RE: [m0n0wall] PIX vs m0n0wall testing -- requesting input (was: Re: [m0n0wall] Re: Re: Re: to Wrap or to Soekris that is my question? What about VIA?)

From:	alex wetmore <alex at phred dot org>
To:	Chris Bagnall <m0n0wall at minotaur dot cc>
Cc:	'Chris Buechler' <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
Subject:	RE: [m0n0wall] PIX vs m0n0wall testing -- requesting input (was: Re: [m0n0wall] Re: Re: Re: to Wrap or to Soekris that is my question? What about VIA?)
Date:	Sat, 18 Dec 2004 08:08:38 -0800 (PST)

On Sat, 18 Dec 2004, Chris Bagnall wrote:
>> http://m0n0.ch/wall/docbook/faq-performancespecifications.html
>
> Has anyone done similar tests using generic PC hardware?  I noticed
> all of the m0n0 box specifications on that page are WRAP/Soekris
> boxes, which, let's be honest, are lower specifications than even
> PCs of 4 or 5 years ago.

I just did a very basic test with a standard PC.  This is a Celeron
300mhz with a mix of ethernet boards.  I wget'd a 26mb file from a box
living on LAN1 to another box living on LAN2.

I did this 5 times.  Twice wget reported 8.55MB/s, three times it
reported 6.51MB/s.

I just put my WRAP back into service and ran 5 test runs.  I always
got 4.27MB/s.  So this is about 40% slower than using the PC hardware.

> I must confess to being rather cynical about these Soekris and WRAP
> platforms.  If you shop around you can find very compact PCs these
> days that still run on mostly standard hardware (just about all the
> Biostar/Iwill/Shuttle SFF boxes, for example).  Given that Sempron
> chips in the 2200+ to 2600+ range are currently around £40 (that's
> probably around $70 - no doubt they're cheaper over the other side
> of the pond anyway), for under £200 you'd have an SFF box with an
> onboard NIC (some of them have 2 onboard, shop around).  Nearly all
> these SFF boxes have at least one PCI slot, so shove a dual-port
> Intel Pro/100+ card into there and you've got a
> * very* fast platform to work with.  For about the same price as a
> * complete
> Soekris/WRAP configuration you've got a compact PC with many times
> the processing power, and the ability to upgrade to gigabit cards in
> the future if/when required.

I disagree with your cynacism about the WRAP and Soekris platforms.  I
agree that PCs are cheap, but show me a brand new one that is $170
including power supply and case.  The WRAP consumes 5w of power vs
about 50-75w for a minimal PC setup.  The WRAP has no moving parts
(solid state disk and no fans).  It is silent.

> On the other hand, when most organizations are still running with net
> connections under 10mbps, does raw throughput really matter all that much?

Only if you are routing across subnets which are on different LAN
ports on the m0n0wall box.  In my example above LAN1 was my DMZ and
LAN2 was my desktop LAN.

> To my mind m0n0wall's greatest advantage is its ability to run quite
> happily on standard PC hardware.  That's good for my clients in that
> they can use an old, retired PC for the task with just a few
> modifications (mainly a couple of extra NICs) and good for the
> environment (fewer PCs being dumped).  There must be thousands of
> old PCs out there that have gone past their usefulness as office
> machines but would still make perfect firewall/routers.  Software
> like m0n0wall gives them a new lease of life.

This is great as long as the old hardware is reliable to continue
running 24x7 and someone can easily replace it should it fail.  I keep
an old PC around as a backup for my WRAP, but trust the WRAP board
more than the PC.  The PC is 5 years old and has many moving parts
that m0n0wall depends on (fans, floppy, CD-ROM).  A single failure in
any of these devices means that my m0n0wall will stop functioning.

The power savings of a WRAP is also a couple of dollars in my pocket
every month.  I wish I could find my "kill-a-watt" power meter, I
would take power readings of the PC and WRAP for this discussion.

alex