On 22 Aug 2011, at 07:45, Tomas Bodzar wrote:

> Try OpenBSD outside of KVM on real HW and you will see where the
> bottleneck is. Anyway, getting 400 Mbit/s under virtualization seems pretty
> fine, or try to compare with OpenBSD running in VMware as there is fine
> support for that use.
>
> Of course security is around zero in this scenario, but as you said
> you're doing it for fun :-)
>
> On Mon, Aug 22, 2011 at 2:03 AM, Per-Olov Sjöholm <p...@incedo.org> wrote:
>> Hi "Misc"
>>
>> # Background #
>>
>> I have done some fun lab experiments with a virtual, fully patched OpenBSD 4.9
>> firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The virtual
>> OpenBSD got 512 MB RAM and one core from a system with two quad-core Xeon 5504
>> (2 GHz) sitting in a Dell T410 tower server. I have given the OpenBSD FW 2
>> dedicated "Intel PRO/1000 MT (82574L)" physical NICs via PCI passthrough. So
>> OpenBSD sees and uses the real NICs (they are then unusable to Linux as they
>> are unbound).
>>
>> I have not measured packets per second, which of course is more relevant. But
>> as I try to tweak the speed I don't care if I measure packets or Mbits as long
>> as my tweaks give a higher value during the next test. Going in on one
>> physical NIC and out on the other with my small ruleset that uses keep state
>> everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
>> (I copy large files, a few gigs each). I started with a lower value and after a
>> few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
>> I can see that the interrupts in the firewall simply eat all resources. Have
>> no "ip.ifq.drops" or any other drops that I am aware of...
>>
>>
>> # Question #
>>
>> I now simply wonder if I can increase this speed... I did one test and
>> replaced these two physical desktop Intel NICs with a dual-port server adapter
>> (also Intel, 82546GB). I was interested to see if a dual-port, more expensive
>> server adapter could lower my interrupt load. However... OpenBSD yelled
>> something about "unable to reset PCI device". So I went back to these two
>> desktop adapters. These low-price desktop adapters, however, in an Intel i7
>> desktop workstation download over SMB from my server at 119 MByte/s and fill
>> up the Gig pipe. So they cannot be too bad...
>>
>>
>> As PF cannot use SMP, is the only way to bump up the firewall throughput (in
>> this scenario) to increase the speed of the processor core (i.e. change
>> server)? Or are there any other interesting configs to try?
>>
>>
>> Regards
>>
>> /Per-Olov
>> --
>> GPG keyID: 5231C0C4
>> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
>> GPG key:
>> http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4
>>

Please don't top post.

VMware is commercial software = avoid if I can. Also, Linux guests with virtio
drivers give much better performance on the same hardware if using KVM instead
of VMware. Also, no need for VMware tools as everything is in the stock Linux
kernel.

I cannot at this time give a fair test running it on the same hardware but as a
physical server instead of a virtual one, as the KVM host runs 10 other servers.
I have however tested OpenBSD on other hardware, which ended up with similar
performance. That was on a physical box with Gig Intel NICs (82541 cards) but on
a weak quad-core Intel Atom 1.6 GHz processor running the SMP kernel. At the
bottleneck speed there were 100% interrupts at around 400 Mbit (same tested
files and protocols to be able to give a fair comparison). Maybe the Intel Atom
1.6 can be compared to a Xeon 5504 core at 2 GHz??? I am not a processor guru.
Anyone??

Regarding security, which you say is "around zero": yes, this is a lab
experiment. But maybe you should say increased risk, which is a fairer
statement. I have not heard of anyone that managed to hack a scenario like this
in VMware or KVM. Also note that the host OS itself in my case cannot even see
these devices as they are unbound. From my point of view it's like the race on
WiFi where people say you should use WPA2 with AES to be secure. But the real
fact is that standard old WPA without AES and with a reasonable key length (20+
chars) has not been broken by anyone in the world yet (that we know of). One
person claims he managed to break a part of it in a lab. So... WPA = secure,
better performance and better compatibility. If I was NASA or DoD I would
probably avoid WPA as someone someday of course will break it, otherwise not...

So the question remains. Is it likely that a faster CPU core will give better
performance (not that I need it, just doing some lab experiments here)? Is a
faster CPU the best / only way to increase throughput? Of course we assume the
OS tweaks are OK and that reasonable NICs are used. Is there a plan to change
the interrupt handling model in OpenBSD to device polling in future releases?

Please don't make this thread a security one from now on as this is not the
main purpose.

/Per-Olov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?