Zenarmor causes long outages with native netmap driver

Started by JasMan, August 25, 2023, 11:42:51 PM

Hi,

For some months I have noticed that my OPNsense needs a long time until all services are fully up after a complete reboot (up to 10 minutes).
The other day I noticed the same behaviour when I restart the Zenarmor engine.

Today I found some time to dig into this.

When I restart the Zenarmor engine, several services like Unbound and NTP stop and start several times immediately after Zenarmor is up again.
The log shows a lot of the following errors for this range of time:

/usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on INTERFACE_NAME

When all calmed down, everything works fine.

I played around and found out that this issue is solved as soon as I choose the emulated netmap driver for Zenarmor.
The interfaces of my system are all Intel I211.

Is this an expected behaviour when the hardware/driver doesn't support the native netmap driver? Or did I configure something wrong?


Jas Man
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

Hi JasMan,

When you start/stop zenarmor engine, zenarmor (same with suricata in IPS mode) issues a call to netmap to start/stop inspecting packets for your protected interfaces respectively.

Once this is requested, netmap re-initializes the interface causing down/up events for the particular ethernet interface.

When OPNsense code notices a link down/up event; it tries to re-initialize and refresh interfaces and services.

This is expected. The thing I'm surprised in your case is that it takes so long for things to "calm down".

Quick question: do you have IPv6 enabled in your network or is it just IPv4?

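The mechanism mb describes (netmap re-initialises the interface, the kernel logs link down/up, and rc.linkup then reconfigures services) leaves a recognisable trace in the system log. The following script is an added example, not code from this thread, OPNsense or Zenarmor: it scans log lines for FreeBSD "link state changed" messages and the rc.linkup "found no suitable IPv4 address" error quoted above, and reports per interface how many events occurred and how long the churn lasted, which is a quick way to confirm whether a restart really takes minutes to settle. The sample log lines, the hostname "fw", the interface names igb1/igb2 and the timestamps are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the syslog format OPNsense writes to
# /var/log/system.log. Hostname, interface names and timestamps are made up.
SAMPLE_LOG = """\
Aug 25 23:10:01 fw kernel: igb1: link state changed to DOWN
Aug 25 23:10:03 fw kernel: igb1: link state changed to UP
Aug 25 23:10:04 fw opnsense: /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
Aug 25 23:10:09 fw opnsense: /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
Aug 25 23:10:10 fw kernel: igb2: link state changed to DOWN
Aug 25 23:10:12 fw kernel: igb2: link state changed to UP
Aug 25 23:10:13 fw opnsense: /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb2
Aug 25 23:10:20 fw unbound[1234]: info: start of service (constructed line, ignored by the parser)
Aug 25 23:19:40 fw opnsense: /usr/local/etc/rc.linkup: dhcpd_dhcp4_configure() found no suitable IPv4 address on igb1
"""

# Syslog timestamp at the start of the line ("Aug 25 23:10:01" or "Aug  5 ...").
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")
# FreeBSD kernel link-state message, as emitted when netmap re-initialises a NIC.
LINK_RE = re.compile(r"kernel: (?P<ifname>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)")
# The rc.linkup error quoted in the thread.
NOADDR_RE = re.compile(
    r"rc\.linkup: dhcpd_dhcp4_configure\(\) found no suitable IPv4 address on (?P<ifname>\S+)"
)


def parse_events(log_text):
    """Return a list of (timestamp, ifname, kind) for link-state and rc.linkup lines.

    kind is one of "link_down", "link_up" or "no_ipv4"; other lines are skipped.
    The year is not part of the syslog timestamp, so only deltas are meaningful.
    """
    events = []
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group("ts"), "%b %d %H:%M:%S")
        m_link = LINK_RE.search(line)
        if m_link:
            events.append((ts, m_link.group("ifname"), "link_" + m_link.group("state").lower()))
            continue
        m_addr = NOADDR_RE.search(line)
        if m_addr:
            events.append((ts, m_addr.group("ifname"), "no_ipv4"))
    return events


def summarize(events, churn_threshold_s=60):
    """Per interface: event counts plus the seconds between first and last event.

    An interface whose churn window exceeds churn_threshold_s is flagged as
    "prolonged", i.e. it did not calm down within the expected few seconds.
    """
    per_if = defaultdict(lambda: {"link_down": 0, "link_up": 0, "no_ipv4": 0,
                                  "first": None, "last": None})
    for ts, ifname, kind in events:
        rec = per_if[ifname]
        rec[kind] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)

    result = {}
    for ifname, rec in per_if.items():
        window = (rec["last"] - rec["first"]).total_seconds()
        result[ifname] = {
            "link_down": rec["link_down"],
            "link_up": rec["link_up"],
            "no_ipv4": rec["no_ipv4"],
            "churn_seconds": window,
            "prolonged": window > churn_threshold_s,
        }
    return result


if __name__ == "__main__":
    for ifname, rec in sorted(summarize(parse_events(SAMPLE_LOG)).items()):
        print(ifname, rec)
```

To run it against a real box, replace SAMPLE_LOG with the contents of the system log (for example the output of `clog /var/log/system.log` on older OPNsense releases, or the plain file on newer ones) and compare the churn window before and after switching Zenarmor between the native and emulated netmap drivers; with IPv6 tracking on WAN, expect the WAN interface to appear in the output as well, as mb notes below.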

Hi mb.

IPv6 is enabled for all interfaces in tracking mode.


Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

Got it, with IPv6 + WAN tracking, interface initialization takes a bit longer because OPNsense tries to re-initialize the WAN interface as well.

Another question: when you use emulated netmap mode, is it better?

Yep, with the emulated mode the downtime is near zero, and no errors appear in the log ("found no suitable IPv4 address").
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

That's good to hear indeed. Another reason why we should focus on improving emulated mode.

Let us check this in our lab as well.