Zenarmor & Wireguard = High CPU

Started by w9hdg, March 30, 2025, 04:48:27 AM

Hello Everyone,

Been scratching my head on this one for a few days now. The other day I noticed that my firewall's CPU utilization was running at a constant 15% even with very little traffic flowing through the system.

I restarted zenarmor and the CPU utilization dropped back down to near idle and all was good in the world...until I also noticed that I was having trouble routing IPv6 through my wireguard instance from my phone to home (I have my phone call home and route all its traffic through my home when I'm out and about).

Restarted the wireguard server instance and ipv6 started working again...and then I noticed that the CPU utilization was back up. It didn't matter if I was connected to the server or not...it was high.

Restart zenarmor, cpu goes down, ipv6 stops working. Restart wireguard, cpu goes up, ipv6 starts working again.

I should clarify that ipv6 on the non-wireguard stuff (so my other vlans) worked fine the entire time so it is only affecting the ipv6 setup of the wireguard instance.

I would appreciate any thoughts or ideas that the hive mind might have because I'm at a complete loss at this point.

Thanks,

~T

Just a quick follow up...if I remove the wireguard interface from zenarmor...all is good in the world so it seems like there is something wonky going on between wireguard and zenarmor.

Hi,

Kindly protect the WireGuard interface and set Zenarmor to bypass mode instead of rebooting when the issue reoccurs. We will determine if the problem is associated with Zenarmor or netmap.


I did figure out the IPv6 thing...I redid some of the clients and the addresses changed, which meant that Zenarmor was treating the IPv6 stuff as "unknown" devices and applying the default policy, which I have set to block unknown clients.

I did reapply zenarmor to the WG0 interface. Restarted Zenarmor and Wireguard to make sure everything was happy. Verified proper connectivity, CPU utilization spiked (as expected). There was no observable difference in CPU Utilization when in bypass mode.

Hi,

Thank you for your assistance. It appears that the issue is linked to Netmap. We will investigate it and update the team accordingly.