6100 SLOW in comparison to Protectli FW6E

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks Like in Women "nice" is not always "good" :)

It's Valentine's Day today, so I will let that one lay lest I get myself in trouble with the lady in my life .

manilx

@bmeeks For the record and because I'm not english native:

With nice I meant good looking
With good I meant good heart

Valentine's day saved :)

stephenw10

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

Well after 3 hours and crashes after crashes

Urgh, I'm sorry about that. The 8200 is supplied with 22.05.1 by default because it required a point release to recognise the new hardware.
It looks like you're hitting a known issue there. Hold on....

manilx

@stephenw10 Yes I have seen that. And it wanted my to upgrade to the RC!!

I have until tomorrow morning to decide which unit to send back!

If you get me a solution in the next few hours I can try

stephenw10

Yeah this: https://forum.netgate.com/post/1080059
You can apply that patch using the system patches package and the commit ID or just copy/pasting the patch.

With that patch in place you should be able to import that config with the URL table aliases.

It's fixed in 23.01 which is imminent.

Steve

manilx

@stephenw10 OK. I will try again!

manilx

@stephenw10 Steve,

Did that. Applied patch and then the config restore.
Had issues because it didn't reinstall the packages as it should:

Also it again had the RC set as the update to load. Had to change it back to 22.05.1 release.
After that manually installed the missing packages (all in red).
No internet for me. Refreshed DHCP and all OK.

Seems running now!

Question about that patch. On reboot it's loaded automatically and I don't have to do anything?

stephenw10

When you apply the patch it is permanent unless the file(s) are replaced. So it will be lost at upgrade for example but it's fixed in 23.01 anyway so not a problem.

manilx

@stephenw10 Great. 6100 is going back then and 8200 is the keeper :)

manilx

@manilx Now back to the speed issue with Suricata:

I have no tested the speedest with my standard rules applied to WAN (yes, I know about better to do LAN but with the open ports I feel better like this).

Speed reaches full 900+ !!!!!!! This CPU is up to par now.

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@manilx Now back to the speed issue with Suricata:

I have no tested the speedest with my standard rules applied to WAN (yes, I know about better to do LAN but with the open ports I feel better like this).

Speed reaches full 900+ !!!!!!! This CPU is up to par now.

Once the stall/hang bug with "workers" mode is fixed in Suricata, the box should really fly then when you switch Suricata to runmode = workers and use Inline IPS Mode.

manilx

@bmeeks Looking forward to!

bmeeks

@manilx:
Do you still have your Protectli appliance and can you configure it with OPNsense again? If so, I would really be interested in how this test Suricata package from the OPNsense developer works for you in terms of eliminating the stall/hang when using Suricata in IPS mode.

Here is a link to the link for the package as posted on the Suricata Redmine site: https://redmine.openinfosecfoundation.org/issues/5744#note-69. The package was created by Franco for use on OPNsense, so it will not work on pfSense. A different user in that Redmine thread had been working with us for testing, but he seems to have dropped off the radar over the last week or so.

The test package at the link above contains the latest iteration of a fix for the stall/hang condition in netmap that happens during heavy traffic transfers such as speed tests when using IPS mode in Suricata. I have also included this fix in the next release of Suricata 6.0.10 on pfSense, but some early feedback would be helpful.

manilx

@bmeeks Hi

Yes have it with pfsense configured as backup.

Still have my OPNsense proxmox VM, which run for 9 months until....

I can test it there.

Tell me how I can install this patch and how you want me to test this.

manilx

@manilx P.S: I tried running OPNsense on the Protectli before but it got sporadic crashes with lost internet access and could not afford to debug that as VM was running fine.

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks Hi

Yes have it with pfsense configured as backup.

Still have my OPNsense proxmox VM, which run for 9 months until....

I can test it there.

Tell me how I can install this patch and how you want me to test this.

Suricata in OPNsense would be suffering from the bug this proposed patch corrects. It gets technical, but Suricata on OPNsense uses netmap with only a single pair of host stack rings while we have been using multiple host stack rings with Suricata on pfSense. The bug identified affects both, but due to having only a single pair of host stack rings OPNsense Suricata is more vulnerable to the stall.

Typical usage with sort of low data rates will not cause the bug to manifest when using Suricata on pfSense. But heavy traffic loading can lead to the stall as you experienced when I suggested earlier in this thread to switch to runmode = workers.

I am hoping the patch I provided in the Suricata Redmine thread solves the stall issue. The OPNsense developer prepared the test Suricata package to see, and that's the package I was hoping you might could test. I have never used OPNsense, so I can't tell you exactly how to install the test package. My guess is do it this way --

Get OPNsense up and running on the device with Suricata installed/enabled/configured (or whatever you normally do to use Suricata in OPNsense). Then, once it is running (I realize it quickly crashes), go to a shell prompt and install the test package using the pkg utility like so:

pkg install <package_name.pkg>

I would download the package using the URL in the link I provided and then store it locally on the firewall (maybe in /tmp or /root), then install it from there. What it should do is simply overwrite the existing Suricata binary with this new version.

After installing the new binary, repeat your speed tests and see if things are more stable. I'm hoping they will be. If you are using a virtual NIC (or unsupported hardware that results in netmap using its generic adapter), then it's possible you still get a hang. Work is continuing on some bugs in the way the generic netmap adapter works. We don't have that on pfSense because for now we limit within the GUI which network adapters are allowed when running Suricata in IPS mode. You can't select that mode in the GUI if your NIC does not support native-mode netmap operation.

manilx

@bmeeks OK. I'll try to do this saturday morning (GMT). Already restored the VM.

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks OK. I'll try to do this saturday morning (GMT). Already restored the VM.

Thanks! I will keep my fingers crossed that the patch helps.

manilx

@bmeeks I will install suricata, add a lot of rules and do Speedtest.net a few times.

Guess that should do it.

I'll report asap. If I can do it earlier I will.

bmeeks

@manilx said in 6100 SLOW in comparison to Protectli FW6E:

@bmeeks I will install suricata, add a lot of rules and do Speedtest.net a few times.

Guess that should do it.

I'll report asap. If I can do it earlier I will.

Thanks -- I did not mention it, but after installing the updated Suricata binary you will need to restart Suricata. In fact, it would be even better to stop it, install the updated package, then restart it.

On OPNsense I don't know what kind of manual control you have in the GUI for stopping and starting. Might take a reboot after updating the binary, but I just don't know having never used OPNsense.