Archive for August, 2009

IPCop and pfSense

Friday, August 7th, 2009

I recently decided to replace my Netgear FVX538 Modem / Router with a PC based firewall / router. The Netgear keeps crashing, dropping the ADSL link, and “forgetting” the WiFi password on reset. I’ve tried upgrading the firmware, and nothing seems to make it any better.

Anyway, the two PC distributions I decided to deploy for testing on real hardware were IPCop (1.4.20) and pfSense (1.2.2). pfSense is incredibly slick and full featured. It really is an enterprise firewall OS in my view. The reporting options are great, and making changes / advanced configuration is sensible and easy (relative to the difficulty of performing the same changes on a normal *nix OS or a consumer firewall / modem device).

IPCop lacks a bunch of the features of pfSense, but none that affect me. The main difference is in the web interface. It’s just not as nice. It’s a little sloppier to use, and it looks a lot sloppier. It’s not terribly ugly, but it doesn’t look like something that would be produced by a commercial outfit, while pfSense does. The IPCop interface is relatively easy to edit though, it’s mainly just CGI files and a single CSS file.

There are a couple of other major function differences between the two distributions however. Firstly, pfSense is FreeBSD based (actually, based on m0n0wall), and IPCop is Linux based. I’m sure that’s the result of the practical differences that I found. What I’m talking about is the hardware support offered by the two operating systems. I had *a lot* of trouble getting pfSense to even boot from CD on Pentium hardware. Pentium 2 hardware was ok however. Even Pentium 1 MMX chips failed though. I’m sure it’s a mainboard problem, as I’ve experienced the same issues with FreeBSD as well. Basically, some sort of incompatibility with the mainboard chipset causes the bootloader to fail to boot. Sometimes an immediate reset occurs, sometimes it crashes, and sometimes it fails with an error message. I tried more than half a dozen board / CPU combinations for Pentium grade hardware, and none worked with pfSense. Additionally, pfSense refused to acknowledge the presence of my Realtek chipset cards. I understand that they are cheap cards and will not offer the performance of a 3Com or Intel Pro card, but to not detect at all? That’s weird. FreeBSD has support for them, but it’s as if the kernel that pfSense compiled for their OS doesn’t include it. Weird.

I only tried IPCop on 2 Pentium grade systems, because that’s all I needed to try it on. I tried on a P120 and it failed to boot. I then tried it on a P90 and it worked fine. The system has a lot of RAM for a Pentium, 96MB, but it was nice to see it boot!

As to the performance, pfSense complains about having less than 128MB of RAM, and quite rightly so. It eats 64MB without doing anything. It also spikes my Pentium 2 350 CPU up to 80% load without network traffic. By spike, I mean when the OS is doing “housekeeping” activities.

On the Pentium 90 with IPCop, RAM usage didn’t exceed 32MB when not under network load, and the CPU didn’t exceed 20% usage without load. That’s a big difference; the numbers are smaller even on a ratio, so they are *much* smaller when taking into account the fact that it was running on a system that is 4x slower than the pfSense system.

What about stats for operating with load? I don’t know; I already decided to go with pfSense. Yes, it needs more hardware resources, and is more fussy, but it *is* better. I’m tired of compromising with routers. I’ve been through about 8 routers in the past 10 years, and I’m just tired. I’m 95% confident I can do everything I need to in pfSense right now, and have future support in it. With IPCop, I can probably do what I want in it now, but I’m not confident about future support, and I don’t like using the web interface.

PCI GFX FTW!

Thursday, August 6th, 2009

I recently redeployed my main desktop computer to be a virtualisation hub. I’m going to run a headless VirtualBox setup on Ubuntu with it. It’ll only be using CLI. At the moment the specs of the desktop are:

  • 3G DDR2
  • 2.66GHz Core2Duo
  • Asus P5K
  • ATI Radeon 2900XT

Now, when idle, Core2Duo’s are quite power efficient. And I’m going to be merging 3 physical boxes into this one, but none of them do continuous work (hence why I’m merging them). For some reason, when sitting idle (I haven’t installed the real OS yet, it’s just a testing version of Debian Lenny on there with no services), the machine was still spewing out heat.
It turns out that even on a CLI, the Radeon card gets quite toasty. I mean, not hot by gaming standards, but hot compared to say, an entry level card. I happened to have an entry level card around: an ATI X1300. So I thought, I’ll quickly swap them out, ensure that it was indeed the GFX card, and go merrily on my way. No such luck. The X1300 was a dud. Sometimes the PC would get to the POST if I wiggled the card, only to complain that it didn’t have a card, and other times it just wouldn’t POST at all.
Now, this is a 2008 model system. I mean, it’s early 2008, but it was top of the line. But it has PCI cards. And I figured I had a TNT2 PCI version around somewhere, or something. The “or something” turned out to be a generic PCI card. I also had an S3 Trident, but I wanted to see if the generic card worked. It looked older than the S3. That means it’s about 20 years old now. I didn’t even know if recent motherboards are able to detect and boot with a PCI graphics card only. I do now. They can. Mine did. Sweeeet! It makes _no heat_. There’s not even a heat sink on the card. It doesn’t display the BIOS graphics splash screen properly (the whole “powered by Intel” image), but it displays the actual text fine, BIOS is fine, the VESA image is fine (i.e. the Linux boot splash screen). It’s so cool. It also takes up a fraction of the space that the 2900XT did.

Now my system runs cool and uses less power, I’m happy[ier] :)

Site Update: New Database

Wednesday, August 5th, 2009

The site has been (semi) offline for a couple of days now. I took the database server that drives the site down because I’m virtualizing a lot of my infrastructure. Because it took longer than I thought it would to get everything back online, only cached pages were being served. The cache eventually times out and requires regeneration from the database, which it couldn’t do, and returned error 500 pages! Anyway, the new (virtualized) database server is up, so the site is back online :D

SCP With No Encryption: Why Not?

Tuesday, August 4th, 2009

I’ve read lots of forum posts recently where someone asks how to turn encryption off for an SSH session; specifically for an SCP transfer. Every one I’ve seen has been flamed for asking this. One common response I see is:

“the encryption doesn’t take up enough of the CPU to warrant the kind of exposure on a modern CPU, you’re probably I/O limited anyway”

GARBAGE. On my Via C3 Nehemiah @ 900MHz (it’s a 1.2GHz chip in a 100MHz FSB capable motherboard, hence the slowed clock), my CPU taps out at 3.7MB/s on a 100Mb/s network. And it taps out on the SSH daemon, not the I/O time. Using NFS I can pull 9 to 10MB/s at CPU tap-out. Encrypting at wire speed DOES take up significant CPU time. Normal SSH terminal connections, sure, negligible. Bulk SCP connections, it’s real. Just take a look at the performance measurements taken on a Via C3 on this Linux / Via Padlock OpenSSH enabling tutorial.

Modern distributions of Linux (i.e. kernel 2.6.27+ based) seem to have patched OpenSSH (and hence the SSHD) to use the hardware encryption on the Via chip (Padlock), and I can pull 9-10MB/s at CPU tap-out on that with SCP. A P3 733MHz also taps out at 3.5MB/s with the same Linux (Ubuntu) though, so it’s definitely the software being optimized for the Via chip.

At the end of the day though, on my local LAN (wired), I don’t really care about the encryption of the file transfer. What I care about is the ubiquity of the SSH protocol. I’m also the only one using it to access files, so I’m not using it to replace NFS, I’m just using it to access my private files (which are sometimes quite large) using the already-configured ACL (PAM). Why can’t I disable the encryption for the SSH data transfer in V2? Sigh.
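As an added example (not from the original post), here is a POSIX shell script that measures what each SSH cipher actually delivers over a link, so that a CPU-bound cipher can be swapped with scp -c rather than encryption being dropped. It assumes a host named in SSH_BENCH_HOST with key-based login and a 100Mb/s link unless LINK_MBPS is set.

```shell
#!/bin/sh
# Added example, not part of the original post: find out whether a given SSH
# cipher is the bottleneck on a link, and which cipher to hand to scp -c.
# Assumptions: SSH_BENCH_HOST names a host with key-based login; the link is
# 100 Mb/s unless LINK_MBPS says otherwise.

# Integer MB/s from bytes transferred and elapsed seconds.
mb_per_sec() {
    awk -v b="$1" -v s="$2" 'BEGIN { printf "%d\n", (b / s) / 1048576 }'
}

# Integer MB/s that a link of $1 Mb/s can carry at most (bits to bytes).
wire_mb_per_sec() {
    awk -v m="$1" 'BEGIN { printf "%d\n", m / 8 }'
}

# "wire" when a measured rate ($1, MB/s) reaches the link ($2, Mb/s) limit,
# "cpu-bound" when the cipher cannot keep up with the wire.
bottleneck() {
    if [ "$1" -ge "$(wire_mb_per_sec "$2")" ]; then echo wire; else echo cpu-bound; fi
}

# Send $3 MiB of zeros through ssh with cipher $2 to host $1 and report MB/s.
# Returns 1 when the server rejects the cipher (ssh's status ends the pipeline).
bench_cipher() {
    mib=$3
    start=$(date +%s)
    dd if=/dev/zero bs=1048576 count="$mib" 2>/dev/null |
        ssh -c "$2" "$1" 'cat >/dev/null' 2>/dev/null || return 1
    secs=$(( $(date +%s) - start ))
    [ "$secs" -gt 0 ] || secs=1          # whole-second clock; avoid divide by zero
    mb_per_sec $(( mib * 1048576 )) "$secs"
}

if [ -n "${SSH_BENCH_HOST:-}" ]; then
    link=${LINK_MBPS:-100}
    printf 'link limit: %d MB/s\n' "$(wire_mb_per_sec "$link")"
    for c in $(ssh -Q cipher); do          # every cipher this client offers
        rate=$(bench_cipher "$SSH_BENCH_HOST" "$c" 64) || continue
        printf '%-28s %4d MB/s  %s\n' "$c" "$rate" "$(bottleneck "$rate" "$link")"
    done
fi
```

A cipher that reports "wire" is not the bottleneck; one that reports "cpu-bound" is, and the fastest of those (on a Via C3 with Padlock, an AES mode) is the one worth naming in scp -c.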

Debian Crontab Fun

Saturday, August 1st, 2009

I have a couple of entries that I added into my system crontab file a while back that I noticed immediately working. I’ve been running the command manually for a while because I couldn’t be bothered investigating. When I did sit down to investigate, I found that running:

crontab /etc/crontab

Makes crontab echo the output to STDOUT. Including errors. It’s kind of annoying how those errors don’t appear in my system message log normally, but at least I found the error! The error - what looked like word wrap wasn’t, and so crontab was seeing a syntax error ;)
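As an added example (not the author's), a POSIX shell linter for crontab files that checks field counts (which differ between /etc/crontab and a per-user crontab) and time-field syntax before anything is installed, so a wrapped command line like the one above shows up as a one-field line. Note that crontab /etc/crontab, besides reporting errors, installs that file as the calling user's own crontab; the linter below only reads it.

```shell
#!/bin/sh
# Added example, not from the original post: lint a crontab file without
# installing it. $1 = file; $2 = "system" (/etc/crontab: 5 time fields, user,
# command) or "user" (5 time fields, command). Prints each problem with its
# line number and returns 1 if any were found.
check_crontab() {
    if [ "$2" = system ]; then min=7; else min=6; fi
    awk -v min="$min" '
        /^[ \t]*(#|$)/ { next }                               # blank or comment
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }       # NAME=value
        /^[ \t]*@(reboot|yearly|annually|monthly|weekly|daily|hourly)/ { next }
        NF < min {
            printf "%s:%d: %d field(s), expected at least %d: %s\n", FILENAME, NR, NF, min, $0
            bad++; next
        }
        {
            # The five time fields may only hold digits, * , / - or month/day names.
            for (i = 1; i <= 5; i++)
                if ($i !~ /^[0-9*,\/-]+$/ && $i !~ /^[A-Za-z,-]+$/) {
                    printf "%s:%d: bad time field %d: %s\n", FILENAME, NR, i, $i
                    bad++; break
                }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample (not a real crontab) with a command wrapped onto a
# second line, the mistake the post describes; run with no arguments to see it.
demo_crontab() {
    f=$(mktemp)
    printf '%s\n' 'SHELL=/bin/sh' '0 3 * * * root /usr/bin/backup --all' \
        '0 4 * * Mon-Fri root /usr/bin/report' '--weekly' > "$f"
    check_crontab "$f" system || echo "(errors found, as expected for the sample)"
    rm -f "$f"
}

if [ $# -eq 0 ]; then demo_crontab; else check_crontab "$1" "${2:-user}"; fi
```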