OPNsense Forum

English Forums => Hardware and Performance => Topic started by: cwegh on March 23, 2021, 09:42:38 am

Title: pfSense will support Intel Quickassist, what about OPNsense?
Post by: cwegh on March 23, 2021, 09:42:38 am
Hi all

pfSense and OPNsense supports CPUs that have AES-NI as an on-die cryptographic accelerators. On ARM-based systems, the additional load from AES operations will be offloaded to those on-die cryptographic accelerators, such as the one found on our SG-1000. ARM v8 CPUs include instructions like AES-NI that can be used to increase performance of the AES algorithm on these platforms. Information from pfSense: https://www.netgate.com/blog/more-on-aes-ni.html (https://www.netgate.com/blog/more-on-aes-ni.html)

Besides AES-NI some CPUs, such as the Atom C3xx series, also have Intel QuickAssist as an extra offloading chip for encryption (and compression but not relevant in this context) --> https://www.servethehome.com/intel-quickassist-technology-and-openssl-setup-insights-and-initial-benchmarks/ (https://www.servethehome.com/intel-quickassist-technology-and-openssl-setup-insights-and-initial-benchmarks/) and https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/ (https://www.servethehome.com/intel-quickassist-at-40gbe-speeds-ipsec-vpn-testing/)


Question: I was wondering if the OPNsense team has any plans that this also will become available in OPNsense? I am unable to find concrete information on this (so not assumptions or rumors).


Somewhere the coming year I will upgrade to 1 gigabit internet. I am also setting up my network with an always-on VPN, routing all internet traffic through an OpenVPN tunnel. I have a firewall appliance with a C3558 board so I can leverage QuickAssist in the future.


Having QuickAssist available to avoid too much load on the CPU will become a requirement at a certain point (AES-NI is sufficient for now). Of course I can still use the CPU but that will stress the hardware and will impact longevity but also more power usage.

More background information:

The QAT driver is available in FreeBSD --> https://www.freebsd.org/cgi/man.cgi?query=qat&apropos=0&sektion=0&manpath=FreeBSD+13.0-current&arch=default&format=html (https://www.freebsd.org/cgi/man.cgi?query=qat&apropos=0&sektion=0&manpath=FreeBSD+13.0-current&arch=default&format=html)

pfSense Plus also supports this from version 21.02: Support for IntelĀ® QuickAssist Technology, also known as QAT.

pfSense will also make this available in pfSense CE somewhere this year on 3rd party hardware.





Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: pmhausen on March 23, 2021, 10:47:27 am
Quote
HISTORY
     The qat driver first appeared in FreeBSD 13.0.

Which implies as soon as OPNsense upgrades to Free/HardenedBSD 13, the support will be there. If not in the UI, you can always set a tunable to load the driver as described in the manpage.
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: cwegh on March 23, 2021, 01:32:11 pm
Thanks, that is good intel. Looking to the roadmap (https://opnsense.org/about/road-map/ (https://opnsense.org/about/road-map/)), this would be not earlier than the January 2022 release?
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: franco on March 23, 2021, 08:10:38 pm
Yes, current plan is 22.1.


Cheers,
Franco
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: jbattermann on August 20, 2021, 03:28:10 pm
Raising my hand here as well - QAT support in OPNSense would be very nice indeed. No pressure or anything, but just to indicate that there's at least one additional user that might appreciate it once >= 22.1 comes around.
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: skyjam on February 21, 2022, 11:46:34 pm
Yes, current plan is 22.1.
@franco: any update, now that 22.1 is out?
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: skyjam on February 22, 2022, 12:15:12 am
OPNsense 22.1.1_3-amd64

According to https://www.freebsd.org/cgi/man.cgi?query=qat (https://www.freebsd.org/cgi/man.cgi?query=qat) I added the loader.conf data to tunables.

I have a Sophos SG 125 Rev.3, powered by Intel Atom C3508.
So I added

After a reboot, dmesg gives me:
Code: [Select]
qat0: <Intel C3000 QuickAssist PF> mem 0xdd240000-0xdd27ffff,0xdd200000-0xdd23ffff irq 18 at device 0.0 on pci1
Does it work? No Idea... I can tell my IPSEC tunnel is working...
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: mimugmail on February 22, 2022, 06:46:47 am
There is some work to be done

https://github.com/opnsense/core/issues/5559
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: franco on February 22, 2022, 07:53:57 am
It's really just "kldload" and that's it. As for:

> Does it work? No Idea... I can tell my IPSEC tunnel is working...

It's AESNI all over again. ;)


Cheers,
Franco
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: mimugmail on February 22, 2022, 08:27:30 am
Oh cool, so the issue is just for labeling and boot loading? :)
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: franco on February 22, 2022, 09:18:59 am
It's done.

https://github.com/opnsense/core/commit/db686a85
https://github.com/opnsense/core/commit/dd4512aa


Cheers,
Franco
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: mimugmail on February 22, 2022, 05:46:52 pm
Thx! And you removed AES-NI because systems with AES-NI-only without QAT will use it anyway?
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: franco on February 22, 2022, 08:39:50 pm
AESNI is now part of the FreeBSD GENERIC kernel. No use to load the module, see

https://cgit.freebsd.org/src/commit/?id=074a91f746bd


Cheers,
Franco
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: mimugmail on February 23, 2022, 07:06:30 am
I thought I follow the development close enough :) Thx
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: zz00mm on March 02, 2022, 02:23:45 am
Atom C3758 QAT support
OPNsense 2.1.2 shows the following:

kldstat -v | grep qat
20    1 0xffffffff82904000    16308 qat.ko (/boot/kernel/qat.ko)
                541 pci/qat
21    1 0xffffffff8291b000    a13f8 qat_c3xxxfw.ko (/boot/kernel/qat_c3xxxfw.ko)
                542 qat_c3xxxfw_fw

dmesg | grep qat
qat0: <Intel C3000 QuickAssist PF> mem 0xdf340000-0xdf37ffff,0xdf300000-0xdf33ffff at device 0.0 on pci1


So it see's it, it has been selected under System -> Settings -> Misc -> Hardware acceleration.

As Franco said earlier, Does it work? No Idea... I can tell my IPSEC tunnel is working...


 the openVPN client connections to ProtonVPN are up and working.
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: franco on March 02, 2022, 08:46:45 am
Well it already picks up the hardware so that's a good sign (hardware without QAT will not have dmesg output when you load the module).

Now it's the same thing as AESNI really: is it being used? You are the only one who can verify to be honest with throughput tests.


Cheers,
Franco
Title: Re: pfSense will support Intel Quickassist, what about OPNsense?
Post by: mimugmail on March 02, 2022, 10:03:28 am
I only have QAT systems with 1Gbit .. sadly I can't test right now.