OPNsense Forum
Topics - seed

Pages: [1] 2 3
1. 24.7 Production Series / [SOLVED] Hyperscan AVX-512 gcc arch flag
« on: September 06, 2024, 06:16:51 pm »
Hello OPNsense developers,

Background information on my questions: I have run Suricata performance tests with a Ryzen 7700X and a Ryzen 9700X and found that the throughput rates in my scenario are almost identical (23 Gbit/s and 26 Gbit/s). In the Ryzen 9000 generation, the AVX-512 performance should be twice as fast as in the 7000 generation.

Could it be that Hyperscan was built without AVX-512 support? Is that the reason for the low speed differences?

Documentation for reference:
https://intel.github.io/hyperscan/dev-reference/getting_started.html

Quote
Hyperscan v5.3 adds support for AVX512VBMI instructions - in particular the AVX512VBMI instruction set that was introduced on Intel “Icelake” Xeon processors - however the AVX512VBMI runtime variant is not enabled by default in fat runtime builds as not all toolchains support AVX512VBMI instruction sets. To build an AVX512VBMI runtime, the CMake variable BUILD_AVX512VBMI must be enabled manually during configuration. For example:

cmake -DBUILD_AVX512VBMI=on <...>


2. 24.1 Legacy Series / Intel killed Hyperscan
« on: May 10, 2024, 10:08:02 pm »
Hyperscan as a regex pattern matcher is important for Suricata. Firewalls with CPUs with AVX benefit from this performance gain.

Now Intel makes Hyperscan proprietary. I guess this will harm Suricata performance on OPNsense systems in the future.

https://www.phoronix.com/news/Intel-Hyperscan-Now-Proprietary

3. Intrusion Detection and Prevention / AMD Zen 5 Hyperscan AVX-512 Suricata Throughput
« on: April 15, 2024, 08:01:07 pm »
Hi there,

Since Hyperscan 5.4.0, AVX-512 is supported. This version is currently a part of OPNsense 24.1.5_3-amd64. The latest version is Hyperscan 5.4.2, released in April 2023 (please update Hyperscan @opnsense devs).

Since AVX is used to speed up Suricata, more AVX performance should mean more throughput.
It is rumoured that AMD's Zen 5 architecture will double the AVX-512 performance. In theory this could result in an extreme performance improvement.

The Deciso DEC4280 (EPYC 3451) is being marketed with ~7.5 Gbps Threat Protection Throughput.
Using this information as a baseline and throwing in some benchmark numbers, I try to estimate what Zen 5 Suricata IPS performance could look like:

CPU           Benchmark result (cpubenchmark.net)   IPS throughput (Gbps)
EPYC 3451     19532                                 7,5
Ryzen 7700X   36021                                 13,8 (estimated)
Ryzen 7950X   62950                                 24,1 (estimated)
Ryzen 9950X   94425 (estimated)                     36,2 (estimated)


4. 23.7 Legacy Series / Clearing IP Do-Not-Fragment in Firewall Normalizations causes issues
« on: January 24, 2024, 08:54:29 pm »
I have the problem that clearing the DF bit using normalization causes service disruptions.
Sites like Reddit or GitHub won't work any longer when "no-df" is set.

Go to "Firewall: Settings: Normalization"
Click on "IP Do-Not-Fragment"
Browse to https://github.com/opnsense/core/ or try to read a Reddit post.
Sites don't function as expected.

When directly connected to my router, things work as expected. When "IP Do-Not-Fragment" is disabled, everything works fine.
But enabling "IP Do-Not-Fragment" causes issues.

Please check on your own setup and report back. This bugs me.

5. 23.7 Legacy Series / Firewall rules not working as configured
« on: November 12, 2023, 09:52:23 pm »
Today I converted my mail server to dual-stack and therefore added the IPv6 address to the alias in the WAN rule. However, no TCP handshake was established (the SYN-ACK couldn't "get out").

After several hours of searching, I recreated the exact same rule and suddenly it worked.

How can this happen?

6. 23.7 Legacy Series / radvd 23.7.8
« on: November 09, 2023, 08:39:44 pm »
radvd won't start after the update to 23.7.8.
I use virtual IPs on my interfaces and configured their /64 in radvd.

ULA on interface and GUA as virtual IPs

7. 23.7 Legacy Series / NGINX no resolver defined
« on: November 02, 2023, 07:59:55 pm »
Nginx is missing a resolver in the OPNsense config. This causes the error below:

Quote
no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: "/usr/local/etc/nginx/key/my.certificate.domain.pem"


To resolve this issue, one should be able to configure a DNS server in the nginx config.

8. 23.7 Legacy Series / HAProxy won't autostart
« on: October 17, 2023, 05:49:24 pm »
After restarting OPNsense, HAProxy must be started by hand. The service does not start itself.

OPNsense 23.7.6-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023

9. 23.7 Legacy Series / IPv6 gateway bug
« on: October 17, 2023, 05:48:33 pm »
If gateway monitoring is active for an IPv6 gateway with a ULA address, then the gateway or the service must be restarted after the OPNsense restart.

If gateway monitoring is disabled, then the service or gateway starts normally.
The problem occurs only with dpinger.

OPNsense 23.7.6-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023

10. 23.7 Legacy Series / update 23.7.5
« on: September 26, 2023, 07:46:14 pm »
HAProxy is still not starting after reboot. Manual starting is required.

dpinger with an IPv6 gateway does not autostart:
Code:
dpinger LTEROUTER_SLAAC 2001:db8:1:: sendto error: 55

or

sendto error: 65

or

sendto error: 64

or

sendto error: 55

in the gateway log. Once started via the GUI, IPv6 dpingers run fine.

11. 23.7 Legacy Series / [SOLVED] CVE-2023-4809
« on: September 09, 2023, 05:14:19 pm »
Hello there,

Smells like a kernel update to me ;D

Quote
A few months ago, as part of our investigations on IPv6 security in the NetSecurityLab @ Sapienza University, we discovered a vulnerability that allows attackers to bypass rules in pf-based IPv6 firewalls in particular conditions. Let’s see some details of this vulnerability.

https://www.enricobassetti.it/2023/09/cve-2023-4809-freebsd-pf-bypass-when-using-ipv6/

12. 23.7 Legacy Series / HAProxy 2.8
« on: August 31, 2023, 04:13:47 pm »
Is it already planned to upgrade the HAProxy plugin to HAProxy version 2.8 LTS from version 2.6?

13. 23.7 Legacy Series / [SOLVED] 23.7.2 Update error
« on: August 23, 2023, 07:22:50 pm »
This looks like an error to me:

Starting configd.
Reloading plugin configuration
Configuring system logging...Error opening plugin module; module='examples', error='/usr/local/lib/syslog-ng/libexamples.so: Undefined symbol "random_choice_generator_parser"'
done.

14. 23.7 Legacy Series / Unbound crashing
« on: August 22, 2023, 08:18:48 am »
Sometimes Unbound is crashing and the whole device gets unresponsive.


2023-08-22T04:14:01   Critical   unbound   [85028:3] fatal error: Could not initialize thread
2023-08-22T04:14:01   Error   unbound   [85028:3] error: Could not set root or stub hints
2023-08-22T04:14:01   Error   unbound   [85028:3] error: reading root hints /root.hints 2:12: Syntax error, could not parse the RR's type
            TypeError: an integer is required (got type NoneType)
            os.write(self._pipe_fd, res.encode())
            File "dnsbl_module.py", line 226, in log_entry
            mod_env['logger'].log_entry(
            File "dnsbl_module.py", line 378, in cache_cb
            logger.close()
            File "dnsbl_module.py", line 443, in deinit

15. 23.7 Legacy Series / Upgrade thread 23.1.11_1 to 23.7
« on: July 31, 2023, 03:07:59 pm »
Using these directions:
https://forum.opnsense.org/index.php?topic=25540.msg122731#msg122731

I will upgrade my OPNsense this evening. I will post my experiences.

If you already have upgraded your instance feel free to report.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved