X86 for 1Gb with cake

I am running an OpenWRT x86 19.07.4 Guest on ESXi.
Hardware is a Pentium G4560 with 2400 MHz dual-channel RAM and dual Intel NICs. 250 Mbit bandwidth layer_cake shaped consumes ~22% total CPU. Software flow offloading is enabled.

So Gigabit could be doable using that hardware when you don't have the virtualization overhead. Just to give you some ballpark numbers.

I would also be interested in any recommendations for a small x86 box that can:

  • route/NAT 1Gbps symmetric with traffic shaping
  • supports AES-NI to speed up SSL VPN
  • just a WAN and LAN port, ideally Intel
  • small and easy to mount on a wall
  • ideally has a fan as it will be mounted in a spot that can get pretty hot in the summer; a bit of noise is not an issue.
  • no other features needed, e.g. USB, HDMI, ... it will just act as a router

The H2+ is worth a look, 2.5 gig NICs (Realtek though), some threads to be found.

The H2+ does look interesting, but it can get expensive quickly once you start adding everything you need. Does anyone sell a cheap kit with everything included? I don't think you need more than 1GB RAM and 8GB SSD to run it as a router.

Not sure, I am not in the US, but use Ameridroid for things Hardkernel in NA. If I was to use the device as a router I would stuff it with a single 4GB RAM (minimum that can be used), and an eMMC, skipping the NVMe. If this is seen to fruition the device becomes even more interesting.

Zotac makes (a lot of!) boxes... not all of them have all the required features, like more than one eth port, etc. But popular ones are the now extinct CI327, which I have and currently run, and the CI329, which has a faster processor.

Features: small box, fanless, 2 ethernet ports, external SD card slot (also internal SSD), AES-NI capable CPU (4 core N4???), 5-10W power consumption. Maybe it won't need a fan, and you could add one nearby if needed; they have lots of ventilation holes.

I have done real live experiments with a PC Engines apu2e4 with the firmware patch to allow for 1.4 GHz (quad) cores using ver 19.07.4 using cake; unfortunately it was only able to handle between 600-700 Mbps, both in lab with iperf3 and on a gigabit cable internet connection. I was able to reach line rate with a tuned fq_codel / simple script setup though.

I am currently looking into ways to make this device more efficient.

How many cores does SQM / fq_codel use? If you look at PassMark single-core performance you will see it is not such a fast CPU, sadly.

All cores (4), with all NIC queues, for one "wan" port (NAT was on) and one "lan" port in use.

What about sirq with maxed-out speed? You have i210 NICs? How many queues do they have? 4+4?

I'm searching such a device too: which network chip is inside Zotac mini PCs? I cannot find the specs on the website.

Intel Celeron N4100 (quad-core 1.1GHz, up to 2.4GHz)

Doesn't the RPI 4 allow 1Gb and cake?

Just about any x86 from J1900 era or later is going to let you do Cake at 1Gbps, and yes the RPi4 will do it too: RPi4 routing performance numbers

I don't know where I read that the J1900 can only do like 600-700 with cake. Good to know that it can handle it.

I was able to do over 700 with HFSC through a squid proxy so it's gotta be possible to do more than that if it's straight routing and shaping. I don't have actual benchmarks to prove it, but there's no reason to buy a J1900 anymore, there are plenty of later models, so basically think "anything after the J1900" is pretty much guaranteed to do it and J1900 does at least 700 if not the full 980 (max real-world bandwidth through a gigE port).

What I've found is that it's hard to use speedtest sites to test a gigabit, the speed test sites aren't really set up for it. To do definitive benchmarks effectively you need 3 machines, a server, a client, and a router on a test network, with iperf3 or something.

This is what is in the CI327, the Realtek R8169. AFAIK, the CI329 has the same one, but I'm not 100% sure of that.

[    9.021173] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k
[    9.027321] e1000e: Copyright(c) 1999 - 2015 Intel Corporation.
[    9.034465] ip_tables: (C) 2000-2006 Netfilter Core Team
[    9.049847] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded
[    9.081636] r8169 0000:02:00.0 eth0: RTL8168g/8111g at 0xffffc90000039000, 00:01:2e:83:5a:da, XID 0c000800 IRQ 123
[    9.092793] r8169 0000:02:00.0 eth0: jumbo features [frames: 9200 bytes, tx checksumming: ko]
[    9.101893] r8169 Gigabit Ethernet driver 2.3LK-NAPI loaded
[    9.131449] r8169 0000:03:00.0 eth1: RTL8168g/8111g at 0xffffc90000061000, 00:01:2e:83:5a:db, XID 0c000800 IRQ 124
[    9.142376] r8169 0000:03:00.0 eth1: jumbo features [frames: 9200 bytes, tx checksumming: ko]

I have never tried Squid. Is it worth it?

Did you set up squid as guided in https://openwrt.org/docs/guide-user/services/proxy/proxy.squid ?

For me Squid is a huge help in parental control. I block outgoing traffic to ports 80 and 443, and then manually set proxies on my machines at home. It works well, and it lets me do things like set times of the day when kids can access play sites vs only school and work stuff. It also lets me tag packets with priority based on the site being visited and therefore make some changes to the QoS (so, for example, people watching streaming TV don't get garbled video or audio or changing back and forth between different resolutions, etc.).

Also, btw, transparent mode is useless in the modern web. There's no such thing as a "transparent https proxy", and almost all websites have moved to https, so you need an explicit proxy. With an explicit proxy the software knows to connect to the proxy and ask the proxy to set up a tunnel to the final device... the proxy can't understand the traffic, but it knows where to set up the tunnel.
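
Added example (not part of any post in this thread, and not Squid's own code or configuration): a Python sketch of the decision an explicit proxy can make from the request line alone, combining the time-of-day site policy and the CONNECT tunnelling described in the last two posts. The domains, allowed hours and CONNECT port allow-list are constructed assumptions.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed policy values (assumptions, not from the thread).
PLAY_SITES = ("games.example", "videos.example")
PLAY_HOURS = (time(17, 0), time(19, 30))   # play sites allowed only in this window
CONNECT_PORTS = {443}                       # tunnels permitted to the TLS port only


def parse_proxy_request(raw: bytes):
    """Return (method, host, port) from the first line of an explicit-proxy request."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        # HTTPS: the client sends only "host:port"; URL path and body stay encrypted.
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return method, host.strip("[]").lower(), int(port)
    # Plain HTTP through a proxy uses the absolute form: http://host[:port]/path
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected absolute http:// URL")
    return method, url.hostname, url.port or 80


def matches(host: str, suffixes) -> bool:
    """Match on label boundaries so 'notgames.example' does not match 'games.example'."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def decide(raw: bytes, now: time) -> str:
    """Apply the constructed policy to one request head at wall-clock time `now`."""
    try:
        method, host, port = parse_proxy_request(raw)
    except ValueError:
        return "deny: malformed"
    if method == "CONNECT" and port not in CONNECT_PORTS:
        return "deny: CONNECT to non-TLS port"
    if matches(host, PLAY_SITES) and not PLAY_HOURS[0] <= now <= PLAY_HOURS[1]:
        return "deny: play site outside allowed hours"
    return "allow"
```

Restricting CONNECT to port 443 keeps the proxy from becoming a general-purpose tunnel around the firewall rule that blocks direct outbound 80 and 443.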