PC Engines APU2 1Gbit traffic not achievable

[franco]

I don't want to be unfriendly, but I'm definitely going to close this thread if people keep comparing apples and oranges.


Cheers,
Franco

[cgone]

I experiment with my apu2 and opnsense-firewall and my impression is, that the most important configuration is

net.isr.dispatch=deferred

I am able to saturate a 250mbit downlink from the german Telekom with one stream.
Of couse ids/netopng is not possible, if i want to saturate the connection.

[pjdouillard]

I don't want to be unfriendly, but I'm definitely going to close this thread if people keep comparing apples and oranges.


Cheers,
Franco

Hello Franco,

I disagree as this isn't apples to oranges comparison, but as this thread is going on (started in July 2018 and still no resolution), comparing other firewalls with OPNsense running on the SAME hardware and saying what we are trying to solve the issue is the only thing we can do "on our side".  And up to now, not a single dev produced some help in this thread as to why we might be having the issue or some path of resolution/explanation.

The PCEngine hardware is used by a lots of people around the world (privately and commercialy) since many years (before OPNsense was forked) and it provides a lot and fills a segment on the market that other commercial brands can't even achieve for the same price (reliability and low power usage).  So we want to maximize our investment AND also use OPNsense because we like/prefer it over other firewalls.  Trying to muzzle or threathened us by closing the thread isn't the right direction imo and isn't what I am expecting from the OPNsense forum - and is a reason many of us left "that other well known firewall" for OPNsense.  We are not bitching but we are kind of fed up (in a way) by the lack of help or feedback by the guys who are making OPNsense.

So to be back on the thread itself, since other firewalls (Linux-based firewalls) are able to max the gigabit speed on any of the NIC of the APU2 from PCengine, we are all puzzled as to why OPNsense isn't capable of doing it.  FreeBSD has the best TCP/IP stack of the *NIX out there so what is the problem? 

We are not all Operating System developpers and thus are not equipped to check what's going on when a transfer is occuring on the APU2's NICs.  Is there an issue with FreeBSD/HardenedBSD and the Intel's NIC of the APU2?  Is there some other issue with FreeBSD/HardenedBSD not being able to turbo the AMD cpu at 1.4Ghz? Anything else?

We post on these forums to get (we hope) some answers from the devs themselves on some of the issues we encounters - like this one.  So please, dont turn into that other company but instead maybe forward the questions to the dev team so they can take a look.

Thank you for your comprehension.

[franco]

For the community the "X is faster than Y, I just checked" is a waste of time if you don't say how "Y" goes from slower to faster. Even if you post OPNsense is faster than Z, I'm going to close this topic because just like in real life:

You measure your progress from where you were to where you are, you must not compare yourself to others because it is pointless and shallow.


Cheers,
Franco

[mimugmail]

Hello Franco,

I disagree as this isn't apples to oranges comparison, but as this thread is going on (started in July 2018 and still no resolution), comparing other firewalls with OPNsense running on the SAME hardware and saying what we are trying to solve the issue is the only thing we can do "on our side".  And up to now, not a single dev produced some help in this thread as to why we might be having the issue or some path of resolution/explanation.

The PCEngine hardware is used by a lots of people around the world (privately and commercialy) since many years (before OPNsense was forked) and it provides a lot and fills a segment on the market that other commercial brands can't even achieve for the same price (reliability and low power usage).  So we want to maximize our investment AND also use OPNsense because we like/prefer it over other firewalls.  Trying to muzzle or threathened us by closing the thread isn't the right direction imo and isn't what I am expecting from the OPNsense forum - and is a reason many of us left "that other well known firewall" for OPNsense.  We are not bitching but we are kind of fed up (in a way) by the lack of help or feedback by the guys who are making OPNsense.

So to be back on the thread itself, since other firewalls (Linux-based firewalls) are able to max the gigabit speed on any of the NIC of the APU2 from PCengine, we are all puzzled as to why OPNsense isn't capable of doing it.  FreeBSD has the best TCP/IP stack of the *NIX out there so what is the problem? 

We are not all Operating System developpers and thus are not equipped to check what's going on when a transfer is occuring on the APU2's NICs.  Is there an issue with FreeBSD/HardenedBSD and the Intel's NIC of the APU2?  Is there some other issue with FreeBSD/HardenedBSD not being able to turbo the AMD cpu at 1.4Ghz? Anything else?

