Messages - mb

#31
@djr92, thanks, very helpful. Glad to hear that you've seen improvements in bufferbloat tests.

WRT the stalls, can you try the same test with Zenarmor in bypass mode? I want to make sure it's not ZA-related. In bypass mode, ZA acts as a dummy bridge switching packets back and forth.
#32
Quote from: jbhorner on February 04, 2023, 02:30:49 AM
Yes, I do. I don't use pass-throughs on my VM. They cause problems with snapshots. (Or at least they have for me in the past.)

After my last reply here, it had another kernel panic (post patch).

Thanks for more information @jbhorner. Since you're using vlan(4), you're actually using the netmap emulated driver. We'll take a look.

For the time being, for the sake of clarity, please confirm these crashes happen when you're using the netmap beta kernel?
#33
@jbhorner, thanks. Quick question: are you using vlans on a vtnet interface?
#34
Zenarmor (Sensei) / Re: FreeBSD Install
January 30, 2023, 08:46:36 PM
Hi @almodovaris,

It's expected that if you use L2 Bridge Mode (netmap), whenever you stop the packet engine the bridge will go down, since the bridge is managed by Zenarmor itself.

Thanks for letting us know that you can protect a bridge member interface.

In the meantime, we're working with the OPNsense Klara team to bring better bridge(4) support to netmap:

https://reviews.freebsd.org/D38066
#35
If you've experienced packet stalls while using Zenarmor or Suricata IPS with vlan/lagg interfaces:

The OPNsense team has shipped a test kernel which has bug-fixes for the netmap emulated driver, the default mode for vlan and lagg interfaces.

Please test and provide feedback. We want to make sure all issues are addressed this time. So, your help will be greatly appreciated.

https://forum.opnsense.org/index.php?topic=32114.0
#37
Hi @DoBoY,

Happy New Year!

We're aware of this problem. This affects Top Local and Top Remote Hosts charts. We're testing the fix in pilot environments.

We'll ship the fix with 1.12.3 tomorrow / Tuesday.
#38
Got it. It's ok to have some sockets lingering in TIME_WAIT / CLOSE_WAIT. They do not consume resources and will be purged by the OS network stack after their timeouts.

This might be the culprit. If there's a network problem between the router & ES server, connections might be stuck in a stale state.
#39
Hi @BillyJoePiano,

This is not expected. In my home firewall, I see around 15-30 active connections.

Are they all in ESTABLISHED state?
#40
Hi @BNaCI,

Currently, the way ZA L2 bridge works is it actually disconnects them from the OS, and does the bridging itself switching packets back and forth between ZA-configured bridge interfaces (it is independent of OS bridge).

The drawback is, when you don't have the ZA packet engine running, you don't have the bridge. In some of our deployments, we also utilize Silicom Bypass adapters for that. With them, you always have a hardware-assisted bridge even when you have your server hardware powered down.

To simplify things, together with the OPNsense team, we're bringing netmap support to if_bridge(4). So basically, you'll be able to run Zenarmor or Suricata IPS on an OS bridge interface.

WRT an ETA, we hope to provide a testable kernel in February '23.
#41
Hi @jlab,

Thanks for the video, just watched it! That's a very well organized introduction to Zenarmor on OPNsense!

Looking forward to Episode 3!
#42
Zenarmor (Sensei) / Re: Memory usage
November 14, 2022, 02:44:06 PM
@almodovaris, due to a feature, we had bumped the netmap buffers in 1.12. This might be the reason.

We'll re-adjust and decrease them with the upcoming 1.12.1. Update and see if you see improvements in memory consumption.
#43
@greY thanks, very helpful.

Most probably, there has been a driver update in the meantime causing a regression in netmap support.

These days, we're working on a project which tries to bring a driver-agnostic methodology with regard to netmap support, so this feedback will be very helpful.
#44
Hi @johndchch,

Makes sense, thanks.

Sure thing, I think we can introduce an option to the Interface Configuration Screen.
It's a bit late for 1.12, however let's see if we can ship with 1.13.
#45
Hi @greY,

Thanks for the additional information. Very helpful.

This suggests that this is a netmap issue, because Zenarmor in bypass mode does nothing more than basically switching packets back and forth. It behaves like a dummy bridge.

Having said that, if this config is working in a different scenario, that might be a useful hint.

By business edition, are you referring to OPNsense Business edition? If so, can you share the exact version information?