Error about misconfigured interfaces

Started by tigo003, April 27, 2024, 08:20:31 AM

Hi,

It could be an insufficient CPU issue. You can check Zenarmor HW requirements for 1Gbps with Zenarmor.

https://www.zenarmor.com/docs/introduction/hardware-requirements

What is your CPU model?

Hi
actually the dropped packets just disappeared with the new BSD14 kernel. Wireguard is faster.👍
I've Pentium Gold 8505, 12GB RAM, NVME. Few dozen devices. Should be fine for WAN but I don't use it for anything other than firewall contacting DNS. So I need to accommodate both ZenArmor and Wireguard for 2Gb/s line. The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode, it's really hard to guess what CPU could handle the full speed, 100% Wireguard. I wish there was a calculator:)

Hi,

For the dropped packets, can you check dev.netmap.buf_num in the "sysctl -a | grep netmap" command output, to see if it is 1000000 or not?

To use Zenarmor in mix mode is not possible. Passive mode uses pcap instead of netmap.


Quote from: 36thchamber on July 31, 2024, 02:50:35 AM
Hi
actually the dropped packets just disappeared with the new BSD14 kernel. Wireguard is faster.👍
I've Pentium Gold 8505, 12GB RAM, NVME. Few dozen devices. Should be fine for WAN but I don't use it for anything other than firewall contacting DNS. So I need to accommodate both ZenArmor and Wireguard for 2Gb/s line. The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode, it's really hard to guess what CPU could handle the full speed, 100% Wireguard. I wish there was a calculator:)

For ZA related interface errors and why those happen you can read here >
https://forum.opnsense.org/index.php?topic=41230.msg202594#msg202594
https://forum.opnsense.org/index.php?topic=41230.msg202554#msg202554

In regards to the other question
Quote: The VPN speed gets reduced from 2000Mb/s to 1250Mb/s in netmap mode, it's really hard to guess what CPU could handle the full speed, 100% Wireguard.

They have a hardware scaling table.
https://www.zenarmor.com/docs/introduction/hardware-requirements

You would need to keep a certain higher freq constantly in order to achieve such huge throughput. The HW sizing they have I believe is done for pure port-2-port throughput not including WG. But you can make an educated guess. Anyway as long as we are still locked to single core/thread operations for ZA, it doesn't matter. It will always bottleneck and create back pressure.

However there is a light at the end of the tunnel, ZA finished their SASE product (more or less) and we were told that devs started to work on multicore/thread support for ZA. There is a topic in regard of this on the forum.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD