure out where we should 
start looking first.




I am 100% that the answer is
use the multicore setup.


OK

Re: pf vs mp

[Quartz]

On a more serious note, I don't see how one can actually buy faster
single-core performance for this purpose.  If the question was more
detailed, describing specific models of machines, we'd be able to
show it makes no financial sense.  The cheapest stuff is good enough.


As I said before, I think information is getting lost here in the 
discussion. The issue is we need something that fits within certain 
restrictive thermal/size/power/noise limits; these are all fanless 
setups and some might even be battery powered. The sort of questions I'm 
facing are like do we go for a single core Celeron or a multicore Atom 
or what. I understand that the gross performance of a top of the line 
Xeon or whatever will make this issue moot, but we can't afford 
something like that for this project.

Re: pf vs mp

[Quartz]

The recommendation
that people use SP kernels for networking is no longer valid.


Ah, thank you for mentioning this explicitly. I had a memory of this 
kicking around at the bottom of my subconscious. I knew there was 
something else about this issue but couldn't put my finger on it.

Re: pf vs mp

[Quartz]

Maybe this webpage would help you make an informed choice?

https://calomel.org/pf_config.html


That looks like a good reference for setting up pf and the right way to 
architect your pf.conf, but it doesn't appear to address any of the cpu 
threading issues I'm trying to figure out. Thanks though, I'll keep a 
copy of that in my files, it might help when we finally set this system up.

Re: pf vs mp

[Quartz]

The short answer is, unless you can guarantee that pf will have its own
core and no other process will race against it (you can't), then go for
the mp.


OK, so after more info you're switching to the mp side? If that's true 
then all the latest recommendations from this afternoon forwards are in 
favor of mp.

Re: pf vs mp

[Quartz]

As I said before, I think information is getting lost here in the
discussion. The issue is we need something that fits within certain
restrictive thermal/size/power/noise limits; these are all fanless
setups and some might even be battery powered.


And when I say "fanless" I mean *completely* fanless, there won't even 
be any fans in the chassis or power supply, so low TDP is super 
important, and that ends up meaning low performance. It's not clear to 
me yet how close to the margin we'll end up being.

Re: pf vs mp

[Chris Cappuccio]

Quartz [qua...@sneakertech.com] wrote:
> Quick question: I need to make a decision between a faster single core and a
> slower multicore. The faq currently states that pf gets no improvement from
> mp. Is this still correct/current information? Presumably it would see no
> benefit from hyperthreading either, right?
> 
> For an OpenBSD machine acting as a gateway/firewall/router with a handful of
> related tasks (pf, dhcp server, etc) would mp yield anything?

While it was true up until 2012 or 2013 that MP kernels had worse
networking performance than the SP, that is no longer the case. There
were problems in the MP kernel that made latency higher and throughput
lower than SP kernel, especially as traffic levels incrased. This 
hasn't been an issue for at least two years. The recommendation
that people use SP kernels for networking is no longer valid.

In fact, under -current, my myx routers now make use of two cores,
today. There is a lot of work going into this area right now.

Chris

Re: pf vs mp

[Patrick Dohman]

> On Sep 1, 2015, at 8:40 PM, Quartz  wrote:
>
> there won't even be any fans in the chassis or power supply, so low TDP is
super important, and that ends up meaning low performance

Embedded systems can often benefit from efficient power design & inefficiency
can unduly impact WLAN etc..

Regards
Patrick

Re: pf vs mp

[Giancarlo Razzolini]

Em 01-09-2015 16:06, Quartz escreveu:
> I think some information is getting lost here. I'm not comparing
> single vs multi core operation in a purely mathematical sense on
> identical hardware. I'm trying to decide between a setup that uses a
> relatively fast single core vs a setup that uses slower multi cores.
> In aggregate the multiple cores have more processing power than the
> fast single, but in isolation are notably slower. The workload is
> mainly pf, and given that pf is currently single threaded, I'm trying
> to figure out if the other stuff on the box causes enough overhead
> that going with slower multi cores will end up being faster in the end
> or not. 

The short answer is, unless you can guarantee that pf will have its own
core and no other process will race against it (you can't), then go for
the mp. Truth is, that pf is so fast, that the bottleneck almost never
is it. If you ever reach a point where pf is giving you trouble, than
I'm guessing you're a backbone with tons of GB/s of traffic. And even
then it can adjusted to not give you trouble. Clearer now?

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[Joseph Borg]

Maybe this webpage would help you make an informed choice?

https://calomel.org/pf_config.html

Sent from my iPod

> On 01 Sep 2015, at 04:38, Quartz  wrote:
> 
> Quick question: I need to make a decision between a faster single core and a 
> slower multicore. The faq currently states that pf gets no improvement from 
> mp. Is this still correct/current information? Presumably it would see no 
> benefit from hyperthreading either, right?
> 
> For an OpenBSD machine acting as a gateway/firewall/router with a handful of 
> related tasks (pf, dhcp server, etc) would mp yield anything?

Re: pf vs mp

[Atanas Vladimirov]

On 01.09.2015 22:06, Quartz wrote:

but the short answer is to use the
multi-processor system. The single core will perform better when you 
care
nothing about your performance, the multi-core system will perform 
better

the only time you care at all about performance.


