Zenarmor performance expectation

Started by jaykumar2005, May 13, 2026, 09:25:26 AM

I am running OPNsense on a Lenovo P330 (Intel i5-8500 CPU @ 3.00GHz) with the Zenarmor Free tier and a basic default policy with few rules.

My upstream bandwidth is around 1 Gbps; I get around 900+ Mbps on an interface/VLAN excluded in Zenarmor.

The bandwidth I get on the Zenarmor-monitored VLAN doesn't exceed 650 Mbps at all.

Is this the expected penalty of running a single-core, single-thread Zenarmor?

Did someone do a benchmark of Zenarmor performance on different CPUs? What is your bandwidth performance with Zenarmor enabled?
Hardware: Lenovo ThinkStation P330 Tiny (Intel Core i5-8500 @ 3.00GHz, 1xI219-LM, 4xI350)
BUFFERBLOAT GRADE A+

Hi,

Can you share the interface type and are you using Zenarmor with Emulated Netmap driver or Native Netmap driver?

I am using Routed Mode (L3 Mode, Reporting + Blocking) with Emulated Netmap driver

Hi,

Is the interface igc or? Can you share "sysctl -a | grep netmap" command output?

Here are the details: igb0 is WAN (PPPoE), igb1 is LAN (pvid1/untagged), and igb2 is a trunk interface with multiple tagged VLANs.

I see the bandwidth issue with the igb1 LAN interface only.

sysctl -a | grep netmap
<6>[1] igb0: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] igb1: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] igb2: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] igb3: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] em0: netmap queues/slots: TX 1/1024, RX 1/1024
[92] 913.575921 [1167] generic_netmap_attach     Emulated adapter for igb1 created (prev was igb1)
[92] 913.575934 [1068] generic_netmap_dtor       Native netmap adapter for igb1 restored
[92] 913.575941 [1072] generic_netmap_dtor       Emulated netmap adapter for igb1 destroyed
[92] 913.576009 [1167] generic_netmap_attach     Emulated adapter for igb1 created (prev was igb1)
[92] 913.829018 [ 319] generic_netmap_register   Emulated adapter for igb1 activated
[92] 913.829113 [1167] generic_netmap_attach     Emulated adapter for vlan0.40 created (prev was NULL)
[92] 913.829124 [1072] generic_netmap_dtor       Emulated netmap adapter for vlan0.40 destroyed
[92] 913.829234 [1167] generic_netmap_attach     Emulated adapter for vlan0.40 created (prev was NULL)
[92] 913.829307 [ 319] generic_netmap_register   Emulated adapter for vlan0.40 activated
device netmap
dev.netmap.iflib_rx_miss_bufs: 0
dev.netmap.iflib_rx_miss: 0
dev.netmap.iflib_crcstrip: 1
dev.netmap.max_bridges: 8
dev.netmap.bridge_batch: 1024
dev.netmap.default_pipes: 0
dev.netmap.port_numa_affinity: 0
dev.netmap.priv_buf_num: 4098
dev.netmap.priv_buf_size: 2048
dev.netmap.buf_curr_num: 1000000
dev.netmap.buf_num: 1000000
dev.netmap.buf_curr_size: 2048
dev.netmap.buf_size: 2048
dev.netmap.priv_ring_num: 4
dev.netmap.priv_ring_size: 20480
dev.netmap.ring_curr_num: 1024
dev.netmap.ring_num: 1024
dev.netmap.ring_curr_size: 36864
dev.netmap.ring_size: 36864
dev.netmap.priv_if_num: 2
dev.netmap.priv_if_size: 1024
dev.netmap.if_curr_num: 100
dev.netmap.if_num: 100
dev.netmap.if_curr_size: 1024
dev.netmap.if_size: 1024
dev.netmap.ptnet_vnet_hdr: 1
dev.netmap.generic_rings: 1
dev.netmap.generic_ringsize: 1024
dev.netmap.generic_mit: 100000
dev.netmap.generic_hwcsum: 0
dev.netmap.admode: 2
dev.netmap.fwd: 0
dev.netmap.txsync_retry: 2
dev.netmap.no_pendintr: 1
dev.netmap.no_timestamp: 0
dev.netmap.verbose: 0

Hi,

Please add the following tunables in System - Settings - Tunables and check again.

Tunable: dev.netmap.generic_rings, Value: 6
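
An added example, not part of any post in this thread and not Zenarmor or OPNsense tooling: a small Python parser for the "sysctl -a | grep netmap" output format shown above, which lists the interfaces running on an emulated netmap adapter and compares dev.netmap.generic_rings with the hardware queue count each NIC reports. The sample input is constructed from the lines in this thread; comparing the ring count with the NIC queue count is an assumption made for this example (the suggested value 6 matches the 6 TX/RX queues reported for igb1), and the meaning of admode=2 is taken from the netmap(4) manual page.

```python
import re

# Constructed sample in the format of the output posted in this thread.
SAMPLE = """\
<6>[1] igb1: netmap queues/slots: TX 6/1024, RX 6/1024
<6>[1] em0: netmap queues/slots: TX 1/1024, RX 1/1024
[92] 913.829018 [ 319] generic_netmap_register   Emulated adapter for igb1 activated
[92] 913.829307 [ 319] generic_netmap_register   Emulated adapter for vlan0.40 activated
dev.netmap.generic_rings: 1
dev.netmap.admode: 2
"""

QUEUES = re.compile(r"(\w+): netmap queues/slots: TX (\d+)/\d+, RX (\d+)/\d+")
ACTIVATED = re.compile(r"Emulated adapter for (\S+) activated")
SYSCTL = re.compile(r"^dev\.netmap\.(\w+): (\d+)$", re.M)


def audit(text):
    """Summarise netmap adapter mode and ring configuration from sysctl output."""
    # Hardware queue count per NIC (the smaller of TX and RX).
    hw = {m[1]: min(int(m[2]), int(m[3])) for m in QUEUES.finditer(text)}
    # Interfaces for which an emulated (generic) adapter was activated.
    emulated = sorted(set(ACTIVATED.findall(text)))
    knobs = {name: int(value) for name, value in SYSCTL.findall(text)}
    rings = knobs.get("generic_rings", 1)  # netmap(4) default is 1
    findings = []
    if knobs.get("admode") == 2:
        # netmap(4): 0 = best available, 1 = native only, 2 = emulated only
        findings.append("admode=2: emulated mode is forced for every port")
    for ifname in emulated:
        queues = hw.get(ifname)
        if queues is None:
            findings.append(f"{ifname}: emulated, no hardware queue line (virtual interface)")
        elif rings < queues:
            # Assumption of this example: fewer emulated rings than NIC queues is worth flagging.
            findings.append(f"{ifname}: emulated with {rings} ring(s), NIC reports {queues} queues")
    return {"hw_queues": hw, "emulated": emulated,
            "generic_rings": rings, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE)["findings"]:
        print(line)
```
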

Updated the Tunables, rebooted the firewall, but I am afraid it did not make much of a difference

Tunable: dev.netmap.generic_rings, Value: 6


Hi,

Could you please provide the logs and configuration by following the steps outlined in the link below? I kindly request that you select all checkboxes.
https://www.zenarmor.com/docs/support/reporting-bug

Sure, done

Please come back and share what you find. I have a slightly lower end Xeon (closest to i3 about the same generation) and getting around the same download on monitored interfaces. It's probably just the work that needs to be done to monitor and the result is going to stay the same. Might be different with multithreaded performance.