"Quote from: franco on November 14, 2024, 08:16:23 PM
We haven't tested the RSS bit yet. Only do this if you have time to kill. ;)
Sure, but I am using the x710 card, not sure if I am helping at all..
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
November 15, 2024, 01:14:25 PMSure, but I am using the x710 card, not sure if I am helping at all..
#2
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
November 06, 2024, 02:06:09 PMQuote from: franco on November 05, 2024, 11:54:31 AM
# opnsense-update -zkr 24.7.6-intel5
installed intel5 running with Intel x710 ixl driver.
#3
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
October 25, 2024, 12:38:19 AMQuote from: newsense on October 24, 2024, 01:58:21 AM
No trouble at all, 24.7.7 has no new kernel.
For those already on the 24.7.6-intel2 kernel there are two options:
a) Install 24.7.7 which will revert your kernel to 24.7.6
b) Temporary lock the kernel in the GUI until 24.7.8 is available, so you can upgrade to 24.7.7 without issues. Don't forget to unlock before upgrading to 24.7.8 though
Thanks! Applied intel3 patch on top of 24.7.7. so far so good.. Intel x710-DA2.
#4
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
October 24, 2024, 12:57:43 AMQuote from: franco on October 21, 2024, 09:09:20 AM
Thanks for testing so far. Looks quite ok for the moment, but for extra testing we will skip kernel updates in 24.7.7 this week so this batch will likely land in 243.7.8.
Cheers,
Franco
Upgraded to 24.7.7, will I get into trouble to install the kernel patch on top of 24.7.7?
#5
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
October 23, 2024, 01:28:04 AMQuote from: franco on October 21, 2024, 09:09:20 AM
Thanks for testing so far. Looks quite ok for the moment, but for extra testing we will skip kernel updates in 24.7.7 this week so this batch will likely land in 243.7.8.
219 more years for the kernel update. =) I have time (j/k).
#6
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
October 18, 2024, 03:58:44 PM
Franco,
Thanks for the list of fixes.. That is a lot..
Thanks for the list of fixes.. That is a lot..
#7
24.7, 24.10 Legacy Series / Re: PSA: Test kernel with Intel fixes is available for testing
October 18, 2024, 01:17:24 PM
What specific Intel NIC issues are this kernel fix?
I upgraded to it so far; other than the WAN interface, which does not get a public IPv6 address (/128) anymore, so far, so good.
Using iXL driver with Intel x710..
I upgraded to it so far; other than the WAN interface, which does not get a public IPv6 address (/128) anymore, so far, so good.
Using iXL driver with Intel x710..
#8
24.7, 24.10 Legacy Series / Re: No public ipv6 address after upgraded to 24.7
October 18, 2024, 01:06:24 PMQuote from: franco on July 26, 2024, 07:44:55 PM
SLAAC address? On DHCPv6 mode? ;)
Upgraded to 24.7.6
WAN, IPv4 DHCP, IPv6 DHCP6
WAN Interface no longer receive a public IPv6 address as in the /128.
Code Select
ixl1: flags=1008a43<UP,BROADCAST,RUNNING,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=4800028<VLAN_MTU,JUMBO_MTU,HWSTATS,MEXTPG>
ether 3c:<redux>
inet 157.xx.xx.xx netmask 0xfffff800 broadcast 157.xx.255.255
inet6 fe80::3efd:feff:<redux>:<redux>%ixl1 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (10Gbase-Twinax <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="299"] Sending Solicit
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="300"] set client ID (len 14)
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="301"] set identity association
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="302"] set elapsed time (len 2)
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="303"] set option request (len 4)
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="304"] set IA_PD prefix
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="305"] set IA_PD
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="306"] send solicit to ff02::1:2%ixl1
<29>1 2024-10-18T04:21:12-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="307"] reset a timer on ixl1, state=SOLICIT, timeo=5, retrans=32498
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="308"] Sending Solicit
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="309"] set client ID (len 14)
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="310"] set identity association
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="311"] set elapsed time (len 2)
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="312"] set option request (len 4)
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="313"] set IA_PD prefix
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="314"] set IA_PD
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="315"] send solicit to ff02::1:2%ixl1
<29>1 2024-10-18T04:21:44-07:00 firewall.local dhcp6c 27808 - [meta sequenceId="316"] reset a timer on ixl1, state=SOLICIT, timeo=6, retrans=67049
Under WAN interface (Have not make any changes to these setting since initial setup back in 24.6)
Use IPv4 connectivity : Not Checked
Prefix delegation size : 56
Request prefix only : Not Checked
Send prefix hint : Checked
#9
24.1, 24.4 Legacy Series / Re: Mellanox Connect-X4 25Gbit/s not Working (working in pfsense)
February 09, 2024, 12:10:41 AM
Can you try follow this PDF file section 3.9?
https://network.nvidia.com/pdf/prod_software/Mellanox_FreeBSD_User_Manual_v3.5.2.pdf
hope it helps.
https://network.nvidia.com/pdf/prod_software/Mellanox_FreeBSD_User_Manual_v3.5.2.pdf
hope it helps.
