Subject: Re: looking for small, quiet, low-power firewall
To: None <port-i386@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: port-i386
Date: 01/31/2002 16:03:58

On Thu, Jan 31, 2002 at 09:06:27PM +0100, wojtek@chylonia.3miasto.net wrote:
> > > I want a small, quiet, low-power firewall box for my home
> > > network (cable modem link) and I'm looking at this unit:
> > > http://www.soekris.com/net4501.htm
> > >
> > > Does anyone have any experience with this board?
> > >
> > I am running 1.5.2 with IPF and NAT as my firewall box and I recommend it
> > without reservation.
> >
> will you try adding PCI IDE and do some fileserving task too?
>
> it's very interesting as at least 1 HDD should fit into their case...

I have several of these. With even the smallest of PCI cards installed,
there is *no way* you could get a hard disk into the case. If you had
a MiniPCI IDE module (which you would have to have custom-made) you might
get somewhere; or you could use an IBM Microdrive in the CF slot instead
of a CF card.

However, this will simply not work well. Here are some reasons why:

1) If you go the Microdrive route, you will be serving up files that you
access over what is effectively an 8-bit, ISA, PIO-only IDE interface.

2) If you somehow get PCI IDE onto the box, it won't do you a whole lot of
good, because the machine's CPU is a truly stupid design -- a 133MHz
486 core connected internally to a 133MHz, 64-bit-wide SDRAM controller
by a 32-bit-wide, 33MHz pipe! AMD's documentation is somewhat unclear
about this point but you can easily test the memory bandwidth for
yourself and see what they did: hooked up existing "486 core" and "SDRAM
controller" cells from their library without bothering to do any design
work on the path between them. Sigh... that's right, the machine has no
more memory bandwidth than a 33MHz 486 would, and this turns out to be
*the* limiting factor for its performance even in routing applications
where all you do is move data from a network controller, into memory, and
then back to another network controller without any copies. For file
service, even if you use NFS (where at least the data isn't repeatedly
copied across the user/data boundary) instead of Samba (where it is) this
box is particularly ill-suited because of its cripplingly narrow memory
pipe.

For what it's worth, with a great deal of optimization you might manage
to route 50Mbit/sec between two interfaces on one of these boxes, but
that's pretty much the end of the line.

I really wish Soekris made a similar machine with a CPU that didn't lose
in this particular way -- it would be perfect for several things I do
at home _and_ at work.

--
Thor Lancelot Simon tls@rek.tjls.com
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud