6100 SLOW in comparison to Protectli FW6E

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@manilx Will get a 8200 MAX tomorrow to replace this 6100. Will see how that one goes with my "normal" suricata setup (in comparision to Protectli).
Will post results......

More CPU horsepower will certainly help throughput, but I would not expect much of an improvement in stability when switching the runmode to "workers" in Suricata.

The throughput improvement will come from having extra CPU capacity to allocate to rules signature analysis while still leaving adequate processing for basic network I/O. A box with a more limited CPU can start to run out of juice for network I/O (read that as being able to quickly respond to NIC driver interrupts) if it is also heavily taxed analyzing network flows in Suricata.

manilx

@bmeeks Yes, I do not intend to switch to worker (hadn't also on the Protectli).
Just looking for more CPU to increase bandwidth at this point.....

manilx

@manilx Received the 8200 and imported the config. As it's all the same (networks) it should go without issues...

Well after 3 hours and crashes after crashes

it didn't reinstall the packages it should (and normally does). Had to install them all one by one again.

I gave up!
Either it's a bad herring or there's something fundamentally wrong here.

Will keep the stable 6100 with slower speed. I need to do something else with my time ;)

bmeeks

Just to close the loop here on this issue:

There has been some movement on the potential cause of the stall/hang bug with netmap and Suricata. Details can be found in the following Suricata Redmine tickets:

https://redmine.openinfosecfoundation.org/issues/5744#note-68
https://redmine.openinfosecfoundation.org/issues/5862

Short story is that both OPNsense and pfSense are subject to this bug, and the bug is most likely to present itself in heavy traffic scenarios (speed tests on Gigabit links definitely being one of those). The bug particularly adversely impacts Suricata when using Inline IPS Mode and runmode=workers.

Some further testing of the proposed fix is happening. If everything pans out, the fix will be applied to Suricata upstream in the upcoming 6.0.11 release (no release date established yet) and in Suricata "master" which is currently the 7.0-RC branch. I will roll the fix (if it proves out) into the 6.x Suricata used on pfSense. But deployment of the fix in pfSense will likely wait until AFTER the current 23.01-RC goes to production release because the Netgate team wishes to minimize changes in that branch while completing RC testing.

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@manilx Received the 8200 and imported the config. As it's all the same (networks) it should go without issues...

Well after 3 hours and crashes after crashes

it didn't reinstall the packages it should (and normally does). Had to install them all one by one again.

I gave up!
Either it's a bad herring or there's something fundamentally wrong here.

Will keep the stable 6100 with slower speed. I need to do something else with my time ;)

Would be helpful for you to post the content of the PHP error . Click the "here" link in the message displayed at the top of your pfSense screen to display the result. There you have the option of reporting it.

manilx

@bmeeks

Here is one I saved.

And I got no internet connection on the LAN. The 8200 had one.

[14-Feb-2023 16:28:32 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:28:52 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:31:40 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:32:19 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724

Also had 100's of messages I receive via Pushover. I didnd't save those. They were different BUT weere about missing firewall rules or such.

manilx

@bmeeks Awesome

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks

Here is one I saved.

And I got no internet connection on the LAN. The 8200 had one.

[14-Feb-2023 16:28:32 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:28:52 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:31:40 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724
[14-Feb-2023 16:32:19 Europe/Lisbon] PHP Fatal error:  Uncaught Error: Call to undefined function isURL() in /etc/inc/pfsense-utils.inc:2724
Stack trace:
#0 /etc/rc.update_urltables(74): process_alias_urltable('pfB_Africa_v4', 'urltable', 'https://127.0.0...', '32', false)
#1 {main}
  thrown in /etc/inc/pfsense-utils.inc on line 2724

Also had 100's of messages I receive via Pushover. I didnd't save those. They were different BUT weere about missing firewall rules or such.

Yeah, these are all core to pfSense PHP itself and not related to Suricata. Perhaps the Netgate guys can respond to those. With a new SG-8200 you get some free initial support, so I would take advantage of it and open a TAC ticket here: https://www.netgate.com/tac-support-request.

manilx

@bmeeks I will return the 8200 and keep the 6100 and wait for the new suricata, I just don't have enough energy left after 3 months at this ;)

Putting the 6100 at work again after factory restart ro send back and fresh import of the config was 10min.

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks I will return the 8200 and keep the 6100 and wait for the new suricata, I just don't have enough energy left after 3 months at this ;)

Well, the 8200 is a nice box if you have the budget to keep it and the 6100 .

manilx

@bmeeks Like in Women "nice" is not always "good" :)

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks Like in Women "nice" is not always "good" :)

It's Valentine's Day today, so I will let that one lay lest I get myself in trouble with the lady in my life .

manilx

@bmeeks For the record and because I'm not english native:

With nice I meant good looking
With good I meant good heart

Valentine's day saved :)

stephenw10

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

Well after 3 hours and crashes after crashes

Urgh, I'm sorry about that. The 8200 is supplied with 22.05.1 by default because it required a point release to recognise the new hardware.
It looks like you're hitting a known issue there. Hold on....

manilx

@stephenw10 Yes I have seen that. And it wanted my to upgrade to the RC!!

I have until tomorrow morning to decide which unit to send back!

If you get me a solution in the next few hours I can try

stephenw10

Yeah this: https://forum.netgate.com/post/1080059
You can apply that patch using the system patches package and the commit ID or just copy/pasting the patch.

With that patch in place you should be able to import that config with the URL table aliases.

It's fixed in 23.01 which is imminent.

Steve

manilx

@stephenw10 OK. I will try again!

manilx

@stephenw10 Steve,

Did that. Applied patch and then the config restore.
Had issues because it didn't reinstall the packages as it should:

Also it again had the RC set as the update to load. Had to change it back to 22.05.1 release.
After that manually installed the missing packages (all in red).
No internet for me. Refreshed DHCP and all OK.

Seems running now!

Question about that patch. On reboot it's loaded automatically and I don't have to do anything?

stephenw10

When you apply the patch it is permanent unless the file(s) are replaced. So it will be lost at upgrade for example but it's fixed in 23.01 anyway so not a problem.

manilx

@stephenw10 Great. 6100 is going back then and 8200 is the keeper :)