View Single Post
  #1   (View Single Post)  
Old 18th December 2009
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default OpenBSD amd64 or i386 for firewall/router

In a discussion about OpenBSD network performance on an Atom motherboard http://www.daemonforums.org/showthread.php?t=4090
a question arose wich of the OpenBSD architectures, amd64 or i386, would be best for a firewall or router.

I finally managed to find the posts in my gmail account archive. And being in a lazy mood today I only give you the start of this long discussion on the misc mailing list.

Quote:
From Henning Brauer
to misc
date Tue, Oct 9, 2007 at 12:32 PM
subject Re: firewall is very slow, something's wrong


* Florin Andrei <florin@xxxxxx> [2007-10-05 03:55]:
> The hardware is AMD64, Tyan Transport, 2 CPUs 2 cores each. I am using the
> SMP kernel. The network card is Intel Pro/1000 PCI Express 4x dual gigabit
> port, it carries both em0 and em1.

First, you want to run 4.2 or -current, that shoudl about double your
throughput.
then, an i386 kernel should perform considerably better than amd64 for
firewalling/routing/..
.

next, you don't want SMP for such tasks. take out the second CPU and
give it to somebody who can use it, and run the uniprocessor kernel.

last, increase net.inet.ip.ifq.maxlen until you see the congestion
counter not increasing much any more under load. should not exceed 2500
by too much. as a rule of thumb, 256 per gigE interface aren't too far
off.
In the same thread: he kind of relativizes this:
Quote:
from Henning Brauer
to misc
date Tue, Oct 9, 2007 at 7:03 PM
subject Re: firewall is very slow, something's wrong

Florin Andrei <xxx> [2007-10-09 19:34]:
>> then, an i386 kernel should perform considerably better than amd64 for
>> firewalling/routing/...
>
> That is surprising. What is the reason?

we dunno really. it hasn't been benched in sometimesoit might not even
be true nay more, but last time the difference was dramatic.
The last post of Henning in this thread he still recommends i386 for a router.
Quote:
From Henning Brauer
to misc
date Wed, Oct 10, 2007 at 9:20 PM
subject Re: firewall is very slow, something's wrong


* Robert C Wittig [2007-10-10 20:45]:
> If you had to choose between, say, 2 gig RAM and a 32 bit CPU, or 1 gig RAM
> and a 64 bit CPU, which would be a better choice, in general?

for a packet filter/router/...? 32bit 2Gig and take a gig out.
for a databse server? 64bit and add ram when required.
there is no "in general".
The thread has many interesting posts , e.g. "does a 20 ton truck run faster then a 10 ton truck?", where the 20 ton truck stands for amd64 and the 10 ton one for i386.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote