Untangle on a Dual Core Atom

NetJunkie

Thinking of playing with an appliance for Untangle. Let's say I do a D2700. Right now I'm running Untangle in a VM, which after some network tweaking, runs well given 1 vCPU on a box with an Intel X3440. My load average is real high (6 to 13) under really heavy load...pulling full 50Mb down, probably 300KB/s up...and about 900 sessions (heavy Bittorrent or something..worst case for me).

Would a D2700 Atom fall on its face here? I'm just trying to judge how it would do.
 
Sounds extremely slow for a plain firewall and given those says I'd say that you'd need something more powerful. If you're just looking for a firewall m0n0wall (requires less processing power than pfsense) would be something worth looking at otherwise pfsense. Have in mind that a plain mips router would be able to handle that too. ...but you want more features?
//Danne
 
Dual Core Atom will do fine...use Intel NICs and 4 gigs of RAM. The dual core Atoms handle networks of 50 rigs just dandy...it's when you have a mail server with heavy mail flow that she can bog down (AV and spam module). Want some extra headroom, use an i3..ain't much more cost/power consump/heat.
 
We give no credit to ATOM. ATOM is very powerful when properly applied to a server application. My nas can real time stream like 4 1080P streams over gig/e to my laptop, television, desktop, and television all at the same time. I tested it and the dual core atom with hyperthreading @ 2.13ghz
 
My units that have 1.66GHz Atom D510s push 600Mbps+ in pfSense under real world traffic for a few customers.

Atoms are fine.
 
I might give it a shot...in the mood to play with something anyway and I can always find a use for a small box like that. It's pretty cool now that I got it working well under 1 vCPU. I have it using VMware FT (Fault Tolerance) so I have full live failover to a mirror VM that's always kept in lock step with the primary. Under max load it takes 11MB/s of network throughput to ship all the CPU/memory transactions and the secondary VM is at most 2/10ths of a second behind, so actual cutover would take 2/10ths of a second and then it picks up exactly where the primary was.
 
My units that have 1.66GHz Atom D510s push 600Mbps+ in pfSense under real world traffic for a few customers.

Atoms are fine.

You can't compare pfSense to Untangle in that matter. Untangle is a bit more CPU intense and has more features & modules.
 
I agree with Dash on that... Untangle is much more resource intensive than others, but I will add that I'm running Untangle on a Dual 1.8GHz Atom D525 with 60/3 (soon to be at least 60/6) and it's not skipped a beat, not once.

Totally pleased with its performance and its performance per GB£ both for initial outlay and running cost.

The crap that this has blocked is phenomenal! You really would be surprised at just how much, and how you managed without one for so long;)
 
I agree with Dash on that... Untangle is much more resource intensive than others, but I will add that I'm running Untangle on a Dual 1.8GHz Atom D525 with 60/3 (soon to be at least 60/6) and it's not skipped a beat, not once.

Totally pleased with its performance and its performance per GB£ both for initial outlay and running cost.

The crap that this has blocked is phenomenal! You really would be surprised at just how much, and how you managed without one for so long;)

I MISS MINE ALREADY :( I love how Untangle blocks YouTube ads and SonicWall doesn't :( FML

OR I just haven't put any effort into making the SonicWall block them.....
 
I MISS MINE ALREADY :( I love how Untangle blocks YouTube ads and SonicWall doesn't :( FML

OR I just haven't put any effort into making the SonicWall block them.....

Why don't you run it transparently just for the filtering? That's what I do with my ASA.
 
Why don't you run it transparently just for the filtering? That's what I do with my ASA.

What's that all about? Maybe I should :) heeh


P.S. Working on this, the new parents' Untangle box.

89$ at newegg.ca

Dropped in a dc 2.0 lga775 cpu
2 gigs ram
160gig hdd

Ordering a pci low profile intel nic, and will be set..

Opened Cover.


Goodies Installed & wiring Cleaned up.

 
Atom d510 and 2gb ram, 32bit install with onboard intel nics. This will be going into production in the next few weeks for a site that will have a terminal server+public wifi. I've done lesser for other sites with no issue.

My home box is a single core sempron with 2gb ram that also runs w/o issue.

While untangle may take more resources than others on the scene, it isn't going to need top tier server hardware for 90% of those that are looking at using an atom system.
 
While untangle may take more resources than others on the scene, it isn't going to need top tier server hardware for 90% of those that are looking at using an atom system.

Yup.....unless there's a beefy mail server behind it with thousands of e-mails per day flowing through it being scanned...a dual core Atom will do networks of 50 and more users just fine.

One note though, for top gaming performance, or for top p2p torrent crap performance....I'd go to PFSense. Untangle is designed for biz networks. It's designed to block torrents..it's not designed to optimize them. Kinda two opposites here.
 
Yup.....unless there's a beefy mail server behind it with thousands of e-mails per day flowing through it being scanned...a dual core Atom will do networks of 50 and more users just fine.

