Call for testing: official netmap kernel

Started by mb, September 16, 2020, 06:53:51 PM

Yep. Last test kernel, I promise.


Cheers,
Franco

OPNsense 20.7.3-amd64
FreeBSD 12.1-RELEASE-p10-HBSD
OpenSSL 1.1.1g 21 Apr 2020
AMD Athlon 3000G with Radeon Vega Graphics (4 cores)
8GB RAM and Intel E1G42ET Dual Ethernet
Virgin Gig1 Broadband

When downloading large files via an SSL encrypted connection with Sensei 1.6 in standard Routed Mode and the latest 20.7.3 netmap kernel, my download speed maxes out at about 450mbps, but running Speedtest I get about 930mbps. If I change Sensei to Routed Mode with generic netmap driver, SSL downloads peak at 580mbps. If I switch mode to Passive, then SSL downloads reach max speed about 980mbps.

Doing the same SSL download with 20.1 and Sensei in standard Routed Mode I will max out my broadband speed.

Hoping this info can help improve the netmap kernel.

Thanks for the great work being done!

Hi AceRickslick,

Thanks for the detailed information. What does ubench tell about your CPU score:

ubench -cs

Which ethernet adapter are you using for Sensei-protected interfaces and for the WAN interface?

Can you get 930 Mbps with Sensei on during speedtest test?

September 25, 2020, 09:56:21 PM #63 Last Edit: September 25, 2020, 10:02:35 PM by AceRickslick
Hi mb,

ubench score is 574396.

For Sensei-protected it is igb0 and igb1 is used for WAN. It's an Intel 82576 Chipset ethernet adapter.

Yes, I can get 930 Mbps with Sensei turned on during a speedtest test. Just can't hit those speeds during SSL downloads where before on 20.1 it worked perfectly.

September 25, 2020, 10:22:13 PM #64 Last Edit: September 25, 2020, 11:33:03 PM by mb
Thanks, that's promising.

Can I ask for one more test: what happens if you put Sensei on bypass mode? This will tell if this is related to Sensei or netmap.

When Sensei is in Bypass Mode (Passive Mode), I get full speed on SSL downloads and Speedtest test, about 980 Mbps.

September 25, 2020, 11:40:28 PM #66 Last Edit: September 25, 2020, 11:42:27 PM by mb
Be aware, Passive and Bypass mode are different. Passive mode does not use netmap at all. You can enter Bypass mode via Sensei -> Status -> Enter Bypass Mode

Is it Bypass mode?

September 26, 2020, 09:18:08 AM #67 Last Edit: September 26, 2020, 09:30:34 AM by AceRickslick
My bad, it was in Passive Mode. I have retested in Bypass Mode and I get full Gigabit speeds on Speedtest and SSL downloads, about 980 Mbps.

Also, just to rule out busy network times/time of day, when I ran the above test I also tested Sensei in the default Routed Mode: Speedtest hits about 980 Mbps, but on the exact same SSL file download as above the speed never gets above 480 Mbps.

Hi @Ace,

No worries at all, and thanks for the update. Now it's clear. It looks like we need an optimization on SSL-based classifier.

I'll update the thread once we have some results.

question: when I try the test kernel with that command - "opnsense-update -kr 20.7.3-netmap" and reboot afterwards, how do I identify with "uname -a" if the "right" kernel (the netmap-test-kernel) is used?

currently I get the following:
FreeBSD OPNsenseTEST.test 12.1-RELEASE-p10-HBSD-FreeBSD 12.1-RELEASE-p10-HBSD #0 517e44a00df(stable/20.7)-dirty: Mon Sep 21 16:21:17 CEST 2020  root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

I just upgraded to the latest 20.7.3 release from 20.1.9 now that this should be the last netmap test kernel.

I disabled Suricata and Sensei first and then proceeded with the upgrade. The upgrade had no issues and the 20.7.3-Netmap kernel installed successfully as well. I then re-enabled Suricata and Sensei; however, after everything was back up and running I noticed that my download bandwidth has been reduced considerably, as others have mentioned in previous posts as well. Below are my results including general configuration details.

Host: ESXi 6.7 Update 3 (Build 16713306)
OPNsense VM: 4 vCPUs and 8GB RAM
Physical CPU: Intel Core i7-4790S
Interfaces: vmx0 (LAN - Sensei), vmx1 (WAN - Suricata), no VLANs
Max Download Speed: 750mbps

OPNsense 20.7.3 with 20.7.3-Netmap Kernel:
Suricata Disabled and Sensei PE Stopped (Native) - 720mbps
Suricata Disabled and Sensei PE Bypassed (Native) - 600mbps
Suricata Disabled and Sensei PE Enabled (Native) - 320mbps
Suricata Enabled (Hyperscan/High Profile) and Sensei PE Stopped (Native) - 440mbps
Suricata Enabled (Hyperscan/High Profile) and Sensei PE Bypassed (Native) - 600mbps
Suricata Enabled (Hyperscan/High Profile) and Sensei PE Enabled (Native) - 420mbps

Odd that with Suricata Disabled the throughput goes down, and with Suricata Enabled with the Sensei packet engine bypassed the throughput actually goes up when compared to the stopped state.

OPNsense 20.1.9:
Suricata Enabled and Sensei Enabled - 720mbps

Speedtest was run 3 times in each configuration using the same speedtest server.
I also tried Suricata with the Medium/High & Custom Profiles with no effect on throughput, so I left it on High.

I tested the "generic/emulated" netmap driver through the Sensei config, and the throughput on that was atrocious by dropping the download speed to 15mbps. This is the only setting that also affected my upload throughput.

With Sensei 1.6 my WireGuard interface does not show up as an available interface to add as a protected interface. This should now be possible with Sensei 1.6, correct?

I noticed that once Suricata starts it uses 1 CPU core @ 100% for about 5 mins (after boot as well). During this time you cannot run a speedtest, as it affects throughput by about 100-150mbps in my setup. Not sure this is relevant, but figured I would mention it as this is new from my OPNsense 20.1.9 install.

Quote from: the-mk on September 26, 2020, 09:02:29 PM
question: when I try the test kernel with that command - "opnsense-update -kr 20.7.3-netmap" and reboot afterwards, how do I identify with "uname -a" if the "right" kernel (the netmap-test-kernel) is used?

Hi @the-mk, mine shows the following

# opnsense-update -kr 20.7.3-netmap
Your system is up to date.
# uname -a
FreeBSD fw.local 12.1-RELEASE-p10-HBSD FreeBSD 12.1-RELEASE-p10-HBSD #1  ebb8c1489c7(master)-dirty: Mon Sep 21 13:50:27 CEST 2020     root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

Hi @xpendable, thank you for the detailed test results.

Can you reach out to us via "Report Bug" menu from the Sensei UI? We'd like to have a closer look at your configuration & system.

PS: Make sure you check all options and share relevant information.

Using Netmap, e.g. by turning on Sensei on LAN or Suricata in IPS mode on WAN, the traffic graph on the dashboard stops working for those interfaces, and Zabbix agent is unable to gather interface statistics, too.

Hi @athurdent,
Traffic Graph problem existed with the early 20.7 release but it isn't anymore with 20.7.2 and 3. What is your OPNsense version?