Benchmarking with iPerf3 and ipgen

The iPerf3 tool serves as a quick check to ensure that the network link is up and running close to expectations. As a simple passthrough device, we expect the Supermicro SuperServer E302-9D to achieve line-rates for 10G traffic across various interfaces. We do expect the rates to go down as more processing is added in the form of firewalling and NAT. Towards this, each tested mode is started off with an iPerf3 test. Following that, we perform the sweep of various packet sizes with the pkt-gen tool. In both cases, each 10G interface set is tested separately, followed by both sets simultaneously. After both sets of experiments, the L3 forwarding test using ipgen is performed from each of the three machines in the test setup. This section discusses only the iPerf3 and ipgen results. The former includes IPsec evaluation also.

iPerf3

Commands are executed on the source, sink, and DUT using the Conductor python package described in the testing methodology section. The setup steps on the DUT for each mode were described in the previous section. Only the source and sink [Run] phases are described here.

On the sink side, two servers are spawned and terminated after 3 minutes. The spawn and timeout prefixes are keywords specified by the Conductor package.
spawn0: cpuset -l 1,2 iperf3 -s -B 172.16.10.2 -p 5201
spawn1: cpuset -l 3,4 iperf3 -s -B 172.16.11.2 -p 5201
timeout180: sleep 180
step3: killall iperf3

On the source side, the first link is evaluated for 30s, followed by the second link. In the third iteration, the tests are spawned off for both links simultaneously.
spawn1: cpuset -l 1,2 iperf3 -c 172.16.10.2 -B 172.16.0.2 -P 4 -O 5 -t 35 --logfile /tmp/.1c.0.txt
timeout45: sleep 45
spawn3: cpuset -l 1,2 iperf3 -c 172.16.11.2 -B 172.16.1.2 -P 4 -O 5 -t 35 --logfile /tmp/.1c.1.txt
timeout46: sleep 45
spawn5: cpuset -l 1,2 iperf3 -c 172.16.10.2 -B 172.16.0.2 -P 4 -O 5 -t 35 --logfile /tmp/.2c.0.txt
spawn6: cpuset -l 3,4 iperf3 -c 172.16.11.2 -B 172.16.1.2 -P 4 -O 5 -t 35 --logfile /tmp/.2c.1.txt
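
The client runs above write their results to the `--logfile` paths. The following added example (not part of the original review or of the Conductor package) shows one way to pull the end-of-test bitrate out of such logs and combine the two concurrent links. It assumes iperf3's default human-readable output, since the commands do not request JSON; the function names and the sample log text are constructed for illustration.

```python
import re

# iperf3 end-of-test summary line, e.g.
# [SUM]   0.00-35.00  sec  38.3 GBytes  9.39 Gbits/sec        receiver
SUMMARY = re.compile(
    r"^\[\s*(?P<id>SUM|\d+)\]\s+[\d.]+-[\d.]+\s+sec\s+"
    r"[\d.]+\s+[KMGT]?Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec"
    r".*?\b(?P<role>sender|receiver)\s*$"
)
TO_GBPS = {"": 1e-9, "K": 1e-6, "M": 1e-3, "G": 1.0}

def summary_gbps(log_text, role="receiver"):
    """End-of-test bitrate in Gbps for one iperf3 client log (one run per file)."""
    total, streams = None, []
    for line in log_text.splitlines():
        m = SUMMARY.match(line.strip())
        if m is None or m["role"] != role:
            continue  # interval and "(omitted)" warm-up lines carry no role
        gbps = float(m["rate"]) * TO_GBPS[m["unit"]]
        if m["id"] == "SUM":
            total = gbps          # -P 4 prints an aggregate [SUM] line
        else:
            streams.append(gbps)  # per-stream summary lines
    if total is not None:
        return total
    if streams:
        return sum(streams)       # no [SUM] line: fall back to per-stream lines
    raise ValueError(f"no {role} summary found; test may have been cut short")

def dual_stream_gbps(logs, role="receiver"):
    """Per-link rates and their combined rate for logs captured concurrently."""
    rates = [summary_gbps(text, role) for text in logs]
    return rates, sum(rates)

# Constructed sample logs (not measurements from the review).
LINK0 = """\
[SUM]   0.00-1.00   sec  1.05 GBytes  9.02 Gbits/sec    0             (omitted)
[  5]   0.00-35.00  sec  9.20 GBytes  2.26 Gbits/sec    3             sender
[SUM]   0.00-35.00  sec  36.7 GBytes  9.01 Gbits/sec    9             sender
[SUM]   0.00-35.00  sec  36.7 GBytes  9.00 Gbits/sec                  receiver
"""
LINK1 = """\
[  5]   0.00-35.00  sec  1.50 GBytes   368 Mbits/sec                  receiver
[  7]   0.00-35.00  sec  1.52 GBytes   372 Mbits/sec                  receiver
"""

if __name__ == "__main__":
    print(dual_stream_gbps([LINK0, LINK1]))
```

A log that ends without a sender or receiver summary raises an error rather than reporting a partial figure, which matters here because the sink kills its servers on a fixed timer.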

The table below presents the bandwidth numbers obtained in various modes. The interfaces specified in the headers refer to the ones in the DUT.

Supermicro E302-9D as pfSense Firewall - iPerf3 Benchmark (Gbps)
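| Mode | Single Stream: ixl2 - ixl0 | Single Stream: ixl3 - ixl1 | Dual Stream: ixl2 - ixl0 | Dual Stream: ixl3 - ixl1 |
|---|---|---|---|---|
| Router | 9.40 | 9.41 | 8.77 | 8.67 |
| PF (No Filters) | 6.99 | 6.96 | 6.50 | 6.98 |
| PF (Default Ruleset) | 5.43 | 5.81 | 4.22 | 5.69 |
| PF (NAT Mode) | 7.89 | 6.99 | 4.49 | 6.06 |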

Line rates are obtained in the plain router mode. Enabling packet filtering lowers the performance, as expected, with more rules resulting in slightly lower performance. The NAT mode doesn't exhibit much performance loss compared to the plain PF mode, but multiple streams on different interfaces needing NAT at the same time does bring the performance down more compared to the PF (No Filters) mode.

IPsec Testing using iPerf3

IPsec testing also involves a similar set of scripts, except that only the ixl2 and ixl3 interfaces of the DUT are involved. The table below presents the iPerf3 bandwidth numbers for various tested combinations of encryption and authentication algorithms. The running of the iPerf3 server on the DUT itself may result in lower than actual performance - however, the comparison against the baseline case under similar conditions can still be made.

Supermicro E302-9D as pfSense Firewall - IPsec iPerf3 Benchmark (Mbps)
| Algorithm | Single Stream: (Src)ixl2 - (DUT)ixl2 | Single Stream: (Src)ixl3 - (DUT)ixl3 | Dual Stream: (Src)ixl2 - (DUT)ixl2 | Dual Stream: (Src)ixl3 - (DUT)ixl3 |
|---|---|---|---|---|
| Baseline (No IPsec) | 5140 | 7450 | 3020 | 4880 |
| 3des-hmac-md5 | 119 | 118 | 61.3 | 75.2 |
| aes-cbc-sha | 374 | 373 | 236 | 238 |
| aes-hmac-sha2-256 | 377 | 376 | 235 | 212 |
| aes-hmac-sha2-512 | 433 | 430 | 259 | 280 |

The above numbers are low compared to the line-rate, but closely match the results uploaded to the repository specified in the AsiaBSDCon 2015 network performance evaluation paper for a much more powerful system. Given the 60W TDP nature of the SoC and the passively cooled configuration, coupled with the absence of QuickAssist in the SKU, the numbers are passable. It must also be noted that this is essentially an out-of-the-box benchmark number, and optimizations could extract more performance out of the system (an interesting endeavour for the homelab enthusiast).

L3 Forwarding Test with ipgen

The ipgen L3 forwarding test is executed on a single machine with two of its interfaces connected to the DUT. In the evaluation testbed, this condition is satisfied by the source, sink, and the conductor as well. The ipgen tool supports scripting of a sweep of packet and transmission bandwidth combinations. The script is provided to the tool using a command of the following form:
ipgen -T ${TxIntf},${TxGatewayIP},${TxSubnet} -R ${RxIntf},${RxGatewayIP},${RxSubnet} -S $ScriptToRun -L $LogFN
where the arguments refer to the transmitter interface, the IP of the gateway to which the interface connects, and its subnet specifications, along with a similar set for the receiver interface.

[Figure: L3 Forwarding Benchmark (ipgen) with the Xeon D-2123IT (Source)]

[Figure: L3 Forwarding Benchmark (ipgen) with the Xeon D-1540 (Sink)]

[Figure: L3 Forwarding Benchmark (ipgen) with the AMD A10 Micro-6700T (Conductor)]

Twelve distinct runs were processed, once in each of the four tested modes for each of the machines connected to the DUT. As mentioned earlier, these numbers are likely limited by the capabilities of the source (as in the case of the Compulab fitlet-XA10-LAN), but the other two machines present some interesting results that corroborate the results observed in the iPerf3 and pkt-gen benchmarks. In general, increasing the number of rules seems to noticeably affect the performance. Enabling NAT, on the other hand, doesn't have such a discernible impact compared to other configurations with a similar number of rules to process.


34 Comments


  • GreenReaper - Tuesday, July 28, 2020

    The D-1541 only gets ~160% of the performance, that is - under ideal conditions. In practice we tend to average one to two core usage; and scaling for DB operations falls off after four, so the D-1521 may have been the faster CPU for us. (It also meant it was cheaper, yet came with NVMe SSD.)
  • herozeros - Saturday, August 1, 2020

    Had no idea on the price jump on SoC with quickassist, question answered thoroughly, cheers!
  • TrevorH - Tuesday, July 28, 2020

    I notice that it does have an HTML5 remote console so it's not locked to java for that.
  • GreenReaper - Tuesday, July 28, 2020

    I'd love one of these under my desk to go with my HP MicroServer Gen8. Can't justify it, of course, but maybe in a few years they'll end up available at clearance prices or on the second-hand market.
  • Foeketijn - Wednesday, July 29, 2020

    I am hoping for a ryzen gen 11. So far I've skipped the gen 10.
    Microserver without IPMI/iLo. That's just silly.
  • Spunjji - Wednesday, July 29, 2020

    +1 on that. Don't even care if it's Zen 1 or Zen+ for cost reasons - seems like the perfect fit.

    Raven Ridge would also be a solid option.
  • hrana - Tuesday, July 28, 2020

    Great review but I need some context with your testing methodology. How do the 8C, 12C, and 16C variants perform? If I want a 10G router for everything except IPsec, what do I need today in terms of hardware today for pfsense? Some say pf has its own limitations such that throwing hardware at it is not successful. It would be good if your team could help us better understand using the above methodology.
  • Bp_968 - Tuesday, July 28, 2020

    I wasn't terribly impressed with PFsense. It was blocking my own website (hosted on godaddy at the time and running WordPress) and was blocking it without any explanation or reasonable way to stop blocking it. I dropped by the forums and tried to get some help and instead got 3 pages of tinfoil hat paranoia about how I was probably a Russian hacker trying to take over their machines through the forum. This is the official pfsense forum btw... one guy finally decided I wasn't smart enough to be a Russian hacker and then more or less threw his hands up saying sometimes it doesn't like certain types of traffic/websites/etc but hopefully it will get fixed in the future.

    It finally was fixed, by a Ubiquiti edgerouter.
  • ruthan - Wednesday, July 29, 2020

    Can someone explain to me why to pay $1500 for an overpriced network switch with just 2 x 10 Gb/s ports? What is wrong with classic networking hardware - standalone boxes?
  • PeachNCream - Wednesday, July 29, 2020

    There's flexibility to do more with this system than merely act as a network switch since it's running general purpose hardware. Is that worth $1500 if all you need is a switch? Of course not - go buy a switch and save some money.