One note though, for top gaming performance, or for top p2p torrent crap performance....I'd go to PFSense. Untangle is designed for biz networks. It's designed to block torrents..it's not designed to optimize them. Kinda two opposites here.

And how does pfSense "optimize" them? Untangle seems to have no problem with them maxing my connection with almost 1K connections.
 
And how does pfSense "optimize" them? Untangle seems to have no problem with them maxing my connection with almost 1K connections.

I've seen PFSense handle anything you can throw at it..load wise. Wicked high max session count (I've had it allow 512,000 max sessions if I have a gig or two of RAM in it...and I know it can go higher). Untangle, due to its Debian base, currently has 10,000 max session limit. Not that most home users can obtain that.

PFSense is a freaking Ferrari....fastest performance I've ever seen based on using tons of various *nix distros at home. Incredibly rich QoS abilities. Untangle is not meant for speed, its primary purpose is to be a UTM for business networks. The basic "free" version (Untangle Lite), which is what most home users use...has basic QoS...and you only get more granular QoS features if you purchase the Bandwidth Controller module (which most home users here aren't going to do). I'm not knocking Untangle...I am an Untangle reseller and I sell/support a lot of Untangle installs...and I love the product.

It's just...if speed, high state tables, online gaming, and torrents 'n stuff are your primary goal...Untangle IMO is the wrong tool for that.
 
Okay, but that doesn't mean anything about pfSense optimizing anything. Yes, it has better QoS and bandwidth control than the free Untangle but I don't use the free Untangle, I use the Premium. I've used pfSense, it's good..it's lean...it's also not nearly as simple to set up and use as Untangle and since my time to learn pfSense is extremely limited these days I chose Untangle. I doubt you'll see any home or SOHO user hit the 10K session limit so that's a non-issue.

So back to my point..curious to see if I can do what I want with a dual core Atom. Depending on how much money I give to Apple tomorrow I may just order one to play with. :)
 
Also, another reason I no longer use pfSense..there were bugs with its networking stack (not unusual with BSD) while running in a VM. It used way more CPU than it should and I had several other people reproduce it. That may be fixed by now, I don't know. Haven't gone back to try.
 
Okay, but that doesn't mean anything about pfSense optimizing anything.

Well, OK, if we're going to nit-pick linguistics....PFSense, by default, has much deeper QoS settings and flexibility which allow you (if you're capable) of optimizing certain types of traffic (desired or not desired)...so you can customize it more for your needs. It's optimized more for QoS, by default, than Untangle is, by default.
 
Also, another reason I no longer use pfSense..there were bugs with its networking stack (not unusual with BSD) while running in a VM. It used way more CPU than it should and I had several other people reproduce it. That may be fixed by now, I don't know. Haven't gone back to try.

YET another reason why we all say DON'T USE YOUR FIREWALL IN A VM it should be your edge device..

SURE it will work, but it's not suggested or meant to be...
 
This sounds more like a plain configuration issue more than real performance issue and reading a bit more.... http://forums.untangle.com/networking/20335-10000-maximum-tcp-sessions.html
This is to keep performance within reasonable limits, pf doesn't do layer 7 filtering like iptables does, at least using the default/open source tools. As for state tables Untangle supports more than 10k which makes sense but so does pf. I would although say that 512,000 is more of a "bogus" value since you'll hit other limits before that such as pps. ~300k pps seems to be about the limit for "normal" gigabit hardware without any filtering and such. Add a firewall on top of that and you'll have a lot lower real world value. Going by mailing lists I've seen people starting to get packet loss at 20k-30k sessions while others can supposedly push 200k (with pf enabled). Anyhow, I'd say that ~500-800 is sane for a normal client including P2P. If you need more than that I would seriously have a look since that's not "normal" unless you have a really whacky p2p client and/or very long session timeouts.

I personally like pf a lot more than iptables given its syntax and features but it's not unbreakable ;-)
FWIW, at work our router barely goes over 1k states with ~30 clients but then again that's without P2P.
//Danne
 
YET another reason why we all say DON'T USE YOUR FIREWALL IN A VM it should be your edge device..

SURE it will work, but it's not suggested or meant to be...

I think you're choosing the wrong person to tell what should and shouldn't be ran in a VM. ;)
 
Well, OK, if we're going to nit-pick linguistics....PFSense, by default, has much deeper QoS settings and flexibility which allow you (if you're capable) of optimizing certain types of traffic (desired or not desired)...so you can customize it more for your needs. It's optimized more for QoS, by default, than Untangle is, by default.

Hey, you said optimize, not me. :p
 
YET another reason why we all say DON'T USE YOUR FIREWALL IN A VM it should be your edge device..

SURE it will work, but it's not suggested or meant to be...

Why not? Because pfSense's network stack has (or had) a bug where it uses more CPU than needed (or at least shows that it does) when running against the E1000 drivers in a VM? That's a specific bug on a specific OS/App.

