# Athlon64 or Sempron (754)

## decay

hey

i currently have a pretty big LAN and the server that acts as a GW for this lan doesn't seem to sustain the huge amount of traffic that goes through it.

It drops large amounts of packets, sometimes ppl on this LAN have a big ping reply, etc. etc.

So i've decided to upgrade the server and i've done some research and i now want to go for a socket 754 processor.

The thing is now that the price difference between the Sempron 3100+ and the Athlon64 2800+ is only about 6USD but i really don't find a solid reason to get the A64 (i don't need a big processing speed and i don't think that a 64bit cpu can make a difference based on the purpose for this server)

Again this machine will be used for routing purposes and an eventual apache server..

Other HW components:

MB1 : K8N Nforce3 250 or

MB2 : DFI-K8M800-MLVF (chipset VIAK8M800) <- this one has a 1000 Mb/s NIC

RAM 512DDR 400

HDD WD-80JB

NICs: Intel® PRO/1000 MT or Intel® PRO/100M (don't know yet)

i will be grateful for any suggestions and comments

----------

## Jake

Before investing in a new CPU, I'd look into running FreeBSD and question my NIC quality. Another possibility is that you're running out of RAM for stateful connection tracking.

Intel cards are definitely good on open-source OSs. Intel wrote the Linux and FreeBSD drivers. Also, I've read that it's worth using gigabit cards even if you don't have gigabit throughput because the hardware is better. In your case you might want the server version of the Intel cards, which supposedly do even more in hardware rather than on your CPU.

I don't know about 64 vs. 32-bit, except if you were to use encryption (SSL or VPN) or compression (mod_gzip), in which case 64-bit is worth at least $6 more than 32-bit!

----------

## ewan.paton

you're thinking of cheaping out for $6; i think the minimum i'd need to save to override the future proofing would be like $50. if nothing else the extra cache and performance of the encryption registers make them worthwhile

----------

## decay

oh no .. i wasn't thinking of cheaping out on that kind of money .... i was just curious if there will be a difference between those CPUs based on my needs ...

i am cheaping out on the NICs though .. i really can't afford the server version of the Intel cards. I will though go for the 1000Mb/s ones just as Jake said (thx for the tip dude); there is indeed a difference between the 100 and the 1000mb/s models .. even when the 1000 one is running in a 100 network.

And btw .. i've found this too http://www.hipac.org/index.htm ... 

Anyone used this yet ??

----------

## Jake

HiPAC looks good for long rulesets, but not much else unless I missed something.

If my original post wasn't clear, I recommend investigating the following, in order:

1. configuration (rulesets, Rx polling, sysctl variables)

2. software (2.4 vs. 2.6, HiPAC, *BSD)

3. NICs (Realtek vs. Intel, gigabit vs. 10/100)

4. other hardware (CPU, RAM, PCI vs. PCI-X)

If you have cheap NICs like Realteks, I'd swap 2 and 3.

1-3 might be enough to save you the cost of a new CPU, mobo, and possibly RAM. I'm no expert on this sort of thing, but if you post the details of your current configuration, we might be able to get to the bottom of your performance problem. You might want to try flood pinging and FTPing large files while watching CPU usage as tests of NIC quality.
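A small check script for items 1 and 3 of the list above (added here as an example; it is not from the thread). It separates NIC-level drops, which a 2.4 kernel reports per interface in /proc/net/dev, from a full connection-tracking table, read from /proc/net/ip_conntrack against /proc/sys/net/ipv4/ip_conntrack_max. The /proc/net/dev text it is run on at the bottom is constructed, not captured from anyone's router.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Parses the counters a Linux
# 2.4 router exposes in /proc so NIC drops and conntrack exhaustion can be
# told apart from drops caused by the firewall rules themselves.

# iface_drops NAME  <  /proc/net/dev
# Prints: "NAME rx_packets rx_drop tx_packets tx_drop"
iface_drops() {
    awk -v want="$1" '
        # data lines look like: "  eth0: <bytes> <packets> <errs> <drop> ..."
        $0 ~ /:/ {
            split($0, parts, ":")
            iface = parts[1]; gsub(/^ +| +$/, "", iface)
            if (iface != want) next
            split(parts[2], f, " ")
            # receive: bytes packets errs drop ...; transmit starts at field 9
            printf "%s %s %s %s %s\n", iface, f[2], f[4], f[10], f[12]
        }'
}

# conntrack_pct CURRENT MAX -> percentage of the conntrack table in use
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Live report on a 2.4 box; each part is skipped if its /proc file is missing.
report() {
    for dev in eth0 eth1; do
        [ -r /proc/net/dev ] && iface_drops "$dev" < /proc/net/dev
    done
    if [ -r /proc/net/ip_conntrack ] && [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        cur=$(wc -l < /proc/net/ip_conntrack)
        max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
        echo "conntrack $cur/$max ($(conntrack_pct "$cur" "$max")%)"
    fi
}

# Constructed sample of /proc/net/dev (not from the poster's machine):
# eth0 has dropped 4000 of 120000 received packets, eth1 300 on transmit.
SAMPLE_DEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth0: 9876543  120000    0 4000    0     0          0         0  1234567   80000    0    0    0     0       0          0
  eth1: 5555555   90000   12    0    0     0          0         0  7777777  150000    0  300    0     0       0          0'

printf '%s\n' "$SAMPLE_DEV" | iface_drops eth0
printf '%s\n' "$SAMPLE_DEV" | iface_drops eth1
echo "sample conntrack 7000/8192 ($(conntrack_pct 7000 8192)%)"
```

Run `report` on the router itself; a rising rx_drop on the LAN-facing interface points at the NIC or its driver, while a conntrack percentage near 100 means the table, not the CPU, is what needs growing.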

----------

## decay

my current config is as follows:

P3 450MHz 

RAM 192 SDRAM (of course)

HDD 40Gb Seagate ATA 100

1 Intel NIC 10/100 (e100)

1 RTL8139 NIC 10/100 (i know it is a low performance interface, but i have dropping on the intel interface which is facing the LAN part of the network)

kernel 2.4.26 

linux Debian 3.0 woody

HTB as limit manager ?! (htb config posted below)

iptables firewall (posted below)

apache server (for redirecting local users on it when they don't pay up the monthly fee)

squid (proxy) - i've installed it about 3 weeks ago ... but i have had the problems since the network passed the 50 user limit

this is it .. the hw / sw part .. now for the scripts 

firewall:

```
#!/bin/sh

IPTABLES="/sbin/iptables"
DROP="/etc/init.d/drop"

#reset the default policies in the filter table.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#reset the default policies in the mangle table.
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#flush all the rules in the filter, nat and mangle tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#erase all chains that are not default in the filter, nat and mangle tables.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#Internet Interface
INET_IP="81.181.142.66"
INET_IFACE="eth0"
INET_BROADCAST="81.181.142.127"

#Local Area Network configuration.
LAN_IP="10.0.0.1"
LAN_IP_RANGE="10.0.0.0/24"
LAN_IFACE="eth1"

#LO Configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#Module loading.
/sbin/depmod -a
#/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

###########################################################################
#/proc set up.
echo "1" > /proc/sys/net/ipv4/ip_forward

#INPUT chain
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

###Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#FORWARD chain
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#OUTPUT chain
##Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

#FORWARD chain
#client 1 (MAC and public address redacted with stars in the post)
$IPTABLES -A FORWARD -s 10.0.0.2 -m mac --mac-source *:*:*:*:*:* -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.0.0.2/32 -j SNAT --to-source 81.181.*.*
#$IPTABLES -t nat -A PREROUTING -s 10.0.0.2 -p tcp -j DNAT --to 10.0.0.1:80

#client 2
$IPTABLES -A FORWARD -s 10.0.0.3 -m mac --mac-source *:*:*:*:*:* -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.0.0.3/32 -j SNAT --to-source 81.181.*.*
#$IPTABLES -t nat -A PREROUTING -s 10.0.0.3 -p tcp -j DNAT --to 10.0.0.1:80

#and so on .... until client 80, let's say

$IPTABLES -A FORWARD -s 10.0.0.0/24 -j DROP
$IPTABLES -t nat -A POSTROUTING -s 10.0.0.0/24 -j DROP

$DROP
```

the DROP script:

```
#!/bin/sh

IPTABLES="/sbin/iptables"

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# the posted script wrote 1 into the next two; a router should not honour
# source-routed packets or ICMP redirects, so the hardening value is 0
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# ports blocked for both tcp and udp
PORT="0 1 13 98 111 137 138 139 161 162 1214 1999 2049 3049 4329 6346 8000 8008 12345 65535 135 445 5554"
# tcp-only and udp-only additions
TCP="$PORT 98 512:515 1080 6000:6009 6112 4444"
UDP="$PORT 138 139 137 161 162 520 517 518 1427 9000 1434 69"

echo 'Blocking some ports'

for p in $TCP
do
  $IPTABLES -A INPUT -p tcp --dport $p -j DROP
  $IPTABLES -A OUTPUT -p tcp --dport $p -j DROP
  $IPTABLES -A FORWARD -p tcp --dport $p -j DROP
done

for i in $UDP
do
  $IPTABLES -A INPUT -p udp --dport $i -j DROP
  $IPTABLES -A OUTPUT -p udp --dport $i -j DROP
  $IPTABLES -A FORWARD -p udp --dport $i -j DROP
done

echo 'done'
```

the HTB script:

```
#!/bin/bash

u32="filter add dev eth1 protocol ip parent 1:0 prio 1 u32"

echo Delete previous root qdisc
tc qdisc del dev eth1 root > /dev/null 2>&1

echo Add root qdisc
tc qdisc add dev eth1 root handle 1: htb default 500

echo Add root class 1:1 rate 100Mbit
tc class add dev eth1 parent 1: classid 1:1 htb rate 100Mbit quantum 1500

echo Add Servers class 1:2 rate 100Mbit
tc class add dev eth1 parent 1:1 classid 1:2 htb rate 100Mbit quantum 1500
tc filter add dev eth1 parent 1:0 protocol ip prio 3 u32 match ip tos 0x10 0xff flowid 1:2
tc filter add dev eth1 protocol ip parent 1:0 prio 3 u32 match ip src 10.0.0.1/32 flowid 1:2
tc filter add dev eth1 protocol ip parent 1:0 prio 3 u32 match ip src 81.181.142.66/32 flowid 1:2

#minimum delay && icmp
tc filter add dev eth1 parent 1:0 protocol ip prio 2 u32 match ip protocol 1 0xff flowid 1:2

echo Add Internet class 1:9 rate 512kbit
tc class add dev eth1 parent 1:1 classid 1:9 htb rate 400kbit ceil 512kbit quantum 1500

echo Add default class 1:500 rate 1kbit
tc class add dev eth1 parent 1:1 classid 1:500 htb rate 1kbit ceil 1kbit quantum 1500

echo clasa - clienti 10
tc class add dev eth1 parent 1:9 classid 1:10 htb rate 24kbit ceil 64kbit quantum 1500

# per-client rates and public addresses are redacted with stars in the post
echo adaug clasa 1:11 rata 16 kbit pentru client1
tc class add dev eth1 parent 1:10 classid 1:11 htb rate *kbit ceil *kbit quantum 1500
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip dst 10.0.0.2/32 classid 1:11
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip src 10.0.0.2/32 classid 1:11
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip dst 81.181.*.*/32 classid 1:11
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip src 81.181.*.*/32 classid 1:11
tc qdisc add dev eth1 parent 1:11 handle 11: sfq perturb 10

echo adaug clasa 1:12 rata 16 kbit pentru client2
tc class add dev eth1 parent 1:10 classid 1:12 htb rate *kbit ceil *kbit quantum 1500
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip dst 10.0.0.3/32 classid 1:12
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip src 10.0.0.3/32 classid 1:12
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip dst 81.181.*.*/32 classid 1:12
tc filter add dev eth1 protocol ip parent 1:0 prio 6 u32 match ip src 81.181.*.*/32 classid 1:12
tc qdisc add dev eth1 parent 1:12 handle 12: sfq perturb 10

# and so on ....
```

i have created classes in which i have 5 clients each ...

for example: class 1:10 has clients 1:11 1:12 1:13 1:14 1:15

then comes the next class 1:20 .. which has 1:21 1:22 1:23 1:24 1:25

and so on...

this is all the stuff i have on that machine ... and it does not work .. i'm getting drops; every 3-4 packets i have 1 packet dropped:

```
Jan  7 11:50:25 is5 kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=81.196.160.139 DST=10.0.0.9 LEN=1500 TOS=0x00 PREC=0x00 TTL=122 ID=16478 DF PROTO=TCP SPT=2111 DPT=1059 WINDOW=63990 RES=0x00 ACK PSH URGP=0
Jan  7 11:50:34 is5 kernel: IPT INPUT packet died: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:2e:20:50:55:08:00 SRC=10.0.0.29 DST=10.0.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=3016 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan  7 11:50:45 is5 kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=212.93.137.130 DST=10.0.0.7 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=27016 DPT=27005 LEN=24
Jan  7 11:50:46 is5 kernel: IPT OUTPUT packet died: IN= OUT=eth0 SRC=81.181.*.* DST=212.213.255.72 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=2635 DF PROTO=TCP SPT=34537 DPT=80 WINDOW=37648 RES=0x00 ACK FIN URGP=0
Jan  7 11:50:53 is5 kernel: IPT OUTPUT packet died: IN= OUT=eth0 SRC=81.181.*.* DST=216.32.68.54 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=20917 DF PROTO=TCP SPT=34545 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jan  7 11:50:54 is5 kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:00:0e:9d:21:a7:4c:00:10:a1:be:8d:08:00 SRC=216.32.68.54 DST=81.181.*.* LEN=610 TOS=0x00 PREC=0x00 TTL=44 ID=37758 DF PROTO=TCP SPT=80 DPT=34545 WINDOW=6432 RES=0x00 ACK PSH FIN URGP=0
Jan  7 11:51:05 is5 kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=212.93.137.130 DST=10.0.0.7 LEN=44 TOS=0x00 PREC=0x00 TTL=59 ID=0 DF PROTO=UDP SPT=27016 DPT=27005 LEN=24
Jan  7 11:51:13 is5 kernel: IPT OUTPUT packet died: IN= OUT=eth0 SRC=81.181.*.* DST=216.32.68.54 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=34548 DPT=80 WINDOW=7386 RES=0x00 ACK FIN URGP=0
Jan  7 11:51:16 is5 kernel: IPT INPUT packet died: IN=eth1 OUT= MAC=4c:00:10:3a:8d:7e:00:30:05:6c:ec:88:08:00 SRC=10.0.0.54 DST=81.181.*.* LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=11674 DF PROTO=TCP SPT=2765 DPT=3128 WINDOW=64240 RES=0x00 SYN URGP=0
```

and so my syslog files have about 100M at the end of each day 

Any suggestions will be appreciated

Thx
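The "5 clients per class" layout described in this post, written as a generator rather than one hand-written block per client. This is an added example, not the poster's HTB script: it derives the group class (1:10, 1:20, ...) and leaf class (1:11 ... 1:15, 1:21 ... ) for client number N and emits the same tc commands the script above repeats. The device, the LAN addresses and the 16 kbit rate are from the thread; the public addresses and the MAC-free per-client rates are placeholders. With DRY_RUN=1 (the default here) the tc commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not the poster's script): class-id arithmetic for the
# "5 clients per group" HTB layout, plus the per-client tc commands.

DEV="${DEV:-eth1}"
PER_GROUP=5

# client_class N -> "GROUP LEAF", e.g. client 1 -> "10 11", client 7 -> "20 22".
# tc reads ids as hex, but every id is built the same way here, so for the
# 80 clients in the thread they stay distinct from each other and from the
# fixed classes 1:1, 1:2, 1:9 and 1:500.
client_class() {
    n=$1
    g=$(( (n - 1) / PER_GROUP + 1 ))
    echo "$(( g * 10 )) $(( g * 10 + (n - 1) % PER_GROUP + 1 ))"
}

# Run or print one tc command depending on DRY_RUN (default: print).
tc_() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "tc $*"; else tc "$@"; fi
}

# add_client N LAN_IP PUBLIC_IP RATE CEIL
# Creates the group class when N starts a new group, then the leaf class,
# the four u32 filters (src/dst for both addresses) and an sfq leaf qdisc.
add_client() {
    n=$1; lan=$2; pub=$3; rate=$4; ceil=$5
    grp_cls=$(client_class "$n")
    grp=${grp_cls% *}
    cls=${grp_cls#* }
    if [ $(( (n - 1) % PER_GROUP )) -eq 0 ]; then
        tc_ class add dev "$DEV" parent 1:9 classid "1:$grp" htb rate 24kbit ceil 64kbit quantum 1500
    fi
    tc_ class add dev "$DEV" parent "1:$grp" classid "1:$cls" htb rate "$rate" ceil "$ceil" quantum 1500
    for ip in "$lan" "$pub"; do
        for dir in dst src; do
            tc_ filter add dev "$DEV" protocol ip parent 1:0 prio 6 u32 match ip "$dir" "$ip/32" classid "1:$cls"
        done
    done
    tc_ qdisc add dev "$DEV" parent "1:$cls" handle "$cls:" sfq perturb 10
}

# Sample run: two clients; 203.0.113.x are placeholder public addresses.
add_client 1 10.0.0.2 203.0.113.2 16kbit 64kbit
add_client 2 10.0.0.3 203.0.113.3 16kbit 64kbit
```

Feed it the real client table (number, LAN address, public address, rate, ceil) from a file and the whole 80-client section of the script becomes one loop; a mistyped class id in a hand-edited block is exactly the kind of error that sends traffic to the 1kbit default class 1:500.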

----------

## decay

P.S. do you think that a 2.6.* kernel will work better ? 

i'm asking this because with the 2.4.22 kernel the server becomes so loaded that in about 3-4 days it gets blocked and i have to reset it.

----------

## Jake

If Linux becomes unusable and requires a reboot after a few days, something's seriously wrong. Newer versions might be better, but you should really figure out why you have to reboot so frequently. Is it a memory problem or CPU problem? Which tasks consume all your resources?

Dropping so many packets makes me suspect you missed something in your rules. Unfortunately, I don't know much about iptables rules, so I don't think I'll be able to help you, except by saying that your dropped packets don't seem to have anything in common that would suggest an obvious mistake in the rules.

----------

## cylgalad

1) sempron is 32 bit and the successor of duron

2) try to upgrade your 2.4.22 kernel to 2.4.28, you'll surely close a lot of security holes and bugs, rather than jumping into 2.6 on a server

3) buy some ram

----------

## decay

the system isn't unstable now that i'm using 2.4.26 kernel (was unstable with the 2.4.22 version)

and it is not a memory problem because when running @ full load i still have about 40-64 Megs of free memory left.

the problem seems to be the iptables rules. They seem not to be able to sustain the heavy load that passes through the server.

That's why i was thinking to upgrade the server and use the nf-HiPAC. And i was wondering if someone already used it and can tell me the ups and downs of this package.

> 1) sempron is 32 bit and the successor of duron

Not really .. it comes with another set of instructions ... and the Sempron 3100+ (the only sempron on socket 754) is in fact an Athlon 64 CPU that supports only the 32 bit architecture.

----------

## Jake

I didn't notice your little note about NAT rules for all 80 clients and the for loops. You probably have enough rules to benefit from HiPAC.

Why do you repeat "$IPTABLES -A FORWARD -s 10.0.0.2 -m mac --mac-source *:*:*:*:*:* -j ACCEPT" so many times? If you aren't filtering by MAC, why not accept all the clients in one rule?

The port drop rules also seem excessive. Why not set your default policies to DROP? It would be better security practice anyway.

----------

## decay

i didn't make myself clear. 

each mac address from each IPTABLES -A FORWARD -s 10.0.0.2 -m mac --mac-source rule is unique, i am doing mac filtering, i just replaced the real addresses with the stars (*) without thinking that they would be wrongfully interpreted.

And about the rules ... the thing is that if i set them up to DROP by default it seems that iptables will drop anything .. and no connection will be possible to be done by the users from the lan. The drop rules are so many because i've had problems with the traffic done by the users that had virused/trojaned computers ... they were making A LOT of traffic. And so until i install squid+squidguard+clamav to limit the access of the lan users to porn/warez pages i'll have to use those intensive drop policies

----------

## Jake

I figured if you posted IPs you wouldn't be afraid to post MACs, which I imagine would be less helpful to a potential cracker than IPs.

If your rules don't work with a default drop policy, you must not be considering all possible kinds of traffic. That also means your default accept policy is overlooking important traffic.

----------

## pakman

I would go for the AMD64 as there are architectural differences that mean it runs faster than 32bit chips even if you're only using 32bit software, for instance the memory management unit is on the chip instead of on the motherboard like with P4/Sempron/etc.

Good page here:

http://www.devx.com/amd/Article/20960

edit: ewps, although if that's not the problem it won't help, and it doesn't sound like hardware on re-reading. Just a thought, do you still get dropped packets using NAT rules rather than SNAT with iptables?

e.g. $IPTABLES -A POSTROUTING -t nat -s 10.0.0.0/24 -j MASQUERADE

Also, can you turn off the QoS completely for a while and see if you still get dropped packets?

----------

## decay

i will go for the A64 .. in fact i bought the original cd for A64 architecture from the gentoo store ... it must arrive in about 2 days now

and about using the NAT routing instead of the SNAT .. that is out of the question ... on this network there are a lot more users ... but i only grant access to the internet to about 80 users. And about flushing the QOS rules .. that is out of the question too; if i do that the clients from the LAN side will take all my bandwidth. And it is not a very good idea to give a large bandwidth to clients and then cut it back after a period ... that will make them mad

and about showing the local IPs .. i'm not worried .. because each of them is routed via a real ip from the class i have

----------

## Jake

You have a poorly designed, insecure ruleset, and you're using an inferior operating system/routing framework for the task, with one good NIC and one low-quality one. Wouldn't it be better to fix your problems than attempt to compensate for them with a fast CPU?

----------

## decay

> you're using an inferior operating system/routing framework

I wouldn't call Debian 3.0 woody inferior ... in fact it is exactly the opposite ... it's a very stable and powerful OS.

> You have a poorly designed, insecure ruleset

you are 100% right about this .. but i had to get rid of all my other iptables policies in order to take some load off "iptables's shoulders".

This morning i've changed the bad/low quality NIC with an e100 (intel) NIC and i can't say it was such a difference. Only about 5% less drops ... but in the end the result was the same. I can't verify perfectly if i have the same drops because it's early in the morning and i don't have the same load as i do in the afternoon .. or in the weekends.

----------

## Jake

> decay wrote:
> > you're using an inferior operating system/routing framework
> ...
 

It's good for a Linux distro, but FreeBSD is faster for routing, and OpenBSD is more secure and the native platform for PF, IMO the best routing/firewalling framework. DragonFly might be even faster than FreeBSD, but it probably isn't stable enough for production use.

----------

## decay

yes i know that BSDs are very good OSes but i'd like to keep it on linux ..

----------

## pakman

On re-reading this thread after more coffee I'm not entirely sure your iptables script is behaving as you expect. When you set a statement for a chain to log, it logs everything on that chain that hasn't matched a -j ACCEPT/DROP previously.

```
#INPUT chain
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -s $LAN_IP_RANGE -j ACCEPT
```

That matches LAN traffic coming in on your external interface, to not log squid/apache you want to allow that on the internal interface ($LAN_IFACE). Since you're defaulting to ALLOW you're not dropping any traffic on the INPUT chain so what you're logging isn't actually dropped packets.

You're logging all OUTPUT traffic as you only have one iptables statement for that chain. I'd get rid of OUTPUT logging entirely in your script.

Also, move your log statement for the FORWARD chain to the end of the ruleset as I think it will log all traffic being forwarded as things stand. If you just want to log dropped traffic bung that before the line iptables -A FORWARD -s 10.0.0.0/24 -j DROP

That may fix your problem; logging can cause a performance drop as it's quite a slow process.
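The three changes suggested in this post (LAN services accepted on $LAN_IFACE rather than $INET_IFACE, no OUTPUT logging, the FORWARD LOG rule moved to the end), combined with the default-DROP policy and connection tracking Jake recommended earlier, as an added example. It is not the poster's script and not code from pakman or Jake. Interface names and the LAN range are the thread's; the client MACs are placeholders from the IANA documentation range; the per-client SNAT rules are left out because they are unchanged by these fixes. With DRY_RUN=1 (the default here) the iptables commands are printed instead of executed, so the ordering can be checked before it is applied.

```shell
#!/bin/sh
# Added example (not from the thread): default-DROP filter ruleset in which
# every LOG rule sits last in its chain and therefore only sees packets that
# are really about to be dropped.

INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP_RANGE="10.0.0.0/24"

# Constructed client list, "LAN_IP MAC" per line; MACs are placeholders.
CLIENTS="10.0.0.2 00:00:5e:00:53:01
10.0.0.3 00:00:5e:00:53:02"

# Print or execute one iptables command depending on DRY_RUN (default: print).
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

build_ruleset() {
    # Default policies: anything not explicitly accepted below is dropped.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X

    # Replies to connections the router or its clients already opened.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # Squid (3128) and Apache (80) are reached from the LAN interface, not
    # from the Internet interface as in the original INPUT rule.
    for port in 80 3128; do
        ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -p tcp --dport "$port" -j ACCEPT
    done
    # A LAN source address arriving on the Internet side is spoofed: drop it.
    ipt -A INPUT -i "$INET_IFACE" -s "$LAN_IP_RANGE" -j DROP

    # One MAC-checked ACCEPT per client, as in the original FORWARD chain,
    # restricted to NEW connections (replies are already accepted above).
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        ipt -A FORWARD -i "$LAN_IFACE" -s "$ip" -m mac --mac-source "$mac" -m state --state NEW -j ACCEPT
    done <<EOF
$CLIENTS
EOF

    # LOG rules last: with the default DROP policy they match only what
    # nothing above accepted. There is deliberately no OUTPUT LOG rule.
    ipt -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT dropped: "
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT FORWARD dropped: "
}

build_ruleset
```

If a LAN client still cannot connect under this ruleset, the log line it produces now names the exact packet that was not covered, which is the information the original default-ACCEPT script could not give because its LOG rules fired on accepted traffic too.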

----------

