PCEngines APU2/APU3/APU4 running on 20.7

Started by Ricardo, August 04, 2020, 12:01:41 PM

Hi,
just an idea here:
Quote from: l8gravely on November 16, 2020, 05:43:57 PM
Any suggestions on how to debug this better?  Can I reset the WAN DHCP from the console so I can watch for errors?  It's driving me nuts since a reboot tends to fix up the problem right away.
Why don't you use monit to check for the connection?
You could, for example, create a connection test to any IP available from the firewall, and in case it is not reachable you could initiate a reload after, let's say, 5 missed attempts and initiate a reboot after 15 attempts.
That's the way I monitor my internet connection.
amichelf

I have an APU2 4 GB. I always update to latest mainline BIOS and latest Opnsense, at most with one week delay. I have Ziggo 500 down 40 up. The APU2 is in the DMZ of my modem/router.

I have installed Sensei. No big problems that I could report.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

I just recently upgraded my old APU1 running 20.7.<recent> to an APU4d4 because I keep getting drops of my WAN connection, it's like the DHCP times out and the router can't renew it properly.  I'm working along and suddenly things freeze and I can't work, or my kids come yelling that the Wifi is down.  Heh.

So I go to Interfaces -> Overview -> igb3 and hit the 'renew' button.  Which usually works, but not always.  I might have to hit it multiple times.

I log via syslog to my main home system which is on 24x7, so can anyone give good suggestions for what to look for in the logs to help diagnose this problem?  It's really frustrating when the kids are in school, or us parents are on conference calls.

Here's a snippet from my log:

opnsense[32236]: /usr/local/etc/rc.configure_interface: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igb3.pid' 'igb3'' returned exit code '15', the output was 'dhclient 41052 - - Starting delete_old_states() dhclient 44642 - - Comparing IPs: Old: 66.189.75.104 New: dhclient 47831 - - Removing states from old IP '66.189.75.104' (new IP '') 0 states cleared killed 0 src nodes from 1 sources and 0 destinations DHCPREQUEST on igb3 to 255.255.255.255 port 67 DHCPREQUEST on igb3 to 255.255.255.255 port 67 DHCPREQUEST on igb3 to 255.255.255.255 port 67 DHCPDISCOVER on igb3 to 255.255.255.255 port 67 interval 2 DHCPDISCOVER on igb3 to 255.255.255.255 port 67 interval 3 DHCPDISCOVER on igb3 to 255.255.255.255 port 67 interval 3 DHCPDISCOVER on igb3 to 255.255.255.255 port 67 interval 6 DHCPDISCOVER on igb3 to 255.255.255.255 port 67 interval 8 DHCPDISCOVER on igb3 to 255.255.255.255 port 67 interval 19'
Dec  1 11:50:30 gw dhclient[3571]: Starting delete_old_states()

It looks like it's a failure to properly renew the WAN DHCP client IP address for some reason.  Has anyone else seen this issue?  Any suggestions on what I can do to make it work better?



Yup, give it a static lease. That means no bridge mode for your modem, use DMZ.

Has anyone experienced lower than expected AES / VPN throughput recently?

I did a measurement on my APU2, and it performs significantly worse than 2 years earlier:

openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 11056362 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 5231233 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 1850707 aes-128-cbc's in 3.05s
Doing aes-128-cbc for 3s on 1024 size blocks: 505589 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 64769 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 32500 aes-128-cbc's in 3.01s
OpenSSL 1.1.1d-freebsd  10 Sep 2019
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      58967.26k   111599.64k   155497.35k   172574.38k   176862.55k   177032.31k

--> approx. 172Mbit/sec traffic using 1024bytes blocks (measurement repeated multiple times, router is lightly loaded, 80+% idle)


Earlier (Opnsense 18.x, OpenSSL 1.0.2k-freebsd 26 Jan 2017): it was higher:

openssl speed -elapsed -evp aes-128-cbc

type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
aes-128-cbc 109850.66k 157501.93k 194130.64k 205928.11k 210187.46k

--> around 205-210 Mbit/sec

That's quite a big steady 20% degradation.

The correct binary to check is (and always was) /usr/local/bin/openssl


Cheers,
Franco

Quote from: franco on December 03, 2020, 07:56:48 PM
The correct binary to check is (and always was) /usr/local/bin/openssl


Cheers,
Franco

Did you spot any mistake?

This is what I get with my apu2e4:
root@hush:~ # openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 15080231 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 7226969 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2525328 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 570466 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 73644 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 36643 aes-128-cbc's in 3.00s
OpenSSL 1.1.1d-freebsd  10 Sep 2019
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      80427.90k   154175.34k   215494.66k   194719.06k   201097.22k   200119.64k

Guys, for the love of the Gods please use /usr/local/bin/openssl ;)

# which openssl
/usr/bin/openssl


Cheers,
Franco

December 04, 2020, 09:00:55 AM #39 Last Edit: December 04, 2020, 09:05:55 AM by hushcoden
Slightly better:
root@hush:~ # /usr/local/bin/openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 11289033 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 5595084 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 256 size blocks: 2235362 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 690092 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 89374 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 44699 aes-128-cbc's in 3.00s
OpenSSL 1.1.1h  22 Sep 2020
built on: Tue Oct 20 22:46:58 2020 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
compiler: cc -fPIC -pthread -Wa,--noexecstack -Qunused-arguments -O2 -pipe  -DHARDENEDBSD -fPIE -fPIC -fstack-protector-all -fno-strict-aliasing -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_THREAD_SAFE -D_REENTRANT -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      60208.18k   119051.76k   190750.89k   235551.40k   244050.60k   244116.14k

Quote from: franco on December 04, 2020, 08:31:25 AM
Guys, for the love of the Gods please use /usr/local/bin/openssl ;)

# which openssl
/usr/bin/openssl


Cheers,
Franco

1) For the love of god, why do you guys deploy 2 different openssl versions on the same opnsense without describing this trapmine?

2) In my case, it didn't give better results:

~ # /usr/local/bin/openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 10431991 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 5030317 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 1792666 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 505478 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 8192 size blocks: 64928 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 32502 aes-128-cbc's in 3.00s
OpenSSL 1.1.1h  22 Sep 2020
built on: Tue Oct 20 22:46:58 2020 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
compiler: cc -fPIC -pthread -Wa,--noexecstack -Qunused-arguments -O2 -pipe  -DHARDENEDBSD -fPIE -fPIC -fstack-protector-all -fno-strict-aliasing -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_THREAD_SAFE -D_REENTRANT -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      55637.29k   107313.43k   152974.17k   171642.52k   177296.73k   177504.26k
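
Added example, not part of any post in this thread: a small sh/awk helper that reads an `openssl speed` report, says which OpenSSL build wrote it, and compares two reports at one block size. The two embedded reports are copied from outputs posted above (the first from a bare `openssl`, the second from /usr/local/bin/openssl); the function names are made up for this example.

```sh
#!/bin/sh
# Added example (not from the thread): identify which OpenSSL build produced an
# `openssl speed` report and compare two reports at one block size.

# Version token of the build that wrote the report on stdin, e.g. "1.1.1h".
speed_version() { awk '/^OpenSSL /{ print $2; exit }'; }

# Throughput in 1000s of bytes/s for block size $1, read from the summary table.
speed_value() {
    awk -v want="$1" '
        $1 == "type" { for (i = 2; i <= NF; i += 2) col[$i] = i / 2 + 1; next }
        (want in col) && $(col[want]) ~ /k$/ {
            v = $(col[want]); sub(/k$/, "", v); print v; exit
        }'
}

# Percent change from $1 to $2, one decimal place.
pct_change() { awk -v a="$1" -v b="$2" 'BEGIN { printf "%.1f\n", (b - a) / a * 100 }'; }

# openssl reports 1000s of bytes/s; convert to Mbit/s (x * 1000 * 8 / 1e6).
to_mbit() { awk -v k="$1" 'BEGIN { printf "%.0f\n", k * 8 / 1000 }'; }

# Two reports copied from this thread (bare `openssl`, then /usr/local/bin/openssl).
report_base() { cat <<'EOF'
OpenSSL 1.1.1d-freebsd  10 Sep 2019
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      58967.26k   111599.64k   155497.35k   172574.38k   176862.55k   177032.31k
EOF
}
report_ports() { cat <<'EOF'
OpenSSL 1.1.1h  22 Sep 2020
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      55637.29k   107313.43k   152974.17k   171642.52k   177296.73k   177504.26k
EOF
}

base=$(report_base | speed_value 1024)
ports=$(report_ports | speed_value 1024)
echo "base  $(report_base | speed_version): ${base}k = $(to_mbit "$base") Mbit/s"
echo "ports $(report_ports | speed_version): ${ports}k = $(to_mbit "$ports") Mbit/s"
echo "change at 1024 bytes: $(pct_change "$base" "$ports")%"
# On the firewall itself, show which binary a bare `openssl` resolves to.
echo "PATH resolves openssl to: $(command -v openssl || echo none)"
```

On a live box, pipe the real output in instead, e.g. `/usr/local/bin/openssl speed -elapsed -evp aes-128-cbc 2>/dev/null | speed_value 1024`.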

Well, you should know that APUs are now considered low-end hardware. So be content with what it offers. For the home user (hobbyist) it is a perfect box. But it is not suitable for very demanding tasks.

FWIW, I ran the same command on my APU2D4
~ # /usr/local/bin/openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 16220482 aes-128-cbc's in 3.01s
Doing aes-128-cbc for 3s on 64 size blocks: 7941393 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2918949 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 1024 size blocks: 816008 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 8192 size blocks: 105686 aes-128-cbc's in 3.02s
Doing aes-128-cbc for 3s on 16384 size blocks: 52871 aes-128-cbc's in 3.02s
OpenSSL 1.1.1h  22 Sep 2020
built on: Tue Oct 20 22:46:58 2020 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
compiler: cc -fPIC -pthread -Wa,--noexecstack -Qunused-arguments -O2 -pipe  -DHARDENEDBSD -fPIE -fPIC -fstack-protector-all -fno-strict-aliasing -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_THREAD_SAFE -D_REENTRANT -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      86284.54k   169416.38k   247793.06k   277087.57k   286356.08k   286507.81k

Coreboot:  v4.13.0.1
Core Performance Boost - Currently Enabled
I'm the only one on the system so I set:
vm.pmap.pti = 0
hw.ibrs_disable = 0
among some other optimization settings

December 05, 2020, 05:48:40 PM #43 Last Edit: December 05, 2020, 06:37:05 PM by Gary7
I don't remember when Meltdown mitigation and Spectre V2 mitigation were introduced.
We know that mitigating these issues in the O/S causes a performance "hit". I just don't know how much.

My APU2D4 is for my home network and all inbound traffic is disabled. So, disabling the mitigation was an acceptable risk for me in order to get best performance.

According to AMD, their CPUs are not vulnerable to the Meltdown vulnerability. So, it should be safe to disable Meltdown mitigation, vm.pmap.pti = 0

Yup, on my APU2C4:

/usr/local/bin/openssl speed -elapsed -evp aes-128-cbc
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-cbc for 3s on 16 size blocks: 13947948 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 64 size blocks: 7114424 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 256 size blocks: 2589608 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 1024 size blocks: 733300 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 8192 size blocks: 93373 aes-128-cbc's in 3.00s
Doing aes-128-cbc for 3s on 16384 size blocks: 45467 aes-128-cbc's in 3.00s
OpenSSL 1.1.1h  22 Sep 2020
built on: Tue Oct 20 22:46:58 2020 UTC
options:bn(64,64) rc4(8x,int) des(int) aes(partial) blowfish(ptr)
compiler: cc -fPIC -pthread -Wa,--noexecstack -Qunused-arguments -O2 -pipe  -DHARDENEDBSD -fPIE -fPIC -fstack-protector-all -fno-strict-aliasing -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_THREAD_SAFE -D_REENTRANT -DNDEBUG
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-cbc      74389.06k   151774.38k   220979.88k   250299.73k   254970.54k   248310.44k