Call for testing: official netmap kernel

[mb]

Dear OPNsense community,

It's my pleasure to announce that OPNsense team has shipped the official netmap test kernel today.

This kernel fixes important stability and reliability issues with regard to vmx(4), vtnet(4), ixl(4), ix(4) and em(4) ethernet drivers.

The  kernel also adds long-awaited support for tun(4) and lagg(4) interfaces.

The end benefit of this kernel is that you'll be able to run Sensei or Suricata on the following:

• OpenVPN and other VPNs which use tun(4) interface
• Link Aggregation Groups (lagg)
• QEMU/KVM guests with performant vtnet driver
• VMware guests with vmx driver
• Intel 10 Gbps Ethernet drivers
• Intel 1 Gbps Ethernet (em driver) with VLANs

To deploy the new kernel just run below command and restart your firewall.

Code: [Select]

# opnsense-update -kr 20.7.3-netmap
Patches which went into this kernel have been under heavy testing by us (Sunny Valley Networks) and by the OPNsense team for a few weeks now.

We'd very much appreciate your further testing and feedback. If no further issues pop up, OPNsense team will be shipping all these functionality with 20.7.4 or later releases.

As Sunny Valley Networks, we'd very much like to thank OPNsense/HardenedBSD team, netmap team (Universita di Pisa) and the FreeBSD team for their awesome collaboration and precious efforts. With their full coordination and co-operation, we are able to provide this today.

[mimugmail]

Good news! Today in Webinar I was asked about vmx driver status. Thanks for your efforts!!

[mb]

All welcome @mimugmail. Enjoy

[andrema2]

# opnsense-update -kr 20.7.2-netmap

Just one question, maybe a silly one, is this reversable in case of problems ?

Thanks

[binaryanomaly]

Awesome!

[mb]

Just one question, maybe a silly one, is this reversable in case of problems ?

No, actually a good question. Yes, you can:

Code: [Select]

# opnsense-update -kr 20.7.2

[GreenMatter]

# opnsense-update -kr 20.7.2-netmap

Just one question, maybe a silly one, is this reversable in case of problems ?

And can I apply this update directly on 20.1.9 or it's better to wait for 20.7.3?

[binaryanomaly]

@mb

Is it to be expected that now with "20.7.2-netmap" the update functionality proposes to update to "20.7.2"

[mb]

And can I apply this update directly on 20.1.9 or it's better to wait for 20.7.3?

Nope, this is only for 20.7.x releases.

[mb]

Is it to be expected that now with "20.7.2-netmap" the update functionality proposes to update to "20.7.2"

Yes, that's normal. Because you're not running the standard 20.7.2 kernel.

[heresjody]

Kernel update worked fine with me.

    OPNsense 20.7.2-amd64
FreeBSD 12.1-RELEASE-p9-HBSD
OpenSSL 1.1.1g 21 Apr 2020

To doublecheck I'm providing valid testing results for you (PPPoE WAN / Suricata)
1. Only select interface: In my case LAN (vtnet) and don't select WAN (vtnet vlan 6)
2. Add public IP to home networks.

Correct?

[almodovaris]

Nope, it did not change the download speed in APU2. If anything, it got even lower. I use Sensei 1.6 with September definitions.

[DanMc85]

With the new build, should Interfaces Selection for Protected Interfaces be LAN only or can I add vmx0_VLAN's and ovpns OpenVPN Server interfaces also. Wasn't sure if LAN covered them all or not.
-I do have internal DNS server running on a Domain Controller on the LAN. Not sure if that matters for config.

This is a VMWare ESXi 7 environment if the VMX didn't give it away

[mb]

To doublecheck I'm providing valid testing results for you (PPPoE WAN / Suricata)
1. Only select interface: In my case LAN (vtnet) and don't select WAN (vtnet vlan 6)
2. Add public IP to home networks.

Hi @heresjody:

1- Correct. Though we have not touched pppoe+netmap yet. Use Sensei on LAN.
2- Not sure if I understood correctly. Can you elaborate?

[mb]

With the new build, should Interfaces Selection for Protected Interfaces be LAN only or can I add vmx0_VLAN's and ovpns OpenVPN Server interfaces also. Wasn't sure if LAN covered them all or not.
-I do have internal DNS server running on a Domain Controller on the LAN. Not sure if that matters for config.

This is a VMWare ESXi 7 environment if the VMX didn't give it away

Yes, do not put Sensei on WAN interface; or any interface that Suricata is also running on.

Otherwise, you can add vmx parent/vlan interfaces. You can also add openvpn interfaces.

If you have an internal DNS, try the new realtime dns mapping feature