FIXME This article could explain the performance differences between active and passive cards more clearly. It should also be reviewed for technical content by an expert.

Questions are frequently asked in the IPFire forum about which hardware we would recommend, or if particular devices meet the requirements of IPFire.

When building a system, people mainly consider processor speed, memory, disk space and possibly disk performance.

They may consider network cards, but usually only in terms of their maximum transfer speed, for example 100 MBit/s or 1000 MBit/s. However, people rarely consider whether a network card is active or passive.

This article does not go into deep technical detail but briefly describes the difference between active and passive network cards and their impact on the overall system.

What is a passive network card?

A passive network card does not have its own controller:
* All administrative tasks have to be run on the system CPU.
* For this purpose, hardware and software interrupts are triggered.
Imagine an interrupt as a break which forces the CPU to suspend anything else it is doing. During the interrupt, other tasks cannot be done by the system, as it must address the device that triggered the interrupt, in this case the network card.

An active network card has its own controller:
* It can perform administrative tasks by itself, without generating interrupts.

The advantage is obvious: There are considerably fewer interrupts triggered by an active network card and the system can take care of other tasks, uninterrupted.

Unfortunately, people often do not recognise the performance lost due to a CPU being frequently interrupted, because they only check the CPU workload of processes. Since interrupts are not assigned to a process, they are not visible as something which puts load on the CPU.

It is possible that a system with a passive network card could be running processes which combine to as little as 10% CPU utilisation, when in fact the total CPU utilisation is up to 60%. The difference is due to frequent interrupts.
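The gap between what is charged to processes and what the CPU actually spends on interrupts can be measured on any Linux box, IPFire included, from the `cpu` line of /proc/stat (the `irq` and `softirq` columns) and the per-device counters in /proc/interrupts. The script below is an added example, not code from the IPFire wiki or project; the /proc/stat and /proc/interrupts lines embedded in it are constructed, and the device names eth0 and eth1 are placeholders for a passive and an active card.

```shell
#!/bin/sh
# Added example, not part of the IPFire wiki article: make interrupt time visible.
# /proc/stat's "cpu" line counts jiffies per state; interrupt time lives in the
# irq (field 7) and softirq (field 8) columns, which no process is charged for.
# The sample lines below are constructed, not captured from a real IPFire box.

SAMPLE_STAT_1='cpu 100 0 100 700 0 50 50 0 0 0'
SAMPLE_STAT_2='cpu 200 0 200 1200 0 200 200 0 0 0'

# Constructed /proc/interrupts excerpt: eth0 stands in for a passive card,
# eth1 for an active one that raises far fewer interrupts for similar traffic.
SAMPLE_INTERRUPTS='           CPU0       CPU1
  16:    1234567          0   IO-APIC   16-fasteoi   eth0
  17:       4500          0   IO-APIC   17-fasteoi   eth1'

# _delta_share LINE1 LINE2 FIELD...: percentage of the jiffies elapsed between
# two "cpu" lines that fall into the given /proc/stat columns (2 = user ... 8 = softirq).
_delta_share() {
    l1=$1; l2=$2; shift 2
    printf '%s\n%s\n' "$l1" "$l2" | awk -v fields="$*" '
        BEGIN { n = split(fields, want, " ") }
        NR == 1 { for (i = 2; i <= NF; i++) a[i] = $i }
        NR == 2 {
            total = 0; sel = 0
            for (i = 2; i <= NF; i++) { d[i] = $i - a[i]; total += d[i] }
            for (k = 1; k <= n; k++) sel += d[want[k]]
            printf "%d\n", (total > 0 ? 100 * sel / total : 0)
        }'
}

# Share that top attributes to processes (user + nice + system).
proc_share() { _delta_share "$1" "$2" 2 3 4; }

# Share spent servicing hardware and software interrupts (irq + softirq).
irq_share()  { _delta_share "$1" "$2" 7 8; }

# nic_irqs TABLE DEVICE: total interrupts across all CPUs for one device
# in a /proc/interrupts table (the device name is the last column).
nic_irqs() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $NF == dev { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+$/) s += $i }
        END { printf "%d\n", s + 0 }'
}

# Stand-alone run: report the constructed sample, or, with --live on a Linux
# host, measure the real machine over one second.
if [ "${1:-}" = "--live" ] && [ -r /proc/stat ]; then
    s1=$(grep '^cpu ' /proc/stat); sleep 1; s2=$(grep '^cpu ' /proc/stat)
else
    s1=$SAMPLE_STAT_1; s2=$SAMPLE_STAT_2
fi
echo "process-visible load (user+nice+system): $(proc_share "$s1" "$s2")%"
echo "interrupt load (irq+softirq):             $(irq_share "$s1" "$s2")%"
echo "eth0 interrupts in sample table:          $(nic_irqs "$SAMPLE_INTERRUPTS" eth0)"
echo "eth1 interrupts in sample table:          $(nic_irqs "$SAMPLE_INTERRUPTS" eth1)"
```

With the constructed sample, processes account for 20% of the elapsed time while interrupts account for another 30%, so the CPU is half busy even though per-process figures suggest it is mostly idle. Run with `--live` on a firewall to take the same two readings a second apart; compare the eth device counters before and after a large download to see which card generates the interrupts.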

An example

A low-power system, for example an Intel Celeron at 600 MHz, has two passive network cards. IPFire is installed and connected to an ISP using a VDSL50 (50 MBit/s) service.

Without even activating additional services the network speed will be capped.

The full download bandwidth of 50 MBit/s is used up (~ 5.5 MByte/s) with only about 5-10% CPU consumption. However, on closer inspection there are 35-50% hardware and software interrupts.

The Squid proxy server is then activated.

Now the download bandwidth goes down to 35-40 MBit/s (~ 4.0 MByte/s). The CPU consumption totals 99.9%!

The whole system load (99.9%) appears to belong to Squid. However, on closer inspection this is incorrect, as interrupts are actually consuming 35 to 50% of that load.

It should now be quite clear that the system load is not the same as the CPU load. Naturally, a system has only 100% of its resources available, not 150%.
So what does the 99.9% load figure really tell us? It tells us that Squid is claiming 99.9% of the CPU time that is left available to processes.

There are now two possibilities: either replace the CPU with a considerably faster one, or reduce the interrupts and thereby gain more CPU time.

So I replaced one of the two passive network cards with an active one and ran the benchmark again.

The interrupts have been reduced significantly to 20-30%.

As a result I now have a download rate of about 5.0 MByte/s. The CPU usage amounts to 99.9%.

Unfortunately, my test system only allows one network card to be changed, because the other is an onboard card. Therefore, I cannot repeat the test with two active network cards. However, I can say from experience that with two active network cards the interrupts are less than 5%.
Thus even a Celeron at 600 MHz would be enough for a VDSL50 line with Squid enabled, without loss of speed.

Reviewing the facts

  • Download rate without Squid and two passive network cards: 5.5 MByte/s.
  • Download rate with Squid and two passive network cards: 4.0 MByte/s.
  • Download rate with Squid and one active and one passive network card: 5.0 MByte/s.

Hopefully this example makes clear the importance of the quality of the network card in a firewall system.

Some examples of active and passive network cards

Passive cards
  • Realtek 8139 (100 MBit/s)
  • Realtek 8110 (1 GBit/s)
  • Realtek 8169 (1 GBit/s)
  • VIA Rhine II (100 MBit/s)
Active cards
  • 3Com 3c905B-TX (100 MBit/s)
  • 3Com 3c590 (100 MBit/s)
  • Intel PRO/100 VE (100 MBit/s)
  • Intel PRO/1000 (1 GBit/s)