Messages - credem

#1
Quote from: newsense on September 04, 2023, 11:41:00 PM
You have no QAT on that CPU, either Xeon D or Atom C and P series are QAT capable -- or a dedicated card.

https://ark.intel.com/content/www/us/en/ark/products/212327/intel-pentium-silver-n6005-processor-4m-cache-up-to-3-30-ghz.html

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-quick-assist-technology-overview.html

Thanks for noticing, I overlooked this detail. Among the four options available in System --> Settings --> Miscellaneous --> Cryptography settings --> Hardware acceleration I picked the Intel one since I did not recognize the other options. What is an alternative value for my CPU? There is no disable option, so I am not sure which one to pick.

EDIT: never mind, found the answer: "If you do not have a crypto chip in your system, this option will have no effect." So no harm done.
#2
Hello everybody, I have been following this thread with great interest, since I have been experimenting with RSS as well. This is my experience so far.

SETUP

  • OPNSense 23.7.3 & all packages up to date
  • Intel Pentium Silver N6005 (4 cores, 4 threads) with AES-NI hardware acceleration
  • Cryptography acceleration set to Intel QAT (QuickAssist Technology) (System --> Settings --> Miscellaneous), see newsense's post
  • i226-V with igc driver
  • OPNSense tunables set like this:

    • net.isr.bindthreads = 1
    • net.isr.maxthreads = -1
    • net.inet.rss.enabled = 1
    • net.inet.rss.bits = 2
  • ZenArmor installed with native Netmap driver and SQLite db (2 days of log + max 100 devices)
  • CrowdSec with defaults
  • Unbound set to fully recursive

netstat -Q output shows:
Configuration:
Setting                        Current        Limit
Thread count                         4            4
Default queue limit                256        10240
Dispatch policy                 direct          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name   Proto QLimit Policy Dispatch Flags
ip         1   1000    cpu   hybrid   C--
igmp       2    256 source  default   ---
rtsock     3    256 source  default   ---
arp        4    256 source  default   ---
ether      5    256    cpu   direct   C--
ip6        6   1000    cpu   hybrid   C--
ip_direct     9    256    cpu   hybrid   C--
ip6_direct    10    256    cpu   hybrid   C--


I have been running my OPNSense rig like this for the last 4 months with absolutely zero problems and have yet to run into any significant issue, except for a small hiccup with ZenArmor that I recently solved thanks to their support. In this thread, I initially asked for ways to test my setup, so if anyone has some idea I'll be more than willing to give it a spin.

Thanks for all the useful information.
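As an added example (not part of credem's posts or of OPNsense's own tooling), a POSIX sh script that checks whether the RSS/netisr tunables listed in the setup above actually took effect, by parsing the netstat -Q output format shown there. The sample output is constructed from the post; the 2^bits >= CPUs rule for net.inet.rss.bits is taken from the 4 cores / bits = 2 pairing above and assumed to generalize.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the RSS/netisr tunables took
# effect by parsing 'netstat -Q'. Sample output below is constructed from the post.
SAMPLE='Configuration:
Setting                        Current        Limit
Thread count                         4            4
Default queue limit                256        10240
Dispatch policy                 direct          n/a
Threads bound to CPUs          enabled          n/a

Protocols:
Name   Proto QLimit Policy Dispatch Flags
ip         1   1000    cpu   hybrid   C--
arp        4    256 source  default   ---
ether      5    256    cpu   direct   C--
ip6        6   1000    cpu   hybrid   C--
ip_direct     9    256    cpu   hybrid   C--'

# rss_check OUTPUT NCPU -> 0 if netisr runs one bound thread per CPU and the
# ip/ip6/ether paths are hashed per CPU (Policy 'cpu'); prints what is off.
rss_check() {
    out=$1 cpus=$2 rc=0
    threads=$(printf '%s\n' "$out" | awk '/^Thread count/ {print $3}')
    bound=$(printf '%s\n' "$out" | awk '/^Threads bound to CPUs/ {print $5}')
    [ "$threads" = "$cpus" ] || { echo "WARN: $threads netisr threads for $cpus CPUs (net.isr.maxthreads)"; rc=1; }
    [ "$bound" = "enabled" ] || { echo "WARN: threads not bound to CPUs (net.isr.bindthreads)"; rc=1; }
    for p in ip ip6 ether; do
        pol=$(printf '%s\n' "$out" | awk -v p="$p" '$1 == p {print $4}')
        [ "$pol" = "cpu" ] || { echo "WARN: $p policy '$pol', expected 'cpu' (net.inet.rss.enabled)"; rc=1; }
    done
    return $rc
}

# rss_bits_for_cpus NCPU -> smallest net.inet.rss.bits with 2^bits buckets >= NCPU
# (assumed rule, matching the 4 cores / bits=2 pairing in the post; 8 cores -> 3).
rss_bits_for_cpus() {
    b=0; while [ $((1 << b)) -lt "$1" ]; do b=$((b + 1)); done; echo "$b"
}

if [ "${1:-}" = "--live" ]; then                    # run on the OPNsense box itself
    ncpu=$(sysctl -n hw.ncpu)
    rss_check "$(netstat -Q)" "$ncpu"
    want=$(rss_bits_for_cpus "$ncpu"); have=$(sysctl -n net.inet.rss.bits)
    [ "$have" = "$want" ] || echo "WARN: net.inet.rss.bits=$have, expected $want for $ncpu CPUs"
else
    rss_check "$SAMPLE" 4 && echo "OK: sample shows RSS active on 4 bound netisr threads"
fi
```

Without arguments it checks the constructed sample; with --live it reads netstat -Q and sysctl on the firewall and warns about each tunable whose effect is not visible.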
#3
23.1 Legacy Series / Re: i226-V + Zenarmor + RSS
September 04, 2023, 10:46:25 PM
Hey, thanks for the feedback.
Unfortunately it seems like your problem is different from mine and I haven't run into a similar issue so far.
I am afraid I can't help with what you are experiencing.

A couple of things I can add:

  • You can try to change Netmap driver mode (vanilla, native or emulated)
  • I have been pleased so far with SunnyValley support, I believe they can help you out
  • Also make sure to check the dedicated thread about RSS experiments and trials, maybe someone more knowledgeable can help you out.
Hope you can solve your issue.
#4
23.1 Legacy Series / Re: i226-V + Zenarmor + RSS
September 04, 2023, 10:15:51 PM
Last chapter: I was able to solve the problem above by nuking the reporting database in ZenArmor settings.
Settings --> Data Management --> Reporting Database Settings --> Reset Database and make sure to tick Re-install database.

After resetting and reinstalling the SQLite db, now everything works and I was able to register my node in the cloud management portal.

So, it looks like I am able to run ZenArmor with native Netmap driver and RSS enabled, like I was doing before it broke. I'll keep an eye on it and see if everything works in the future.
#5
23.1 Legacy Series / Re: i226-V + Zenarmor + RSS
September 04, 2023, 07:11:56 PM
Spoke too soon.

While the engine is running, there is a problem with the database.
Reports and Live Sessions pages show the following error:


More of the same in ZenArmor logs:
[FATAL] UpdateTable, Cannot open /usr/local/datastore/sqlite/conn_all.sqlite: database disk image is malformed

In this state I also can't register my node to the ZenArmor cloud console.

Not sure if you encountered this issue as well, but worth mentioning it since it's not over.
#6
23.1 Legacy Series / Re: i226-V + Zenarmor + RSS
September 04, 2023, 06:32:05 PM
Ok well, this deserves another post.

I wanted to reproduce the issue once again since you took interest in my post, and give you a screenshot of the error in ZenArmor.
So I followed the guided procedure, installed a SQLite database (more than enough for my needs) but this time, out of frustration ;D I selected native netmap driver.



I always left everything default just to be sure it deployed, so I never bothered changing this setting. By re-reading my original post, I realized I was using the native driver, so I guessed why not give it a try.

Lo and behold... it worked :o



Notice how I still get the same popup about RSS I was complaining about in my original post.
So thanks for replying: it started a chain of events that culminated in solving my issue ;D, I hope it solves yours too.
#7
23.1 Legacy Series / Re: i226-V + Zenarmor + RSS
September 04, 2023, 06:10:54 PM
Quote from: cookiemonster on September 04, 2023, 03:35:48 PM
did you find any difficulties? I ask because I think I have found one, and I can reproduce it but I'm unsure if it is to do with Zenarmor. Disabling it seems to make the problem go away.

Actually yes. Since the latest major update with revamped UI (I believe it's version 1.14), ZenArmor stopped working for me. As I stated in the original post, it had been working fine ever since, up until very recently.
I thought it could be because of RSS, but I ended up disabling ZenArmor instead, didn't want to reboot to disable RSS :D

In my case, after I finish the guided procedure in the new ZenArmor interface, it tries to start the engine but I get:
Cannot read any worker configuration from workers.map

Did you have a similar experience when ZenArmor stopped working? And just to confirm, were you able to make it work again by disabling RSS?

P.S.: just fyi, I am now running OPNSense 23.7.3, but ZenArmor stopped working while I was on version 23.1.11. Updating to 23.7 first, and then to 23.7.3, did not change the result: I always get the same error in ZenArmor.
#8
23.1 Legacy Series / i226-V + Zenarmor + RSS
June 01, 2023, 02:23:25 PM
Hello everybody,
first post here.

I recently set up an OPNSense box (HUNSN RJ03m, Intel N6005, 32GB DDR4, Intel 2.5GbE I226-V) and I am trying to exploit the hardware to the fullest. I am on the latest version (OPNsense 23.1.9-amd64) and I already installed several plugins:

  • AdGuard Home
  • wireguard for DNS over VPN
  • DynamicDNS for Cloudflare DNS updating
  • CrowdSec
  • ZenArmor
I also enabled RSS (Receive Side Scaling) even though I see my network driver (igc) is not explicitly supported.
OPNSense documentation mentions:
Quote: Only enable this feature if you're interested in testing it and seeing if it will increase your throughput under high load – such as when using IDS/IPS.
and since I am definitely using IDS/IPS, I guessed why not.

Now, after installing ZenArmor I started receiving popups about having RSS enabled, and that if I run into any issue I should disable it. I looked a bit deeper into it and I am still not sure what to make of it.
SunnyValley only recommends to disable HW offloading but I don't see anything explicit rather than "your mileage may vary". This thread says that it has indeed an impact on netmap driver.

On the other hand, in this thread the recommendation for igc is to use the emulated netmap driver for ZenArmor.

I am telling you all this because up until now I used
  • ZenArmor with RSS enabled
  • ZenArmor with native netmap driver enabled on igc
and I didn't notice any issue whatsoever, while I realize now my setup should cause issues big time.

So my question to you is: how do I make sure my setup isn't borked? Is there any test I can perform to be sure I am not running into issues? Because as of now, I did not have any: firewall works, I get maximum speed in both directions on WAN and local networks work flawlessly.

Should I keep living recklessly, or should I behave and disable RSS and switch to emulated netmap driver for ZenArmor?
I like to test things out and since I just started, I can afford to make mistakes and tinker my way around the OS.
At the same time I am not persuaded by the fact that everything works fine™ and would love to hear from people more knowledgeable in this area if what I am doing is profoundly wrong.

Thanks.