Choice of atom cpu for a selfbuilt pfSense firewall


Razvan

Hello.

I need a low power pfSense firewall on a gigabit wan and most likely running extra packages like snort/suricata, pfblocker-ng, ntopng.

Are there any benchmarks comparing more models from the Denverton/Rangeley/Avoton families, besides this one? The STH slide shows Denverton having twice-ish the aes-128-gcm performance over Rangeley.

Since the Denverton nics are not yet supported outside the official XG-7100, the C2750 looks like the best candidate as the non-QAT atom would benefit from the increased frequency and core count while the QAT-enabled ones (C2XX8) will likely never support acceleration.

The performance of the XG-7100 looks good but nics from other Denverton boards are not yet supported in (community) pfSense. I could go for one of the A2SDI-* boards but they are not supported for the time being.

Have you seen any statement regarding the availability of quickassist acceleration in the community edition for non-Netgate Denverton hardware?

Thanks.
 

mstone

> Have you seen any statement regarding the availability of quickassist acceleration in the community edition for non-Netgate Denverton hardware?

You'd be nuts to buy something if you think you might be able to use its quickassist for pfsense because this time might be different.
 

Zuhkov

I have a C2750 running pfSense in production (still getting familiarized with it, as it's a recent addition) and I've been very happy with it.

I went ahead and ran the benchmark that was in the graphic you linked and here are the results:
Code:
Doing aes-128-gcm for 3s on 16 size blocks: 22053168 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 10711977 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 256 size blocks: 3711464 aes-128-gcm's in 2.99s
Doing aes-128-gcm for 3s on 1024 size blocks: 1047968 aes-128-gcm's in 3.02s
Doing aes-128-gcm for 3s on 8192 size blocks: 138361 aes-128-gcm's in 3.09s
OpenSSL 1.0.2m-freebsd  2 Nov 2017
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     117616.90k   227928.61k   317538.52k   355853.01k   367296.26k

Let me know if there's anything else you'd be interested in knowing.
 

Razvan

> I went ahead and ran the benchmark that was in the graphic you linked and here are the results:
> Code:
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> aes-128-gcm     117616.90k   227928.61k   317538.52k   355853.01k   367296.26k

Thank you, that mirrors my own results for a C2550 (under linux though):
Code:
# openssl speed -elapsed -evp aes-128-gcm
OpenSSL 1.0.2o  27 Mar 2018
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     132007.21k   256574.14k   347127.55k   388915.20k   400302.08k

Absent quickassist acceleration, Avoton fares better than Rangeley :)


> You'd be nuts to buy something if you think you might be able to use its quickassist for pfsense because this time might be different.

I agree, people made the same... assumption with Rangeley. In hindsight, I may have worded the question poorly :eek:
The question should have been "any word on QAT support in pfSense being tied to Netgate Denverton hardware?"

I am considering the C3x58 not because it may support QAT some day, but for:
- improved performance: single thread aes-128-gcm results twice over C2558;
- fresh lifecycle and future availability over the 2013 launched Avoton;
- Netgate EOLing their Rangeley line and switching to Denverton;
- the X553 nics that appear to be working in the devel version.

Also, there are no boards using C3xx0 yet, save for a not yet released C3750 Supermicro using a proprietary layout. This time the network sku may be the only choice available, with or without working quickassist support.
 

EffrafaxOfWug

It's not exactly a pfsense platform, but if you want an idea of C3758 performance sans quickassist under debian stretch (currently using 4.14 bpo) then hopefully this is helpful:
Code:
openssl speed -elapsed -evp aes-128-gcm
You have chosen to measure elapsed time instead of user CPU time.
Doing aes-128-gcm for 3s on 16 size blocks: 33703704 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 64 size blocks: 21593463 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 256 size blocks: 8755357 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 1024 size blocks: 2596307 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 8192 size blocks: 338887 aes-128-gcm's in 3.00s
Doing aes-128-gcm for 3s on 16384 size blocks: 170091 aes-128-gcm's in 3.00s
OpenSSL 1.1.0f  25 May 2017
...
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     179753.09k   460660.54k   747123.80k   886206.12k   925387.43k   928923.65k
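
Added example, not part of any post in this thread: a Python parser for the `openssl speed` summary rows posted above, converting the "1000s of bytes per second" figures to Gbit/s and comparing the CPUs at one block size. The function names are assumptions of this example, and the runs used different OpenSSL versions and operating systems, so the numbers describe raw cipher throughput only, not VPN or firewall throughput.

```python
import re

# Summary rows copied from the posts above; OpenSSL prints 1000s of bytes/s.
SAMPLES = {
    "C2750": """type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     117616.90k   227928.61k   317538.52k   355853.01k   367296.26k""",
    "C2550": """type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-gcm     132007.21k   256574.14k   347127.55k   388915.20k   400302.08k""",
    "C3758": """type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-128-gcm     179753.09k   460660.54k   747123.80k   886206.12k   925387.43k   928923.65k""",
}

def parse_speed_summary(text):
    """Return {cipher: {block_size: bytes_per_second}} from `openssl speed` output."""
    sizes, table = [], {}
    for line in text.splitlines():
        if line.startswith("type"):
            # Header row: the block sizes define the columns that follow.
            sizes = [int(n) for n in re.findall(r"(\d+) bytes", line)]
            continue
        row = re.match(r"(\S+)\s+((?:[\d.]+k\s*)+)$", line)
        if row and sizes:
            rates = [float(v) * 1000 for v in re.findall(r"([\d.]+)k", row.group(2))]
            if len(rates) != len(sizes):
                raise ValueError(f"column mismatch in row: {line!r}")
            table[row.group(1)] = dict(zip(sizes, rates))
    return table

def gbit_per_s(bytes_per_second):
    return bytes_per_second * 8 / 1e9

def compare(samples, cipher="aes-128-gcm", block=1024, baseline="C2750"):
    """Per-CPU (Gbit/s, ratio to baseline) at one block size."""
    rates = {cpu: parse_speed_summary(out)[cipher][block] for cpu, out in samples.items()}
    return {cpu: (round(gbit_per_s(r), 2), round(r / rates[baseline], 2))
            for cpu, r in rates.items()}

if __name__ == "__main__":
    for cpu, (gbps, ratio) in compare(SAMPLES).items():
        print(f"{cpu}: {gbps} Gbit/s at 1024-byte blocks, {ratio}x C2750")
```

Passing `block=16` shows how far the figure drops for very small buffers, which is why the block size has to be stated with any comparison.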
 

mstone

> Absent quickassist acceleration, Avoton fares better than Rangeley :)

Yes, the tradeoff people made for the QAT they never used was to give up turbo. That's basically the same case for denverton, you give up turbo and maybe some base frequency to get the QAT, so you'd better be sure you'll really use it.

> I agree, people made the same... assumption with Rangeley. In hindsight, I may have worded the question poorly :eek:
> The question should have been "any word on QAT support in pfSense being tied to Netgate Denverton hardware?"
>
> I am considering the C3x58 not because it may support QAT some day, but for:
> - improved performance: single thread aes-128-gcm results twice over C2558;
> - fresh lifecycle and future availability over the 2013 launched Avoton;
> - Netgate EOLing their Rangeley line and switching to Denverton;
> - the X553 nics that appear to be working in the devel version.
>
> Also, there are no boards using C3xx0 yet, save for a not yet released C3750 Supermicro using a proprietary layout. This time the network sku may be the only choice available, with or without working quickassist support.

Honestly, I've been so disappointed in denverton I'd ask why go that route at all. Something like a kaby lake celeron will perform significantly better and cost less. (Since you brought up performance.) Or for low power applications, something based on apollo lake is generally cheaper. With the availability and pricing on the street, intel managed to turn denverton from something that should have been really interesting into something that just isn't attractive.
 

Razvan

Thanks for the benchmarks and ideas.

Yesterday Netgate announced that 2.4.4 will have C3000 support out of the box.

> Code:
> openssl speed -elapsed -evp aes-128-gcm
> OpenSSL 1.1.0f  25 May 2017
> ...
> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
> aes-128-gcm     179753.09k   460660.54k   747123.80k   886206.12k   925387.43k   928923.65k

Looks like openssl 1.1 yielded better results than the original STH benchmark (using 1.02g).


> Something like a kaby lake celeron will perform significantly better and cost less. (Since you brought up performance.) Or for low power applications, something based on apollo lake is generally cheaper.

Rounding up available data for the previously mentioned cpus and posting it to help others looking for the same thing:
Code:
CPU         Family     Core name      Cores Thrds TDP   Freq   Turbo  Single  Multi
                                                  W     GHz    GHz    PMark   PMark
C2550       Atom       Avoton         4     4     14    2.4    2.6    596     2329
C2750       Atom       Avoton         8     8     20    2.4    2.6    582     3850
C2538       Atom       Rangely        4     4     15    2.4    -      558     2085
C2558       Atom       Rangely        4     4     15    2.4    -      551     2169
C2758       Atom       Rangely        8     8     20    2.4    -      513     3162
C3538       Atom       Denverton      4     4     15    2.1    -      831     2455
C3558       Atom       Denverton      4     4     16    2.2    -      876     2538
C3758       Atom       Denverton      8     8     25    2.2    -      ?       ?
C3858       Atom       Denverton      12    12    25    2.0    -      771     4852
C3955       Atom       Denverton      16    16    32    2.1    2.4    918     5803
E3950       Atom       Apollo Lake    4     4     12    1.6    2      637     1804
N4200       Pentium    Apollo Lake    4     4     6     1.1    2.5    836     2023
J3355       Celeron    Apollo Lake    2     2     10    2.0    2.5    853     1229
J3455       Celeron    Apollo Lake    4     4     10    1.5    2.2    777     2145
J5005       Celeron    Gemini Lake    4     4     10    1.5    2.8    1182    2987
G3950       Celeron    Kaby Lake-S    2     2     51    3      -      1745    3334
3865u       Celeron    Kaby Lake-U    2     2     15    1.8    -      1030    1906
3965u       Celeron    Kaby Lake-U    2     2     15    2.2    -      1279    2462
i3-7100u    Core i3    Kaby Lake-U    2     4     15    2.4    -      1376    3823
i5-7200u    Core i5    Kaby Lake-U    2     4     15    2.5    3.1    1732    4638
i5-7300u    Core i5    Kaby Lake-U    2     4     15    2.6    3.5    1949    5116
i7-7600u    Core i7    Kaby Lake-U    2     4     15    2.8    3.9    2109    5538

Has anyone used or at least seen :) these up close? Running pfSense?
If not, can you recommend other fanless appliances using those cpus?
- Pentium N4200 - Supermicro SuperServer E100-9APP
- Core i3-7100u - Supermicro SuperServer E100-9S-L
- Core i5-7300u - Supermicro SuperServer E100-9S-E