OPNsense Forum
English Forums => Hardware and Performance => Topic started by: Samplex on May 23, 2021, 03:03:37 pm
-
Hi,
I got a Yanlink FW4B Celeron J3160 and installed OPNsene on it with a 600/40Mbit cable internet line. Cable modem is in Bridge mode. Update the bios the latest fw (not coreboot), enabled UEFI.
Did some tests while and find out when using the full bandwith of 600Mbit the CPU goes to 30%.
Remove the checkbox from Disable Hardware CRC, TSO, LRO but the cpu use doesnt go down.
Any recommendations?
-
This seems about average for this level of CPU. Especially if you are using traffic shaping.
For reference, I run a J3455B with an Intel I340 quad port NIC and a 500/500 fiber line. With FQ_Codel traffic shaping enabled on in/out traffic, I see between 25-30% CPU usage measure in top at the console when I am running speed tests on clients behind the router. I've also run this same system on a 1000/1000 line in the past and CPU usage only increased slightly, it scales pretty well and uses very little power.
On mine I have all of the hardware and VLAN offloading disabled. I've also enabled PowerD and set it to "hiadaptive" on all of the drop down selections.
-
I have not enabled any package yet. I cheap Edgerouter lite does 2% cpu when downloading with 600Mbit and has 880mhz cpu.
I dont understand why this is happening, seems opnsense does not support hardware offloading even if the nic i210 supports it.
-
The EdgeRouter Lite only does this with hardware offloading enabled (which also removes the ability to do traffic shaping).
In this case this is also comparing a linux-based router to a BSD based one. Linux will be able to scale throughput much easily with less CPU power required when compared to the available BSD-based routers. Hopefully with FreeBSD 13 we'll see more optimization in this regard and maybe close the gap a bit compared to what Linux can do.
What you're gaining with OPNsense compared to a fixed, dedicated appliance is the ability to customize and easily scale your network. DNS DoT, extensive logging and graphing, realtime firewall logging, all of these are easily done in OPNsense and either unavailable or require more customization on the Linux side of the house right now. All of the Linux based routers are either aging out or do not have the extensive customization that OPNsense has.
As long as you can max your bandwidth, I wouldn't be concerned with the 30% CPU, you still have plenty of overhead. Apply packages/customizations that you require, then do a final test and see where the actual usage is.
-
Oke thanks for the explanation. I dont need traffic shapping so i hoped for lower cpu usage. So have to wait for the new freebsd version or switch to Sophos XG or Untangle which are linux based?
-
Obviously, you own the hardware and I would encourage you to try as many firewall distros as you like. :)
I don't want to stray too far off since this is an OPNsense forum. However, I have used many distros over the years and I always keep coming back to *sense (BSD) based routers. I used pfSense way back when it was in alpha, and before that m0n0wall. I haven't found a good Linux based replacement yet.
Untangle and Sophos are more closed development, and require paid upgrades to fully utilize many of the apps (or they limit the number of clients in the "free" version). I'm not sure if either one of those will do DoT yet or not? It's been over a year since I tried them so they may have added that.
If you want something that is very fast and efficient and Linux based, I would suggest OpenWRT X86-64. However, the upgrade process to a new version can be quite clunky (it wipes the partition and all installed packages). Compare this to OPNsense, which will upgrade in place and save all your packages and settings, and upgrade those too. However, OpenWRT can push a lot of bandwidth with smaller CPU usage. So it depends on your requirements. The downside to OpenWRT is that it is heavily biased towards consumer grade routers, so most of the development (and lack thereof) is because of this.
If you enjoy tinkering with this stuff, it doesn't hurt to try it. But in my experience, I haven't found a better out of the box solution to OPNsense.