Change in memory management/usage?
-
I have 8GB RAM and so far have never seen my system use swap, though not running pfblocker etc.
After upgrades, the memory usage jumps to somewhere between 25-35%, but after a second reboot it goes back to the normal 6-7%
-
@pfsjap I agree with the above and that swap usage like you are experiencing is not normal, especially with 8GB on Netgate hardware.
I also run a 6100 Max and I guess you are more familiar with the memory use shown on mine:
Mem: 125M Active, 398M Inact, 622M Wired, 40K Buf, 6635M Free
ARC: 223M Total, 48M MFU, 167M MRU, 1490K Header, 6081K Other
     191M Compressed, 518M Uncompressed, 2.72:1 Ratio
Swap: 1024M Total, 1024M Free
There has to be a ripple in that particular load, which is good data for Netgate. Did you try a full restart from cold and log those details too?
-
@robbiett Swap usage starts at 0% after restart, but increases later on. I haven't taken up any figures, but after restart memory usage might be 40-50%, but then goes down. Upgraded earlier today to 23.05.r.20230521.0305 and now memory usage is 23% and swap usage 2%.
I have these packages installed:
pfBlocker has 23 IP and DNSBL groups configured. IPS policy is set to Security in Snort with 22 categories enabled in ET Open Rules.
-
@pfsjap said in Change in memory management/usage?:
parameters in FreeBSD
See https://redmine.pfsense.org/issues/14030 and
https://forum.netgate.com/topic/177886/23-1-using-more-ram
When disk-intensive activities occur (such as a software update), the ZFS file system cache increases. The cache will be released if required, but not immediately, forcing use of swap. The solution is to limit the cache size down from the very generous default.
-
@patch In 23.01 I had set vfs.zfs.arc.max to 419430400. With 23.05 RC I had already decreased that and at the moment it's 400000.
-
@pfsjap Could you run
top -aS -o res
for us so we can look at how the memory is being used?
-
@robbiett Sure, looks like Snort is using a lot of memory:
last pid: 85727; load averages: 0.25, 0.55, 0.47 up 0+09:12:12 18:28:07
93 processes: 2 running, 89 sleeping, 2 waiting
CPU: 0.1% user, 0.2% nice, 0.1% system, 0.0% interrupt, 99.6% idle
Mem: 1520M Active, 2240M Inact, 124M Laundry, 756M Wired, 3148M Free
ARC: 257M Total, 164M MFU, 83M MRU, 920K Anon, 2009K Header, 7051K Other
     223M Compressed, 546M Uncompressed, 2.44:1 Ratio
Swap: 2048M Total, 43M Used, 2005M Free, 2% Inuse

PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
83927 root 3 52 20 1421M 1079M bpf 3 1:16 0.23% /usr/local/bin/snort -R _34675 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -
13140 root 2 52 20 1421M 1063M bpf 0 0:23 0.05% /usr/local/bin/snort -R _8486 -D -q --suppress-config-log --daq pcap --daq-mode passive --treat-drop-as-alert -l
6934 unbound 4 20 0 822M 756M kqread 3 0:11 0.26% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
28523 root 1 68 0 147M 69M accept 0 0:26 0.00% php-fpm: pool nginx (php-fpm)
72038 root 1 44 0 153M 65M accept 3 0:43 0.00% php-fpm: pool nginx (php-fpm)
1040 root 1 68 0 147M 62M accept 0 0:48 0.00% php-fpm: pool nginx (php-fpm)
1041 root 1 68 0 147M 55M accept 0 0:38 0.00% php-fpm: pool nginx (php-fpm)
85623 root 1 20 0 47M 37M bpf 0 0:00 0.00% /usr/local/sbin/arpwatch -Z -f /usr/local/arpwatch/arp_igc2.dat -i igc2 -w digger909@hotmail.com
85048 root 1 20 0 47M 37M bpf 2 0:00 0.00% /usr/local/sbin/arpwatch -Z -f /usr/local/arpwatch/arp_igc0.dat -i igc0 -w digger909@hotmail.com
93605 root 1 20 0 72M 36M piperd 3 0:01 0.01% /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog
1039 root 1 20 0 112M 17M kqread 1 0:01 0.00% php-fpm: master process (/usr/local/lib/php-fpm.conf) (php-fpm)
3716 dhcpd 1 20 0 25M 10M select 0 0:01 0.01% /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid igc
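Added example, not part of any post in this thread: a small Python parser for saved `top -aS -o res` output that converts the Mem/ARC/Swap header to MiB and sums the RES column per program, so the largest consumers can be compared across upgrades. The function names are made up for this example, and the sample rows are copied from the output above with the command lines shortened.

```python
import re
from collections import defaultdict

# Rows copied from the top output posted in the thread (command lines shortened).
SAMPLE = """\
Mem: 1520M Active, 2240M Inact, 124M Laundry, 756M Wired, 3148M Free
ARC: 257M Total, 164M MFU, 83M MRU, 920K Anon, 2009K Header, 7051K Other
Swap: 2048M Total, 43M Used, 2005M Free, 2% Inuse
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
83927 root 3 52 20 1421M 1079M bpf 3 1:16 0.23% /usr/local/bin/snort -R _34675 -D -q
13140 root 2 52 20 1421M 1063M bpf 0 0:23 0.05% /usr/local/bin/snort -R _8486 -D -q
6934 unbound 4 20 0 822M 756M kqread 3 0:11 0.26% /usr/local/sbin/unbound -c /var/unbound/unbound.conf
28523 root 1 68 0 147M 69M accept 0 0:26 0.00% php-fpm: pool nginx (php-fpm)
"""

TO_MIB = {"K": 1 / 1024, "M": 1.0, "G": 1024.0}

def mib(token):
    """'1079M' -> 1079.0; top prints sizes with a K/M/G suffix."""
    return float(token[:-1]) * TO_MIB[token[-1]]

def parse_header(text):
    """Return {'Mem': {...}, 'ARC': {...}, 'Swap': {...}} in MiB; '2% Inuse' is skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(Mem|ARC|Swap):\s*(.*)", line)
        if m:
            out[m.group(1)] = {name: mib(size) for size, name in
                               re.findall(r"(\d+[KMG])\s+(\w+)", m.group(2))}
    return out

def res_by_command(text):
    """Sum the RES column (7th field) per program name, largest first."""
    totals = defaultdict(float)
    for line in text.splitlines():
        cols = line.split(None, 11)  # 11 fixed columns, then the full command line
        if len(cols) == 12 and cols[0].isdigit():
            prog = cols[11].split()[0].rsplit("/", 1)[-1].rstrip(":")
            totals[prog] += mib(cols[6])
    return sorted(totals.items(), key=lambda kv: -kv[1])

def summarize(text):
    h = parse_header(text)
    return {"mem_total_mib": round(sum(h["Mem"].values())),
            "arc_mib": round(h["ARC"]["Total"]),
            "swap_used_mib": round(h["Swap"].get("Used", 0.0)),
            "top_consumers": [(p, round(r)) for p, r in res_by_command(text)[:3]]}
```

Calling `summarize(SAMPLE)` on these rows attributes 2142 MiB of resident memory to the two Snort instances against an ARC of 257 MiB.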
-
@mvikman said in Change in memory management/usage?:
I have 8GB RAM and so far have never seen my system use swap, though not running pfblocker etc.
I run something that is nearly a full UTM and you run a pure firewall; there is for sure a difference as I see it.
- Squid & SquidGuard (DNSBL)
- pfBlocker-NG (Feeds)
- ClamAV (AV Signatures)
- Snort (Rules)
This will be a fresh load after a reboot, and in my eyes there is nothing wrong with it, so I am happy that swap will be used in such cases.
After upgrades, the memory usage jumps to somewhere between 25-35%,
But 35% of your 8 GB is 2.8 GB, and this is nearly 70% of my RAM; you have forgotten that in your counting.
but after a second reboot it goes back to the normal 6-7%
Only after several hours here; look at the picture from this morning (11 hours) and from now (below), all is balanced fine.
-
The original poster asked about swap usage / change in swap usage from 23.01 to 23.05RC, and also didn't specify what packages were running in the system.
I just provided my experience with my system, which is that I have never seen swap usage in it.
I haven't bothered to change the ZFS ARC cache limits because it hasn't been a problem in my system.
Of course you can directly compare systems with 4GB and 8GB RAM.
-
All of this (and more) is covered in recent docs updates:
https://docs.netgate.com/pfsense/en/latest/hardware/memory.html