Call for testing: netmap on 20.7

Started by mb, May 23, 2020, 02:32:10 AM

Quote from: mb on August 23, 2020, 06:05:59 PM
Quote from: Quetschwalze on August 23, 2020, 09:31:17 AM
Tested with igb interfaces and pppoe on wan (removed VLAN for testing)
Suricata seems to start fine:

..
..

However, it doesn't alert or block on anything.
Then I tried Sensei on the WAN Interface. It starts, but afterwards Internet is gone.
Reports do not show any sessions or blocks.

Hi @Quetschwalze, thanks. Any chances that you can also send a pcap trace? - Sensei is not meant for WAN right now.
Thanks @mb
Yes, No Problem. Just to make sure, you'll need a pcap of suricata/pppoe wan interface traffic?



Quote from: Quetschwalze on August 23, 2020, 07:18:50 PM
Yes, No Problem. Just to make sure, you'll need a pcap of suricata/pppoe wan interface traffic?

Yep.

@mb

One more thing that happens with sensei on vmx:
If on 20.7 and sensei is active I see a performance degradation to 100-150 Mbit/s. Without sensei I can reach about 350-400 Mbit/s (on same device connected to WiFi).
Before upgrade I was able to reach 450 Mbit/s with sensei running.

Hi @scream, are you doing the tests with speedtest.net ? If so, can you repeat the test with scp ? Try scp'ing a (large) file to one of the IP addresses on sensei protected interfaces on the firewall (you'll basically copy a file to the firewall.)

Run this test with and without sensei and see how much it differs.

e.g.  scp 1gbfile root@fw-sensei-protected-interface-ip:/dev/null

Quote from: mb on August 23, 2020, 08:31:32 PM
Hi @scream, are you doing the tests with speedtest.net ? If so, can you repeat the test with scp ? Try scp'ing a (large) file to one of the IP addresses on sensei protected interfaces on the firewall (you'll basically copy a file to the firewall.)

Run this test with and without sensei and see how much it differs.

e.g.  scp 1gbfile root@fw-sensei-protected-interface-ip:/dev/null

No. I'm using iperf on a VM on another subnet and my iPhone.

@mb

I did iperf testing now on two ubuntu vms on esx itself.

So...

vm1 (subnet1) -> opnsense vmx0 -> opnsense vmx1 -> vm2 (subnet2). Everything on esx. Sensei configured to be active on both vmx interfaces.

I did 4 tests:

1. opnsense 20.7 with sensei => 126 Mbit/s
2. opnsense 20.7 without sensei (stopped packet engine) => 904 Mbit/s
3. opnsense 20.1.9 with sensei => 918 Mbit/s
4. opnsense 20.1.9 without sensei (stopped packet engine) => 921 Mbit/s

Detail results:
https://paste.ubuntu.com/p/Vjqmrr5Z8m/


@scream, thanks. that looks interesting. let us try to reproduce this here. currently we can attain 450-500 Mbps with or without sensei in our lab.

Quote from: mb on August 23, 2020, 09:05:58 PM
@scream, thanks. that looks interesting. let us try to reproduce this here. currently we can attain 450-500 Mbps with or without sensei in our lab.

Probably just an issue with vmx interfaces?

Maybe I made a mistake in the installation steps? I didn't reset the config, just updated from 20.1.9 to 20.7.
Then updated packages. After that I patched kernel and rebooted opnsense completely. After that I just started elasticsearch and packet engine.
After that I saw that I can't see any Interface in configuration tab... so I patched also php file as described.
A simple revert to the snapshot I've created before upgrading to 20.7 brings back the "wirespeed" performance.

I can also try 1.6 beta, maybe it is fixed there?

It is mostly related to the kernel. I would not expect 1.6 would make any difference.

What happens if you put sensei into bypass mode?

Quote from: mb on August 23, 2020, 09:35:12 PM
It is mostly related to the kernel. I would not expect 1.6 would make any difference.

What happens if you put sensei into bypass mode?

20.1.9 sensei bypass mode => 855 Mbit/s
20.7 sensei bypass mode => 205 Mbit/s

Note that there is now some other traffic in the networks so 855 Mbit/s is normal.

https://paste.ubuntu.com/p/35v3HxmJrT/

Quote from: scream on August 23, 2020, 09:51:32 PM
20.1.9 sensei bypass mode => 855 Mbit/s
20.7 sensei bypass mode => 205 Mbit/s

Note that there is now some other traffic in the networks so 855 Mbit/s is normal.

https://paste.ubuntu.com/p/35v3HxmJrT/

@scream, these tests are very helpful, thanks.

sensei in bypass mode does nothing other than simply bridging packets back and forth. Hence, this looks like netmap performance.

However, in our labs we can attain 450-500 Mbps throughput between VMware guests (vmx).

Any chances that you can reach out? Send a PR via "Report Bug" menu on the upper right hand side of the screen. We would like to have a closer look.


Quote from: mb on August 24, 2020, 02:26:30 AM
Any chances that you can reach out? Send a PR via "Report Bug" menu on the upper right hand side of the screen. We would like to have a closer look.

Done. :)
Any chance for the 1.6 link to test tun devices?

Hi @scream,

Sure, please find it below :)

# fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz
os-sensei-1.6.beta1.txz                                 25 MB 4688 kBps    05s
# pkg add os-sensei-1.6.beta1.txz


Please note, although this has been thoroughly tested and reached beta stage, it's still not meant for production use. Use carefully.

Quote from: mb on August 25, 2020, 04:37:34 AM
Hi @scream,

Sure, please find it below :)

# fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz
os-sensei-1.6.beta1.txz                                 25 MB 4688 kBps    05s
# pkg add os-sensei-1.6.beta1.txz


Please note, although this has been thoroughly tested and reached beta stage, it's still not meant for production use. Use carefully.

Did a clean upgrade from 20.1.9 to 20.7 again, uninstalled sensei and installed it from the packet.
Also did a fresh clean configuration of 1.6 beta.
tun device does work and looks like performance of 100Mbit/s isn't an issue here. (Can't test faster at this time as this is the speed limit of this uplink).

As expected this doesn't make any difference of the performance issue reported in combination of opnsense 20.7, sensei & vmx interface on my server. Still around 100-130 Mbit/s. (If sensei is stopped, wirespeed around 950 Mbit/s is possible.)

One thing I want to mention is that there is no "Web Control" in this 1.6beta?
On my installation "Web Control" doesn't show categories at all. I just can select between "Permissive" / "Moderate Control" ... but if I select "Moderate Control" for e.g. I can't save this. It is just hanging on the load bar.

Will test further.

August 25, 2020, 10:52:14 PM #134 Last Edit: August 25, 2020, 11:25:31 PM by bunchofreeds
Hi @mb,

When I try to apply the 1.6 package via SSH I get the following:

the most recent version of os-sensei-1.5.2_1 is already installed

Just to confirm, this is the latest Sensei version, do we also need the latest kernel version?
What versions do you recommend we test with?