On Mon, Aug 22, 2011 at 10:59 AM, Per-Olov Sjöholm <p...@incedo.org> wrote:
> On 22 aug 2011, at 07:45, Tomas Bodzar wrote:
>> Try OpenBSD outside of KVM on real HW and you will see where the
>> bottleneck is. Anyway, getting 400 Mbit/s under virtualization seems pretty
>> fine, or try to compare with OpenBSD running in VMware, as there is fine
>> support for that use.
>>
>> Of course security is around zero in this scenario, but as you said
>> you're doing it for fun :-)
>>
>> On Mon, Aug 22, 2011 at 2:03 AM, Per-Olov Sjöholm <p...@incedo.org> wrote:
>>> Hi "Misc"
>>>
>>> # Background #
>>>
>>> I have done some fun laborations with a virtual, fully patched OpenBSD 4.9
>>> firewall on top of SuSE Enterprise Linux 11 SP1 running KVM. The virtual
>>> OpenBSD got 512MB RAM and one core from a system with two quad-core Xeon 5504
>>> (2GHz) sitting in a Dell T410 tower server. I have given the OpenBSD FW 2
>>> dedicated "Intel PRO/1000 MT (82574L)" physical NICs via PCI passthrough. So
>>> OpenBSD sees and uses the real NICs (they are then unusable to Linux as they
>>> are unbound).
>>>
>>> I have not measured packets per second, which of course is more relevant. But
>>> as I try to tweak the speed I don't care if I measure packets or Mbits, as long
>>> as my tweaks give a higher value during the next test. Going in on one
>>> physical NIC and out on the other with my small ruleset that uses keep state
>>> everywhere gives me about 400 Mbit. AFP, SMB, SCP or NFS give similar results
>>> (I copy large files, a few Gig each). I started with a lower value and after a
>>> few tweaks in sysctl.conf ended up with this speed of 400 Mbit. At this speed
>>> I can see that the interrupts in the firewall simply eat all resources. Have
>>> no "ip.ifq.drops" or any other drops that I am aware of...
>>>
>>>
>>> # Question #
>>>
>>> I now simply wonder if I can increase this speed.... I did one test and
>>> replaced these two physical desktop Intel NICs with a dual port server adapter
>>> (also Intel, 82546GB). I was interested to see if a dual port, more expensive,
>>> server adapter could lower my interrupt load. However... OpenBSD yelled
>>> something about "unable to reset PCI device". So I went back to these two
>>> desktop adapters. These low price desktop adapters however, in an Intel i7
>>> desktop workstation, download over SMB from my server at 119 Mbyte/s and fill
>>> up the Gig pipe. So they cannot be too bad...
>>>
>>>
>>> As PF cannot use SMP, is the only way to bump up the firewall throughput (in
>>> this scenario) to increase the speed of the processor core (i.e. change
>>> server)? Or are there any other interesting configs to try?
>>>
>>>
>>> Regards
>>>
>>> /Per-Olov
>>> --
>>> GPG keyID: 5231C0C4
>>> GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
>>> GPG key:
>>> http://wwwkeys.eu.pgp.net/pks/lookup?op=get&search=0x766ED29D5231C0C4
>>>
>>
>> Plz, don't top post
>
> Sorry. Sometimes I forget because here there are different rules.
>
> VMware is commercial software = avoid if I can. Also Linux guests with virtio
> drivers give much better performance on the same hardware if using KVM
> instead of VMware. Also, no need for VMware tools as everything is in the stock
> Linux kernel.
>
> I cannot at this time give a fair test running it on the same hardware but as
> a physical server instead of a virtual one, as the KVM host runs 10 other
> servers. I have however tested the OpenBSD on other hardware, which ended up
> with similar performance. That was on a physical box with Gig Intel NICs
> (82541 cards) but on a weak quad-core Intel Atom 1.6GHz processor running the
> SMP kernel. At the bottleneck speed there was 100% interrupts at around
> 400Mbit (same tested files and protocols to be able to give a fair
> comparison). Maybe the Intel Atom 1.6 can be compared to a Xeon 5504 core at
> 2GHz??? I am not a processor guru. Anyone??

http://marc.info/?l=openbsd-misc&m=126204017310569&w=2

> Regarding security, which you say is "around zero": yes, this is a laboration.
> But maybe you should say increased risk, which is a fairer statement. I have
> not heard of anyone that managed to hack a scenario like this in VMware or
> KVM. Also note that the host OS itself in my case cannot even see these
> devices as they are unbound. From my point of view it's like the race on WiFi
> where people say you should use WPA2 with AES to be secure. But the real fact
> is that standard old WPA without AES and with a reasonable key length (20+
> chars) has not been broken by anyone in the world yet (that we know of). One
> person claims he managed to break a part of it in a lab. So... WPA = secure,
> better performance and better compatibility. If I was NASA or DoD I would
> probably avoid WPA as someone someday of course will break it, otherwise
> not...
>
>
> So the question remains. Is it likely that a faster CPU core will give better
> performance (not that I need it, just doing some laborations here)? Is a
> faster CPU the best / only way to increase throughput? Of course we assume the
> OS tweak is ok and that reasonable NICs are used. Is there a plan to change
> the interrupt handling model in OpenBSD to device polling in future releases?

Intel cards are probably the best option on OpenBSD, going by what a lot of
people here use. Better bus and CPU will help for sure. You may find this
thread useful too: http://marc.info/?l=openbsd-misc&m=129839483317022&w=2

> Plz don't make this thread a security one from now on as this is not the main
> purpose.
>
>
> /Per-Olov
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
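A small measurement helper added here as an illustration (not code from anyone in the thread): it diffs two `vmstat -i` snapshots and two `net.inet.ip.ifq.drops` readings taken around a transfer, which is how you would back up the "interrupts eat all resources, no ifq drops" observation above with numbers. The `vmstat -i` column layout and the sysctl name are assumptions about OpenBSD; the snapshots embedded in the block are constructed.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's code): quantify whether
# a PF box is interrupt-bound during a transfer. It diffs two `vmstat -i`
# snapshots (assumed OpenBSD layout: "source total rate" columns with a
# "Total" footer) and two net.inet.ip.ifq.drops readings SECS seconds apart.

# irq_rates BEFORE AFTER SECS -> one "source interrupts/s" line per source
irq_rates() {
    printf '%s\n--SPLIT--\n%s\n' "$1" "$2" |
    awk -v secs="$3" '
        /^--SPLIT--$/ { after = 1; next }
        $1 == "interrupt" || $1 == "Total" || NF < 3 { next }
        !after { before[$1] = $2; next }
        ($1 in before) { printf "%s %d\n", $1, ($2 - before[$1]) / secs }
    '
}

# drop_delta BEFORE_DROPS AFTER_DROPS -> packets dropped from the IP input queue
drop_delta() { echo $(( $2 - $1 )); }

# Live use on the firewall: sample, let the transfer run for SECS seconds, resample.
measure_live() {
    secs=${1:-10}
    v0=$(vmstat -i); d0=$(sysctl -n net.inet.ip.ifq.drops)
    sleep "$secs"
    v1=$(vmstat -i); d1=$(sysctl -n net.inet.ip.ifq.drops)
    irq_rates "$v0" "$v1" "$secs"
    echo "ifq drops during window: $(drop_delta "$d0" "$d1")"
}

# Constructed snapshots (not real output) standing in for vmstat -i 10 s apart.
SNAP_BEFORE='interrupt                       total     rate
irq0/clock                    1000000      100
irq11/em0                      500000       50
irq16/em1                      400000       40
Total                         1900000      190'
SNAP_AFTER='interrupt                       total     rate
irq0/clock                    1001000      100
irq11/em0                      900000    40000
irq16/em1                      700000    30000
Total                         2601000    70100'

# On the constructed data em0 takes ~40k and em1 ~30k interrupts per second.
irq_rates "$SNAP_BEFORE" "$SNAP_AFTER" 10
echo "ifq drops during window: $(drop_delta 17 17)"
```

Run `measure_live 10` on the firewall while a file copy is in flight; a high per-NIC rate with a zero drop delta matches the saturation pattern described in the thread.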