#10
23.7 Legacy Series / Re: [Tutorial/Call for Testing] Enabling Receive Side Scaling on OPNsense
January 06, 2024, 05:12:26 PM
Hi,
I am using HP T740 (AMD Ryzen Embedded V1756B with Radeon Vega Gfx (4 cores, 8 threads)) with Intel X710 NIC. I enabled rss. In the netstat -Q ouput, the QDrops for IP6 are increasing slowly. I already tried to increase net.isr.defaultqlimit from 2048 to 8192. That still did not increase the QLimits for IP6.
Find the tunables to adjust them,
net.inet.ip.intr_queue_maxlen
net.inet6.ip6.intr_queue_maxlen
I am using HP T740 (AMD Ryzen Embedded V1756B with Radeon Vega Gfx (4 cores, 8 threads)) with Intel X710 NIC. I enabled rss. In the netstat -Q ouput, the QDrops for IP6 are increasing slowly. I already tried to increase net.isr.defaultqlimit from 2048 to 8192. That still did not increase the QLimits for IP6.
Find the tunables to adjust them,
net.inet.ip.intr_queue_maxlen
net.inet6.ip6.intr_queue_maxlen
Code Select
root@opnsense:/home/root # netstat -Q
Configuration:
Setting Current Limit
Thread count 8 8
Default queue limit 8192 10240
Dispatch policy direct n/a
Threads bound to CPUs enabled n/a
Protocols:
Name Proto QLimit Policy Dispatch Flags
ip 1 3000 cpu hybrid C--
igmp 2 8192 source default ---
rtsock 3 8192 source default ---
arp 4 8192 source default ---
ether 5 8192 cpu direct C--
ip6 6 1000 cpu hybrid C--
ip_direct 9 8192 cpu hybrid C--
ip6_direct 10 8192 cpu hybrid C--
Workstreams:
WSID CPU Name Len WMark Disp'd HDisp'd QDrops Queued Handled
0 0 ip 0 12 0 499 0 3039 3538
0 0 igmp 0 0 0 0 0 0 0
0 0 rtsock 0 0 0 0 0 0 0
0 0 arp 0 0 501 0 0 0 501
0 0 ether 0 0 2271227 0 0 0 2271227
0 0 ip6 0 1000 0 93596 202 1083995 1177591
0 0 ip_direct 0 0 0 0 0 0 0
0 0 ip6_direct 0 0 0 0 0 0 0
1 1 ip 0 10 0 375 0 5571 5946
1 1 igmp 0 0 2 0 0 0 2
1 1 rtsock 0 0 0 0 0 0 0
1 1 arp 0 0 0 0 0 0 0
1 1 ether 0 0 865820 0 0 0 865820
1 1 ip6 0 1000 0 1071 517 1508206 1509277
1 1 ip_direct 0 0 0 0 0 0 0
1 1 ip6_direct 0 0 0 0 0 0 0
2 2 ip 0 7 0 425 0 1902 2327
2 2 igmp 0 0 0 0 0 0 0
2 2 rtsock 0 0 0 0 0 0 0
2 2 arp 0 0 0 0 0 0 0
2 2 ether 0 0 3891441 0 0 0 3891441
2 2 ip6 0 1000 0 89837 154 786449 876286
2 2 ip_direct 0 0 0 0 0 0 0
2 2 ip6_direct 0 0 0 0 0 0 0
3 3 ip 0 49 0 117 0 30043 30160
3 3 igmp 0 0 1 0 0 0 1
3 3 rtsock 0 0 0 0 0 0 0
3 3 arp 0 0 0 0 0 0 0
3 3 ether 0 0 2731942 0 0 0 2731942
3 3 ip6 0 1000 0 570 160 355308 355878
3 3 ip_direct 0 0 0 0 0 0 0
3 3 ip6_direct 0 0 0 0 0 0 0
4 4 ip 0 10 0 273 0 1897 2170
4 4 igmp 0 0 0 0 0 0 0
4 4 rtsock 0 2 0 0 0 115 115
4 4 arp 0 0 0 0 0 0 0
4 4 ether 0 0 597119 0 0 0 597119
4 4 ip6 0 1000 0 66457 1360 988018 1054475
4 4 ip_direct 0 0 0 0 0 0 0
4 4 ip6_direct 0 0 0 0 0 0 0
5 5 ip 0 33 0 671 0 6113 6784
5 5 igmp 0 0 3 0 0 0 3
5 5 rtsock 0 0 0 0 0 0 0
5 5 arp 0 0 0 0 0 0 0
5 5 ether 0 0 626430 0 0 0 626430
5 5 ip6 0 1000 0 1430 1226 1361493 1362923
5 5 ip_direct 0 0 0 0 0 0 0
5 5 ip6_direct 0 0 0 0 0 0 0
6 6 ip 0 59 0 331 0 4234 4565
6 6 igmp 0 0 0 0 0 0 0
6 6 rtsock 0 0 0 0 0 0 0
6 6 arp 0 0 0 0 0 0 0
6 6 ether 0 0 725274 0 0 0 725274
6 6 ip6 0 1000 0 94895 3162 1398256 1493151
6 6 ip_direct 0 0 0 0 0 0 0
6 6 ip6_direct 0 0 0 0 0 0 0
7 7 ip 0 25 0 644 0 8798 9442
7 7 igmp 0 0 0 0 0 0 0
7 7 rtsock 0 0 0 0 0 0 0
7 7 arp 0 0 0 0 0 0 0
7 7 ether 0 0 445253 0 0 0 445253
7 7 ip6 0 936 0 236 0 909138 909374
