Call for testing: netmap on 20.7

Started by mb, May 23, 2020, 02:32:10 AM

@hfvk, @heresjody, thanks for letting us know.

@guyp2k, we have not heard of any feedback about that.

As of now, chip IDs that are reported to be working:

0x156f8086
0x100e8086


Problematic chip ID:
0x10d38086


My system has

em0@pci0:0:31:6:   class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00

used on the WAN, the rest are igb.

All looks OK, except WAN does not appear in the Sensei list (but I think it didn't in 20.1).

Hi @aimdev, thanks. Do you have Suricata (in IPS mode) on WAN? If so, that's good. Yours is another testimony that this particular chipset works.

No not yet. I don't fully understand the ramifications of disabling the hardware options.

Quote from: mb on August 01, 2020, 08:23:54 AM
Hi @aimdev, thanks. Do you have Suricata (in IPS mode) on WAN? If so, that's good. Yours is another testimony that this particular chipset works.

@mb just an FYI, I do have Suricata running in IPS mode on the WAN interface; however, I had to add the WAN IP to the "Home Networks" in order to start logging and blocking. Chipset: em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00.

Question: I subscribe to Sensei and am still confused on the road map. Is the ultimate goal to use Suricata on both the internal and external interface to take the place of Suricata, or to use both? Under Sensei Configuration, I do not have an option to select the external/WAN interface, just LAN and VLANs.

Again, just a little confused on this entire Sensei, Suricata, and netmap effort.....

TIA

Quote from: bunchofreeds on June 13, 2020, 10:50:56 PM
Thanks for looking into this @mb

I have put the 20.7 proxmox virtual instance of OPNsense inline with PPPoE by backing up my 20.1 config and restoring to 20.7. Really easy to do and was up and running quickly.

Suricata runs successfully and alerts on the LAN interface (Virtio)
Switched to run on the WAN interface and am not receiving alerts. The new log view with v5 Suricata is different and seems to cycle with this when trying to establish IPS on the PPPoE WAN

   Counter | TM Name | Value
   ------------------------------------------------------------------------------------
   Date: 6/14/2020 -- 08:49:09 (uptime: 0d, 00h 08m 17s)
   ------------------------------------------------------------------------------------
   flow.memuse | Total | 7154304
   tcp.reassembly_memuse | Total | 196608
   tcp.memuse | Total | 1146880
   flow_mgr.rows_skipped | Total | 65536
   flow_mgr.rows_checked | Total | 65536
   flow.spare | Total | 10000
   ------------------------------------------------------------------------------------
   Counter | TM Name | Value
   ------------------------------------------------------------------------------------
   Date: 6/14/2020 -- 08:49:01 (uptime: 0d, 00h 08m 09s)
   ------------------------------------------------------------------------------------
   flow.memuse | Total | 7154304
   tcp.reassembly_memuse | Total | 196608
   tcp.memuse | Total | 1146880
   flow_mgr.rows_skipped | Total | 65536
   flow_mgr.rows_checked | Total | 65536
   flow.spare | Total | 10000
   ------------------------------------------------------------------------------------

I am getting the ifconfig -a to you via PM

Here is the log when it successfully runs on the LAN interface

   flow.memuse | Total | 7177096
   tcp.reassembly_memuse | Total | 231424
   tcp.memuse | Total | 1146880
   flow_mgr.rows_maxlen | Total | 1
   flow_mgr.rows_skipped | Total | 65534
   flow_mgr.rows_checked | Total | 65536
   flow_mgr.flows_notimeout | Total | 2
   flow_mgr.flows_checked | Total | 2
   flow.spare | Total | 10000
   flow_mgr.new_pruned | Total | 9
   app_layer.flow.failed_udp | Total | 40
   app_layer.tx.dns_udp | Total | 20
   app_layer.flow.dns_udp | Total | 6
   app_layer.flow.failed_tcp | Total | 4
   app_layer.tx.dhcp | Total | 2
   app_layer.flow.dhcp | Total | 1
   app_layer.flow.tls | Total | 3
   tcp.overlap | Total | 1
   tcp.rst | Total | 16
   tcp.synack | Total | 9
   tcp.syn | Total | 9
   tcp.sessions | Total | 9
   flow.udp | Total | 47
   flow.tcp | Total | 39
   decoder.max_pkt_size | Total | 1514
   decoder.avg_pkt_size | Total | 474
   decoder.udp | Total | 320
   decoder.tcp | Total | 988
   decoder.ethernet | Total | 1594
   decoder.ipv6 | Total | 2
   decoder.ipv4 | Total | 1306
   decoder.bytes | Total | 756423
   decoder.pkts | Total | 1594
   capture.kernel_packets | Total | 1594
   ------------------------------------------------------------------------------------
   Counter | TM Name | Value
   ------------------------------------------------------------------------------------
   Date: 6/14/2020 -- 09:10:57 (uptime: 0d, 00h 01m 52s)
   -----------------------------------------------------------------------------------
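Two offline checks for the situations discussed above, added here as an example and not code from the thread or from the OPNsense project: the first parses `pciconf -l` lines and flags the chip IDs mb listed as working or problematic (the list is only what this thread reports; 0x150c8086, which guyp2k reported, is not on it and so shows as "unknown"); the second reads a Suricata stats dump in the "Counter | TM Name | Value" layout quoted above and reports whether `capture.kernel_packets` is present and non-zero, which is exactly what distinguishes the LAN dump from the PPPoE WAN dump in the post. All sample input is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): two offline checks for
# netmap/IPS testing. Assumptions: pciconf -l output and Suricata stats.log
# in the layouts quoted in this thread; chip ID lists limited to what the
# thread reports so far.

# Chip IDs reported in this thread (mb's list); extend as reports come in.
WORKING_IDS="0x156f8086 0x100e8086"
PROBLEM_IDS="0x10d38086"

# classify_chip 'LINE' -> "<ifname> <chip> <working|problematic|unknown>"
# LINE is one line of `pciconf -l` for an em/igb device.
classify_chip() {
    line=$1
    ifname=${line%%@*}
    chip=$(printf '%s\n' "$line" | sed -n 's/.*chip=\(0x[0-9a-fA-F]*\).*/\1/p')
    if [ -z "$chip" ]; then
        printf '%s - unparsed\n' "$ifname"
        return 1
    fi
    status=unknown
    case " $WORKING_IDS " in *" $chip "*) status=working ;; esac
    case " $PROBLEM_IDS " in *" $chip "*) status=problematic ;; esac
    printf '%s %s %s\n' "$ifname" "$chip" "$status"
}

# stats_capture_check [FILE] -> reads a Suricata stats dump (file or stdin)
# and prints one of:
#   "no-capture-counter"           capture.kernel_packets never appears
#                                  (the WAN/PPPoE symptom in this thread)
#   "zero-packets"                 counter present but 0
#   "capturing <kernel> <decoded>" highest capture.kernel_packets and
#                                  decoder.pkts seen
# Counters are cumulative, so the highest value across dumps is kept; Date
# and separator lines have no '|' and are skipped by the NF test.
stats_capture_check() {
    awk -F'|' '
        BEGIN { kp = 0; dp = 0; seen = 0 }
        NF >= 3 {
            name = $1; val = $3
            gsub(/[ \t]+/, "", name)
            gsub(/[ \t]+/, "", val)
            if (name == "capture.kernel_packets") { seen = 1; if (val+0 > kp) kp = val+0 }
            if (name == "decoder.pkts")           { if (val+0 > dp) dp = val+0 }
        }
        END {
            if (!seen)        print "no-capture-counter"
            else if (kp == 0) print "zero-packets"
            else              printf "capturing %d %d\n", kp, dp
        }' "$@"
}

# --- demonstration on constructed input ------------------------------------
# Constructed pciconf -l lines; em0 is aimdev's, the PCI addresses of the
# other two are made up for the demo.
printf '%s\n' \
 'em0@pci0:0:31:6:   class=0x020000 card=0x00008086 chip=0x156f8086 rev=0x21 hdr=0x00' \
 'em1@pci0:2:0:0:    class=0x020000 card=0x00008086 chip=0x10d38086 rev=0x00 hdr=0x00' \
 'em2@pci0:1:0:0:    class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00' |
while IFS= read -r l; do classify_chip "$l"; done

# Constructed excerpt of the WAN (PPPoE) dump: only memory counters.
stats_capture_check <<'EOF'
Counter | TM Name | Value
------------------------------------------------------------------------------------
Date: 6/14/2020 -- 08:49:09 (uptime: 0d, 00h 08m 17s)
flow.memuse | Total | 7154304
tcp.memuse | Total | 1146880
flow.spare | Total | 10000
EOF

# Constructed excerpt of the LAN dump, where packets are flowing.
stats_capture_check <<'EOF'
decoder.pkts | Total | 1594
capture.kernel_packets | Total | 1594
EOF
```

On a live box the first check is `pciconf -l | grep -E '^(em|igb)' | while IFS= read -r l; do classify_chip "$l"; done`, and the second can be pointed at the stats log Suricata writes; a dump with no `capture.*` or `decoder.*` counters at all means netmap never delivered a packet to Suricata on that interface, which is a different failure from rules not matching.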

I'm having the same result on my Qotom Installation with intel interfaces. I'm using pppoe over VLAN as WAN Interface. It would be really awesome to have netmap support for setups like that :)

A quick update:

I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests and I'll post some results.

If anyone out there is able to test 12/STABLE kernel with an ESX vmx interface, that'd also be great :)

Quote from: mb on August 01, 2020, 07:15:31 PM
A quick update:

I think this vmx bug has been resolved on FreeBSD 12-STABLE:

https://svnweb.freebsd.org/base?view=revision&revision=363163

Let's do some tests and I'll post some results.

If anyone out there is able to test 12/STABLE kernel with an ESX vmx interface, that'd also be great :)

I have ESXi 7.0 with Netmap crashing using vmxnet3 with Intrusion Detection and Sensei enabled. So if you think this test would fix it, I could give it a try. Let me know how to test.


netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

August 04, 2020, 12:48:35 AM #69 Last Edit: August 04, 2020, 12:54:12 AM by bunchofreeds
Not sure if this is netmap related, but I can't seem to get any alerts showing for IPS anymore?
They were showing initially after upgrading to 20.7 rc1.

My test is to initiate P2P traffic from a client behind OPNsense.
I can usually catch this with 'ET telemetry/emerging-p2p' set to drop and its associated alerts.

Running:
OPNsense 20.7-amd64
FreeBSD 12.1-RELEASE-p7-HBSD
OpenSSL 1.1.1g 21 Apr 2020

Currently IPS is enabled on my LAN interface which is vtnet through Proxmox
I have tried em through Proxmox also with no success

IPS Enabled
Promiscuous Enabled
Syslog Disabled
Eve Disabled

I don't use remote logging, but as an FYI I have disabled circular logging so am using syslog-ng.
IPS appears to be running successfully when checking the IPS log from the GUI
The log appears to have returned to its original format...

Have enabled 'drop' for all rulesets including ET Telemetry in an attempt to 'kick' it into life.

Any ideas of how to test this further and progress would be great.

Quote from: Voodoo on August 03, 2020, 12:34:13 PM
netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

Hi @Voodoo, what happens when you go out of netmap mode (e.g. shut down Suricata/Sensei)? The virtio bug is related to that. Entering netmap mode seems fine.

Quote from: Voodoo on August 03, 2020, 12:34:13 PM
netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

I still do observe pagefaults with virtio vtnet interfaces...

Quote from: binaryanomaly on August 05, 2020, 12:40:58 PM
Quote from: Voodoo on August 03, 2020, 12:34:13 PM
netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

I still do observe pagefaults with virtio vtnet interfaces...

Yes, this is expected as of now. Fix is on upstream.

August 06, 2020, 06:37:11 AM #73 Last Edit: August 06, 2020, 08:06:18 AM by mb
For those who

  • are using Suricata/Sensei on VLANs on em(4)
  • experiencing vmx crash
  • experiencing vtnet crash
  • want to have Suricata on PPPoE / OpenVPN interfaces
I have an (unofficial) test kernel ready. Please PM me if you'd like to give it a try.

PS: vmx patch fixes the kernel crash, but has an outstanding issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248494

Quote from: mb on August 06, 2020, 06:37:11 AM
For those who

  • are using Suricata/Sensei on VLANs on em(4)
  • experiencing vmx crash
  • experiencing vtnet crash
  • want to have Suricata on PPPoE / OpenVPN interfaces
I have an (unofficial) test kernel ready. Please PM me if you'd like to give it a try.

PS: vmx patch fixes the kernel crash, but has an outstanding issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248494


I would like to try out the test kernel, (and see if I get duplicates).

Just out of curiosity, are you certain that the outstanding issue with duplicates is not related to the following: https://kb.vmware.com/s/article/59235

Cause I was seeing lots of duplicates when running CARP & Sensei until I applied the mac-learning workaround on the dswitch.
2x 23.7 VMs & CARP, 4x 2.1GHz, 8GB
Cisco L3 switch, ESXi, VDS, vmxnet3
DoT, Chrony, HAProxy + NAXSI, Suricata
VPN: IPSec, OpenVPN, Wireguard
MultiWAN: Fiber 500/500Mbit dual stack + 4G failover