I think some information is getting lost here. I'm not comparing
single vs multi core operation in a purely mathematical sense on
identical hardware. I'm trying to decide between a setup that uses a
relatively fast single core vs a setup that uses slower multi cores.
In aggregate the multiple cores have more processing power than the
fast single, but in isolation are notably slower. The workload is
mainly pf, and given that pf is currently single threaded, I'm trying
to figure out if the other stuff on the box causes enough overhead
that going with slower multi cores will end up being faster in the end
or not.


 I red all thoughts till now and my advice is if you are going to buy
 a new hardware now (year 2015) take multi core CPU.
 The OpenBSD just get better every day and if you follow tech@, 
source-changes@
 and misc@ you already know that our beloved OS soon or later will 
spread load

 on all CPU/CORES (device drivers, TCP/IP stack, pf and so on).

Re: pf vs mp

[James Shupe]

On 9/1/2015 3:40 PM, Joseph Borg wrote:
> Maybe this webpage would help you make an informed choice?
> 
> https://calomel.org/pf_config.html
> 

You must be new around here.

-- 
James Shupe

Re: pf vs mp

[lists]

> Quick question: I need to make a decision between a faster single core 
> and a slower multicore.

Quick answer: faster multiple cores within similar thermal envelope,
i.e. newer lithography.

Re: pf vs mp

[Quartz]

For an OpenBSD machine acting as a gateway/firewall/router with a
handful of related tasks (pf, dhcp server, etc) would mp yield anything?


Of course, yes. Just because PF doesn't get any benefits (yet) from MP,
it doesn't mean these other programs won't.


Sorry that was unclear wording on my part. This machine is 95% pf 
routing with some dhcp/dns on the side- AFAIK those won't account for 
much so if there's nothing else there wouldn't really be a benefit going 
multicore, right?

Re: pf vs mp

[Giancarlo Razzolini]

Em 01-09-2015 10:21, Quartz escreveu:
>
> Sorry that was unclear wording on my part. This machine is 95% pf
> routing with some dhcp/dns on the side- AFAIK those won't account for
> much so if there's nothing else there wouldn't really be a benefit
> going multicore, right?

Dhcp, no. DNS, yes. As I mentioned, I have a small home server which is
single core that has a lot more daemons running and it doesn't break a
sweat. A small office isn't that much different from a home server. I
see, that more than really wanting to know if you'd be ok with mp,
you're seeking validation to go through with a single core. If you're
only using pf, dhcpd and dns server, it will work. But don't expect it
to scale too well if your small office becomes a medium sized office.

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[Quartz]

are we talking home router here or something more specialized?


A little more specialized. It's a sort of embedded system and it needs 
to fit within some size/thermal/watts/noise constraints. It needs to 
serve something roughly equivalent to a small office.



now if i needed a gateway/firewall for say 50 machines it would be different.
dns, ntp, dhcp would all be moved to other machines on the network


This has to be one physical box.

pf vs mp

[Quartz]

Quick question: I need to make a decision between a faster single core 
and a slower multicore. The faq currently states that pf gets no 
improvement from mp. Is this still correct/current information? 
Presumably it would see no benefit from hyperthreading either, right?


For an OpenBSD machine acting as a gateway/firewall/router with a 
handful of related tasks (pf, dhcp server, etc) would mp yield anything?

Re: pf vs mp

[Giancarlo Razzolini]

Em 31-08-2015 23:38, Quartz escreveu:
> Quick question: I need to make a decision between a faster single core
> and a slower multicore. The faq currently states that pf gets no
> improvement from mp. Is this still correct/current information?

Not anymore. There has been some work on mp support, although I don't
think it made 5.8. Nor that it will make 5.9, for that matter.

> For an OpenBSD machine acting as a gateway/firewall/router with a
> handful of related tasks (pf, dhcp server, etc) would mp yield anything?

Of course, yes. Just because PF doesn't get any benefits (yet) from MP,
it doesn't mean these other programs won't. That being said, you'll
probably be ok with a single core. But, if you machine have no problems
with it, using MP won't hurt, and will definitely improve your performance.

Cheers,
Giancarlo Razzolini

Re: pf vs mp

[fwsoucy]

On 2015.08.31, Quartz wrote:
> For an OpenBSD machine acting as a gateway/firewall/router with a handful of
> related tasks (pf, dhcp server, etc) would mp yield anything?

are we talking home router here or something more specialized? 

there is not really any *negative* to mp besides maybe cost/power consumption.
the use of multi core vs single core is going to come down to your
specific needs and expected use/load for the machine. ex:

my home router is an intel atom d2550(dual core/ht 1.8ghz) gbe 
running pf, ntpd, dns, dhcpd and wifi for ~12 machines and doesnt
break a sweat. my rig spends most of its time scaled down to 224mhz.
this is fine. i don't loose anything by using a mp system and i woudn't
gain any more performance with a single core machine.

now if i needed a gateway/firewall for say 50 machines it would be different.
dns, ntp, dhcp would all be moved to other machines on the network and a
faster single core cpu would be preferable. after all its only job is to
route packets as fast as it can.

if your need is high performance routing go single core.
if you need something more general purpose go multi core.
if you want to future proof for smp pf go multi core.