IPS with LRO and VLAN Hardware Filtering

Started by morphxyz, November 27, 2023, 10:14:07 PM

10Gbit/s Fiber Uplink.
bare metal on a Ryzen 7700 and 64GB of ECC.

The system is not in production yet.
I want to experiment with IPS but would like to have as many things in place as possible.

https://docs.opnsense.org/manual/interfaces_settings.html
suggests to disable pretty much all Hardware capabilities.

https://forum.opnsense.org/index.php?topic=10839.0
suggests to enable VLAN Hardware Filtering.

NIC:
options=48500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,NOMAP>
capabilities=4f507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>


Hardware CRC: Probably.. Disabled?

Hardware TSO: Disabled. I will enable IPS

Hardware LRO: I guess I can leave this disabled as long as the CPU can handle all the traffic, right?

VLAN Hardware Filtering: As stated, the recommendations are mixed.

I haven't found much on the topic so here I am.
Do you guys use Hardware LRO and VLAN Hardware Filtering?
Did you ever have any stability issues when using those?
I appreciate any experience you share!

Best regards

All off is the general recommendation as far as I have seen over the last year I've been here.

I've been digging in the wrong direction, I guess. Apparently Hardware Offloading causes too much trouble for the negligible performance gains.

The holy grail for "most" modern hardware and 10Gbit/s seems to be the following tunables:

net.isr.dispatch="deferred"
- Defines which Interrupt Service Routine (ISR) to use. Controls how the CPU handles network interrupts.
(Note that all traffic is a network interrupt message to the CPU)
- "Deferred" lets the CPU use its preferred routine. Adds minimalistic delay to queue interrupts before distributing the workload across cores.

net.isr.bindthreads="1"
- Binds ISR threads to specific CPU cores.
- Each thread runs exclusively on one core.

net.isr.maxthreads="-1"
- Sets the maximum threads for network interrupts.
- "-1" allows dynamic adjustment based on workload and available cores.

Most information was gathered from the following link and the links in the article:
https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/
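
The check below is an added example and not part of the thread: it reads an `ifconfig` `options=` line and reports which offload capabilities are still enabled, then compares `name="value"` tunables with the three values given in the last post. The grouping of capability names under "offloading", the function names and the sample tunables are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): compare an interface's enabled
# capabilities and the net.isr tunables with the settings discussed above.

# Assumption: which capability names count as "hardware offloading".
# All names are taken from the capabilities= line in the first post.
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWCSUM VLAN_HWFILTER VLAN_HWTSO"

# Print the offload flags still enabled on the "options=" line of $1.
enabled_offloads() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*options=[0-9a-f]*<\(.*\)>.*$/\1/p' | tr ',' ' ')
    out=""
    for f in $flags; do
        case " $OFFLOAD_FLAGS " in
            *" $f "*) out="$out $f" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print one line per tunable in $1 (name="value" text) that differs from
# the value given in the last post; a missing tunable shows as have "".
tunable_drift() {
    for want in net.isr.dispatch=deferred net.isr.bindthreads=1 net.isr.maxthreads=-1; do
        name=${want%%=*}
        expect=${want#*=}
        have=$(printf '%s\n' "$1" | tr -d '"' |
            sed -n "s/^$name=\(.*\)\$/\1/p" | tail -n 1)
        [ "$have" = "$expect" ] ||
            printf '%s: have "%s", want "%s"\n' "$name" "$have" "$expect"
    done
}

# The options= line posted in the thread.
PAGE_OPTIONS='options=48500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,NOMAP>'
# Constructed sample: dispatch deliberately left at a different value.
SAMPLE_TUNABLES='net.isr.dispatch="direct"
net.isr.bindthreads="1"
net.isr.maxthreads="-1"'

echo "offloads still on: $(enabled_offloads "$PAGE_OPTIONS")"
tunable_drift "$SAMPLE_TUNABLES"
```

On the firewall itself, pass the full `ifconfig` output for the interface as the argument to `enabled_offloads`; only the `options=` line is read, so the `capabilities=` line does not affect the result.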

Closed