Zenarmor performance @ Intel Atom C3758R

[tpf]

Hi,
does anybody have experience in running Zenarmor at Intel Atom C3758R? What internet troughput can this CPU handle? The CPU-list at Zenarmor's website give me not an clear answere.

Thank's!

[meyergru]

Since Zenarmor still is limited to one thread only, you can simply relate any known CPU's single-thread performance against the C3758R's single-thread perfomance on one of the many CPU-Performance comparison sites. The kind of work Zenarmor is doing here cannot be easily accelerated by a proprietary chip, unlike encryption.

So, choose a CPU whose performance you know and compare it.

[tpf]

I know that Zenarmor only use one core. That's the cause of my question. On their roadmap, multi-core operation would be implemented in the next 1-6 months(or so).

So badly I need experience from working devices... My personal experience: 1 GBit without TLS-inspection is nearly possible in my lab. 1 Core @100% Iperf3 with 10 parallel streams + OpenSpeedtest. But that's lab. Not repesentive for an company's Internet-Traffic-Mix.

[meyergru]

I keep hearing that multi-threading support is on the top of the priority list for some years now. Sounds like when Trump says "in two weeks".

And yes, you would be hard pressed to find a low-power (embedded) CPU with a high enough single-thread performance to run Zenarmor at >= 1 GBps speeds. Only desktop or high-performance server CPUs (many server CPUs have many cores, but low single-thread performance) would do that.

And even then, you would only use a fraction of the potential power, but have the high cost (both purchase and consumption) until multithreading will be supported.

[Greg_E]

I thought multithread was available in one of the paid versions?

The faster the clock speed, the better ZA will run, kind of the only rule of thumb we currently have. I'm looking at an n355 device for my next hardware, something with at least 6 i226 ports and maybe trade a couple for some SFP+ (10g lan to lan would be NICE). I only have gigabit out to wan, so don't need the i226, but it's what I'm finding because it's what most people want going forward.

Also looking at a different model with 8 i226 ports, not seeing anything with "cheaper" i350 ports anymore, and I'm not going to try Realtek for real work.

[dirtyfreebooter]

I thought multithread was available in one of the paid versions?

The faster the clock speed, the better ZA will run, kind of the only rule of thumb we currently have. I'm looking at an n355 device for my next hardware, something with at least 6 i226 ports and maybe trade a couple for some SFP+ (10g lan to lan would be NICE). I only have gigabit out to wan, so don't need the i226, but it's what I'm finding because it's what most people want going forward.

Also looking at a different model with 8 i226 ports, not seeing anything with "cheaper" i350 ports anymore, and I'm not going to try Realtek for real work.

the roadmap has it 90% complete and has it listed under business and higher licenses, so no paid home license.

[Seimus]

Correct, the MultiCore is still not available for ZA.
Correct, the Multicore if released will be most likely a paid feature (Higher paid tiers) per the roadmap. Even tough several times people asked ZA to clear this point they did not. and only side tracked the question. But assuming whats on the roadmap this looks like the case.

I'm looking at an n355 device for my next hardware, something with at least 6 i226 ports and maybe trade a couple for some SFP+ (10g lan to lan would be NICE).

I have one with 2x10G AQ NICs + 4x2.5G i226V, and its rock solid. Still looking for a good 10G switch option thou....

Regards,
S.

[Greg_E]

I have one with 2x10G AQ NICs + 4x2.5G i226V, and its rock solid. Still looking for a good 10G switch option thou....

Define good. I have a Mikrotik CRS 326-24s+2q+ that works well, 24 sfp+ and 2 qsfp+ ports (mine are broken out to 8 more 10g ports). I also have their smaller CRS309-1g-8s+in (or something like that) which also work very well but I outgrew it, needed more ports. Those are really the cheapest options I would personally look at. I don't have much for 10g copper, generally I don't like it due to module heat, a DAC or fiber works better for a lot of things. My NAS has an AQ copper 10g connection, so I do have a hot module in the CRS 326.

[Seimus]

Define good.

I need a 24P switch with at least 2x10G ports and with at least 8x2.5G ports.

The only switch that did fulfill this is Mikrotik CRS326-4C+20G+2Q+RM, but its expensive. But on the other hand it was QSFP support which makes it bit future proof.

Regards,
S.

[meyergru]

I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for Unifi Gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist

[Seimus]

I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for Unifi Gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist

Woo thanks for the link! I will look thru it.

The CRS326-4C+20G+2Q+RM compared to yours USW-Pro-HD-24-PoE, has the same amount of ports 20+4 Combo, but it has extra 2xQSFP minus the PoE. From my point of view this Mikrotik switch is more targeted as a CORE/Aggregation where the Unifi is more of an access switch.

I will not lie, I did look on the Unifi switches, they have good performance/cost ratio and lot of variations.
But the main beef I have, and I know this is sounding stupid, is the central management/orchestration. I do not own any other Unifi product, thus I would have to run the Management platform for only one device which sounds to me unreasonable.

So basically I am bit torn apart between getting Mikrotik or getting Unify.

Regards,
S.

[meyergru]

I got hooked by their APs many years ago, so adding their switches is a no-brainer. The management is more "prosumer" than what Cisco or Mikrotik offer, but quite effective and easy to manage. Of course it depends on if you already have one of their router-type appliances or can use all of that on a VM.

Matter-of-fact, the network controller is also available on iOS and Android as standalone apps, because apart from the guest portal, you do not need it running 24/7. I never tried those, because IMHO, you need a bit of screen real estate to easily use the interface.

My main gripes about them are:

1. The dream boxes are crap.
2. Unify protect is only available on their hardware (dream boxes and NVRs) - they stopped the VM versions.
3. In the last 2 years, they started way too many variants of their products, leading to a confusing portfolio and, with the many new offerings, degraded support for any of them.

[Seimus]

@meyergru many thanks for all of this awesome info.

Personally I use OpenWRT for APs.

If I already had some Unifi HW the decision would be simpler :D.
Anyway, I will consider all the great info you provided into my decision making.

Regards,
S.

[nero355]

I like the centralised management for Unifi Gear.

To be honest I am more and more leaning towards getting rid of it in the future when something needs replacing!

Maybe by then OpenWRT in combination with my In Wall Accesspoints will actually keep all functionality instead of break half of it :)

I got hooked by their APs many years ago

Same here with the old 2.4 GHz UAP models :)

Matter-of-fact, the network controller is also available on iOS and Android as standalone apps

It's missing soo much Settings that it's basically hopeless and not something I would recommend !!

I never tried those, because IMHO, you need a bit of screen real estate to easily use the interface.

That's what I keep telling people :

Ditch the stupid app/phone/tablet and grab a PC or Laptop with a nice big screen and a regular browser to manage your UniFi Controller !!

My main gripes about them are:

1. The dream boxes are crap.

Their routers are crap

I DOUBLE AGREE !!! ;)

2. Unify protect is only available on their hardware (dream boxes and NVRs) - they stopped the VM versions.

There were some workarounds by stealing the Containers it ran and moving it to standalone DIY solutions, but not something I would completely trust...

DIY Server + ONVIF Protocol based products are IMHO the way to go for now.
#NeedsMoreReading and stuff...

3. In the last 2 years, they started way too many variants of their products, leading to a confusing portfolio and, with the many new offerings, degraded support for any of them.

100% TRUE !!!

Personally I use OpenWRT for APs.

Keep it that way if you are happy with the performance and stability ;)

If I already had some Unifi HW the decision would be simpler :D

The UniFi Controller has the following needs and issues :
- AVX/AVX2 compatible CPU
This puts older Intel NUCs and Raspberry Pi models in a weird corner where you need to do really weird things to keep it all running !!
- Linux OS
Which is not an issue.
But in certain situations you need to install old unsupported libraries that are no longer available in newer distors and thus also no longer patched/maintained and have open CVE's and that sucks!
- Java such as OpenJDK.
Now the crap starts...
- Mongo Database
This is linked to the AVX/AVX2 story above and gets even weirder :
Certain versions of the UniFi Controller are linked to certain versions of MongoDB that you need.

So the more we move into the future and use newer UniFi hardware the more chance you have got to run into the AVX/AVX2 issue !!


So think about this VERY CAREFULLY before you buy anything... ;)

[Patrick M. Hausen]

To be honest I am more and more leaning towards getting rid of it in the future when something needs replacing!

Mikrotik is great, IMHO. Cheaper, and very feature rich. And reliable, at least in my environment - using only layer 2, switches and APs. It's still called "Router OS" but I only use the layer 2 features. Plus, if you happen to live in the EU ... they are from Europe, too. Sovereignty, customer protection, GDPR, something something ...

They lack a central management solution but if you actively seek to get rid of something like that ... SNMP works great and RANCID supports Mikrotik so you can automatically pull and version configurations in e.g. git.