Would it possible to add the Intel i915 GPU drivers/firmware(DRM-KMOD) to Opnsense, either as a plugin or as part of the base install? I completely understand how ridiculous it sounds wanting GPU drivers on a headless FW appliance, but please bear with me.
I have been trying to get my firewall power usage as low as possible, and trawling the net, it would appear that the GPU driver and firmware are required in order to put the GPU into a low power state, otherwise it just burns power (anecdotal evidence on the net suggests up to 3W, which on my N-series appliances could be as much as a third of the total power draw) for no reason.
This matters to me because, as a Brit, I am lucky (HA) enough to live in the country with the most expensive electricity in the world (apparently), and it's only going to get worse. 3W 24x7 over a month is just over 2kW, which is an additional £0.50p+ a month on an electric bill for absolutely no benefit. Multiply by 12 months and it starts to get a bit ridiculous considering that 3W is doing absolutely nothing useful.
Secondly, my firewall appliances are passively cooled. The GPU is putting extra load onto the heatsink for no good reason. Being able to tell it to go away or at least sleep could well bring the system temperature down by a few degrees, which is good for the longevity of the hardware, and would also be beneficial for people living in places with relatively higher ambient temperatures where passive cooling isn't as effective.
I've tried to add drm-61-kmod using ports but the build failed part way through with a nonspecific error.
according to freshports drm-kmod has two dependencies:
1. gpu-firmware-kmod>=20220511 : graphics/gpu-firmware-kmod
2. drm.ko : graphics/drm-61-kmod
So you were installing one of the two dependencies. Looking at the first one, in turn depends on 127 others.
Short of it, it becomes too much of a dependency burden for what you yourself described as a headless FW appliance. These dependencies are for desktop type systems.
So my suggestion is to see if you can build it or pull the package into a VM and see if you can then move it across.
hmm, having looked at the freshports entry for gpu-firmware-kmod, all the dependencies are firmwares for individual gpu cards. So it *SHOULD* only need the one that's appropriate for the system it's being built on, with the rest being completely irrelevant. Wonder if that might be a way forward,
I think the math is slightly off here considering adding this to a nightly build infrastructure, shipping all the new packages to the mirrors and letting people download the bigger upgrade sets millions of times over the next couple of years.
Much of what the build infrastructure does borders on waste of energy compiling almost everything from scratch, but that's also a bit how open source is supposed to work.
Cheers,
Franco
Maybe I am missing something, but
Why not disable the GPU in BIOS?
For OPNsense you don't need the GPU.
Regards,
S.
Quote from: Seimus on April 03, 2025, 10:19:06 AMMaybe I am missing something, but
Why not disable the GPU in BIOS?
For OPNsense you don't need the GPU.
Regards,
S.
BIOS doesn't allow disabling IGPU unless there's a discrete card present, and in any case I don't want it completely disabled in case I need console access.
Hmm on my n100 unit I have seen an option to disable the GPU, but honestly I don't remember if it was for iGPU or eGPU as you mentioned.
Quote from: Seimus on April 03, 2025, 10:44:35 AMHmm on my n100 unit I have seen an option to disable the GPU, but honestly I don't remember if it was for iGPU or eGPU as you mentioned.
It's entirely possible, bios options vary wildly between systems and even bios versions
Thats very true.
But maybe you can disable the GPU using bsd hints?
https://forums.freebsd.org/threads/radeon-rx-7600m-xt-graphics-card-switched-off-in-bios-trying-to-use-igpu-on-an-amd-ryzen-7-7840hs.92735/
Regards,
S.
Allow me to provide two suggestions that don't answer your direct question, but go towards your root concern:
- Have you considered virtualizing OPNsense? You might have more luck managing the power of the base system this way. While Proxmox, like OPNSense, is also an appliance wrapped around an OS distro (in this case Debian instead of FreeBSD) that ideally you'd leave more or less alone, I feel its underpinnings are more tinkerable (within reason) without setting yourself up for maintenance issues down the road. Also, just the fact that it's Linux-based and not Unix may provide more customization options (the fact that you are here looking to install a FreeBSD port of a Linux driver makes for a good example) and broader community support.