We post on these forums to get (we hope) some answers from the devs themselves on some of the issues we encounters - like this one.  So please, dont turn into that other company but instead maybe forward the questions to the dev team so they can take a look.

Thank you for your comprehension.

The reason why probably no dev answerd is that maybe none of the devs have either an APU or such a high bandwidth. Keep in mind that this is a community project. I for myself have only VDSL100 .. I have no idea how to help because I can't reproduce.

Maybe you can start with installing fresh pfsense, do a sysctl -a, output to file, do same for opnsense, and the diff them. Maybe pf has some other defaults.

Keep in mind that pfsense has about 100x bigger community, so the chance that one guy with an APU and enought knowledge to solve this and report the fix (not the problem) to upstream is 100x higher.

[pjdouillard]

The reason why probably no dev answerd is that maybe none of the devs have either an APU or such a high bandwidth. Keep in mind that this is a community project. I for myself have only VDSL100 .. I have no idea how to help because I can't reproduce.

Maybe you can start with installing fresh pfsense, do a sysctl -a, output to file, do same for opnsense, and the diff them. Maybe pf has some other defaults.

Keep in mind that pfsense has about 100x bigger community, so the chance that one guy with an APU and enought knowledge to solve this and report the fix (not the problem) to upstream is 100x higher.

Since you didn't read the whole thread, I will make it short for you:
-pfSense has the same problem on the same APU and no one in that community has found a fix - anything that is posted elsewhere has been tested and doesn't provide any REAL single-thread / single-stream solution.
-You don't need 1+ Gbps ISP bandwidth to recreate the problem: a local network with CAT5E ethernet cables will do the job between 2 physical PCs.
-If the devs don't have access to a PCEngine APU, I can send them one for free if they care to fix the problem.

[mimugmail]

https://www.max-it.de/kontakt/
Michael Muenz
Address above ...

[pjdouillard]

https://www.max-it.de/kontakt/
Michael Muenz
Address above ...

Will pm you.

[johnsmi]

First of all: I have absolutely no clue. Please Ignore this if I'm completely wrong.

Is it perhaps HardenedBSD related?
It might be tuning away from performance by using different defaults than other OS?


e.g.
https://bsdrp.net/documentation/technical_docs/performance#entropy_harvest_impact
Suggestts reducing kern.random.harvest.mask from 511 to 351 for performance gain.

OPNsense default seems to be 2047.

Now i take a look and see:

# sysctl kern.random
kern.random.harvest.mask: 67583

2^16+2047=67583
Some different Byte is set.
Tho i never tested 66047 nor 65887 nor 351.

And this thread almost a year ago:
https://forum.opnsense.org/index.php?topic=12058.0

more recently
https://forum.opnsense.org/index.php?topic=15686.msg71923#msg71923


Perhaps someone who understands this stuff can give advice how to tune?

[Ricardo]

First of all: I have absolutely no clue. Please Ignore this if I'm completely wrong.

Is it perhaps HardenedBSD related?
It might be tuning away from performance by using different defaults than other OS?


e.g.
https://bsdrp.net/documentation/technical_docs/performance#entropy_harvest_impact
Suggestts reducing kern.random.harvest.mask from 511 to 351 for performance gain.

OPNsense default seems to be 2047.

Now i take a look and see:

# sysctl kern.random
kern.random.harvest.mask: 67583

2^16+2047=67583
Some different Byte is set.
Tho i never tested 66047 nor 65887 nor 351.

And this thread almost a year ago:
https://forum.opnsense.org/index.php?topic=12058.0

more recently
https://forum.opnsense.org/index.php?topic=15686.msg71923#msg71923


Perhaps someone who understands this stuff can give advice how to tune?

I am confident, nobody has the 100% reliably working solution for this problem.

[iam]

Hi, has someone tested this with 20.7? Before the upgrade the results of various speed tests has shown nearly 270 MBit/s. After the upgrade it's 200 MBit/s only.

I have a 300 MBit/s FTTH PPPoE connection.

[banym]

Are you using IPS/IDS?

[iam]

No I've disabled it. But I use VLANs and PPPoE.

[telefonmann]

Recommended reading:
APU2 performance is insufficient for Gigabit if WAN is PPPoE
http://www.pcengines.info/forums/?page=post&id=E801CA38-8CD5-4854-95A7-99B67B5DB281&fid=DF5ACB70-99C4-4C61-AFA6-4C0E0DB05B2A&pageindex=1

[iam]

Thanks. Has someone experiences with this?
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203856#c11