Call for testing: netmap on 20.7

[Quetschwalze]

Tested with igb interfaces and pppoe on wan (removed VLAN for testing)
Suricata seems to start fine:

..
..

However, it doesn't alert or block on anything.
Then I tried Sensei on the WAN Interface. It starts, but afterwards Internet is gone.
Reports do not show any sessions or blocks.

Hi @Quetschwalze, thanks. Any chances that you can also send a pcap trace? - Sensei is not meant for WAN right now.

Thanks @mb
Yes, No Problem. Just to make sure, you'll need a pcap of suricata/pppoe wan interface traffic?

Gesendet von meinem MI 9 mit Tapatalk

[mb]

Yes, No Problem. Just to make sure, you'll need a pcap of suricata/pppoe wan interface traffic?

Yep.

[scream]

@mb

One more thing that happens with sensei on vmx:
If on 20.7 and sensei is active I see a performance degration to 100-150 Mbit/s. Without sensei I can reach about 350-400 Mbit/s (on same device connected to WiFi).
Before upgrade I was able to reach 450 Mbit/s with sensei running.

[mb]

Hi @scream, are you doing the tests with speedtest.net ? If so, can you repeat the test with scp ? Try scp'ing a (large) file to one of the IP addresses on sensei protected interfaces on the firewall (you'll basically copy a file to the firewall.)

Run this test with and without sensei and see how much it differs.

e.g.  scp 1gbfile root@fw-sensei-protected-interface-ip:/dev/null

[scream]

Hi @scream, are you doing the tests with speedtest.net ? If so, can you repeat the test with scp ? Try scp'ing a (large) file to one of the IP addresses on sensei protected interfaces on the firewall (you'll basically copy a file to the firewall.)

Run this test with and without sensei and see how much it differs.

e.g.  scp 1gbfile root@fw-sensei-protected-interface-ip:/dev/null

No. I‘m using iperf on a VM on another subnet and my iPhone.

[scream]

@mb

I did iperf testing now on two ubuntu vms on esx itself.

So...

vm1 (subnet1) -> opnsense vmx0 -> opnsense vmx1 -> vm2 (subnet2). Everything on esx. Sensei configured to be active on both vmx interfaces.

I did 4 tests:

1. opnsense 20.7 with sensei => 126 Mbit/s
2. opnsense 20.7 without sensei (stopped packet engine) => 904 Mbit/s
3. opnsense 20.1.9 with sensei => 918 Mbit/s
4. opnsense 20.1.9 without sensei (stopped packet engine) => 921 Mbit/s

Detail results:
https://paste.ubuntu.com/p/Vjqmrr5Z8m/

[mb]

@scream, thanks. that looks interesting. let us try to reproduce this here. currently we can attain 450-500 Mbps with or without sensei in our lab.

[scream]

@scream, thanks. that looks interesting. let us try to reproduce this here. currently we can attain 450-500 Mbps with or without sensei in our lab.

Probably just an issue with vmx interfaces?

May I did a mistake on the installation steps? I didn‘t reset the config, just updated from 20.1.9 to 20.7.
Then updated packages. After that I patched kernel an rebooted opnsense completly. After that I just startet elasticsearch and packet engine.
After that I saw that I can‘t see any Interface in configuration tab... so I patched also php file as described.
A simple revert to the snapshot I‘ve created before upgrading to 20.7 brings back the „wirespeed“ performance.

I can also try 1.6 beta, may it is fixed there?

[mb]

It is mostly related to the kernel. I would not expect 1.6 would do any difference.

What happens if you put sensei into bypass mode?

[scream]

It is mostly related to the kernel. I would not expect 1.6 would do any difference.

What happens if you put sensei into bypass mode?

20.1.9 sensei bypass mode => 855 Mbit/s
20.7 sensei bypass mode => 205 Mbit/s

Note that there is now some other traffic in the networks so 855 Mbit/s is normal.

https://paste.ubuntu.com/p/35v3HxmJrT/

[mb]

20.1.9 sensei bypass mode => 855 Mbit/s
20.7 sensei bypass mode => 205 Mbit/s

Note that there is now some other traffic in the networks so 855 Mbit/s is normal.

https://paste.ubuntu.com/p/35v3HxmJrT/

@scream, these tests are very helpful, thanks.

sensei in bypass mode does nothing than simply bridging packets back and forth. Hence, this looks like netmap performance.

However, in our labs we can attain 450-500 Mbps throughput between VMware guests (vmx).

Any chances that you can reach out? Send a PR via "Report Bug" menu on the upper right hand side of the screen. We would like to have a closer look.

[scream]

Any chances that you can reach out? Send a PR via "Report Bug" menu on the upper right hand side of the screen. We would like to have a closer look.

Done.
Any chance for the 1.6 link to test tun devices?

[mb]

Hi @scream,

Sure, please find it below

Code: [Select]

# fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz
os-sensei-1.6.beta1.txz                                 25 MB 4688 kBps    05s
# pkg add os-sensei-1.6.beta1.txz
Please be noted, although this has been thoroughly tested and reached beta stage, it's still not meant for production use. Use carefully.

[scream]

Hi @scream,

Sure, please find it below

Code: [Select]

# fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz
os-sensei-1.6.beta1.txz                                 25 MB 4688 kBps    05s
# pkg add os-sensei-1.6.beta1.txz
Please be noted, although this has been thoroughly tested and reached beta stage, it's still not meant for production use. Use carefully.

Did a clean upgrade from 20.1.9 to 20.7 agian, uninstalled sensei and installed it from the packet.
Also did a fresh clean configuration of 1.6 beta.
tun device does work and looks like performance of 100Mbit/s isn't a issue here. (Can't test faster at time as this is the speed limit of this uplink).

As expected this doesn't make any difference of the performance issue reported in combination of opnsense 20.7, sensei & vmx interface on my server. Still arount 100-130 Mbit/s. (If sensei is stopped wirespeed around 950 Mbit/s) is possible.

One thing I want to mention is that there is no "Web Control" in this 1.6beta?
On my installation "Web Control" doesn't show categories at all. I just can select between "Permissive" / "Moderate Control" ... but if I select "Moderate Control" for e.g. I can't save this. It is just hanging on the load bar.

Will test further.

[bunchofreeds]

Hi @mb,

When I try to apply the 1.6 package via SSH I get the following:

the most recent version of os-sensei-1.5.2_1 is already installed

Just to confirm, this is the latest Sensei version, do we also need the latest kernel version?
What versions do you recommend we test with?