Why would an "edge device" be more secure or capable than what I have? I'd say my configuration is more capable than yours. I have vSphere FT w/ a full time in-sync mirror VM running that can take over in a split second doing EXACTLY what the primary was doing when it failed. I can very easily throw more CPU and/or RAM at the box any time I want, can you?

And please, PLEASE don't tell me that something "network intensive" shouldn't be in a VM. I architect VM solutions that *FAR* outscale anything being discussed here for network and storage I/O.
 
I think you're choosing the wrong person to tell what should and shouldn't be ran in a VM. ;)

Because he will do it anyways, right? LOL!

To me it just doesn't make sense to run your firewall in a VM..

In the real world *real* businesses, I have NEVER EVER SEEN a firewall in a VM...
 
Because he will do it anyways, right? LOL!

To me it just doesn't make sense to run your firewall in a VM..

In the real world *real* businesses, I have NEVER EVER SEEN a firewall in a VM...

Really? I have. I'm deploying some this week for a PCI environment. You might want to go tell Cisco that their Virtual ASA (vASA) project should be shelved. No one wants it. :)
 
Spend some money and get a Barracuda. Scrw all this VMware PFTANGLEUNSENSEAMESS lol.
 
What's their contact info?

Really? I see on your blog you JUST finally got to play with an ASA5505. How many true enterprises have you worked in, especially around security and firewalls? I asked about a simple Untangle config on a dual core Atom but I'm happy to talk enterprise gear if you'd like.

You don't see a lot of large EDGE firewalls virtualized but you see plenty of them in multi-tenancy roles and service providers. It makes no sense to bounce traffic off a physical firewall from each virtual host when you can do it locally right on the host with something like Cisco's vASA or VMware's vShield App.

Now, can we go back to talking about the actual question I asked?
 
Really? I see on your blog you JUST finally got to play with an ASA5505. How many true enterprises have you worked in, especially around security and firewalls? I asked about a simple Untangle config on a dual core Atom but I'm happy to talk enterprise gear if you'd like.

You don't see a lot of large EDGE firewalls virtualized but you see plenty of them in multi-tenancy roles and service providers. It makes no sense to bounce traffic off a physical firewall from each virtual host when you can do it locally right on the host with something like Cisco's vASA or VMware's vShield App.

Now, can we go back to talking about the actual question I asked?

Now that you answered my rant sure :)

YES your Untangle will run fine on the D2700, but like mr stone said, an i3 would be ideal, it's been mentioned many times on here that the i3 and Atom are = in power usage, but the i3 has more power when needed, so say you have a friend or your wife wants to download a huge movie or you're streaming a nice HD YouTube video the i3 can speed up and provide the power needed.

Personally I think the D2700 will be just fine at home for you..

P.S. klank bailed on selling me his ASA 5505, so I'm using my SonicWall TZ210..
 
What's the highest session count and load average you've seen?

Ha! You would ask this now.... I rebooted a couple of days back to install a Dual Intel Pro 1000GT to play with some other stuff... After its current 2 days, 3 hours and 53 minutes of uptime it's all been really low...

I'm just going to load it up a bit now, some torrents and some debian images from debian.com and I'll come back to you....


**EDIT**

Up to now, about 10-15 minutes or so of heavy torrents and images, I've seen 2068 sessions and load averages for 1 min, 5 mins and 15 mins of 8.86, 6.24, and 4.48 respectively...

The little window currently says medium for CPU load but I'm still downloading at nigh-on my full 60Mb download.

I have running in the Untangle 'rack'...

Web filter lite
Virus blocker lite
Spam blocker
Firewall
Intrusion prevention
Ad blocker

If I turn all these off, the load window (eventually) falls back to low.

Sessions are up and down but the max I've seen is still 2068

Free Memory is 60-61% (of 4GB (64 bit Untangle))

Processes seem to be sticking round about 122.
 
Jason, a dual-core Atom will run beautifully. We have deployed several of them at work without any hitch other than a botched Untangle update or a hardware failure. (Both are very, very rare.)
 
We give no credit to ATOM. ATOM is very powerful when properly applied to a server application. My nas can real time stream like 4 1080P streams over gig/e to my laptop, television, desktop, and television all at the same time. I tested it and the dual core atom with hyperthreading @ 2.13ghz

Atoms are a waste of space. Streaming 4 1080P movies? You're way more limited to hard drive speed than you are CPU speed. There's virtually no CPU usage in transferring a file. It's not even transferring at full speed, it's transferring at the speed of the movie's bitrate plus some buffer. That's hardly stress.

As StoneCat pointed out, and I've said lots of times, i3 > Atom. The power consumption of an i3 is marginally more than an Atom @ idle. When you talk about an actual load on a system, an Atom running at 50-75% load uses more power than an i3 that is only running at 5-10% doing the same task.

As to the OP, I'd go with an i3. If all you're doing is routing you're not really using Untangle for all its glory. Once you do start using all the real features of Untangle, you're going to need an i3.
 