Topic: Zenarmor causes long outages with native netmap driver (Read 1635 times)
JasMan (Full Member, Posts: 175, Karma: 9)
« on: August 25, 2023, 11:42:51 pm »
Hi,
For some months I have noticed that my OPNsense needs a long time until all services are fully up after a complete reboot (up to 10 minutes).
The other day I noticed the same behaviour when I restart the Zenarmor engine.
Today I found some time to dig into this.
When I restart the Zenarmor engine, several services like Unbound and NTP stop and start several times immediately after Zenarmor is up again.
The log shows a lot of the following errors for this range of time:
/usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on INTERFACE_NAME
When all calmed down, everything works fine.
I played around and found out that this issue is solved as soon as I choose the emulated netmap driver for Zenarmor.
The interfaces of my system are all Intel I211.
Is this an expected behaviour when the hardware/driver doesn't support the native netmap driver? Or did I configure something wrong?
Jas Man
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
mb (Hero Member, Posts: 941, Karma: 99)
« Reply #1 on: August 26, 2023, 12:15:28 am »
Hi JasMan,
When you start/stop zenarmor engine, zenarmor (same with suricata in IPS mode) issues a call to netmap to start/stop inspecting packets for your protected interfaces respectively.
Once this is requested, netmap re-initializes the interface causing down/up events for the particular ethernet interface.
When OPNsense code notices a link down/up event, it tries to re-initialize and refresh interfaces and services.
This is expected. The thing I'm surprised by in your case is that it takes so long for things to "calm down".
Quick question: do you have IPv6 enabled in your network or is it just IPv4?
JasMan (Full Member, Posts: 175, Karma: 9)
« Reply #2 on: August 26, 2023, 11:11:02 am »
Hi mb.
IPv6 is enabled for all interfaces in tracking mode.
mb (Hero Member, Posts: 941, Karma: 99)
« Reply #3 on: August 26, 2023, 06:05:22 pm »
Got it, with IPv6+WAN tracking, interface initialization takes a bit longer because OPNsense tries to re-initialize the WAN interface as well.
Another question: when you use emulated netmap mode, is it better?
JasMan (Full Member, Posts: 175, Karma: 9)
« Reply #4 on: August 26, 2023, 08:00:15 pm »
Yep, with the emulated mode the downtime is near zero, and no errors appear in the log (found no suitable IPv4 address).
mb (Hero Member, Posts: 941, Karma: 99)
« Reply #5 on: August 26, 2023, 08:59:20 pm »
That's good to hear indeed. Another reason why we should focus on improving emulated mode.
Let us check this in our lab as well.
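
Added example, not part of the thread and not OPNsense or Zenarmor code: a small Python script that groups the rc.linkup errors quoted in the first post into bursts, so the length of the "calm down" period after an engine restart can be compared between native and emulated netmap mode. The sample log lines, their timestamp prefix and the interface names igb1/igb2 are constructed for illustration; only the message text comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The "<ISO timestamp> <message>" layout is an
# assumed simplification; adapt LINE to the prefix your system log uses.
SAMPLE_LOG = """\
2023-08-25T23:30:02 /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
2023-08-25T23:30:09 /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb2
2023-08-25T23:30:40 /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
2023-08-25T23:33:15 /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
2023-08-25T23:33:50 some other daemon: unrelated message
2023-08-26T09:12:00 /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
"""

LINE = re.compile(r"^(\S+)\s+/usr/local/etc/rc\.linkup: dhcpd_dhcp4_configure\(\) "
                  r"found no suitable IPv4 address on (\S+)$")

def linkup_bursts(log_text, gap=timedelta(minutes=5)):
    """Group rc.linkup errors into bursts; more than `gap` of quiet ends a burst.
    Assumes the log lines are in chronological order."""
    bursts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not the error quoted in the thread
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # prefix is not a timestamp in the assumed layout
        iface = m.group(2)
        if not bursts or ts - bursts[-1]["end"] > gap:
            bursts.append({"start": ts, "end": ts, "per_iface": {}})
        burst = bursts[-1]
        burst["end"] = ts
        burst["per_iface"][iface] = burst["per_iface"].get(iface, 0) + 1
    return bursts

def summarize(bursts):
    """Return (duration in seconds, error count per interface) for each burst."""
    return [((b["end"] - b["start"]).total_seconds(), b["per_iface"]) for b in bursts]

if __name__ == "__main__":
    for secs, counts in summarize(linkup_bursts(SAMPLE_LOG)):
        print(f"burst lasted {secs:.0f}s, errors per interface: {counts}")
```

Running it once against a log captured after a restart in native mode and once after a restart in emulated mode gives comparable burst durations and per-interface counts.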