OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: donatom3 on October 03, 2020, 07:53:24 am

Title: Eastpect only single core?
Post by: donatom3 on October 03, 2020, 07:53:24 am
I just upgraded to a Xeon D 2123-it and am maxing out eastpect on a single core and only pulling 200 down on my gig connection.

Running top -P I see eastpect running maxing out a single cpu.
(https://imgur.com/a/QEJGOVD)

On my old i5-7600 this was working a bit better but as you can see so many of my cores are sitting there idle.
Title: Re: Eastpect only single core?
Post by: mb on October 03, 2020, 07:23:12 pm
Hi donatom3,

Yes and No.

Eastpect (packet engine) architecture is multi-process and it can scale to the number of CPU cores in the system.

Having said that, currently, we're running single core. The reason is that we need the Receive Side Scaling (RSS) kernel option to be compiled into the kernel. RSS is a technique for the Ethernet drivers to distribute incoming packets into multiple RX/TX queues (thus CPU cores) to be able to make use of the multi-core capability of the hardware:

https://wiki.freebsd.org/NetworkRSS

I think I should bring this to OPNsense team's attention. Should they see a fit for the project, we can work on this after the netmap work.

One question: what does "ubench -cs" report for you?

A note about the Xeon-D series processors. Our experience with them has not been very promising so far. I read that these processors are meant for the low-end market. Looks like they converted a single core to multiple cores having the same total processing power. Meant for systems where there are many jobs with lower CPU Hz requirements.

For Sensei, a simple desktop/mini pc with i5 or i7 CPU is performing way better than low Hz many core server CPUs.
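
Added example, not part of the post above and not Zenarmor or FreeBSD code: a sketch of how RSS maps a flow to a receive queue. It assumes the Toeplitz hash over the TCP/IPv4 4-tuple with the published Microsoft verification key, and uses a plain modulo where a real NIC uses an indirection table. Every packet of one flow lands on the same queue, so a single connection is still bounded by one core.

```python
import ipaddress
import struct

# Toeplitz key from Microsoft's RSS hash verification suite (40 bytes).
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa"
)

def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """XOR together the 32-bit key window at offset i for every set input bit i."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result

def flow_tuple(src: str, sport: int, dst: str, dport: int) -> bytes:
    """Hash input for TCP/IPv4: src addr, dst addr, src port, dst port."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))

def rx_queue(src: str, sport: int, dst: str, dport: int, n_queues: int) -> int:
    """Pick a queue; modulo is a simplification of the NIC indirection table."""
    return toeplitz_hash(flow_tuple(src, sport, dst, dport)) % n_queues

def spread(flows, n_queues: int):
    """Count how many packets/flows each queue (and so each core) receives."""
    counts = [0] * n_queues
    for src, sport, dst, dport in flows:
        counts[rx_queue(src, sport, dst, dport, n_queues)] += 1
    return counts

# Constructed sample traffic (documentation addresses, not real hosts).
ONE_FLOW = [("198.51.100.7", 443, "192.0.2.10", 50000)] * 1000
MANY_FLOWS = [("198.51.100.7", 443, "192.0.2.10", 50000 + p) for p in range(64)]

if __name__ == "__main__":
    print("1000 packets, one flow  :", spread(ONE_FLOW, 4))
    print("64 parallel connections :", spread(MANY_FLOWS, 4))
```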


Title: Re: Eastpect only single core?
Post by: donatom3 on October 04, 2020, 06:04:39 am
Mb

Ubench Single CPU:   464101 (0.40s)

Title: Re: Eastpect only single core?
Post by: mb on October 04, 2020, 05:53:52 pm
@donatom3, this looks good. Can you reach out? Let's have a closer look.
Title: Re: Eastpect only single core?
Post by: donatom3 on October 04, 2020, 08:21:43 pm
Sure I'll open a ticket from the firewall and have it upload the logs.

For now I've switched to passive so I can collect data and get full speed.

I did want to mention since moving to the supermicro with Xeon D I've had far fewer problems with suricata and sensei taking minutes after a reboot to get connectivity since they each caused the wan to release IPs.

This could also be a side effect of me getting rid of all the custom tunables I did on the qotom running an i5-7600 with igb drivers and going with just the stock opnsense tunables. Could also mean the qotom was using a clone Intel chipset.
Title: Re: Eastpect only single core?
Post by: DenverTech on October 05, 2020, 04:55:33 pm
@donatom3

I've definitely gone through that testing myself and can vouch for what MB was saying. I've gotten FAR better scores from i3s and i5s than from anything in the D-series. I had a D-2123 and a D-1528, which had abysmal scores. They're amazing for normal firewall use, but can't handle the higher burden that Sensei and programs like it put on them.

It made me sad in a big way to set aside my own Supermicro D-2123 in favor of an old 4th gen i5, but the performance difference was amazing.

One trick you can use though is to move Elasticsearch to another system. That lowers the load on the firewall a lot. It won't get you 1gbit speeds, but it'll help.
Title: Re: Eastpect only single core?
Post by: donatom3 on October 07, 2020, 05:04:15 am
@denvertech I see what you're saying but on the same page as my post is another one where mb said a score of 250,000 should be enough for 1gb. The D-2123 pulled a 460,000 on single core. There may have been something to hyperthreading that support asked me to turn off. I think one of the tunables I set made my system unstable so I reverted for now but will try again with hyperthreading off tonight.
Title: Re: Eastpect only single core?
Post by: donatom3 on October 07, 2020, 09:29:47 am
@mb

I'm not sure what did it but I'm back to the performance I'm expecting. Not sure if it's 1.6.1 or if it's because I changed powerd from adaptive to hiadaptive.

Also still have hyperthreading on and while doing a speedtest I can't see any single core go above 35%
Title: Re: Eastpect only single core?
Post by: DenverTech on October 07, 2020, 05:10:11 pm
I would be curious if you do manage to get solid speeds with a 2123, as support and I never could. I ended up offloading to an old i5 box rather than keep fighting with it. Tbf, it worked great on the 2123 in OPNsense 20.1, but we never got it quite right on 20.7.
Title: Re: Eastpect only single core?
Post by: donatom3 on October 08, 2020, 05:47:57 am
So far the speeds are holding up. I need to bust out my old box that was doing gig fine with sensei but that was an i5-7600k in a case that can't handle its TDP.

I got rid of all custom tunables except the igb tx and rx process limit tunable. I may even drop that. The interface that's connected to my internal network is using the ixl driver on 10gb sfp+ to my Aruba 1930.
Title: Re: Eastpect only single core?
Post by: actionhenkt on October 10, 2020, 11:33:03 am
Is sensei ever going to be multithreaded? My download speeds over WG vpn seem to max out at 400mbit (of 1gb) with eastpect running 100% cpu on 1 core (out of 8) with average load of 60% on the complete box.
Title: Re: Eastpect only single core?
Post by: mb on October 10, 2020, 04:37:09 pm
Hi @actionhect, yes. It might be sooner than we originally planned, since we have requests from school districts to handle 10 gig. Like netmap work, we need to work with OPNsense team on this. There are two kernel options (RSS, PCBGROUP) that need to be enabled in the kernel.
Title: Re: Eastpect only single core?
Post by: donatom3 on October 10, 2020, 06:47:23 pm
@mb I realize my last message was a bit confusing.

I'm getting 1gbps now with the D-2123it. Again not sure what did it. Multithreading would be great since I imagine traffic between vlans would have to go through Sensei if I'm using opnsense as my router.
Title: Re: Eastpect only single core?
Post by: mb on October 14, 2020, 04:59:02 pm
Hi @donatom3, thanks for the update & clarification.
Title: Re: Eastpect only single core?
Post by: alexroz on December 16, 2020, 07:08:32 pm
posted by mistake
Title: Re: Eastpect only single core?
Post by: ittk on February 14, 2021, 12:16:01 pm
Hi,

is there any update on it? Regarding the kernel options integration and to actually support all CPU Cores / threads from the CPU inside the system?

Hi @actionhect, yes. It might be sooner than we originally planned, since we have requests from school districts to handle 10 gig. Like netmap work, we need to work with OPNsense team on this. There are two kernel options (RSS, PCBGROUP) that need to be enabled in the kernel.