Not a good x86 device? (Realtek NICs), Power Packed Little Dynamite?


#1

looking at

or

I am looking for the most beefcake CPU I can get. Something with about a 5k to 7k PassMark capable CPU for lots of routing power. For SQM @ 200 Mbps to 1000 Mbps while running other features like VLANs, VPN and possible.

I know a 4k PassMark CPU like this, https://www.servethehome.com/hp-t620-plus-thin-client-and-firewall-vpn-appliance/

can't do full speed with VPN and may be bogged down with certain other things. I know SQM isn't a feather either.

The catch here is the first ZBOX has Realtek NICs and there are plenty of reports that pfSense has issues. Some say it's due to the Unix/BSD drivers for its Realtek NICs, some say that's just the Realtek quality. I know Level1Techs have praised or mentioned Intel NICs to be superior to Realtek in some way, whether it be driver or hardware.

HOWEVER, LEDE OpenWRT is not pfSense/OPNsense, maybe it's not an issue with LEDE? I need a very small NUC sized device with dual NICs and some processing power for at least SQM @ 200 Mbps, and for this kind of money it needs to do more and be future proof, especially if I get a deal on 400 Mbps or 1000 Mbps internet service and/or want to make use of VPN, VLAN or possibly even IPS/IDS. (For all I know, at that level you DO need dual Xeons.)


#2

At that $400 price point, I’d consider an ITX board. Better cooling and more options. Nothing is “future proof”. I figure about 5 years at best before demands outstrip hardware that was at the sweet spot where you started to have to spend a lot more to get a little more performance.

Yeah, discrete Intel NICs are still a better bet than Realtek when pushed hard, in my experience.

Any new “Intel” PCI card that seems to be “such a good deal” is quite likely a counterfeit. Some work well, others give you what you paid for. Includes Amazon sellers, not just eBay.

Think quad-core, or more for mixed-traffic IDS at 1 gbps, in my experience.


#3

I handle gigabit shaping with a j1900. Biggest thing is to have aes-ni for encryption.

I think either of those boxes would do what you want but the Realtek NICs are maybe an issue. I have some lower powered Zotac boxes, they work with Debian fine but don't do routing, just desktop or media box stuff. NICs work but not sure if they'd have issues under high load.


#4

For gigabit routing you might try what I do which is bond both NICs and use vlans through a smart switch.


#5

I have been looking at an ITX build, I think it ends up closer to or above $600 BUT you get an i7 7700 @ 35 watts (or was it 45 watts) and onboard dual NICs, but with a big enough case you could also do a PCIe Intel NIC.

So would AES-NI also help for encrypted DNS?


#6

Dual, bonded Realtek NICs are probably OK at 1 Gbps, aggregate.

Edit: Look at the boards with mobile processors, either soldered or socketed. Should be able to get an ITX case with PS for $40-60 or even less.


#7

Bonded? Do you mean a total of 4 ports, as in LAG? I assumed 1 port to go to the modem and the second port to the switch?


#8

Yes, a 2 port LAG group: put your modem on one VLAN and the LAN on another, put the two NICs on a bond and LAG them together in the switch, join the LAG group tagged for both modem and LAN VLANs.
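
The bonded, VLAN-tagged layout from post #8, sketched with iproute2 as an added example that is not part of any post in this thread. The interface names (`eth0`, `eth1`), the VLAN IDs (10 for the modem, 20 for the LAN) and LACP (802.3ad) on the switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): plan a 2-port LAG carrying tagged WAN and
# LAN VLANs, as described in post #8. Interface names and VLAN IDs are assumptions.

# Print the iproute2 commands for the layout; pipe the output to `sh` as root to apply.
lag_vlan_plan() {
    nic_a=$1; nic_b=$2; wan_vid=$3; lan_vid=$4
    for vid in "$wan_vid" "$lan_vid"; do
        case $vid in
            ''|*[!0-9]*) echo "VLAN id must be numeric: '$vid'" >&2; return 1 ;;
        esac
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "VLAN id out of range (1-4094): $vid" >&2; return 1
        fi
    done
    # WAN and LAN must stay in different VLANs, or the modem side and the LAN
    # would share one broadcast domain in front of the firewall.
    if [ "$wan_vid" -eq "$lan_vid" ]; then
        echo "WAN and LAN VLAN ids must differ" >&2; return 1
    fi
    cat <<EOF
ip link add bond0 type bond mode 802.3ad miimon 100 xmit_hash_policy layer3+4
ip link set $nic_a down
ip link set $nic_b down
ip link set $nic_a master bond0
ip link set $nic_b master bond0
ip link add link bond0 name bond0.$wan_vid type vlan id $wan_vid
ip link add link bond0 name bond0.$lan_vid type vlan id $lan_vid
ip link set bond0 up
ip link set bond0.$wan_vid up
ip link set bond0.$lan_vid up
EOF
}

# Constructed sample values: eth0/eth1 as the two NICs, VLAN 10 = modem, VLAN 20 = LAN.
lag_vlan_plan eth0 eth1 10 20
```

On the switch, the two LAG ports carry both VLANs tagged, while the modem port is an untagged member of the WAN VLAN only, so the only path from modem to LAN runs through the router's firewall.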


#9

..huh... I guess it would be lagged, unless it has 3 NICs. That sounds like an old school modem on a stick but with VLANs and LAG? I guess so/so 1gig traffic wouldn't really be saturated, so do a LAG router on a stick?


#10

Not quite sure what you mean, but the point is to spread the load between the two Realtek NICs so that neither one is saturated. The big problem with RT NICs is when they are under heavy load. Also you will have a better chance of spreading the interrupt load among cores this way. Even at 1Gb/s neither NIC will be saturated and no single core will be swamped with interrupts.


#11

I assume with a top tier CPU and Intel NICs this wouldn't be much of a problem?


#12

Encryption of 1 Gbps is never "not much of a problem", but yes, an Intel / AMD 64-bit CPU with good single-core performance that supports AES is likely to be a much better candidate for accomplishing the task than a home-router SoC. It's not that a single-core processor is sufficient, more that encryption tends to be single-threaded so, for example, a two-core, two thread CPU with a given all-core benchmark may outperform a two-core, four-thread CPU with a comparable all-core benchmark for encryption. (Edit: @slh clarifies below and I agree, a multi-core CPU is crucial for the application.)


#13

There is one issue with maxing out single core routers (with encryption or otherwise), once you are maxed out, there really isn't any performance left - but PPPoE, routing, NAT, servicing IRQs from ethernet, wlan, etc. also need their share of CPU cycles. With a multi-core router, encryption might bog down one core at 100% (thereby limiting the encrypted throughput), but there is still another (or more) core left to do the other essential tasks below the encrypted channel.

These days I'd personally prefer a lower performance (in terms of single task performance) multi-core router over a faster single-core one, to avoid the starvation risks.

That said, r8168 (PCIe based 1 GBit/s Realtek ethernet cards) aren't as bad as you paint them, yes, there are differences in terms of performance and CPU utilization, but they are not as bad as with rtl8139.


#14

I definitely agree with this, the zotac zbox ci327 which has a 4 core Celeron 3450 with aes-ni is probably a better use of money, also power consumption is only a few watts, like 4 to 6


#15

It can't do SQM @ 300mbps and do encrypted DNS without slowing down my connection, let alone start heaping on other features.


#16

That shouldn't be the case. If you have issues they should happen around 500Mbps or more. I route and shape 700+Mbps on J1900 with squid proxy and file-server running on the same hardware


#17

Neither sqm nor encrypted DNS performance should be influenced by the performance of the ethernet chipset and its driver (only indirectly, due to potentially higher CPU utilization or IRQ load), 300 MBit/s sounds very low for your hardware.


#18

Neither the Ubiquiti EdgeRouter X nor the UniFi router can do 300mbps with SQM. Additionally, a quad core x86 with 4000 passmarks can't do gigabit.

Miniknight August 20, 2018 at 5:02 am
BW I got this to replace a Supermicro C2358 pfSense with that AVR54 bug. These aren’t susceptible to AVR54 which the article didn’t mention. These also have 4 cores instead of 2 and a higher clock speed. I have a few now in the lab and they can NAT between two networks at gigabit. They can’t VPN at gigabit and I’m sure if you had crazy FW rules and other packages like Snort doing a lot you’d want something faster. People in the forums are getting the T730 that cost $100 more but have way faster CPUs.

So I either choose to never VPN etc etc OR get something that can handle it and pay a little more, at least as far as my possibly flawed logic can tell.


#19

I'm telling you, with just routing, a j1900 will route a gigabit with shaping. With running squid it'll do about 700Mbps down and 900+ up, with shaping. This is using Intel NICs in a bonded config.


#20

I have a ci327 for my router running OpenWRT and it runs great. Granted my internet speed is only 200/20, but it runs fine with shaping and snort active and handles OpenVPN just fine too.