7 7 ip_direct 0 0 0 0 0 0 0
7 7 ip6_direct 0 0 0 0 0 0 0
root@opnsense:/home/root # sysctl -a | grep isr
net.route.netisr_maxqlen: 8192
net.isr.numthreads: 8
net.isr.maxprot: 16
net.isr.defaultqlimit: 8192
net.isr.maxqlimit: 10240
net.isr.bindthreads: 1
net.isr.maxthreads: 8
net.isr.dispatch: direct
#11
Hardware and Performance / RSS support on newer Intel 13th Gen CPU
December 26, 2023, 07:09:18 PM
Researching at Intel 13th Gen CPUs, many of these newer CPUs have the Performance-cores (P cores) and Efficient-cores (E Cores). The performance cores support hyperthreading. How do I set the net.inet.rss.bits = X?
If I have a i5-13500 Processor, which has 6 P cores and 8 E Cores. That is 20 threads with HT or 14 w/o HT. How should I set the RSS bits? Thanks!
If I have a i5-13500 Processor, which has 6 P cores and 8 E Cores. That is 20 threads with HT or 14 w/o HT. How should I set the RSS bits? Thanks!
#12
Hardware and Performance / Re: DEC750 only 4 logical cores
December 26, 2023, 06:53:34 PM
Do you see any performance improvement after enabled SMT?
#13
Intrusion Detection and Prevention / Re: Order of operation
June 29, 2023, 07:15:44 PM
Hello pmhausen,
Thanks for confirming it and agree with your point #2 and #3. I am testing Zenarmor on the internal interfaces at this point.
I am hope I can use Suricate to monitor both in and out direction traffic as well.
Thanks for confirming it and agree with your point #2 and #3. I am testing Zenarmor on the internal interfaces at this point.
I am hope I can use Suricate to monitor both in and out direction traffic as well.
#14
Intrusion Detection and Prevention / Order of operation
June 29, 2023, 05:48:31 PM
Hello,
I setup Suricata to monitor my wan interface. I got these alerts,
I don't have any inbound rule which allow TCP or UDP port 5060 at all. What is the order of operation in OPNSense? Is the packet get inspected by IPS before firewall rule?
If the traffic is going to get deny by the firewall rule. There is no reason to get inspected by IPS at all.
Thanks in advanced.
I setup Suricata to monitor my wan interface. I got these alerts,
Code Select
2023-06-29T07:17:41.257635-0700 2011716 allowed 162.240.78.231 5060 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:14:59.087306-0700 2011716 allowed 45.134.144.57 5119 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:14:59.087306-0700 2008578 allowed 45.134.144.57 5119 my.wan.ip.addr 5060 ET SCAN Sipvicious Scan
2023-06-29T07:13:39.864465-0700 2011716 allowed 45.93.16.217 5128 my.wan.ip.addr 5060 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
2023-06-29T07:13:39.864465-0700 2008578 allowed 45.93.16.217 5128 my.wan.ip.addr 5060 ET SCAN Sipvicious ScanI don't have any inbound rule which allow TCP or UDP port 5060 at all. What is the order of operation in OPNSense? Is the packet get inspected by IPS before firewall rule?
If the traffic is going to get deny by the firewall rule. There is no reason to get inspected by IPS at all.
Thanks in advanced.
#15
23.1 Legacy Series / Re: 23.1.6 firewall stopped passing traffic for about 10 mins and came back
May 06, 2023, 01:30:46 AM
I just saw your reply. I updated to 23.1.7. Let's see what happened now. I am looking for information that I can check to understand what is the root cause.
