| Performance leaks with passive network interface cards |
| # Performance leaks with passive network interface cards |
| A similar questions repeats always again in the IPFire forum, what hardware we would recommend, or whether a described hardware are enough for IPFire´s requirements. |
| Mostly all are thinking of processor speed, memory, disk space and speed and in terms of network cards the thoughts are hanging mostly around the maximum transfer speed thus a card have 100 MBit/s or 1000 MBit/s. |
| Mostly all are thinking of processor speed, memory, disk space and speed and in terms of network cards the thoughts are hanging mostly around the maximum transfer speed thus a card have **100 MBit/s** or **1000 MBit/s**. |
| Rare enough someone thinks about whether it is a active or passive network card. Therefore, I dedicate my time today to go for this theme. |
| I do not want to take this opportunity to sink into deep technical details but a briefly description for the difference between active and passive network card types should takes place in here, also the impact on the overall system should be mentioned. |
| So the general question: What is a passive network card ? |
| ## So the general question: What is a passive network card ? |
| A passive network card do not have an own controller, therefor all administrative tasks have to be done over the system CPU. |
| For this purpose hard- and software interrupts will be triggered. |
| This can be imagine as a system break. During this period the upcoming tasks can´t be done by the system cause the task executes the device that triggered the interrupt, in our case the network card. |
| An active network card has its own controller, and can perform administrative tasks by itself. The advantage it obvious: There are considerably fewer interrupts triggered and the system can take care of other tasks. |
| Unfortunately this process are normally not recognized, cause always the CPU workload are reviewed. But interrupts doesn't assigned to a process and therefor they aren´t visible as a CPU load factor. |
| So it may happen that in a system, the CPU running low at only 10% but a system utilization of 60% prevails. |
| So it may happen that in a system, the CPU running low at only **10%** but a system utilization of **60%** prevails. |
| So to illustrate this, here´s a little example: |
| ## So to illustrate this, here´s a little example |
| There is a weak power system with two passive network cards, for example an Intel Celeron 600 Mhz. Then I install a IPFire. |
| My ISP provides me a VDSL50 line. |
| Without activating additional services the network speed will be proofed. |
| The full download bandwidth of 50 MBit/s are exhausted (~ 5,5 MByte/s) with only about 5-10 % CPU consumption. On a closer inspection there are recognized 35-50 % hard- and software interrupts. |
| The full download bandwidth of 50 MBit/s are exhausted (~ **5,5 MByte/s**) with only about **5-10%** CPU consumption. On a closer inspection there are recognized **35-50%** hard- and software interrupts. |
| Now the Squid proxy server will be additionally activated. |
| Can´t believe my eyes, the download bandwidth goes down to 35-40 MBit/s (~ 4,0 MByte/s). The CPU consumption amounts to 99,9 %. |
| Can´t believe my eyes, the download bandwidth goes down to **35-40 MBit/s** (~ **4,0 MByte/s**). The CPU consumption amounts to **99,9%**. |
| The whole system load (99,9 %) belongs to Squid. By a closer view this aren´t correct cause there is also a interrupt from 35-50 %. |
| The whole system load (**99,9%**) belongs to Squid. By a closer view this aren´t correct cause there is also a interrupt from **35-50%**. |
| Now it will be quiet clear that the system load aren´t the CPU load. Naturally a system have only 100 % available resources not 150 %. |
| Now it will be quiet clear that the system load aren´t the CPU load. Naturally a system have only **100%** available resources not **150%**. |
| So the question is, what does us say now 99,9% load factor really ? This tell us the Squid arrogates 99.9% of the available CPU time. |
| So the question is, what does us say now **99,9%** load factor really ? This tell us the Squid arrogates **99.9%** of the available CPU time. |
| There are now two possibilities: Either the CPU will be changed against a quiet quicker one or the interrupts will be reduced and become in that way more CPU time. |
| So I replace one passive of the two network cards against a active and benchmark them again. |
| The interrupts have been reduced significantly to 20-30%. |
| The interrupts have been reduced significantly to **20-30%**. |
| As a result I now have a download rate of about 5.0 MBytes/s. The CPU usage amounts to 99.9%. |
| As a result I now have a download rate of about **5.0 MBytes/s**. The CPU usage amounts to **99.9%**. |
| Unfortunately my test system gives only the opportunity to change one network card cause the other is a onboard card. Therefore, I can not repeat the test with two active network cards. However, I can say from experience with two active network cards the interrupts are less than 5%. |
| Unfortunately my test system gives only the opportunity to change one network card cause the other is a onboard card. Therefore, I can not repeat the test with two active network cards. However, I can say from experience with two active network cards the interrupts are less than **5%**. |
| Thus even a Celeron with 600 Mhz would be enough for a VDSL50-line and an enabled Squid without speed loss. |
| Again a short review of the facts: |
| ### Again a short review of the facts |
| Download rate without Squid and two passive network cards: 5,5 MBytes/s . |
| Download rate without Squid and two passive network cards: **5,5 MBytes/s** . |
| Download rate with Squid and 2 passive network cards : 4,0 MBytes/s . |
| Download rate with Squid and 2 passive network cards : **4,0 MBytes/s** . |
| Download rate with Squid and one active and one passive network card : 5,0 MByte/s . |
| Download rate with Squid and one active and one passive network card : **5,0 MByte/s** . |
| I hope this little example makes the importance of the quality of the network card in a firewall system clear. |
| Finally, a few examples of active and passive network cards. |
| ### Finally, a few examples of active and passive network cards |
| Realtek 8139 (100 MBit/s): passiv |
| * Realtek 8139 (100 MBit/s): passiv |
| Realtek 8110 (1 GBit/s): passiv |
| * Realtek 8110 (1 GBit/s): passiv |
| Realtek 8169 (1 GBit/s): passiv |
| * Realtek 8169 (1 GBit/s): passiv |
| Via Rhine II (100 MBit/s) : passiv |
| * Via Rhine II (100 MBit/s) : passiv |
| * |
| 3Com 3c905B-TX (100 MBit/s) : activ |
| * 3Com 3c905B-TX (100 MBit/s) : activ |
| 3Com 3c590 (100 MBit/s) : activ |
| * 3Com 3c590 (100 MBit/s) : activ |
| Intel Pro100VE (100 MBit/s) : activ |
| * Intel Pro100VE (100 MBit/s) : activ |
| Intel Pro1000 (1 GBit/s) : activ |
| * Intel Pro1000 (1 GBit/s) : activ |