VMWare Pentest lab: Extremely high CPU on host
-
Just to chime in on this thread, as I'm seeing the same issues. I'm running the following release:
[2.0.1-RELEASE][root@pfSense.localdomain]/root(7): uname -a
FreeBSD pfSense.localdomain 8.1-RELEASE-p6 FreeBSD 8.1-RELEASE-p6 #0: Mon Dec 12 18:15:35 EST 2011 root@FreeBSD_8.0_pfSense_2.0-AMD64.snaps.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 amd64within ESXi 5. I installed open-vm-tools and vmware's provided drivers for VMXNET3 adapter. Both internal/extenal NICs are running with the VMXNET3 driver. The problem was exactly the same using E1000 drivers.
The attached screenshot shows what is happening when the network is pretty much idle. During load, this spikes up even higher, even though pFsense top reports almost no usage whatsoever. I tried both with powerd turned on and off.
-
Same issue on fresh pfSense 2.0.1 install running on KVM (Proxmox VE) with smp kernel. With only a couple of mbits of traffic the CPU usage increases massively on the physical host (above 50%) running on single virtual CPU and 512 MB RAM.
pfSense does not support virtio (the paravirtualized devices for KVM) so I thought using emulated NICs was the main reason for the bad CPU performance even under light load, but now I am starting to think that this is may be a more generic problem with pfSense in virtualized setups in general.
-
i too am having the same problem. pfsence 2.0 64, esxi 5.0 2 cores 2 nics vmtools
-
As most others on this thread, I too have run into this problem.
Something that is not clear to me is if using e1000 is the source of such increased cpu usage on esx.
And if that is the case, does switching to another adapter, such as flexible or vmxnet 2/3 help in reducing load for any of you? -
As most others on this thread, I too have run into this problem.
Something that is not clear to me is if using e1000 is the source of such increased cpu usage on esx.
And if that is the case, does switching to another adapter, such as flexible or vmxnet 2/3 help in reducing load for any of you?I tried all three virtual adapters and the behaviour was the same.
-
I'm seeing the same issues here on a DELL PowerEdge R310 Quad Core Xeon:
Using ESXi 4.1 and pfSense 2.0, 2.0.1, old-2.1-dev in i386/amd64 flavors
Using ESXi 5.0 and pfSense 2.0.1 and 2.1-dev in i386/amd64 flavors from feb/march/april.Same results on other host hardware also (Two DELL Servers with virtualized environment at home for testing purposes.)
Have not tried the VMXNET due to others not seeing any performance gain, only been using virtualized E1000 so far.
What I'm using a lot is VLANs, which might be a contributing culprit for some of us? Assigning VLANs directly in switch configuration in vSphere, or natively in pfSense has had "largely" the same results.
I absolutely love pfSense, now that I've got a hang of it, and have deployed quite a few in different scenarios past few months. But, not to sound negative here, there gotta be something we can do about these high loads in virtualized environments. I had to switch over to bare-metal, on slightly aged HW, on our lab network which is a bit unsatisfying. I loose a bit of my redundancy (if one VM or host fails, just fire up the copy or using HA Sync).
I suppose it's underlying FreeBSD issue?
I don't really know how to set up something similar in any of the *BSD flavors, and honestly can't find the time to learn currently, but surely one of you guys could test a simple routing setup using FreeBSD/OpenBSD/NetBSD and see if there's the same performance issue? (Maybe with/without VLAN incl. trunking/non-native.) -
Just let you know, there are one more case for reference.
I have tested the pfsense with the follow spec
- DELL 9200
i)Build-in LAN 82566DC Gigabit LAN Cards
ii)3 Intel 82541 Gigabit LAN Cards - VM under ESXi-5-U1
i)Setting: only one pfsense VM with FreeBSD 64bit
ii)2 e1000 virtual LAN Cards
iii)1 vCPU, 1024MB RAM - pfsense with "Open VM Tools package", "Snort" installed
i) Assigned one LAN for each interfaces(WAN, LAN)
Result:
I have just started the machine to test the stability, not even use it. It will freeze after a day. The freeze will only in the VM level, not affect the ESXi.Please let me know if you need any information from my setting as well. Since this is only a test machine, i wanna to put the pfsense in the DELL R610 later. But the migration will be on held at the moment. Thanks for any fix for the issue.
- DELL 9200
-
Have you tried enabling vt-d and passing the intel nics directly to pfsense?
-
So you want to risk frontend firewall with direct contact with the physical Nics on the server?
Uninstall the vmtools package and reboot. Sed if it solves the issue…
1.2.3 doesnt have any of this at all. Running in about 3% on the physical server.
-
Have you tried enabling vt-d and passing the intel nics directly to pfsense?
Just checked with test system (DELL 9200) is not support pass-thr even the motherboard is enabled vt-d.
But why can't i just use 2 virtual lan cards and connect each of them to a separate v-switch. And let other 2 real lan cards to connect the v-switches.
It will be the same as setting as you suggested. -
Anyone solved this???
Has anyone tried without the VmTools package??
-
I'm having the same problem running pfSense on ESXi 5.
I have also tried without vmTools package installed but the result is the same, CPU usage is extremely high.Things that needs to be sorted out:
Does everybody running pfSense on ESXi 4/5 see this high CPU usage?
Is this problem related to FreeBSD or is it related to pfSense? -
I dont see it on the 1.2.3 version.
Pls test on your system to verify.
-
Certainly no problem here.
ESXi 5.0.0 build 623860
2.0.1-RELEASE (i386) built on Mon Dec 12 18:24:17 EST 2011 with VMtools package installed
HP dc7900 SFF Core2 duo E7600 3.06 GHz with 8 GB and four Intel NICs (inc. 1 on board) -
test the performance graph instead in ESXi instead of the one in PFSense….
-
Hi everyone,
I had the same issue running pfsense V2.0.1 on KVM.
I noticed that I had some systeme- time issues (I'm running on a mobile CPU).
I resolved it with the following options:
Go to the shell, and with vi edit the following files:- /etc/sysctl.conf: append: kern.timecounter.hardware=TSC ….at the end
- /boot/loader.conf: append: kern.hz="100" ....at the end
...restart, so far - CPU usage OK ;)
Good luck,
Cheers,
Chris -
- /etc/sysctl.conf: append: kern.timecounter.hardware=TSC ….at the end
- /boot/loader.conf: append: kern.hz="100" ....at the end
...restart, so far - CPU usage OK ;)
Thanks for the tip :).
But no-go on my end ???. Still the same, running @ 1800-2400 MHz(according to ESXi) for only 20 Mbps traffic.
pfSense shows only 4% CPU usage.It sounds to me that it must be close to the network part between the guest(pfSense higher than 1.2.3) and host.
Because my 1.2.3 guest that only has approx. 1,2 Mbps of traffic shows approx. 29 MHz according to ESXi.I am running a Sony Ericsson USB connected UMTS cellular phone as a backup WAN. Have not excluded it as
the culprit. That is the reason why i have a pfSense 2.x running, because of the UMTS backup.
1.2.3 did not have support for these kind of connections so it takes care of a different part of the network. -
I would try "harder" to eliminate the VMWare CPU throttling effects… did you try something like this: http://communities.vmware.com/thread/87794
...reading:
Add in /boot/loader.conf:Disable CPU frequency/voltage throttling control
hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1Disable local APIC timers (FreeBSD 8+)
hint.apic.0.clock=0
Reduce interrupt rate (at the cost of slightly increases response time)
kern.hz=100
Saves 128 interrupts per second per core at the cost of reduced scheduling precision
hint.atrtc.0.clock=0
Add in /etc/rc.conf:
Turn off all CPU core clocks on idle
performance_cx_lowest="C2"
economy_cx_lowest="C2"Disable background fsck at boot
background_fsck="NO"
also, are you getting the high CPU only on traffic or also when there is zero activity?
Did I get that right that you forward the USB- modem to the guest?Cheers,
Chris -
I would try "harder" to eliminate the VMWare CPU throttling effects… did you try something like this: http://communities.vmware.com/thread/87794
...reading:
Add in /boot/loader.conf:Disable CPU frequency/voltage throttling control
hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1Disable local APIC timers (FreeBSD 8+)
hint.apic.0.clock=0
Reduce interrupt rate (at the cost of slightly increases response time)
kern.hz=100
Saves 128 interrupts per second per core at the cost of reduced scheduling precision
hint.atrtc.0.clock=0
Add in /etc/rc.conf:
Turn off all CPU core clocks on idle
performance_cx_lowest="C2"
economy_cx_lowest="C2"Disable background fsck at boot
background_fsck="NO"
Will give it a try in the morning(in about ten hours).
also, are you getting the high CPU only on traffic or also when there is zero activity?
Don't know. Will have to pull the plug to the primary, secondary and tertiary routes to get zero activity. Will give it a try in the morning.
Did I get that right that you forward the USB- modem to the guest?
Correct. Using it as a tertiary WAN for my personal network part.
-
Add in /boot/loader.conf:
Disable CPU frequency/voltage throttling control
hint.p4tcc.0.disabled=1
hint.acpi_throttle.0.disabled=1Disable local APIC timers (FreeBSD 8+)
hint.apic.0.clock=0
Reduce interrupt rate (at the cost of slightly increases response time)
kern.hz=100
Saves 128 interrupts per second per core at the cost of reduced scheduling precision
hint.atrtc.0.clock=0
Add in /etc/rc.conf:
Turn off all CPU core clocks on idle
performance_cx_lowest="C2"
economy_cx_lowest="C2"Disable background fsck at boot
background_fsck="NO"
No-go. Same result. Did not set background_fsck="NO".
also, are you getting the high CPU only on traffic or also when there is zero activity?
pfSense 2.0.1 346-373 MHz when there is zero activity. About 4905 MHz when download client(Windows guest inside on the same host) only uses 1706 MHz. Pressed the disconnect button inside interfaces to disconnect the USB WWAN connection. pfSense 1.2.3 0 MHz when there is zero activity.
Both guests on same host. They share the same physical interfaces for primary WAN, secondary WAN and LAN. pfSense 2.0.1 also uses a physical interface for WLAN network for passthrough to Captive Portal.