Try OpenBSD outside of KVM on real hardware and you will see where the bottleneck is. Anyway, getting 400 Mbit/s under virtualization seems pretty fine, or try to compare with OpenBSD running in VMware, as there's fine support for that use.
Of course security is around zero in this scenario, but as you said you're doing it for fun :-)

On Mon, Aug 22, 2011 at 2:03 AM, Per-Olov Sjöholm <p...@incedo.org> wrote:
> Hi "Misc"
>
> # Background #
>
> I have done some fun lab experiments with a virtual fully patched OpenBSD 4.9
> firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The virtual
> OpenBSD got 512MB RAM and one core from a system with two quad-core Xeon 5504
> (2GHz) sitting in a Dell T410 tower server. I have given the OpenBSD FW 2
> dedicated "Intel PRO/1000 MT (82574L)" physical NICs via PCI passthrough. So
> OpenBSD sees and uses the real NICs (they are then unusable to Linux as they
> are unbound).
>
> I have not measured packets per second, which of course is more relevant. But
> as I try to tweak the speed I don't care if I measure packets or Mbits as long
> as my tweaks give a higher value during the next test. Going in on one
> physical NIC and out on the other with my small ruleset that uses keep state
> everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
> (I copy large files, a few gigs each). I started with a lower value and after a
> few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
> I can see that the interrupts in the firewall simply eat all resources. I have
> no "ip.ifq.drops" or any other drops that I am aware of...
>
>
> # Question #
>
> I now simply wonder if I can increase this speed.... I did one test and
> replaced these two physical desktop Intel NICs with a dual-port server adapter
> (also Intel, 82546GB). I was interested to see if a dual-port, more expensive,
> server adapter could lower my interrupt load. However... OpenBSD yelled
> something about "unable to reset PCI device". So I went back to these two
> desktop adapters. These low-price desktop adapters, however, in an Intel i7
> desktop workstation download over SMB from my server at 119 MByte/s and fill
> up the Gig pipe. So they cannot be too bad...
>
>
> As PF cannot use SMP, is the only way to bump up the firewall throughput (in
> this scenario) to increase the speed of the processor core (i.e. change
> server)? Or are there any other interesting configs to try?
>
>
> Regards
>
> /Per-Olov
> --
> GPG keyID: 5231C0C4
> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
> GPG key:
> http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4