Cryptographic Accelerators boards support in pfSense ?

sullrich

Doesn't look like we had device safe in our kernel configuration file.  I just added it and it will show up in future versions.

jmcentire

Is there any way I can update that on one of my systems, at least for testing?

Thanks

sullrich

Rebuild the kernel, but you are on your own.

jmcentire

I guess I will wait for the next version  ;)
Thanks

dotdash

You could try copying safe.ko from a stock FreeBSD 6.2 install into your /boot/kernel directory, then adding safe_load="YES" to loader.conf

jmcentire

dotdash:  Tried what you said, here is what I get on boot up:

safe0 mem 0xefbfe000-0xefbfffff irq 3 at device 6.0 on pci2
safe0: cannot allocate DMA tag
device_attach: safe0 attach returned 6
re0: <realtek 10="" 8139c+="" 100basetx="">port 0xd500-0xd5ff mem 0xefefa000-0xefefa1ff
irq 10 at device 9.0 on pci2
re0: could not allocate dma tag

Fatal trap 12: page fault while in kernel mode
fault virtual address  = 0x60
fault code              = supervisor read, page not present
instruction pointer    = 0x20:0xc057c995
stack pointer          = 0x28:0xc0c20b5c
frame pointer          = 0x28:0xc0c20b70
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process        = 0 (swapper)
trap number            = 12
panic: page fault
Uptime: 1s
Automatic reboot in 15 seconds - press a key on the console to abort</realtek>

sullrich

@dotdash:

You could try copying safe.ko from a stock FreeBSD 6.2 install into your /boot/kernel directory, then adding safe_load="YES" to loader.conf

Nice can of worms you just opened :)

jmcentire

Worth a try, don't really feel like doing real work on a friday afternoon anyway  ;D

BTW popped out the card and it boots just fine, so don't worry about causing any problems dotdash.

sullrich

:) :)

dotdash

@jmcentire:

dotdash:  Tried what you said, here is what I get on boot up:
Fatal trap 12: page fault while in kernel mode
fault virtual address  = 0x60
fault code              = supervisor read, page not present

Whoops. Well, I didn't say it was a good idea…
If you're still feeling brave, it would be interesting to see what happened if you removed it from loader.conf and tried loading it after the system was booted with 'kldload safe'
Is the card in the original slot? It almost looks like an IRQ conflict?

jmcentire

@dotdash:

If you're still feeling brave, it would be interesting to see what happened if you removed it from loader.conf and tried loading it after the system was booted with 'kldload safe'
Is the card in the original slot? It almost looks like an IRQ conflict?

Yup, in the original slot.

kldload safe

safe0 mem 0xefbfe000-0xefbfffff irq 3 at device 6.0 on pci2
safe0: cannot allocate DMA tag
device_attach: safe0 attach returned 6

dotdash

This appears to be a known bug in 6.2
http://www.freebsd.org/cgi/query-pr.cgi?pr=110662&cat=kern

sullrich

Ahh yes, now I remember why I took the option out to begin with.  Give me a second and I'll post the module with the fix.

mrzaz

Hehe, think I opened up a "old/new" area to explore more for sullrich and the guys.  :)

It is an interesting topic and could improve the performance for VPN for many users
for a reasonable price.  just like 50 euro or something for a board.

sullrich, maybe it would be worth having people with accelerator boards
come back with feedback on how good they work / don't work, and maybe
weeding out some bugs for the non-working.

Also update the "VPN"-section in the Feature-page highlighting that it actually
supports Crypto-accelerator boards and maybe do some update of the
"Hardware Sizing Guidance" with some tests on how much gain you would get
adding such boards.

This would give the pfSense even more cred for beeing a serious alternative
to way more expensive system like Cisco, Watchguard or similar.

And if you get some more companies with better budget, they will also have
the better budget for Commercial support and maybe also putting up bountys
of a bit higher figures. Of course this is speculation from my part but could
very much so be a reality.

Best regards
Dan Lundqvist
Stockholm, Sweden

Klug

There's a ubsec(4) in the Nokia IP130 (and maybe in all IP1x0) that is seen by the kernel.

Is there anything special to be done in order to use it (in a VPN) ?