Call for testing: netmap on 20.7

[mb]

@sorano, it does not seem to be related.

Please follow below steps and see if this kernel is of help:

Code: [Select]

[root@20gw /root]# cd /boot/
[root@20gw:/boot # fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/kernel-12.1-0805-2.tar.gz
kernel-12.1-0805-2.tar.gz                           45 MB 4980 kBps    10s
[root@20gw /boot]# mv kernel kernel.stock.save
[root@20gw /boot]# tar zxf kernel-12.1-0805-2.tar.gz 
[root@20gw /boot]# reboot
After the reboot, you should be able to see this kernel information:

Code: [Select]

root@20gw:~ # uname -a
FreeBSD 20gw.local 12.1-RELEASE-p7-HBSD FreeBSD 12.1-RELEASE-p7-HBSD #2  5742b25c4(master)-dirty: Wed Aug  5 22:20:24 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64
root@20gw:~ #

To restore stock OPNsense kernel:

Code: [Select]

# cd /boot
# rm -rf kernel
# mv kernel.stock.save kernel
# reboot

[Voodoo]

@mb before 20.7 enabling ips mode with suricata/sensei crashed the kvm virtio opnsense with a kernel panic within 5 seconds, now i can enable it without any issues everything is working, also disabling/enabling.

[mb]

@Voodoo, that's great to hear, thanks for sharing.

[madj42]

Is the kernel above the test kernel that includes the PPPoE fixes, or should we still PM?

[mb]

Hi @madj42, yes. Can you test and provide feedback?

You can also use a newer kernel: https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/kernel-12.1-0806-1.tar.gz

[bunchofreeds]

I have run up the latest two kernels offered here but cannot enable either IPS or Sensei on my LAN vtnet0 interface.

Setup is Proxmox
PPPoE on vtnet1 for WAN (VLAN 10 on Host Proxmox interface)
vtnet0 for LAN

I reset the logs from System>Settings>Logging to reset Intrusion Detection logs as the button within that view does not work for the 'stats' logs that are displayed.

When I enable IPS on LAN I get cycling of the log within Services>Intrusion Detection>Log File. Cycles every few seconds so am assuming it is the application of IPS failing? This is the' stats' log, not the older detailed log.

I cannot enable Sensei as the LAN interface is not available for selection. Only the underlying vtnet1 of the WAN PPPoE is available.

[mb]

I cannot enable Sensei as the LAN interface is not available for selection. Only the underlying vtnet1 of the WAN PPPoE is available.

@buchoffreeds, you can use this hack to have Sensei on vtnet1:

https://forum.opnsense.org/index.php?topic=9521.msg84199#msg84199

Your feedback is much appreciated.

NOTE: We'll remove this check once we have the test kernel in production.

[bunchofreeds]

Thanks @mb

That allowed me to select my LAN interface within Sensei.
Sensei is now running successfully on my Proxmox vtnet0 LAN Interface!

It first alerted that Suricata was in use on the LAN Interface, so I moved Suricata to WAN Interface to resolve this.
Just Disabling Intrusion Detection was not enough.

[FullyBorked]

I'm on chip=0x150e8086 and my graphs don't work with IPS enabled.  Also having some very poor throughput with or without IPS.  If this helps at all.

Edit: intel nic using the igb (i think that designates the drivers being used?)

[mb]

Hi @bunchofreeds, thanks for the feedback. Glad to hear that vtnet is now fine.

It first alerted that Suricata was in use on the LAN Interface, so I moved Suricata to WAN Interface to resolve this.
Just Disabling Intrusion Detection was not enough.

Yes, this is done on purpose, since people might enable Suricata on LAN in a future time forgetting that Sensei is running there.

[mb]

Hi @FullyBorked, yours might be related to a different issue. Generally netmap problems generally appear in cases where you have total packet flow problems.

[bunchofreeds]

I see there is progress on PPPoE when looking at the google drive sheet.

Let me know if you want this tested.

I am running Proxmox and vtnet drivers.
Have Sensei successfully running on the LAN interface currently.

[binaryanomaly]

netmap with 20.7 release for vnet driver (virtio) is working, the kernel panic is gone.

I still do observe pagefaults with virtio vtnet interfaces...

Yes, this is expected as of now. Fix is on upstream.

That seems to have massively improved or even be fixed completely with the new test kernel. 👍🏻

[lewald]

Thanks to the new test kernel, I now have almost the max. over OpenVPN what I can transmit with my line. Instead of 25 Mbit it is now 45 MBit. I run the opnsense on both sides as VM within Proxmox. Network in Proxmox virtio with 8 queues.

PS: Sensei and Suricata enabled. And Suricata works now in VM

[mb]

@bunchofreeds, yes that'd be perfect if you can have Suricata on WAN (pppoe) and see how it goes. Our early tests showed good results with our test tools.

@binaryanomaly, thanks for the feedback. vtnet seems to be doing even better than 20.1.

@lewald, that's great to hear, though I wouldn't expect netmap work might have contributed to the vpn speed. It could be virtio that you can use it with 8 queues.