My personal favorite: “Introduced dhcp6leased(8), a daemon to acquire IPv6 prefix delegations from DHCPv6 servers.”
It allowed me to delete dhcpcd, the one and only third-party package on my router.
Do you use vanilla OpenBSD on your router? What has been your experience so far regarding hardware support and performance?
I am wondering if it is already possible to set up an OpenBSD router for a 10 GbE home network.
To saturate 10 GbE lines, it will require some serious horsepower from the entire chain (including good quality RJ45 cables that actually are manufactured to spec). And a fast CPU, which is a problem with most of the “router” type boxes that ship with Celerons and Atoms. Also see https://marc.info/?l=openbsd-misc&m=167665861931266&w=2. With the right hardware and a good amount of tweaking/optimization, you may, in theory, reach those speeds, but remember speed is not a primary goal for OpenBSD, so the correctness and security involve tradeoffs that may sacrifice speed that is taken for granted with other *BSD firewalls.
I have a stock OpenBSD router/firewall with pf enabled, on a Gigabit internet connection, and can only push like 800 Mbit/s or thereabouts. This is with Protectli VP2420. Not optimized, but does the job reliably and I am very happy with it.
Thank you very much for taking your time to write this down. This all goes on my reading list! :)
Just for comparison’s sake, I have a gigabit symmetrical fiber connection and was using a Protectli device with an Atom CPU to run OpenBSD+pf on the router and saw similar max throughput. I replaced that box with an older Dell Optiplex SFF PC with an i5-6500 and now have no issues saturating the connection.
Yes, you have to make sure you have a device with proper, well-performing NICs. In my case I have an older APU2 with 3x Intel I210. I’ve read about tests that claim to come close to 900 Mbit/sec (but not sure if it was on OpenBSD), but in my case my ISP uses PPPoE, which means that receive-side scaling and other forms of TCP/UDP offloading that the I210 offers can’t be utilized. So only one of the four CPUs is the bottleneck and I don’t get much further than 480 Mb/sec. But this is an older and passively cooled/low power device.
Ah, that’s interesting! Thank you very much! I will definitely pick OpenBSD up then for some tests.
This sounds good, has anyone assessed the effects of this change?
I find that very interesting!
I’m running an OpenBSD Kettop router in the office, and it’s been performing really well so far. After the initial setup, it’s needed almost no intervention on my part. I’m happy with the choice. Configuring it has been much simpler compared to a Linux-based router.
This is really cool, are there other OSes which modify their compile?