Subject: Re: looking for small, quiet, low-power firewall
To: None <port-i386@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-i386
Date: 01/31/2002 16:03:58

On Thu, Jan 31, 2002 at 09:06:27PM +0100, wojtek@chylonia.3miasto.net wrote:
> > > I want a small, quiet, low-power firewall box for my home
> > > network (cable modem link) and I'm looking at this unit:
> > > http://www.soekris.com/net4501.htm
> > >
> > > Does anyone have any experience with this board?
> > >
> > I am running 1.5.2 with IPF and NAT as my firewall box and I recommend it
> > without reservation.
> >
> will you try adding PCI IDE and do some fileserving task too?
> 
> it's very interesting as at least 1 HDD should fit into their case...

I have several of these.  With even the smallest of PCI cards installed,
there is *no way* you could get a hard disk into the case.  If you had
a MiniPCI IDE module (which you would have to have custom-made) you might
get somewhere; or you could use an IBM Microdrive in the CF slot instead
of a CF card.

However, this will simply not work well.  Here are some reasons why:

1) If you go the Microdrive route, you will be serving up files that you
   access over what is effectively an 8-bit, ISA, PIO-only IDE interface.

2) If you somehow get PCI IDE onto the box, it won't do you a whole lot of
   good, because the machine's CPU is a truly stupid design -- a 133MHz
   486 core connected internally to a 133MHz, 64-bit-wide SDRAM controller 
   by a 32-bit-wide, 33MHz pipe!  AMD's documentation is somewhat unclear
   about this point but you can easily test the memory bandwidth for 
   yourself and see what they did: hooked up existing "486 core" and "SDRAM
   controller" cells from their library without bothering to do any design
   work on the path between them.  Sigh... that's right, the machine has no 
   more memory bandwidth than a 33MHz 486 would, and this turns out to be 
   *the* limiting factor for its performance even in routing applications 
   where all you do is move data from a network controller, into memory, and 
   then back to another network controller without any copies.  For file 
   service, even if you use NFS (where at least the data isn't repeatedly 
   copied across the user/data boundary) instead of Samba (where it is) this 
   box is particularly ill-suited because of its cripplingly narrow memory
   pipe.

For what it's worth, with a great deal of optimization you might manage
to route 50Mbit/sec between two interfaces on one of these boxes, but
that's pretty much the end of the line.

I really wish Soekris made a similar machine with a CPU that didn't lose
in this particular way -- it would be perfect for several things I do
at home _and_ at work.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud