Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Comment on Inline mode
« previous
next »
Print
Pages: [
1
]
Author
Topic: Comment on Inline mode (Read 6838 times)
dcol
Hero Member
Posts: 635
Karma: 51
Comment on Inline mode
«
on:
December 12, 2017, 03:51:56 pm »
I find it strange that Inline mode works without issues in OPNsense while the other solution has nothing but trouble with it and tells everyone not to use it because it is too buggy. Am I missing something? Are they missing something?
If OPNsense is not masking the netmap bad packet errors then the only conclusion I can come to is the simplicity of OPNsense is what makes it better and more efficient in packet handling with netmap.
I would love to hear some responses to this from the devs of OPNsense. Great job guys, you truly have your finger on how to develop a superior product by learning from others mistakes. Its no wonder this product forked. Thanks!
Logged
xinnan
Full Member
Posts: 125
Karma: 13
Re: Comment on Inline mode
«
Reply #1 on:
December 12, 2017, 10:56:50 pm »
Mine worked on both. Maybe I'm the odd man out.
I did later decide that I didn't need it but I had no problems and test drove it for a couple weeks.
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Comment on Inline mode
«
Reply #2 on:
December 13, 2017, 12:15:14 am »
Hi there,
If anything, I would say it is a lack of wrappers and trying to keep things as simple as possible during Suricata/Netmap setup.
But there is also some more elaborate commit history:
FreeBSD 11.0 always had bugs in Netmap and e1000 regarding Netmap:
https://github.com/opnsense/src/commit/175886459
https://github.com/opnsense/src/commit/850e1e96
We've talked to the Netmap authors, and they more or less refrained from pushing fixes to FreeBSD 11.
FreeBSD 11.1 was later fixed opportunistically by Netmap authors
https://github.com/freebsd/freebsd/commit/5699459
The e1000 correction also went into FreeBSD 11.1 after several reminders needed to be sent out to e1000 maintainers.
We don't have any custom patches on FreeBSD 11.1 at this point for 18.1 so that would level the playing field...
And don't forget we also ship the Realtek vendor driver with all its merits and caveats, which seems to help with stability in Netmap usage as well.
Cheers,
Franco
«
Last Edit: December 13, 2017, 12:17:39 am by franco
»
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Comment on Inline mode
«
Reply #3 on:
December 13, 2017, 12:21:30 am »
PS: I totally forgot that we tiptoed around 10.3 (16.7) issues in Netmap with e1000 by using the Intel stock driver:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212828
Whatever makes this work we have to try
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Comment on Inline mode
«
Reply #4 on:
December 13, 2017, 12:29:38 am »
Funny, never got it to work on the other system without packet errors on any computer using Inline. I think that my bridged pass through WAN connection was just too active for that system. probably too much overhead for netmap. But no issues on OPNsense, same computer so the simplicity paid off. Thanks.
I never used an e1000 or emulator mode so I didn't see any issues while on FreeBSD 11.0. Now using 11.1
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Comment on Inline mode
«
Reply #5 on:
December 13, 2017, 08:10:59 am »
I wonder if the issue is simpler than this and we're not looking for something that was done here or in FreeBSD. I know that keeping ALTQ alive requires messing with network card drivers constantly as they refuse to work with the disabled-by-default system, requiring to push them to unintended states in the kernel that could cause a less than favourable outcome for Netmap? *shrugs*
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Intrusion Detection and Prevention
»
Comment on Inline mode