Yes, it's another layer of abstraction, but that can work to your benefit here. As @loonylion mentioned regarding "N-series appliances":
Quote from: loonylion on April 03, 2025, 10:51:35 AMbios options vary wildly between systems and even bios versions
When the day comes to upgrade your base system or replace it due to a failure or what have you, you may be hard-pressed to find one whose power management idiosyncrasies are the same as before. Again, I'd rather deal with Linux than Unix here.
Admittedly, there are security implications to consider when virtualizing a firewall that I won't wander too far into here, but enabling PCI-passthrough on the hypervisor for at least the NIC corresponding to the WAN port goes a long way.
- Consider investing in a power monitoring device of some kind, be it a simple, in-line meter (https://www.amazon.co.uk/s?k=power+outlet+meter) or a consumer-grade smart power strip (https://www.amazon.co.uk/s?k=smart+power+strip) (if you search for "smart PDUs" you'll get more enterprise-class gear that is great for its intended purpose, but gets very expensive). You mentioned:
Quote from: loonylion on April 02, 2025, 07:26:40 PManecdotal evidence on the net suggests up to 3W, which on my N-series appliances could be as much as a third of the total power draw
If you're trying to find ways to reduce power consumption you really need to be able to measure the results of your efforts--specifically at the wall. I have a Kasa Smart Plug Power Strip HS300 (https://www.amazon.com/dp/B07G95FFN3), but I couldn't find a UK version.
I run a Proxmox cluster of three passively-cooled mini PCs (two N100s and an N5150) in an expensive power market and have been working on setting up OPNsense on two them to run in an HA configuration to replace a bare metal pfSense device. Inspired by your question, I did a quick Google search for "proxmox manage igpu power state on n100 (https://www.google.com/search?q=proxmox+manage+igpu+power+state+on+n100)" and came across this suggestion (https://community.home-assistant.io/t/psa-how-to-configure-proxmox-for-lower-power-usage/323731) for how to toggle Proxmox's CPU frequency scaling governor. I tried it and instantly saw a full 1W drop in power consumption. Granted, this is just a preliminary finding on what was a mostly idle system and I don't yet know what the performance hit will be, but the point is that Proxmox gave me options and I was able to measure the actual result of the intervention.
unfortunately, I would never consider virtualising a firewall appliance, it's something that's always been a kind of red line for me, My approach and belief is that it needs to always be a bare metal, dedicated machine that runs nothing else in order to have the minimal attack surface possible.
I do have a UK type AC inline meter (I believe what Americans know as a 'kill-a-watt', other brands are available), but even better, I have an Odroid Smartpower3, which is a power supply and meter specifically for low voltage DC such as SBCs. It can actually be quite surprising how different the readings are from the AC in-line once the actual wall-wart/brick is removed from the equation (ultimately my FW will be on PoE, powered upstream by a very high efficiency PSU, as part of my dad's drive to reduce the number of Chinese made wall-wart power supplies in the house, as they're very often a fire risk), and of course the AC in-line meters are generally considered to be less accurate at very low wattages. If nothing else the Smartpower shows way more variation than the AC meter. TBH I think I would trust the Smartpower more than the AC meter for this sort of task.
Quote from: loonylion on April 02, 2025, 07:26:40 PM[...]it would appear that the GPU driver and firmware are required in order to put the GPU into a low power state[...]
Have you tested this yourself? I found that the AMD AM5 iGPU drew more like +10W on bare FreeBSD... and now that I think about it, I don't recall which driver I loaded which resulted in reduced power consumption, and the machine is off as I'm in the middle of moving it. I believe it was the base VGA driver. At any rate, OPNsense runs at the lower power level on AM5 hardware - I checked that (vs. a bare FreeBSD install).
I don't have an Atom, but I can check this on a Coffee Lake at some point. It's in the pile of machines being moved, of course.
I haven't been able to get the intel driver to compile on opnsense so far, and I'm actually very limited in what testing I can do at present due to being in the middle of a home office renovation, so I'm primarily working from online documentation etc at the moment, but I see nothing related to gpu in kldstat so I don't think there's any sort of driver loaded currently.
this isn't an atom, it's an alder lake refresh, so basically 12th gen but only e-cores, no p-cores. It's a substantially changed microarch since previous gens so that might be playing into it also