Call for testing: official netmap kernel

Started by mb, September 16, 2020, 06:53:51 PM

September 16, 2020, 06:53:51 PM Last Edit: September 25, 2020, 04:11:08 PM by mb
Dear OPNsense community,

It's my pleasure to announce that the OPNsense team has shipped the official netmap test kernel today.

This kernel fixes important stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers.

The kernel also adds long-awaited support for tun(4) and lagg(4) interfaces.

The end benefit of this kernel is that you'll be able to run Sensei or Suricata on the following:

  • OpenVPN and other VPNs which use tun(4) interface
  • Link Aggregation Groups (lagg)
  • QEMU/KVM guests with performant vtnet driver
  • VMware guests with vmx driver
  • Intel 10 Gbps Ethernet drivers
  • Intel 1 Gbps Ethernet (em driver) with VLANs

To deploy the new kernel, just run the command below and restart your firewall.

# opnsense-update -kr 20.7.3-netmap

Patches which went into this kernel have been under heavy testing by us (Sunny Valley Networks) and by the OPNsense team for a few weeks now.

We'd very much appreciate your further testing and feedback. If no further issues pop up, the OPNsense team will be shipping all this functionality with 20.7.4 or later releases.

As Sunny Valley Networks, we'd very much like to thank OPNsense/HardenedBSD team, netmap team (Universita di Pisa) and the FreeBSD team for their awesome collaboration and precious efforts. With their full coordination and co-operation, we are able to provide this today.

Good news! Today in the webinar I was asked about the vmx driver status. Thanks for your efforts!! :)


Quote from: mb on September 16, 2020, 06:53:51 PM
# opnsense-update -kr 20.7.2-netmap

Just one question, maybe a silly one, is this reversible in case of problems?

Thanks


Quote from: andrema2 on September 16, 2020, 09:59:27 PM
Just one question, maybe a silly one, is this reversible in case of problems?

No, actually a good question. Yes, you can:

# opnsense-update -kr 20.7.2

Quote from: andrema2 on September 16, 2020, 09:59:27 PM
Quote from: mb on September 16, 2020, 06:53:51 PM
# opnsense-update -kr 20.7.2-netmap
Just one question, maybe a silly one, is this reversible in case of problems?

And can I apply this update directly on 20.1.9 or is it better to wait for 20.7.3?
OPNsense on:
Intel(R) Xeon(R) E-2278G CPU @ 3.40GHz (4 cores)
8 GB RAM
50 GB HDD
and plenty of vlans ;-)

@mb

Is it to be expected that now with "20.7.2-netmap" the update functionality proposes to update to "20.7.2"?


Quote from: GreenMatter on September 16, 2020, 11:03:36 PM
And can I apply this update directly on 20.1.9 or is it better to wait for 20.7.3?

Nope, this is only for 20.7.x releases.

Quote from: binaryanomaly on September 16, 2020, 11:04:07 PM
Is it to be expected that now with "20.7.2-netmap" the update functionality proposes to update to "20.7.2"?

Yes, that's normal. Because you're not running the standard 20.7.2 kernel.

Kernel update worked fine for me.

OPNsense 20.7.2-amd64
FreeBSD 12.1-RELEASE-p9-HBSD
OpenSSL 1.1.1g 21 Apr 2020

To double-check I'm providing valid testing results for you (PPPoE WAN / Suricata):
1. Only select interface: In my case LAN (vtnet) and don't select WAN (vtnet vlan 6)
2. Add public IP to home networks.

Correct?

September 16, 2020, 11:40:47 PM #11 Last Edit: September 16, 2020, 11:45:43 PM by almodovaris
Nope, it did not change the download speed in APU2. If anything, it got even lower. I use Sensei 1.6 with September definitions.
OPNsense HW:

Minisforum Venus series UN100C, 16 GB RAM, 512 GB SSD
T-bao N9N Pro, 16 GB RAM, 512 GB SSD

With the new build, should Interfaces Selection for Protected Interfaces be LAN only, or can I add vmx0_VLANs and ovpns OpenVPN Server interfaces also? Wasn't sure if LAN covered them all or not.
- I do have an internal DNS server running on a Domain Controller on the LAN. Not sure if that matters for config.

This is a VMware ESXi 7 environment if the VMX didn't give it away :)

Quote from: heresjody on September 16, 2020, 11:22:00 PM
To double-check I'm providing valid testing results for you (PPPoE WAN / Suricata):
1. Only select interface: In my case LAN (vtnet) and don't select WAN (vtnet vlan 6)
2. Add public IP to home networks.

Hi @heresjody:

1- Correct. Though we have not touched pppoe+netmap yet. Use Sensei on LAN.
2- Not sure if I understood correctly. Can you elaborate?

Quote from: DanMc85 on September 17, 2020, 12:54:22 AM
With the new build, should Interfaces Selection for Protected Interfaces be LAN only, or can I add vmx0_VLANs and ovpns OpenVPN Server interfaces also? Wasn't sure if LAN covered them all or not.
- I do have an internal DNS server running on a Domain Controller on the LAN. Not sure if that matters for config.

This is a VMware ESXi 7 environment if the VMX didn't give it away :)

:)

Yes, do not put Sensei on the WAN interface, or on any interface that Suricata is also running on.

Otherwise, you can add vmx parent/vlan interfaces. You can also add openvpn interfaces.

If you have an internal DNS, try the new realtime DNS mapping feature ;)