Messages - HeneryH

#1
Hardware and Performance / Re: QAT Accelerator
February 24, 2025, 05:13:46 PM
@patient0, yes, I think I have it enabled.  I was just looking for some way to confirm that it is 1) there and accessible at all and 2) OpnSense is using it.
#2
Hardware and Performance / Re: QAT Accelerator
February 24, 2025, 03:38:56 AM
Quote from: zz00mm on March 10, 2023, 04:26:28 PM
I tested the QAT speed of my ATOM C3758 which has onboard QAT, using the openssl speed command from this article.
https://stackoverflow.com/questions/64862544/how-to-check-compare-openssl-speed

@zz00mm, do you happen to know the prerequisite steps you need to install to get the test to run?  I just did an OpnSense install and when I log in as root and go to the shell I get library errors when running the test.

I don't even have the basic diagnostic commands like cpuid available.  I suppose OpnSense wasn't built for ease of use using the shell.

root@OPNsense:~ # lspci | grep -i "QuickAssist"
lspci: Command not found.
root@OPNsense:~ # openssl speed -engine qat rsa2048
Invalid engine "qat"
00208112871B0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/engines-3/qat.so): Cannot open "/usr/lib/engines-3/qat.so"
00208112871B0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:152:
00208112871B0000:error:13000084:engine routines:dynamic_load:dso not found:/usr/src/crypto/openssl/crypto/engine/eng_dyn.c:442:
00208112871B0000:error:13000074:engine routines:ENGINE_by_id:no such engine:/usr/src/crypto/openssl/crypto/engine/eng_list.c:433:id=qat
00208112871B0000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_dlfcn.c:118:filename(libqat.so): Shared object "libqat.so" not found, required by "openssl"
00208112871B0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:/usr/src/crypto/openssl/crypto/dso/dso_lib.c:152:
00208112871B0000:error:13000084:engine routines:dynamic_load:dso not found:/usr/src/crypto/openssl/crypto/engine/eng_dyn.c:442:
Doing 2048 bits private rsa's for 10s: 3547 2048 bits private RSA's in 10.05s
Doing 2048 bits public rsa's for 10s: 122119 2048 bits public RSA's in 10.00s
version: 3.0.15

root@OPNsense:~ # cpuid -1 | egrep 'VAES|VPCLM|GFNI|AVX512F|AVX512IFMA'
cpuid: Command not found.

root@OPNsense:~ # vmstat -i | grep qat

root@OPNsense:~ # sysctl -a | grep qat
qat0: <Intel c3xxx QuickAssist> mem 0xdfb40000-0xdfb7ffff,0xdfb00000-0xdfb3ffff irq 16 at device 0.0 on pci1
qat0: qat_dev0 started 6 acceleration engines
qat0: FW version: 4.18.0
qat0: Excessive clock measure delay
qat_ocf0: <QAT engine>
irq140: qat0:b0:291 @cpu0(domain0): 0
irq141: qat0:b1:293 @cpu0(domain0): 0
irq142: qat0:b2:295 @cpu0(domain0): 0
irq143: qat0:b3:297 @cpu0(domain0): 0
irq144: qat0:b4:299 @cpu0(domain0): 0
irq145: qat0:b5:301 @cpu0(domain0): 0
irq146: qat0:b6:303 @cpu0(domain0): 0
irq147: qat0:b7:305 @cpu0(domain0): 0
irq148: qat0:b8:307 @cpu0(domain0): 0
irq149: qat0:b9:309 @cpu0(domain0): 0
irq150: qat0:b10:311 @cpu0(domain0): 0
irq151: qat0:b11:313 @cpu0(domain0): 0
irq152: qat0:b12:315 @cpu0(domain0): 0
irq153: qat0:b13:317 @cpu0(domain0): 0
irq154: qat0:b14:319 @cpu0(domain0): 0
irq155: qat0:b15:321 @cpu0(domain0): 0
irq156: qat0:ae:323 @cpu0(domain0): 0
dev.qat_ocf.0.enable: 1
dev.qat_ocf.0.%iommu:
dev.qat_ocf.0.%parent: nexus0
dev.qat_ocf.0.%pnpinfo:
dev.qat_ocf.0.%location:
dev.qat_ocf.0.%driver: qat_ocf
dev.qat_ocf.0.%desc: QAT engine
dev.qat_ocf.%parent:
dev.qat.0.frequency: 685000000
dev.qat.0.cnv_error:
dev.qat.0.fw_counters:
dev.qat.0.mmp_version: 6.0.0
dev.qat.0.hw_version: 17
dev.qat.0.fw_version: 4.18.0
dev.qat.0.heartbeat: 1
dev.qat.0.heartbeat_failed: 0
dev.qat.0.heartbeat_sent: 1
dev.qat.0.dev_cfg: [GENERAL]
dev.qat.0.num_user_processes: 0
dev.qat.0.cfg_mode: ks
dev.qat.0.cfg_services: sym;dc
dev.qat.0.state: up
dev.qat.0.%iommu: rid=0x100
dev.qat.0.%parent: pci1
dev.qat.0.%pnpinfo: vendor=0x8086 device=0x19e2 subvendor=0x8086 subdevice=0x0000 class=0x0b4000
dev.qat.0.%location: slot=0 function=0 dbsf=pci0:1:0:0
dev.qat.0.%driver: qat
dev.qat.0.%desc: Intel c3xxx QuickAssist
dev.qat.%parent:

root@OPNsense:~ # sudo pkg install cpuid
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'cpuid' have been found in the repositories
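
Added example (not part of the original post, and not OPNsense or Intel code): a small sh/awk summary of the fields in the `sysctl -a | grep qat` output above that show whether the kernel driver is up and which services it exposes. The function names and the trimmed SAMPLE input are constructed here, and treating the trailing number on the irq lines as an interrupt count is an assumption.

```shell
#!/bin/sh
# Added example: summarise QAT driver state from `sysctl -a | grep qat` text.
# SAMPLE is constructed by trimming the output posted above.
SAMPLE='irq140: qat0:b0:291 @cpu0(domain0): 0
irq141: qat0:b1:293 @cpu0(domain0): 0
irq156: qat0:ae:323 @cpu0(domain0): 0
dev.qat_ocf.0.enable: 1
dev.qat.0.cnv_error:
dev.qat.0.heartbeat_failed: 0
dev.qat.0.num_user_processes: 0
dev.qat.0.cfg_mode: ks
dev.qat.0.cfg_services: sym;dc
dev.qat.0.state: up'

# Print the value of one "name: value" sysctl line read from stdin.
# Lines with an empty value (e.g. "dev.qat.0.cnv_error:") never match.
qat_field() {
    awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# Sum the trailing number on every qat irq line (assumed to be the
# per-vector interrupt count).
qat_irq_total() {
    awk -F': ' '/^irq[0-9]+: qat/ { n += $NF } END { print n + 0 }'
}

# Exit 0 if service $1 (sym, asym or dc) is listed in cfg_services.
qat_has_service() {
    svc=$(qat_field dev.qat.0.cfg_services)
    case ";$svc;" in *";$1;"*) return 0 ;; *) return 1 ;; esac
}

# One-line summary of the fields to check first.
qat_report() {
    text=$(cat)
    f() { printf '%s\n' "$text" | qat_field "$1"; }
    asym=no
    printf '%s\n' "$text" | qat_has_service asym && asym=yes
    printf 'state=%s mode=%s services=%s asym=%s ocf=%s hb_failed=%s users=%s irq_total=%s\n' \
        "$(f dev.qat.0.state)" "$(f dev.qat.0.cfg_mode)" \
        "$(f dev.qat.0.cfg_services)" "$asym" "$(f dev.qat_ocf.0.enable)" \
        "$(f dev.qat.0.heartbeat_failed)" "$(f dev.qat.0.num_user_processes)" \
        "$(printf '%s\n' "$text" | qat_irq_total)"
}

printf '%s\n' "$SAMPLE" | qat_report
```

For the posted output the summary reads state=up, mode=ks, services=sym;dc, asym=no and irq_total=0. The RSA figures in the post were printed after `Invalid engine "qat"`, that is, from a run in which the engine failed to load.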
#3
Quote from: Tubs on February 19, 2025, 09:56:45 PM
Quote from: HeneryH on February 19, 2025, 05:43:57 PM
@jde1000, I got the Qotom Denverton Q20300G9-S10 Atom C3808 to run my OpnSense and some firewall apps like Traefik and Authentik.


Let us know how it performs.
Especially I would be interested in the difference between C3808 and C3758R/C3758 when running OPNsense on bare metal.

I am interested in the Qotom Q20331G9-S10 or Q20331G9-1U with C3758R. But so far I cannot find an OK offer in Europe. The Amazon and Aliexpress vendors currently are not shipping to Europe, or at least to my country.

I think I over-purchased.  Two scenarios...  Bare Metal and ProxMox.

I had/have OpnSense running fine on bare metal.  I have QAT enabled but really don't have a good way of knowing if it is working or not.
Had and want to go back to ProxMox after I try to confirm QAT so that I can have a before/after test for ProxMox.  When I had it on ProxMox prior there were zero problems with a handful of VMs for Traefik/Authentik.
#4
Quote from: Patrick M. Hausen on February 19, 2025, 05:22:10 PM
You must use the UI to add your public key to the user. Everything done directly on the command line will be overwritten by the configuration management.

That did it!!  Thank you Patrick!
#5
I am curious how to test out if the QAT acceleration is working on my Atom based router.

Does anyone know of any benchmarks that can be run to see the on/off numbers?
#6
@jde1000, I got the Qotom Denverton Q20300G9-S10 Atom C3808 to run my OpnSense and some firewall apps like Traefik and Authentik.

I am curious how to test out if the QAT acceleration is working.

Do you know any benchmarks that can be run to see the on/off numbers?
#7
I'm trying to enable ssh login as root with an ssh key for my system and disable password access.
  • I enable ssh
  • enable pw access
  • scp my public key to opnsense
  • successfully ssh into the opnsense machine
  • disable pw access, since my key works
  • ssh with key fails
  • Seems like disabling the pw access removes my key and key access

Am I missing something?

Thanks
#8
Quote from: theogravity on May 29, 2018, 03:21:51 AM
Step 1: Set up aliases

Too simple explanation: Aliases are friendly names to IP addresses. If you're managing a bunch of IPs to forward, it's best to give the IP address a label.

Under firewall > aliases > add a new alias


- name: A short friendly name for the IP address you're aliasing. I'll call it "media-server"
- type: Host(s)
- Aliases: Input 192.168.1.200

These are not the options for setting an alias.

They are Enabled: y/n
Name:
Type: Hosts
Categories:?
Content: dropbox selection
Stats:
Description:
#9
I think I had a simple wrong setting in my rules.  Copied a little too much verbatim from LAN to Opt1.  I'll test once my wife isn't at the computer so she doesn't yell at me for dropping the network again :-)

Thank you.
#10
Hmm, thought I did that and the machine on the new switch got a proper IP address but could not get to the internet.

Thank you.

I'll double check to look for mistakes.  I was wondering if I missed a step.
#11
Total noob, Basic install went well.  I see my interfaces WAN, LAN and my extra OPTx for my extra nics.  WAN and LAN are working fine on the default 192.168.1.x range.

Groovy.

Now I want to connect a basic SPF switch to expand my capacity and partition off my IoT devices into a secure vlan.

Forgetting the secure vlan stuff for a moment...  How do I get my devices plugged into the SPF switch to have internet access?

This is what I did so far.

  • My LAN is fine and is using static 192.168.1.1 and has the default DHCP service and rules configured.
  • Edited the Optx interface to give it a static IP of 192.168.10.1 and replicated the DHCP and rules for OPTx.  The DHCP range for SPF just used the 192.168.10.x range.
  • A computer connected to the switch and is getting an IP assigned of 192.168.10.10.
  • But...  that computer cannot get to the internet.

Am I missing something silly?