Anyone tried a PC Engines APU2C4 yet?

Discussion in 'Networking & Security' started by Zarathustra[H], May 31, 2016.

  1. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    I discovered these while reading up early last week.

    I ordered mine and it should be arriving this evening.

    Provided my serial null-modem cable arrives from China as well (never thought I'd be buying one of these in 2016, wish I could find my old one from the early 90's) I'll be starting the setup today. It will be my first time setting up a serial console only system.

    Looks like a match made in heaven for pfSense.

    - Quad core AMD Jaguar at 1Ghz using just 6W fanless.
    - 4GB ECC RAM
    - 3x Intel i210AT Gigabit Ethernet
    - 2x Mini PCIe for WLAN (and presumably other things)
    - 1x msata

    All things considered, with Case, AC adapter, a 16GB msata SSD and shipping from Switzerland, my total was ~$175

    I think I've finally found a router I will be happy with!
     
  2. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    Not so good at that clock speed. Otherwise it's usable.
     
  3. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Well, it's not going to be a gaming rig, it's just doing routing and codel.

    I currently have an i5-4750T as a pfSense box, and with my connection (150/150) I've never seen it exceed 3% CPU utilization.

    I figure this low power board will be great and allowe to repurpose the i5 in an HTPC box.
     
  4. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    pfsense tend to use a low thread count. Codel is clk intensive. Your i5 would have to run at 750Mhz to compare to the jaguar.

    Point is, if your CPU can keep ahead of the workload the CPU looks bursty, or instantaneous in respect to load. Once you start hitting 100% the query starts to backup.... its all downhill

    A Pico FF board with i3T would be a better choice, but finding it at the right price would the hard part.
     
  5. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Hmm.

    My understanding is that this used to be the case (this is actually why I built the i5), but that pf has been increasingly threaded in the last couple of years.

    PPPoe is apparently one of the few things left that really isn't very threaded in pfSense.

    I'll test it and let you guys know though!
     
  6. +Eric

    +Eric Limp Gawd

    Messages:
    128
    Joined:
    Jul 4, 2012
    You're going to run pfSense here too? 2.3?

    I'd love to know how this goes. I wouldn't be running codel but just pfSense, I'm looking for something new as right now I'm running it on ESXi but would like to get rid of the server. I have gig fiber, so I don't know if this will be enough, but I need to start looking into options.

    Great price really.
     
  7. Dawizman

    Dawizman Gawd

    Messages:
    807
    Joined:
    Jul 9, 2003
    The apu1d4 has worked well for us so far. Once I use up the last of the units I have on the shelf, I'll be getting some of the new models. We use them as managed routers for small offices, providing vpn connections, and other basic routing functions. Plenty of power for our needs.
     
  8. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    I will definitely post my performance results when I get it up and running.

    I'm temporarily stuck however. Can't get serial console output out of it. I suspect that the USB to serial adapter I am using with my laptop might be bad.

    My desktop motherboard has a serial header, and I think I have a serial port faceplate somewhere in the parts bin in the basement. The desktop is temporarily down as I repaint my office though, so it will have to wait until the paint has dried and everything has been moved back in.
     
  9. Dawizman

    Dawizman Gawd

    Messages:
    807
    Joined:
    Jul 9, 2003
    What were you using for serial settings? The default for both the apu and pfsense is 115200/8/N/1.
     
  10. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yep, I have it set to 115200 8n1, but I get nothing out of it.
     
  11. Dawizman

    Dawizman Gawd

    Messages:
    807
    Joined:
    Jul 9, 2003
    I've yet to see a bad usb to serial adapter that showed up correctly in the device manager, but that doesn't mean it's not possible. You're sure your cable is null modem? I've come across poorly made cables that caused issues in the past though.
     
  12. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Well, for what its worth, I have bios output on my first attempt with the on board serial port on my desktop mobo and the same cable, so I'd say it's the USB to serial adapter.

    Boot of the pfsense 2.3.1 serial console disk image dd:ed to a USB stick fails though, with some odd errors. Going to try burning the ISO to a CD and booting it from a USB CDROM (if the APU can handle that :p )
     
  13. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yeah, CDROM image fails to boot as well. Has issues mounting the root fs.

    The official APU guide says to boot with a TinyCore linux USB and dd the nanoBSD pfsense image to the main drive. Maybe this is why.

    I had hoped installing the full pfSense rather than the NanoBSD version though, as I am not concerned with SSD drive wear, and would prefer using the full version, but maybe that just isnt possible?
     
  14. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Turns out pfSense 2.3.1 serial images are broken.

    2.3 seems to install just fine. Hopefully a live upgrade to 2.3.1 will work.
     
  15. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yep.

    Installing from the 2.3 image and upgrading using the web interface to 2.3.1_1 works perfectly. For some reason the 2.3.1 images just refuse to properly boot though.
     
  16. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    So, here's some performance testing:

    First, power at wall using my Kill-A-Watt:

    Idle booted up in pfSense with powerD enabled an set to "Hidaptive"
    5.8W-6.5W

    Loaded up by running iperf through it:
    6.5W-7.2W

    Interesting but not really all that relevant: Unplug all network cables and the idle drops down to ~4.7W



    Networking Performance:

    iPerf baseline (Directly (well, through my switch) from my desktop to my server without routing) 937MB/s (240s run)
    iPerf using APU2C4 router between my desktop and my server: 595MB/s with CPU load ranging from 20% up to 40%

    Then I decided to experiment by enabling TSO and LRO:

    Surprisingly CPU load seemd to go up, now ranging from 30% up to 60%

    Performance was mostly unaffected, and may have dropped ever so slightly (571MB/s)


    My conclusion is that it is a great little box, and it will work excellently on my 150/150 connection, but unless there are some performance tweaks I am not aware of, it likely does not handle Gigabit speeds particularly well.
     
  17. bds1904

    bds1904 Gawd

    Messages:
    1,005
    Joined:
    Aug 10, 2011
    Nice to see you are getting good speed out of it. Just proof (to the few on here that don't believe) that these little boxes route just fine on sub-gigabit speeds.

    I have a J1900 box with 4 Intel NIC's that'll do 890mbit routing and 100mbit OpenVPN aes-256 all day with no issues. It'll also run Suricata well at 150mbps for sure, I can't test it a any faster than that with real-world testing because of internet connection speed. That entire setup cost me $250. 64gb ssd and 4gb of memory.

    Symmetrical speeds of 400mbps is where performance issues start. For example, a symmetrical gigabit connection means the router needs to potentially route 2Gbps. Hard thing to achieve on a sub-$500 budget and sub-50w power with pfsense.

    Can you do some VPN testing too? Both OpenVPN and IPSEC? Don't forget to enable AES-NI, that'll speed up IPSEC quite a bit.

    Where did you find the board so cheap BTW?
     
    Last edited: Jun 3, 2016
  18. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    Ubiquiti Edgerouter Lite can route at 2Gbs. Add IPsec that drops to 50Mbs, but not with OpenVPN.


    Edgerouter Pro at $330 brings IPsec up over 250Mbps. Probably faster but I haven't seen any updated benchmarks.
     
  19. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yeah, if I'm ever lucky enough that Google Fiber comes this way, this box will not be enough, but for my 150/150 connection it should be more than enough.

    Hmm. I've never run OpenVPN in my router, but I can set it up to give it a try I guess

    I ordered it directly from PC Engines in Switzerland. They shipped it to me in the US using UPS. It arrived in 3 days.

    Their ordering form on their webpage is imperfect but it works. When I ordered it using their ordering form the pricing was as follows:
    • APU2C4 board: $122
    • CASE1D2BLKU Black Enclosure: $10.00
    • AC12VUS2 US AC adapter: $4.40
    • MSATA16D 16GB msata SSD: $17.00
    • Shipping & handling: $39.40
    • Total: $192.80

    I got an automated order confirmation with this information in it.

    However, when I got my actual invoice the prices changed as follows:
    • APU2C4 board: $114
    • CASE1D2BLKU Black Enclosure: $9.40
    • AC12VUS2 US AC adapter: $4.10
    • MSATA16D 16GB msata SSD: $16.00
    • Shipping & handling: $29.40
    • Total: $172.90

    I was a little bit puzzled, but I wasn't about to complain.

    Then when I received the box, I was initially concerned, as my itemized invoice in the box was different again:
    • APU2C4 board: $130
    • CASE1D2BLKU Black Enclosure: $9.40
    • AC12VUS2 US AC adapter: $4.10
    • Shipping & handling: $29.40
    • Total: $172.90

    (note the missing SSD and APU board having gone up in price). I almost ordered an msata SSD on amazon before I noticed they had just installed the SSD on the board before shipping it, and combined the pricing of the two items.

    Anyway, in the end, the grand total was $172.90 including 3 days shipping from Switzerland and I am happy.

    It appears to be a small company run by former large PC OEM board designers who really know their engineering stuff, but haven't taken the time to refine their ordering process :p
     
  20. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yeah, I briefly used a Edge Router PoE. I really liked it, but I was very disappointed with the performance after adding QoS. I wound up eating the restocking fee at Newegg on it.

    It's too bad it doesn't have codel as that would likely completely eliminate my concerns with it. Maybe they will add it in some future revision of their firmware.
     
  21. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Nice, What do you use Suricata for? I am not familiar with it at all. I did some reading just now, and it appears to be some sort of security software, but other than that I have no idea.
     
  22. bds1904

    bds1904 Gawd

    Messages:
    1,005
    Joined:
    Aug 10, 2011
    It's an IDS suite. I have 5 kids and I like to know what's going in/out of my network. It dynamically tracks and/or blocks known software exploits, viruses and malware based on their internet traffic. It uses "flowbits" to detect them. Keep reading into it, it's very interesting. It's finicky setting up at first, but once you have things running it's set-it-and-forget-it. Until you tune it a little it'll block too much by default.
     
  23. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Huh. Does it contribute to buffer bloat at all? While cool, it would seem something like that would have a potential for massively slowing things down.
     
  24. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    Edgerouter has fq-codel under adv QOS since firmware 1.7. There's been a plugin available for it since fw 1.5.

    Unfortunately using it drop those packets into sw mode for routing. So performance suffers.

    Edgerouter lite can move 70Mbps through fq-codel, Edgerouter = 125Mbps, Edgerouter Pro =220Mbps


    Most user's only apply it to upload to get around that limitation. I use it on my Edgerouter POE bi-directionally for my WAN connection. 28Mbps Down /4.8Mbps Up usually maintaining sub 20ms latency.

    Make one hell of the difference when streaming, gaming and downloading all at the same time. Without it, it'd be impossible.
     
  25. bds1904

    bds1904 Gawd

    Messages:
    1,005
    Joined:
    Aug 10, 2011
    It is possible, hence the 150mbit test. I've maxed out the conection with many different connections never had an issue. With a 150mbit connection on the j1900 the CPU sits at 60% while maxing out the connection running Suricata. RAM is your friend with Suricata. I would say no less than 2GB is required to run it well.

    The nice thing about it is that it's 100% customizable. You can adjust every single setting on how it handles traffic. You can even have it analyze traffic without blocking it.
     
  26. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    So, I apologize guys.

    I was trying to do an OpenVPN test performance test, but I ran into some sort of OpenVPN configuration issue, and I just don't have time to troubleshoot it right now. I need to get this router installed.

    In lieu of that, here is an OpenSSH test run on the box:

    Code:
    [2.3.1-RELEASE][root@pfSense.localdomain]/root: openssl speed -elapsed -evp aes-128-ecb
    You have chosen to measure elapsed time instead of user CPU time.
    Doing aes-128-ecb for 3s on 16 size blocks: 23413097 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 64 size blocks: 18438085 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 256 size blocks: 7473361 aes-128-ecb's in 3.00s
    Doing aes-128-ecb for 3s on 1024 size blocks: 2115520 aes-128-ecb's in 3.01s
    Doing aes-128-ecb for 3s on 8192 size blocks: 279464 aes-128-ecb's in 3.00s
    OpenSSL 1.0.1s-freebsd  1 Mar 2016
    built on: date not available
    options:bn(64,64) rc4(8x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx) 
    compiler: clang
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    aes-128-ecb     124869.85k   393345.81k   637726.81k   720221.92k   763123.03k
    
    I hope this is at least a little bit helpful! I can do more later if needed, I just won't be able to hook up the box to do a full unrestrained local speed test, as it will be serving as my router at that time.
     
  27. bds1904

    bds1904 Gawd

    Messages:
    1,005
    Joined:
    Aug 10, 2011
    Good thing both the j1900 board I use and the board the OP is talking about have Intel nic's then....

    Don't get where you got anyone was using realtek nic's from. Also don't know where you got the idea anyone was suggesting a "performance problem".
     
    Last edited: Jun 7, 2016
  28. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Possibly because the original APU boards from PC engines did have realtek NIC's.

    The APU2 boards like mine - however - have Intel NIC's. The APU2C4 like I have has three i210at ports and the APU2C2 has three i211at ports.

    As odd as it sounds the i210 is actually the more recent design covered by the Intel igb driver, whereas the i211 is an older design covered by the em driver.
     
  29. diizzy

    diizzy 2[H]4U

    Messages:
    2,602
    Joined:
    Nov 6, 2008
    I find it quite hilarious that the APU2C4 performs very similar to Mediatek's MT7621A MIPS boards which are available at less than half the price of the APU2C4 board alone (iperf and routing). OpenVPN should be slightly faster (not by much) but I highly doubt it'll a major difference given the aging CPU arch and AMDs not so stellar performance in general regarding CPUs.

    Mackintire
    Those numbers sounds very sane given the slow CPU in the ER(L) boxes. I have one here myself and it's just sitting on a shelf due to lackluster performance. The MIPS64 platform isn't getting much love either which doesn't help... If they decide to do another iteration it'll most likely be ARM, however I do expect prices to be much higher unless they're going for IPQ (QCA) or Marvell platforms.
     
    Last edited: Jun 11, 2016
    Mackintire likes this.
  30. acascianelli

    acascianelli [H]ardness Supreme

    Messages:
    6,812
    Joined:
    Feb 25, 2004
    Considering getting one of these setups to replace a Pentium 4 Prescott class system I'm currently using for pfSense.
     
  31. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yeah, I quite like pfSense though, and last I checked there is no MIPS version of pfSense. Had I been aware of that thing at the time of my shopping, I would likely have taken it into consideration though.
     
  32. acascianelli

    acascianelli [H]ardness Supreme

    Messages:
    6,812
    Joined:
    Feb 25, 2004
    Just got my pfSense firewall running on a APU2C4. My old firewall was a IBM M51 Pentium D (NetBurst) class system. Went from 80W to 6W when idle, verified with a KillaWatt.

    Ended up going with a much larger than necessary 60gb mSATA SSD.
     
    Last edited: Sep 19, 2016
    Zarathustra[H] likes this.
  33. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Messages:
    28,046
    Joined:
    Oct 29, 2000
    Yeah, these things are by no means performance systems, but for something light like a router/firewall they are pretty nice, fanless and very low power.

    Good for up to almost 600Mbit/s in my testing. (Maybe 580? I can't remember)
     
  34. acascianelli

    acascianelli [H]ardness Supreme

    Messages:
    6,812
    Joined:
    Feb 25, 2004
    I only have 75/10 from Comcast right now. I don't forsee my self hitting the ~600mbit limit of this hardware in nearish future. I really want to decommission this old P4 for good.
     
  35. TCM2

    TCM2 Gawd

    Messages:
    572
    Joined:
    Oct 17, 2013
    What are you agreeing to here? What you quoted made no statement about performance. That APU probably runs circles around that old Netburst CPU.
     
  36. Ceresia

    Ceresia n00b

    Messages:
    1
    Joined:
    Nov 28, 2016

    I had this issue when I was setting mine up, my idiot mind grabbed a straight through serial cable, I thought it was my serial to USB connector so I ordered a second one and no dice, as soon as I figured out my cable was straight through and swapped it with a null everything went smooth.

    I just got mine up and running this past weekend and dang do I really like this thing! It uses virtually no power, and it runs circles around my old HP SFF custom box (That was a C2D 3.0GHz with 2GB memory and a 80GB Spindle) I couldn't for the life of me get the SD card to work with boot, even following all kinds of directions and installing all types of PFsense images to it, it just wouldn't boot from it. I bought a msata drive and am I glad, this thing is great, with my previous setup if I were running multiple netflix streams and trying to even browse facebook it would lag around (150down/25up) With the apu2c4 I have no issues and am getting full throughput