Call for testing: netmap on 20.7

Started by mb, May 23, 2020, 02:32:10 AM

Quote from: loganx1121 on August 27, 2020, 07:27:34 PM
Ok I'll reinstall sensei from the gui and then add the pkg from cli and report back.  Thanks

Now it's failing on installing the logstash database.  See below:

***ERROR: Elasticsearch service request returned error: Failed to parse mapping [conn]: No handler for type [array] declared on field [tags].***
***ERROR*** CODE:4***


I'm going to uninstall again, then reinstall, then go through the initial setup process, and then upgrade to the beta version and see if that works.  Will report back. 

Quote from: loganx1121 on August 27, 2020, 07:39:15 PM
Quote from: loganx1121 on August 27, 2020, 07:27:34 PM
Ok I'll reinstall sensei from the gui and then add the pkg from cli and report back.  Thanks

Now it's failing on installing the logstash database.  See below:

***ERROR: Elasticsearch service request returned error: Failed to parse mapping [conn]: No handler for type [array] declared on field [tags].***
***ERROR*** CODE:4***


I'm going to uninstall again, then reinstall, then go through the initial setup process, and then upgrade to the beta version and see if that works.  Will report back.

So I uninstalled sensei, reinstalled, went through initial configuration, restored my backup sensei config, then upgraded to the beta version, and it's still basically broken.  Still can't add whitelisted urls that belong to blocked categories. 

An interesting thing...if I go to firmware and check for updates, I see the following:


Package Name | Current Version | New Version | Required Action
kernel | 20.7.1-netmap4 | 20.7.1 | upgrade


Even though:

root@fw:~ # uname -a
FreeBSD Asgard-Wall.bifrost.local 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64


Anyone have any suggestions?

I uninstalled sensei again.  Reinstalled from gui, then upgraded to the beta version, blocked a category, then tried to whitelist a URL within that category, still the same thing.  This time I didn't restore my sensei config to rule that out as a possible issue.  Screenshot attached.

- Ok so, uninstalled sensei...again.  Ran the firmware update since it struck me as weird that the firmware from github was showing AFTER I had followed the instructions to install the test kernel from this thread...after the reboot I was running:

root@fw:~ # uname -a
FreeBSD fw 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #2  505cf134d9b(stable/20.7)-dirty: Mon Aug 10 12:14:34 CEST 2020     root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64


- Installed sensei again.
- Did NOT upload my sensei config backup
- Went through initial configuration.
- Activated my license file
- Blocked a category, tried to access a URL within that category and could not ( as expected)
- Whitelisted that URL and then was able to access it

So the above is normal behavior as I am used to it...

- ssh'd to firewall
- cd /boot
- fetch https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/kernel-12.1-0822-1.tar.gz
- mv kernel kernel.stock.save
- tar zxf kernel-12.1-0822-1.tar.gz

Rebooted from cli.  Output of kernel version after reboot:

root@fw:~ # uname -a
FreeBSD fw 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64


- Confirmed previous sensei exception for the URL is still working
- Checked firmware updates again for funsies...said no updates
- From cli of firewall ran pkg add -f https://updates.sunnyvalley.io/opnsense/updates/netmap-kernel/os-sensei-1.6.beta1.txz
- Went to sensei status page and stopped the packet engine, then started
- Tried to access the same URL again and I can't

So as soon as I install 1.6 beta, I can't access whitelisted URLs if they match a blocked category.
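
A check for the manual kernel swap described in the post above, as an added example that is not part of the original post and not code from the OPNsense or Sensei projects: it confirms that a rollback copy and a new kernel file exist before the reboot, and afterwards compares the build identifier in `uname -a` with the expected one. The function names are hypothetical and the layout (the tarball unpacking to `kernel/kernel` under `/boot`) is an assumption; the two sample lines are copied from this thread.

```sh
#!/bin/sh
# Added example: sanity checks around the manual kernel swap.
# Function names are hypothetical; paths assume the tarball unpacks to kernel/.

# Sample input: the two `uname -a` lines quoted in this thread.
FIRMWARE_UNAME='FreeBSD fw 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #2  505cf134d9b(stable/20.7)-dirty: Mon Aug 10 12:14:34 CEST 2020     root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64'
TEST_UNAME='FreeBSD fw 12.1-RELEASE-p8-HBSD FreeBSD 12.1-RELEASE-p8-HBSD #6  39e30dc05(master)-dirty: Sat Aug 22 09:35:48 PDT 2020     root@sunnyvalley12.localdomain:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64'

# Print the build identifier (commit, branch, dirty flag) from a uname -a line,
# e.g. "39e30dc05(master)-dirty". Prints nothing if the line does not match.
kernel_build_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*#[0-9][0-9]* *\([0-9a-f]\{1,\}([^)]*)[^:]*\):.*/\1/p'
}

# Succeed only if the uname line ($2) carries the expected build id ($1).
is_expected_kernel() {
    [ "$(kernel_build_id "$2")" = "$1" ]
}

# Before rebooting: make sure both the saved kernel and the new one are present.
# Returns 0 if safe to reboot, 2 if there is no rollback copy, 1 if the new
# kernel file is missing or empty.
check_kernel_swap() {
    boot=${1:-/boot}
    if [ ! -s "$boot/kernel.stock.save/kernel" ]; then
        echo "no rollback kernel in $boot/kernel.stock.save" >&2
        return 2
    fi
    if [ ! -s "$boot/kernel/kernel" ]; then
        echo "$boot/kernel/kernel missing or empty; do not reboot" >&2
        return 1
    fi
    return 0
}

# Demo on the embedded sample lines.
for line in "$FIRMWARE_UNAME" "$TEST_UNAME"; do
    printf 'build id: %s\n' "$(kernel_build_id "$line")"
done
```

On the firewall, `check_kernel_swap /boot` would run before the reboot and `is_expected_kernel '39e30dc05(master)-dirty' "$(uname -a)"` after it.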




August 27, 2020, 09:41:42 PM #154 Last Edit: August 27, 2020, 09:59:12 PM by DenverTech
Tested with latest kernel at two sites' firewalls and the beta Sensei at one site.
- Lockups and issues with missing interfaces are resolved with kernel/both.
- Some speed problems at both sites (new kernel, but with and without the beta Sensei), where Sensei is shaving a LOT of the bandwidth (way more than it did previously). 1000mbit gets reduced to 100mbit at both sites for downloads...uploads appear mostly fine. I'm working with support on figuring this one out.
- On the beta Sensei, the Web Controls page is blank. Nothing there at all. App Controls is fine. I haven't opened a ticket on this yet. I'm more worried about the bandwidth issue.

The bandwidth issue is because of the netmap and the kernel. The main issue is the way too paranoid "hardened" BSD project. I use FreeBSD on other systems too, this whole project is starting to get annoying and it's more like a pain in the ass. Much more side effect than benefit. I really don't like where the FreeBSD development is going.

Quote from: Archanfel80 on August 28, 2020, 12:48:55 PM
The bandwidth issue is because of the netmap and the kernel. The main issue is the way too paranoid "hardened" BSD project. I use FreeBSD on other systems too, this whole project is starting to get annoying and it's more like a pain in the ass. Much more side effect than benefit. I really don't like where the FreeBSD development is going.

No one is forced to use netmap. On fast hardware you get perfect performance, also with 20.7.

And the relation to HBSD compared to FreeBSD is just a guess ..

Huh, netmap is not hardened / slowed down. It's just general netmap performance implications. You can compare with FreeBSD 12.1 if you want on the same hardware, just set up a test lab?


Cheers,
Franco

https://forum.opnsense.org/index.php?topic=18754.msg86216#new

There is enough performance. Of course devs cannot test every hardware, but I think with 20.7.4 there's a solution.

Quote from: mimugmail on August 28, 2020, 02:15:37 PM
Quote from: Archanfel80 on August 28, 2020, 12:48:55 PM
The bandwidth issue is because of the netmap and the kernel. The main issue is the way too paranoid "hardened" BSD project. I use FreeBSD on other systems too, this whole project is starting to get annoying and it's more like a pain in the ass. Much more side effect than benefit. I really don't like where the FreeBSD development is going.

No one is forced to use netmap. On fast hardware you get perfect performance, also with 20.7.

And the relation to HBSD compared to FreeBSD is just a guess ..

What would you consider fast hardware?  I have an i7-2600 with 16GB of ram running OPNsense and I'm seeing my speeds almost cut in half when Sensei is enabled - from 900+ Mb/sec down to about 550+ Mb/sec.

This is quite the drop from 20.1 where I was able to max out my connection with both Suricata and Sensei enabled.

The main problem in this thread is ppl mixing their issues. Sensei is a third-party plugin, the core team won't do any testing here. I'm quite sure there is space for improving the kernel, but maybe for 20.7.4 or .5.

OPNsense has fixed releases and Sensei stuff may not be ready enough. But on the other side the community is too low for broad testing. So what is the best way? Wait ages for testers and stick with the old OS, or go for a bit of risk (which can also fail)?

P.S. I'm not core, just guessing

Hi, I'm from Sensei team.

For a month now, we've been doing a lot of testing on quite many deployments, hardware etc. I would like to share our findings.

There is a bunch of variables: OS, firewall hardware, ethernet adapter, ethernet adapter compatibility with netmap, test tool, test hardware, test device connectivity (wi-fi, wired), ISP being used etc.

Results can greatly vary in each particular test setting where one or more variable can affect the total throughput.

That being said, for our tests, I can say that HardenedBSD did not have any significant effect. We found a 1%-2% difference between a FreeBSD 12/Stable kernel and the stock OPNsense 20.7 kernel. This difference might also be a testing error.

Real problem is that iflib(4), the new network interface subsystem in FreeBSD, received a code refactoring. When I look at stable/12 commits, I can still - from time to time - see fixes for major issues.

The other thing is that this refactoring also severely affected the netmap system. It was mostly incompatible with the new iflib code.

Good news is, we've come a long way in this short period of time. Most serious issues have been handled. I guess OPNsense team will be delivering these fixes with the upcoming releases.

Resources for open source projects can be constrained, so we're helping OPNsense team to create a netmap-iflib-stable kernel. We have sponsored another round of work on netmap side for new drivers and these bug-fixes.  OPNsense team has been very cooperative and hard-working in trying to incorporate suggested commits. OPNsense version of 12.1 is likely to be more stable than the upstream.

The latest test kernel looks very promising. iflib work, although it creates a bit of headache now, has great implications for the future, which we'll all enjoy in the mid and long term.

Our initial focus is fixing the reliability problems. Next is performance. Latter is also a bit related to the former.

I'll keep you posted about the developments.

Thanks Murat, I'm quite sure with a .4 or .5 most of the issues are gone :)
But this can't work without the community and their responses.

@mb

Did you see my message here: https://forum.opnsense.org/index.php?topic=17363.msg85741#msg85741

Except for the performance stuff, there is also an issue with "Web Controls", which are not configurable at all.
It's empty and can't be used. I do not have a license installed at this node, so it is a "free" version in this case.


Hi @scream,

That was a bug in 1.6.beta1, which got fixed. Stay tuned for the next beta.