OPNsense Forum
English Forums => Hardware and Performance => Topic started by: cwegh on March 23, 2021, 09:42:38 am
-
Hi all
pfSense and OPNsense support CPUs that have AES-NI as an on-die cryptographic accelerator. On ARM-based systems, the additional load from AES operations will be offloaded to those on-die cryptographic accelerators, such as the one found on our SG-1000. ARM v8 CPUs include instructions like AES-NI that can be used to increase performance of the AES algorithm on these platforms. Information from pfSense: https://www.netgate.com/blog/more-on-aes-ni.html
Besides AES-NI, some CPUs, such as the Atom C3xxx series, also have Intel QuickAssist as an extra offloading chip for encryption (and compression, but that is not relevant in this context) --> https://www.servethehome.com/intel-quickassist-technology-and-openssl-setup-insights-and-initial-benchmarks/ and https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/
Question: I was wondering if the OPNsense team has any plans for this to become available in OPNsense as well? I have been unable to find concrete information on this (so no assumptions or rumors).
Sometime in the coming year I will upgrade to 1 gigabit internet. I am also setting up my network with an always-on VPN, routing all internet traffic through an OpenVPN tunnel. I have a firewall appliance with a C3558 board, so I can leverage QuickAssist in the future.
Having QuickAssist available to avoid too much load on the CPU will become a requirement at a certain point (AES-NI is sufficient for now). Of course I can still use the CPU, but that will stress the hardware and impact longevity, and it also means more power usage.
More background information:
The QAT driver is available in FreeBSD --> https://www.freebsd.org/cgi/man.cgi?query=qat&apropos=0&sektion=0&manpath=FreeBSD+13.0-current&arch=default&format=html
pfSense Plus also supports this from version 21.02: Support for Intel® QuickAssist Technology, also known as QAT.
- QAT accelerates cryptographic and hashing operations on supported hardware, and can be used to accelerate IPsec, OpenVPN, and other OpenCrypto Framework-aware software.
- Supported hardware includes many C3000 and C2000 systems sold by Netgate and some other types of built-in QAT support and add-on cards.
pfSense will also make this available in pfSense CE sometime this year on third-party hardware.
-
HISTORY
The qat driver first appeared in FreeBSD 13.0.
This implies that as soon as OPNsense upgrades to FreeBSD/HardenedBSD 13, the support will be there. If not in the UI, you can always set a tunable to load the driver as described in the manpage.
-
Thanks, that is good intel. Looking at the roadmap (https://opnsense.org/about/road-map/), this would not be earlier than the January 2022 release?
-
Yes, current plan is 22.1.
Cheers,
Franco
-
Raising my hand here as well - QAT support in OPNsense would be very nice indeed. No pressure or anything, but just to indicate that there's at least one additional user that might appreciate it once >= 22.1 comes around.
-
> Yes, current plan is 22.1.
@franco: any update, now that 22.1 is out?
-
OPNsense 22.1.1_3-amd64
According to https://www.freebsd.org/cgi/man.cgi?query=qat I added the loader.conf data to tunables.
I have a Sophos SG 125 Rev.3, powered by Intel Atom C3508.
So I added
- qat_load => YES
- qat_c3xxxfw_load => YES
After a reboot, dmesg gives me:
qat0: <Intel C3000 QuickAssist PF> mem 0xdd240000-0xdd27ffff,0xdd200000-0xdd23ffff irq 18 at device 0.0 on pci1
Does it work? No idea... I can tell my IPsec tunnel is working...
-
There is some work to be done
https://github.com/opnsense/core/issues/5559
-
It's really just "kldload" and that's it. As for:
> Does it work? No idea... I can tell my IPsec tunnel is working...
It's AESNI all over again. ;)
Cheers,
Franco
-
Oh cool, so the issue is just for labeling and boot loading? :)
-
It's done.
https://github.com/opnsense/core/commit/db686a85
https://github.com/opnsense/core/commit/dd4512aa
Cheers,
Franco
-
Thx! And you removed AES-NI because systems with AES-NI-only without QAT will use it anyway?
-
AESNI is now part of the FreeBSD GENERIC kernel. No use to load the module, see
https://cgit.freebsd.org/src/commit/?id=074a91f746bd
Cheers,
Franco
-
I thought I follow the development close enough :) Thx
-
Atom C3758 QAT support
OPNsense 2.1.2 shows the following:
kldstat -v | grep qat
20 1 0xffffffff82904000 16308 qat.ko (/boot/kernel/qat.ko)
541 pci/qat
21 1 0xffffffff8291b000 a13f8 qat_c3xxxfw.ko (/boot/kernel/qat_c3xxxfw.ko)
542 qat_c3xxxfw_fw
dmesg | grep qat
qat0: <Intel C3000 QuickAssist PF> mem 0xdf340000-0xdf37ffff,0xdf300000-0xdf33ffff at device 0.0 on pci1
So it sees it, and it has been selected under System -> Settings -> Misc -> Hardware acceleration.
As Franco said earlier: Does it work? No idea... I can tell my IPsec tunnel is working...
The OpenVPN client connections to ProtonVPN are up and working.
-
Well it already picks up the hardware so that's a good sign (hardware without QAT will not have dmesg output when you load the module).
Now it's the same thing as AESNI really: is it being used? You are the only one who can verify to be honest with throughput tests.
Cheers,
Franco
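Two things come up repeatedly in this thread: checking that the qat(4) driver actually attached to a device (the dmesg line above), and Franco's point that only a throughput test shows whether the offload is used. The script below is an added example, not code from the OPNsense project or from anyone in this thread. It parses a dmesg sample (the line quoted from the Sophos SG 125 post) and a constructed iperf3 summary, and, when run with `--live`, does an A/B iperf3 run through the tunnel with the qat module unloaded and loaded. It assumes iperf3 is installed on both ends, that the server address is given in the QAT_PEER environment variable (a name chosen here), and that the tunnel is taken down before `kldunload`, since a crypto driver with active sessions may refuse to unload.

```shell
#!/bin/sh
# Added example (not OPNsense project code): verify qat(4) attachment and
# measure the throughput difference with and without the module loaded.

# Constructed samples. The dmesg line is the one posted in this thread;
# the iperf3 summary is made up for the offline self-check.
DMESG_SAMPLE='qat0: <Intel C3000 QuickAssist PF> mem 0xdd240000-0xdd27ffff,0xdd200000-0xdd23ffff irq 18 at device 0.0 on pci1'
IPERF_SAMPLE='[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.09 GBytes   941 Mbits/sec    0   sender
[  5]   0.00-10.00  sec  1.09 GBytes   939 Mbits/sec        receiver'

# Returns 0 when dmesg shows a QuickAssist physical function attached.
# The qat module loads silently on hardware without QAT, so kldstat alone
# proves nothing; the attach line is what matters.
qat_attached() {
    printf '%s\n' "$1" | grep -q 'qat[0-9]*: <Intel .*QuickAssist'
}

# Prints the receiver-side bitrate from an iperf3 run, normalised to Mbit/s.
iperf_mbps() {
    printf '%s\n' "$1" | awk '/receiver/ {
        for (i = 1; i <= NF; i++) if ($i ~ /bits\/sec$/) {
            v = $(i - 1)
            if ($i ~ /^Gbits/) v = v * 1000
            if ($i ~ /^Kbits/) v = v / 1000
            print v; exit
        }
    }'
}

# Prints the integer percentage gain of $2 over $1.
pct_gain() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%d\n", (b - a) * 100 / a }'
}

# Live A/B test on the firewall itself. Assumptions: iperf3 on both ends,
# QAT_PEER (hypothetical variable name) points at the server behind the
# tunnel, and the IPsec tunnel was disabled before the unload step, because
# kldunload can fail with EBUSY while sessions still reference the driver.
live_ab_test() {
    peer=${QAT_PEER:?set QAT_PEER to the iperf3 server reachable through the tunnel}
    kldunload qat 2>/dev/null || echo "qat not loaded or busy; baseline may still use QAT"
    soft=$(iperf_mbps "$(iperf3 -c "$peer" -t 20)")
    kldload qat
    qat_attached "$(dmesg)" || { echo "qat loaded but attached to no device"; exit 1; }
    hw=$(iperf_mbps "$(iperf3 -c "$peer" -t 20)")
    echo "software/AES-NI: ${soft} Mbit/s  with qat: ${hw} Mbit/s  gain: $(pct_gain "$soft" "$hw")%"
}

if [ "${1-}" = "--live" ]; then
    live_ab_test
else
    # Offline self-check on the constructed samples.
    if qat_attached "$DMESG_SAMPLE"; then att=yes; else att=no; fi
    echo "QuickAssist PF attached in sample dmesg: $att"
    echo "sample iperf3 receiver bitrate: $(iperf_mbps "$IPERF_SAMPLE") Mbit/s"
fi
```

Run the script with no arguments to exercise the parsers on the embedded samples; run it as `QAT_PEER=<server> sh qat-ab.sh --live` on the firewall, with the tunnel brought down first, to get the before/after numbers. A gain close to 0% on a single 1 Gbit link is not proof that QAT is unused: at that rate AES-NI on a C3000 is usually nowhere near saturated, which is why the thread's participants could not tell from a working tunnel alone.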
-
I only have QAT systems with 1 Gbit... sadly I can't test right now.