Issues with device polling (alix2d13, 2.0-RELEASE, 100/7 WAN)
-
@onhel:
[…] I would say you are very underpowered for your network.
Thanks for your rating.
OT: And hey, no need to be jealous… the uplink has only 7Mbit. ::)
@onhel:
If power consumption/size of a pfSense box is of a concern, then your next best option would be a mitx Atom setup but that's going to set you back a few hundred.
If I don't get a better result with comparing the sysctl settings (m0n0wall vs. pfSense) I will take a look at available hardware in Switzerland…
-
FYI- on ALIX your performance with and without polling is going to be comparable. The bottleneck is the CPU in both cases, there isn't any wiggle room on that device.
Polling uses CPU to poll the NICs for data. It will always show 100% usage since it polls in the idle loop.
It will give up CPU to other tasks if they need it, that's just how polling works.
That said, polling won't buy you anything on ALIX really. You may as well turn it off.
I've passed about 87Mbit/s through an ALIX last time I tested it. That's in the clear though. Any amount of VPN traffic that the device has to handle will bring that way down. As will anything else that uses up CPU.
-
I suggest you get the values of the kern.polling sysctl variables when running m0n0wall and compare them with the values when pfSense is running.
I have compared both kern.polling settings between m0n0wall and pfSense and the difference ("static" entries) is:
kern.polling.idlepoll_sleeping: 1
kern.polling.phase: 2
kern.polling.handlers: 2
kern.polling.burst: 150
But it seems that it unfortunately makes no difference for pfSense. Speed (with activated device polling) is fine, but CPU usage, while being idle, is at maximum all the time. But m0n0wall doesn't have this behavior during my tests, meaning that CPU usage went down while being idle. m0n0wall would solve this issue, but it's not the firewall I'm searching for. Even though I'm new to pfSense… I really like it, it's great!
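One way to do the comparison described above, as an added example that is not part of the original posts: a POSIX sh function that diffs two saved "sysctl kern.polling" dumps and lists every OID whose value differs. The file names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two saved `sysctl kern.polling` dumps.

# polling_diff A B: print "oid<TAB>value-in-A<TAB>value-in-B" for every OID
# that differs, or that exists in only one dump (shown as "-").
polling_diff() {
    awk -F': ' '
        # Skip anything that is not "kern.polling.x: value" (error lines etc.)
        $1 !~ /^kern\.polling\./ || NF < 2 { next }
        FNR == NR { a[$1] = $2; next }      # records from the first file
        { b[$1] = $2 }                      # records from the second file
        END {
            for (k in a) {
                if (!(k in b))         print k "\t" a[k] "\t-"
                else if (a[k] != b[k]) print k "\t" a[k] "\t" b[k]
            }
            for (k in b) if (!(k in a)) print k "\t-\t" b[k]
        }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample dumps (illustrative values, not captured from a device).
write_samples() {
    cat > "$1/m0n0wall.txt" <<'EOF'
kern.polling.idle_poll: 1
kern.polling.burst_max: 150
kern.polling.idlepoll_sleeping: 1
kern.polling.phase: 2
kern.polling.handlers: 2
kern.polling.burst: 150
EOF
    cat > "$1/pfsense.txt" <<'EOF'
sysctl: oid 'kern.polling.idlepoll_sleeping' is read only
kern.polling.idle_poll: 1
kern.polling.burst_max: 150
kern.polling.idlepoll_sleeping: 0
kern.polling.phase: 0
kern.polling.handlers: 0
kern.polling.burst: 5
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
polling_diff "$tmp/m0n0wall.txt" "$tmp/pfsense.txt"
rm -rf "$tmp"
```

On a live system the two input files would come from running sysctl kern.polling > file on each firewall under the same load.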
-
@jimp What an honor for me that you replied to me. 8)
Polling uses CPU to poll the NICs for data. It will always show 100% usage since it polls in the idle loop.
At the moment I try to understand why on m0n0wall the CPU usage goes really down when being idle, but not on pfSense…
The only reason – with my little knowledge – I could think of is that sysctl kern.polling.idlepoll_sleeping=1 does NOT work, meaning that on pfSense it always stays at kern.polling.idlepoll_sleeping: 0.
If I try to enable idlepoll_sleeping via ssh shell, I get this message in return:
sysctl kern.polling.idlepoll_sleeping=1
sysctl: oid 'kern.polling.idlepoll_sleeping' is read only
As I have read here, this setting seems to be responsible for the high CPU usage during idle:
kern.polling.idle_poll
Controls if polling is enabled in the idle loop. There are no reasons (other than power saving or bugs in the scheduler's handling of idle priority kernel threads) to disable this.
What do you think?
That said, polling won't buy you anything on ALIX really. You may as well turn it off.
On my alix2d13 there's a difference: ~30Mbit/s (turned off: 46-50Mbit/s; turned on: 74-82Mbit/s)
PS: Sorry for my English, I'm not a native speaker. :-[
-
try to add that line on /boot/loader.conf.local file and reboot
EDIT: and I tried to mean: kern.polling.idlepoll_sleeping=1
-
try to add that line on /boot/loader.conf.local file and reboot
OK, will try this. Really loader.conf.local and not (already existing) loader.conf?
EDIT: Have found this, so… think my question is obsolete.
-
try to add that line on /boot/loader.conf.local file and reboot
I have tried to add it via System Tunables, but after reboot it's still off.
Then I have figured out that I have to add it via exec.php (echo "kern.polling.idlepoll_sleeping=1" >> /boot/loader.conf.local). After that I did reboot the pfSense, but it's still off too.
After reboot:
$ sysctl kern.polling
kern.polling.idlepoll_sleeping: 0
-
i'm out of ideas. maybe someone else knows better
-
A quick scan of the FreeBSD source code suggests:
- kern.polling.idlepoll_sleeping is a status variable reporting whether the network device polling loop is sleeping (1) or polling (0). Since it is reporting a kernel status it is read only to a user.
- kern.polling.idle_poll is a kernel variable specifying whether the network polling loop should take a brief nap (0) after polling all devices or immediately go back and poll all devices to see if they have work to do (1).
The device polling loop is supposed to run as the lowest priority task in the system apart from the idle loop.
If I enable "device polling" I'm able to max out my WAN connection (75-106 Mbit, depending on my ISP), but CPU usage is all the time at about 90-100% – even if system is idle – and webGUI access is very sluggish or even unresponsive. :o
You are probably running at about maximum throughput. Your original post shows kern.polling.idle_poll is 1 so your system will always be busy because it will be polling network devices when there is nothing else to do. Try setting kern.polling.idle_poll to 0 and see what happens to both throughput and GUI responsiveness. It might also be worth trying setting kern.polling.burst_max down from 150 to say 75 or even 40 to see what happens.
-
FYI- on ALIX your performance with and without polling is going to be comparable. The bottleneck is the CPU in both cases, there isn't any wiggle room on that device.
Polling uses CPU to poll the NICs for data. It will always show 100% usage since it polls in the idle loop.
It will give up CPU to other tasks if they need it, that's just how polling works.
That said, polling won't buy you anything on ALIX really. You may as well turn it off.
I've passed about 87Mbit/s through an ALIX last time I tested it. That's in the clear though. Any amount of VPN traffic that the device has to handle will bring that way down. As will anything else that uses up CPU.
Damn, that's what I'm seeing too (87) on my 100 meg link with Virgin in the UK. I really like my ALIX but will get upset about not using all the bandwidth on offer.
Guess it's an Atom board for me. Can anyone recommend a nice firewall enclosure for me? Slim as possible.
-
Yeah 100Mbit/s is just beyond what the ALIX is capable of.
As for Atoms, there are pre-built ones out there like the FW-7535 from Netgate, and the new Soekris net6501. Otherwise, I'd go for a nice Supermicro 1U atom setup.
I have a net6501 here that just arrived a couple days ago. It's humming along nicely so far but I have yet to make any real tests happen on it (E_NOTIME).
-
Looking at the other posts I might go for a Sandy Bridge setup. At 500MHz for 87, a 1000meg network equals roughly 5750 MHz. Assuming the network card drivers can at least have a thread per processor per card, that's a 2.87 GHz dual core or above.
I know we won't have gig too soon but my mate in Sweden is already on a 1 gig connection just as I got my 100 lol. (He only sees 300 currently, no doubt because of his network gear.)
Might as well build it to last.
I was thinking about a Pentium G850 (dual core) which is rated at 2.90GHz. Is this thinking sound?
How does pfSense or rather BSD make use of the cores with network cards? Would a quad give more headroom for the firewall if it was only running the two interfaces (with an Intel or other nice onboard network)?