OPNsense Forum
English Forums => Zenarmor (Sensei) => Topic started by: johndchch on October 17, 2022, 10:39:21 pm
-
whilst troubleshooting very uneven core loading I noticed that each eastpect instance seems to be locked to a single core
e.g.
cpuset -g -p <pid of eastpect instance 0>
pid 17862 mask: 1
pid 17862 domain policy: first-touch mask: 0
I presume this is done to either aid latency or to allow for multiple interfaces ( and hence multiple eastpect instances )
question is - for a single LAN interface config ( so single eastpect instance ) would setting the mask to all available cores make more sense?
A few quick experiments changing the mask to all cores seem to improve the single core overloads I was seeing, and don't seem to affect performance in any negative manner
-
Hi,
Yes, Zenarmor performance will be better for high traffic with multicore support. It is on our roadmap and will be added next year.
-
Hi @johndchch,
We intentionally pin zenarmor to a dedicated core in order to prevent CPU context-switching overhead. Because if the process is wandering around CPU cores, we start to see CPU cache misses, which will in turn negatively impact performance.
Having said that, it's very interesting that you're seeing the opposite. Can you provide a bit more information? What is the CPU model? Is there a specific server hardware you're using?
-
it's running on an i7-6700 ( with a 1gbps internet connection ) - and yes, I expect pinning WOULD help on smaller/slower cpus ( especially ones with small L2/L3 ), guess it's one of those things where you had to make a call and obviously need to err on the side of acceptable performance on low powered systems
any chance you could expose the pin option in the UI or too esoteric to explain and too low a priority? right now I just have a cron job to check/reset the process
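-
Added example, not part of the original thread and not the poster's or Zenarmor's own script: one way to write the check/reset cron job mentioned above, parsing the `cpuset -g -p` output format quoted in the first post. The function names, the `--apply` switch and the `eastpect-affinity` log tag are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example: widen eastpect's CPU affinity to all cores (FreeBSD/OPNsense).
# Constructed sample of `cpuset -g -p <pid>` output, in the format quoted above.
SAMPLE='pid 17862 mask: 1
pid 17862 domain policy: first-touch mask: 0'

# Extract the CPU list from the "pid N mask: ..." line, normalised to "0,1,2".
# The "domain policy" line is skipped because "mask:" does not follow the pid.
parse_mask() {
    printf '%s\n' "$1" | sed -n 's/^pid [0-9][0-9]* mask: *//p' | head -n 1 | tr -d ' '
}

# Build the full CPU list "0,1,...,n-1" for n CPUs.
all_cpus() {
    n=$1; i=0; out=
    while [ "$i" -lt "$n" ]; do
        out="${out:+$out,}$i"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Return 0 (true) when the reported mask differs from the full CPU set.
needs_reset() {
    [ "$(parse_mask "$1")" != "$(all_cpus "$2")" ]
}

# FreeBSD-only part: inspect every eastpect process and reset it if pinned.
apply_all() {
    ncpu=$(sysctl -n hw.ncpu)
    for pid in $(pgrep eastpect); do
        if needs_reset "$(cpuset -g -p "$pid")" "$ncpu"; then
            cpuset -l "0-$((ncpu - 1))" -p "$pid" &&
                logger -t eastpect-affinity "pid $pid: mask reset to 0-$((ncpu - 1))"
        fi
    done
}

# Only touch live processes when explicitly asked to, e.g. from cron.
if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Logging each reset through syslog leaves a record of when the process was restarted and re-pinned.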
-
Hi @johndchch,
Makes sense, thanks.
Sure thing, I think we can introduce an option to the Interface Configuration Screen.
It's a bit late for 1.12, however let's see if we can ship with 1.13.
-
Hi @mb,
so, multi core support with RSS is off the table, or is it still being worked on?
@johndchch, would it be possible to share your configuration? I'd really like to give it a spin on my VM running on a multi core EPYC system when I find the time.
Thanks both of you!
-
Pinning could be specified somewhere. In the era of P+E cores, it's necessary to prioritize the cores accordingly.
-
RSS is allowed. It is still experimental, but it is allowed.
Multi-core eastpect has been scheduled for November.
-
Hey @almodovaris,
Is the multi-core support still scheduled for November?
-
Hi @Raptcha,
We have made some adjustments to the priority of several exciting features, including Full TLS Inspection, TLS Decryption Mirroring for External Tools (e.g., Suricata, Snort, Bro, etc.), Zero Trust Network Access (ZTNA), and Arm64 CPU support. Our plan is to continue improving these features in the mid-term period, aiming for completion around the late third quarter of 2024.
-
So, now multi-core support has been delayed for a year?
-
So, now multi-core support has been delayed for a year?
Another year, not the first time this happened.
-
So, I'm currently using Zimaboard 432 with Intel Celeron N3450 Quad Core (1.1 GHz Base and 2.2 GHz Boost). I'm only getting half internet speed because of this single core usage issue. Is there no way currently to fix this on my device? If not, could someone recommend a different hardware that won't have this issue till Sunny Valley decides to make this a priority?
-
So, I'm currently using Zimaboard 432 with Intel Celeron N3450 Quad Core (1.1 GHz Base and 2.2 GHz Boost). I'm only getting half internet speed because of this single core usage issue. Is there no way currently to fix this on my device? If not, could someone recommend a different hardware that won't have this issue till Sunny Valley decides to make this a priority?
https://forum.opnsense.org/index.php?topic=35023.msg170055#msg170055
-
He does not have an N100, I do.
-
Hi,
Great news! After carefully reviewing the roadmap timeline, the product team has decided to prioritize shipping the multicore support in the first quarter of this year.
-
Hi,
Great news! After carefully reviewing the roadmap timeline, the product team has decided to prioritize shipping the multicore support in the first quarter of this year.
Excellent news, thanks Sy. In the meantime, will enabling RSS drive some benefit? I appreciate it is experimental but on the i210 NIC it seems most people have no problems?
-
I've placed an order for this appliance. It's an overkill for just Zenarmor at gigabit speeds or perhaps even with wireguard enabled. But I'll find some use for its processing power.
https://cwwk.net/products/i5-1335u-i7-1355u-13th-gen-2-5g-soft-router-intel-6x-intel-i226-v-fanless-mini-pc-firewall-appliance-proxmox-pfsense?variant=44933248975080
Hoping to have it in hand soon.
-
Hi,
Great news! After carefully reviewing the roadmap timeline, the product team has decided to prioritize shipping the multicore support in the first quarter of this year.
Really good news when I plot it on the growing internet speeds. 2-4-8 Gigabit could be ordered for home use.
Thanks for listening to the customer install base.
-
Even with lower specs it is too expensive for me.
-
Yay! Waiting for this before installing again.
-
Hi @sy,
any news on multicore progress? If there's a beta program I can subscribe to, happy to test!
-
I will add to the multithreaded request, any news yet?
-
Hi All,
We needed to make a few changes to our roadmap due to SSE and SASE features. It is kept in the roadmap, but it seems it will be at the end of this year or in the first quarter of next year.
-
For most users multithreaded eastpect would mean close to 4 times lower CPU specs needed, which would allow them to use a lot of older hardware. And thus be more willing to pay for a Zenarmor license.
It's usually the bill for the electrical power which scares them, not the price of the device. Since it's very hard to find high-specs devices, for a normal price, which don't use a lot of power. I'm lucky that I bought my Venus series for less than 200 Euro per piece. Now their prices are getting crazy, that is if you can buy them at all.
-
I'll have to test on my hardware, but lack of multithreaded performance may stop me from using this. If it runs OK on my test system, and runs OK on my future production, then maybe. But as mentioned, it will allow much lower end processors, or much higher throughput in a multithreaded configuration.
-
the bigger issue is the increased availability of 2.5gbs and higher connections - it's very hard to find a cpu with sufficient single-core speed to handle those kind of speeds in zenarmor - you generally end up with a bottleneck
-
correct, 2.5gbit everywhere. On my main 10port switch only 1 device remains 1gbit. Everything including WiFi6E and ISP is 2.5gbit nowadays, and that will go away fast with WiFi7 and regular ISP speed improvements. I've got Gold 8505 CPU, on par with N305, and it's suffocating. I'm puzzled how something 10x faster (in crypto benchmarks up to 200x faster) than a top Arm router struggles with everything, from VPN to ZenArmor. Looks like we will need water cooled Threadripper machines soon.
-
Hi All,
We needed to make a few changes to our roadmap due to SSE and SASE features. It is kept in the roadmap, but it seems it will be at the end of this year or in the first quarter of next year.
:( disappointing news... gigabit plus wan and 10 gig lan backbone would have liked to see multicore support.
-
I'm going to throw this out there...
As much as I want multithreaded performance, I also want it to be done right! Please don't rush something that immediately breaks when it gets in the hands of people like me with hardware you could never test on. Please just make it right the first time. Just raise the priority a little if possible.