Messages - seed

1
24.7 Production Series / Re: [SOLVED] Hyperscan AVX-512 gcc arch flag
« on: September 07, 2024, 06:09:58 pm »
This totally explains the small performance difference. I marked this as solved.

2
24.7 Production Series / Re: Hyperscan AVX-512 gcc arch flag
« on: September 07, 2024, 05:54:47 pm »
Quote from: doktornotor on September 07, 2024, 04:40:32 pm
Considering the following note, I'd say this debate is very much pointless.

Quote
There is currently no operating system support for this feature on non-Linux systems.

https://github.com/opnsense/ports/blob/master/devel/hyperscan/Makefile


Thank you for looking this up. So if I understand correctly there is no AVX-512 support.

3
24.7 Production Series / Re: Hyperscan AVX-512 gcc arch flag
« on: September 07, 2024, 04:25:19 pm »
Alternatively, I would like to know how I can check this myself so that I can answer my own questions.

4
24.7 Production Series / [SOLVED] Hyperscan AVX-512 gcc arch flag
« on: September 06, 2024, 06:16:51 pm »
Hello OPNsense developers,

Background information on my questions. I have run Suricata performance tests with Ryzen 7700X and Ryzen 9700X and found that the throughput rates in my scenario are almost identical (23Gbit/s and 26Gbit/s). In the Ryzen 9000 generation, the AVX-512 performance should be twice as fast as in the 7000 generation.

Could it be that Hyperscan was built without AVX-512 support? Is that the reason for the low speed differences?

Documentation for reference:
https://intel.github.io/hyperscan/dev-reference/getting_started.html

Quote
Hyperscan v5.3 adds support for AVX512VBMI instructions - in particular the AVX512VBMI instruction set that was introduced on Intel “Icelake” Xeon processors - however the AVX512VBMI runtime variant is not enabled by default in fat runtime builds as not all toolchains support AVX512VBMI instruction sets. To build an AVX512VBMI runtime, the CMake variable BUILD_AVX512VBMI must be enabled manually during configuration. For example:

cmake -DBUILD_AVX512VBMI=on <...>

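Added example, not from this thread or from the OPNsense or Suricata projects: the two checks a practitioner can run on the box itself to answer the question above without guessing. It parses the CPU feature lines FreeBSD writes to /var/run/dmesg.boot (AVX512F, AVX512BW, AVX512VBMI) and the "Hyperscan support:" line of `suricata --build-info`. The sample dmesg block and build-info excerpt are constructed; the hex register values in them are placeholders. Caveat: this tells you what the CPU offers and whether Suricata was linked against libhs at all, not which runtime variants the installed libhs was built with; per the ports Makefile note quoted in the thread, the FreeBSD port does not enable the AVX-512 variants.

```python
from __future__ import annotations
import re
import subprocess
from pathlib import Path

# Constructed sample of the CPU block FreeBSD logs at boot (/var/run/dmesg.boot).
# The hex register values are placeholders; only the <...> flag lists are parsed.
SAMPLE_DMESG = """\
CPU: AMD Ryzen 7 7700X 8-Core Processor (4500.00-MHz K8-class CPU)
  Origin="AuthenticAMD"  Id=0xa60f12  Family=0x19  Model=0x61  Stepping=2
  Features2=0x7ed8320b<SSE3,PCLMULQDQ,MON,SSSE3,FMA,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AESNI,XSAVE,OSXSAVE,AVX,F16C,RDRAND>
  Structured Extended Features=0xf1bf97a9<FSGSBASE,TSCADJ,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,AVX512IFMA,CLFLUSHOPT,CLWB,SHA,AVX512CD,AVX512BW,AVX512VL>
  Structured Extended Features2=0x405fc6<AVX512VBMI,UMIP,PKU,OSPKE,AVX512VBMI2,GFNI,VAES,VPCLMULQDQ,AVX512VNNI,AVX512BITALG,AVX512VPOPCNTDQ,RDPID>
"""

# Constructed excerpt of `suricata --build-info`; the "Hyperscan support:" line
# says whether the binary was linked against libhs at all.
SAMPLE_BUILD_INFO = """\
This is Suricata version 7.0.6 RELEASE
Suricata Configuration:
  AF_PACKET support:                       no
  Hyperscan support:                       yes
  Libnet support:                          yes
"""

# Matches "Features=0x..<..>", "Features2=..", "AMD Features=.." and
# "Structured Extended Features2=.." lines as printed by the FreeBSD kernel.
FEATURE_LINE = re.compile(
    r"^\s*(?:AMD |Structured Extended )?Features2?=0x[0-9a-fA-F]+<([^>]*)>", re.M
)


def cpu_features(dmesg_text: str) -> set[str]:
    """Collect every CPU flag name from the kernel's CPU feature lines."""
    feats: set[str] = set()
    for m in FEATURE_LINE.finditer(dmesg_text):
        feats.update(f for f in m.group(1).split(",") if f)
    return feats


def avx512_level(feats: set[str]) -> str:
    """Classify the CPU by the tiers Hyperscan's fat runtime distinguishes:
    avx512vbmi (Icelake+ / Zen 4+), avx512 (needs AVX512F+BW), avx2, or none."""
    if {"AVX512F", "AVX512BW", "AVX512VBMI"} <= feats:
        return "avx512vbmi"
    if {"AVX512F", "AVX512BW"} <= feats:
        return "avx512"
    if "AVX2" in feats:
        return "avx2"
    return "none"


def suricata_hyperscan(build_info: str) -> bool:
    """True when `suricata --build-info` reports 'Hyperscan support: yes'."""
    m = re.search(r"^\s*Hyperscan support:\s*(\w+)", build_info, re.M)
    return bool(m) and m.group(1).lower() == "yes"


def report(dmesg_text: str, build_info: str) -> dict:
    feats = cpu_features(dmesg_text)
    return {
        "cpu_avx512": avx512_level(feats),
        "suricata_hyperscan": suricata_hyperscan(build_info),
    }


if __name__ == "__main__":
    # On an OPNsense/FreeBSD host read the real data; elsewhere fall back to the samples.
    boot_log = Path("/var/run/dmesg.boot")
    dmesg = boot_log.read_text() if boot_log.exists() else SAMPLE_DMESG
    try:
        bi = subprocess.run(["suricata", "--build-info"], capture_output=True,
                            text=True, check=False).stdout
    except FileNotFoundError:
        bi = SAMPLE_BUILD_INFO
    print(report(dmesg, bi))
```

Run it as root on the firewall; "cpu_avx512": "avx512vbmi" with "suricata_hyperscan": True means the hardware and the Suricata build are not the limiting factor, which leaves the libhs build itself as the place to look.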

5
24.7 Production Series / Re: What is present advice about OpenSSH/SSH/SSHD cve-2024-6387
« on: July 03, 2024, 05:12:24 pm »
I also do not understand why people become angry so easy.

When the community version support is not enough for one, go buy a business licence and escalate this on the support side.

There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.

6
24.1 Legacy Series / Re: Intel killed Hyperscan
« on: May 10, 2024, 10:27:10 pm »
Quote
Due to licensing changes beginning with Hyperscan 5.5[0] to a
proprietary/closed license and general lack of support for the 5.4.x
branch I will be retiring Hyperscan from rawhide.

The intent is to replace the hyperscan package with the vectorscan[1]
package that is currently in the last stages of review[2].
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/UZD4BLRMHPQY27IMYQZ76TXCBULHALFJ/

Vectorscan as a fork:
https://github.com/VectorCamp/vectorscan

7
24.1 Legacy Series / Intel killed Hyperscan
« on: May 10, 2024, 10:08:02 pm »
Hyperscan as a regex pattern matcher is important for Suricata. Firewalls with CPUs with AVX benefit from this performance gain.

Now Intel makes Hyperscan proprietary. I guess this will harm Suricata performance on OPNsense systems in the future.

https://www.phoronix.com/news/Intel-Hyperscan-Now-Proprietary

8
Intrusion Detection and Prevention / Re: AMD zen 5 Hyperscan AVX-512 Suricata Throughput
« on: April 15, 2024, 08:13:48 pm »
It looks like the EPYC 3451 does not support AVX-512. So my estimates could be waaaaay off.
Zen 4 with AVX-512 could be a massive improvement over the AMD EPYC Embedded 3000 architecture. Zen 5 could be mindblowing.

Unfortunately I can't benchmark beyond 1Gbps with my Ryzen 7700 setup (my access switch ports are just 1G).

I would be very happy if opnsense entered the performance class of ASIC/FPGA firewalls.

9
Intrusion Detection and Prevention / AMD zen 5 Hyperscan AVX-512 Suricata Throughput
« on: April 15, 2024, 08:01:07 pm »
Hi there,

Since Hyperscan 5.4.0, AVX-512 is supported. This version is currently a part of OPNsense 24.1.5_3-amd64. The latest version is Hyperscan 5.4.2, released in April 2023 (please update Hyperscan @opnsense devs).

Since AVX is used to speed up Suricata, more AVX performance should mean more throughput.
It is rumoured that AMD's Zen 5 architecture will double the AVX-512 performance. In theory this could result in an extreme performance improvement.

The Deciso DEC4280 (EPYC 3451) is being marketed with ~7.5Gbps Threat Protection Throughput.
Using this information as a baseline and throwing in some benchmark numbers i try to estimate what a zen 5 Suricata IPS performance could look like:

CPU            Benchmark result (cpubenchmark.net)   IPS throughput (Gbit/s)
EPYC 3451      19532                                  7.5
Ryzen 7700X    36021                                 13.8 (estimated)
Ryzen 7950X    62950                                 24.1 (estimated)
Ryzen 9950X    94425 (estimated)                     36.2 (estimated)


10
24.1 Legacy Series / Re: Error reconfiguring IDS
« on: March 06, 2024, 07:16:01 pm »
Quote from: franco on March 06, 2024, 06:46:06 pm
try this patch https://github.com/opnsense/core/commit/8fab0a77c

# opnsense-patch 8fab0a77c

I applied the patch after installing 24.1.3 and rebooted. Suricata with IPS seems to run fine. Thank you.

11
24.1 Legacy Series / Re: 24.1 IDS breaks internet
« on: January 31, 2024, 01:14:14 pm »
I hope it isn't postponed to somewhere in six months. Without any logs on hand it seems difficult to open a bug report in the Suricata GitHub.

Edit: I meant the release of Suricata 7, not the release of the rollback.

12
24.1 Legacy Series / Re: 24.1 IDS breaks internet
« on: January 30, 2024, 07:42:46 pm »
Quote from: seed on January 30, 2024, 06:46:34 pm
Quote from: seed on January 30, 2024, 06:36:47 pm
I must report the same issues.
Having suricata running breaks the connection.

When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)

Adding:

Code:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes

to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the post above.
Looks like a little hotfix must be released.


Even with the fix applied i have problems reaching my servers by http/https.
I disabled suricata for now.

13
24.1 Legacy Series / Re: 24.1 IDS breaks internet
« on: January 30, 2024, 06:46:34 pm »
Quote from: seed on January 30, 2024, 06:36:47 pm
I must report the same issues.
Having suricata running breaks the connection.

When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)

Adding:

Code:
stream.midstream-policy: ignore
http2:
  enabled: yes
quic:
  enabled: yes

to /usr/local/opnsense/service/templates/OPNsense/IDS/custom.yaml fixed the issue as described in the post above.
Looks like a little hotfix must be released.

14
24.1 Legacy Series / Re: 24.1 IDS breaks internet
« on: January 30, 2024, 06:36:47 pm »
I must report the same issues.
Having suricata running breaks the connection.

When connected to the OPNsense console I can ping 1.1 through the igb interface. But not to LAN (LACP lagg with ixl interfaces)

15
23.7 Legacy Series / Clearing IP Do-Not-Fragment in Firewall Normalizations causes issues
« on: January 24, 2024, 08:54:29 pm »
I have the problem that clearing the DF bit using normalisation causes service disruptions.
Sites like Reddit or GitHub won't work any longer when "no-df" is set.

Go to: "Firewall: Settings: Normalization"
Click on "IP Do-Not-Fragment"
Browse to https://github.com/opnsense/core/ or try to read a Reddit post.
Sites don't function as expected

When directly connected to my router things work as expected. When "IP Do-Not-Fragment" is disabled everything works fine.
But enabling "IP Do-Not-Fragment" causes issues.

Please check on your own setup and report back. This bugs me.
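Added example, not part of the post above and not code from OPNsense or pf: a Python script that does to a packet what the "IP Do-Not-Fragment" normalization (pf scrub `no-df`) does, clearing the DF flag and recomputing the IPv4 header checksum, run over a constructed 1500-byte packet. It also flags the hazard pf.conf(5) documents for this option: clearing DF on a packet whose IP identification field is 0 makes any later fragmentation by an upstream router ambiguous, which is why pf.conf recommends `random-id` together with `no-df`. Checking for zero-ID DF packets in a capture is one concrete thing to look at when sites stop working after enabling the option. Addresses are RFC 5737 documentation ranges; `IP_DF`, `build_ipv4_header`, `clear_df` and `demo` are names chosen here.

```python
from __future__ import annotations
import struct

IP_DF = 0x4000          # Don't Fragment bit in the flags/fragment-offset field
IP_MF = 0x2000          # More Fragments bit
FRAG_OFF_MASK = 0x1FFF  # 13-bit fragment offset


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over the header as given.
    With the checksum field zeroed it returns the value to store; with the
    correct checksum in place it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header into a dict."""
    (ver_ihl, _tos, total_len, ident, flags_off, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len,
        "id": ident, "df": bool(flags_off & IP_DF), "mf": bool(flags_off & IP_MF),
        "frag_off": flags_off & FRAG_OFF_MASK, "ttl": ttl, "proto": proto,
        "checksum": csum, "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
    }


def clear_df(pkt: bytes) -> tuple[bytes, list[str]]:
    """Emulate pf scrub 'no-df': clear DF and fix the header checksum.
    Returns the rewritten packet and any warnings; packets without DF
    are returned unchanged."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    flags_off = struct.unpack_from("!H", hdr, 6)[0]
    warnings: list[str] = []
    if flags_off & IP_DF:
        ident = struct.unpack_from("!H", hdr, 4)[0]
        if ident == 0:
            # The case pf.conf(5) warns about: once DF is gone, an upstream
            # router may fragment this packet, and ID 0 cannot distinguish
            # its fragments from those of the next zero-ID packet.
            warnings.append("DF cleared on packet with IP ID 0; "
                            "pf.conf recommends random-id with no-df")
        struct.pack_into("!H", hdr, 6, flags_off & ~IP_DF)
        struct.pack_into("!H", hdr, 10, 0)                      # zero old checksum
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:], warnings


def build_ipv4_header(src: str, dst: str, ident: int, flags_off: int,
                      payload_len: int, proto: int = 6, ttl: int = 64) -> bytes:
    """Build a minimal (no options) IPv4 header with a valid checksum."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off, ttl, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


# Constructed sample: a full-MTU TCP packet with DF set and IP ID 0, the
# combination the pf.conf caveat is about (payload bytes are filler).
SAMPLE = build_ipv4_header("192.0.2.10", "198.51.100.20", ident=0,
                           flags_off=IP_DF, payload_len=1480) + b"\x00" * 1480


def demo() -> tuple[dict, dict, list[str]]:
    before = parse_ipv4(SAMPLE)
    after_pkt, warns = clear_df(SAMPLE)
    return before, parse_ipv4(after_pkt), warns


if __name__ == "__main__":
    before, after, warns = demo()
    print("before:", before["df"], hex(before["checksum"]), before["checksum_ok"])
    print("after: ", after["df"], hex(after["checksum"]), after["checksum_ok"])
    for w in warns:
        print("warning:", w)
```

To apply the same check to real traffic, feed the raw IPv4 headers from a capture taken on the LAN side into `clear_df` and count the warnings: a stream of zero-ID, DF-set packets from a client is the pattern where `no-df` without `random-id` can do harm.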

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved