Installing pfSense on a Supermicro 5018A-FTN4 SuperServer
-
That section of the guide is 100% aimed at troubleshooting, not tuning. If you're having trouble, try those things, if not, leave them alone.
nmbclusters only needs to be high enough to make sure you don't max out mbuf (visible on the main page of pfsense once you log in). My C2758 system at home uses 51200. My systems at work with 8 cores, (12) igb NICs, and (2) ix NICs use 262144. In any case, 655356 is way too high unless you've got a 32 core box, 24 NICs, or something similar.
As to the number of queues, there was a point where the igb NICs performed better and were more stable when limited to a single queue. It also meant that you could run with a lower nmbclusters value since the amount needed was bound to # CPU cores * # of NICs * # of Queues. Stability and performance are no longer valid reasons: as far as I can tell, there is no longer any difference when dealing with 1Gb/s of traffic whether you're using 1 queue or 8, and the multi-queue stability issues disappeared with the newest 2.4.0 igb drivers in 2.1.1/2.1.2.
Basically, don't override a driver default unless you have a good reason. You probably don't.
-
Have the same board and setup; however, when trying to boot in single user mode I get stuck at
ACPI APIC TABLE < INTEL TIANO >
-
Have the same board and setup; however, when trying to boot in single user mode I get stuck at
ACPI APIC TABLE < INTEL TIANO >
Sounds like you're trying to use one of the USB 3.0 ports. Switch to a 2.0 port and give it another try.
-
Just to chime in:
We used the values in the link above (https://forum.pfsense.org/index.php?topic=74772.msg408961#msg408961) as we have a system with an octo-core CPU and a possible second CPU socket (ATM empty) as well as 10igb NICs in the system, so we had quite a few issues booting with mbufs and queues gone completely bonkers ;)
The values we used were taken from a redmine ticket months ago and nodded at by JimP and ChrisB in our special case. I only mentioned them for troubleshooting and diagnosis, not for general tuning :)
Lower settings may apply for other devices (C2750 isn't quite as problematic as Xeon E5/7 we used).
Greets
-
Two questions:
- what's the max speed which can be achieved between two interfaces with this newer atom CPU?
- does the I354 nic handle VLAN tagging well?
-
Has anyone been able to get to the console via Serial-Over-LAN? Or are we all using KVM?
-
Two questions:
- what's the max speed which can be achieved between two interfaces with this newer atom CPU?
- does the I354 nic handle VLAN tagging well?
I haven't bothered to test more than 1Gbit/s of throughput (in one port, out the other). The numbers I saw were close enough to line-speed that I'd say it can do at least that much.
Yes, in as far as I've tested at home, which is to say that I have one test vLAN setup on a single port and it probably handles about 2MB of traffic a day. It's a high-end Intel NIC. It's fine.
Has anyone been able to get to the console via Serial-Over-LAN? Or are we all using KVM?
I just use the KVM since I'm running a full install.
-
dogbait,
did you have to change any settings in the bios of that board to get it to detect the drive with the ahci module? I have been unable to get my system to boot with the ahci_load line in my boot config. I did double check the bios settings and everything looks fine from the factory for those options. I also don't see any of my drives listed when it fails to find it during boot.
-
So I figured out the ahci issue when enabling trim for the SSD I was using. I attempted to use a Crucial M500 which uses a Marvell controller and no matter which settings I changed in the BIOS it refused to mount the / file system if you had ahci enabled despite having the proper fstab entries.
I tried swapping the M500 out for a Samsung Evo 840 and it solved the problem. I was able to install then enable AHCI without any trouble.
Hope this helps others.
-
Hi cfipilot
Did you ever get past that point?
I too get stuck at:
ACPI APIC Table: <INTEL TIANO>
I first install the system to the SSD. Then I start to do the modifications. When getting to the point of logging in as single-user the system hangs at the point above. It is an Intel SATA SSD.
-- SOLVED --
I could not boot the server in single-user mode, so I ended up reverting the patch that has made it difficult to enable TRIM.
I reverted this commit (just copy-pasted it back in place):
http://freshbsd.org/commit/pfsense/aa87bae5fc11a857c9dc7793fc4a932cc860e94a
Then created the file (will make the code above enable TRIM):
/root/TRIM_set
And did a reboot. That solves the "enable trim" without being in single-user mode.
-
Does pfSense 2.2 run well on this?
-
The 2.1.5 seems to install "as is".
The same seems to go for 2.2… You always need to increase mbuf.
I have tried one upgrade from 2.1.5 to 2.2 that crashed the system and required a reinstall. So be close to your box when upgrading.
I have had two of these boxes running pfsense 2.2. One was (and is) running with no problems at all. The other had a serious DNS problem so clients on LAN could not resolve addresses. I think I caused the DNS error and not incompatibility between hardware and pfsense. But pay attention anyway.
Regarding TRIM if you use SSD then:
This part is tricky and could be subject to change…
https://forum.pfsense.org/index.php?topic=66622.msg364411#msg364411
Login with SSH and open the shell.
Run: /usr/local/sbin/ufslabels.sh
press 'y' to accept
Add the line ahci_load="YES" to /boot/loader.conf.local
reboot the machine
##EITHER REMOTE:
Revert patch by editing /root/rc
http://freshbsd.org/commit/pfsense/aa87bae5fc11a857c9dc7793fc4a932cc860e94a
Login with SSH and open the shell
touch /root/TRIM_set; /etc/rc.reboot
##ELSE IF YOU HAVE LOCAL ACCESS
Login as single user and run:
/sbin/tunefs -t enable /
/etc/rc.reboot
Once the machine has rebooted check the status with: tunefs -p /
See if trim enabled is in the output
-
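The TRIM steps in the post above can be checked with a small script. This is an added example, not part of the original post or of pfSense: the function names ensure_loader_line and trim_status are hypothetical, the sample report is constructed, and the report layout is assumed to follow FreeBSD's tunefs -p output.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of pfSense.
# Assumption: `tunefs -p` reports a line ending in "enabled" or "disabled"
# for "trim: (-t)". FreeBSD writes that report to stderr, hence the 2>&1.

# ensure_loader_line FILE: add ahci_load="YES" exactly once.
ensure_loader_line() {
    file=$1
    line='ahci_load="YES"'
    touch "$file" || return 1
    if grep -qxF -- "$line" "$file"; then
        echo "unchanged"
        return 0
    fi
    # If the last line lacks a newline, add one so the entries do not fuse.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$line" >> "$file"
    echo "added"
}

# trim_status: read a `tunefs -p` report on stdin;
# print enabled, disabled or unknown.
trim_status() {
    awk '/trim:/ { state = $NF }
         END {
             if (state == "enabled" || state == "disabled") { print state }
             else { print "unknown" }
         }'
}

# Constructed sample report (not captured from a real system).
sample_report() {
    cat <<'EOF'
tunefs: POSIX.1e ACLs: (-a)                                disabled
tunefs: soft updates: (-n)                                 enabled
tunefs: trim: (-t)                                         disabled
EOF
}

# On the firewall itself:
#   ensure_loader_line /boot/loader.conf.local
#   tunefs -p / 2>&1 | trim_status
sample_report | trim_status
```
-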
Nice boxes and I bought a pair on the basis of this thread but the network throughput seems poor.
I've got two of them with CARP enabled and doing an iperf test on the CARP interfaces (igb1 on both boxes connected by a 4" cable so no switch involved) I'm only seeing ~550Mb/s (larger iperf windows don't make any difference).
Client connecting to 10.10.1.1, TCP port 5001
TCP window size: 65.0 KByte (default)
------------------------------------------------------------
[ 3] local 10.10.1.2 port 64350 connected with 10.10.1.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 654 MBytes 547 Mbits/sec
The NIC's are coming up at a gigabit as you'd expect:
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 0c:c4:7a:32:5c:31
    inet6 fe80::ec4:7aff:fe32:5c31%igb1 prefixlen 64 scopeid 0x2
    inet 10.10.1.1 netmask 0xffffff00 broadcast 10.10.1.255
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
I've increased the nmbclusters to 1,000,000 (as suggested on the pfSense website), tried playing with turning off TSO but never seem to see much more than half a gig.
I'm running pfSense 2.2.1-RELEASE (amd64), 8GB RAM and a pair of 128GB Samsung Evo pro drives in a GEOM Mirror.
As I have a gigabit fibre arriving in a few weeks and I've put these boxes together to replace our aging IPcop firewalls, I really would like to get them running as close to a gigabit as possible.
Anyone got any suggestions as to what I can try?
-
Don't know if this will do it. But if you use the shaper, then try to disable the "Explicit Congestion Notification". It seems to "eat" a lot of throughput in my networks at least.
-
That's a config issue somewhere, these are capable of way greater speeds than you are seeing. Don't worry, we just need to find the turbo trigger :)
-
I wish I knew where this turbo trigger was! :)
For fun I connected igb2 on each box as OPT2 (so there was no chance of CARP interfering) and tried iperf on that link:
Client connecting to 10.9.8.2, TCP port 5001
TCP window size: 65.0 KByte (default)
------------------------------------------------------------
[ 3] local 10.9.8.1 port 54294 connected with 10.9.8.2 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 633 MBytes 531 Mbits/sec
so that's pretty much the same speed on a pair of ports being used for nothing else than the test.
I also tried disabling the disabling (!) of the hardware TSO and LRO in Advanced->Networking. No difference.
I had ntopng installed on one of the boxes…. deleted that and no difference :(
MBuf usage is at 4%, CPU load near zero, 4% RAM used so the systems are basically twiddling their thumbs and doing nothing..... but they still can't pass data between themselves at gigabit speeds. I'm not using shaper.
Can anyone suggest what else I can try or do to get these NICs working?
-
Been doing some more testing and it looks like it's a packet filtering issue rather than the NICs themselves.
Using my test OPT2 'network' (igb2 on both machines connected with a short cable) if I disable all packet filtering (System->Advanced->Firewall) the speed reported by iperf leaps up to 900+Mbit/s
------------------------------------------------------------
Client connecting to 10.9.8.1, TCP port 5001
TCP window size: 129 KByte (WARNING: requested 128 KByte)
------------------------------------------------------------
[ 3] local 10.9.8.2 port 65147 connected with 10.9.8.1 port 5001
[ ID] Interval Transfer Bandwidth
[ 3] 0.0-10.0 sec 1.06 GBytes 912 Mbits/sec
Turning off the packet filtering on just one of the two boxes doesn't improve things; it has to be both.
Firewall wise the packet filtering on OPT2 is simply a pass rule for everything:
The systems are not heavily loaded (load average showing 0) or out of resource.
Quite where this now takes me I don't know. Turning off pfSense's packet filtering doesn't seem like a Good Move :(
-
Firewall wise the packet filtering on OPT2 is simply a pass rule for everything:
You aware the rule does not allow any traffic, right? The rule is for traffic that's never gonna hit the firewall in the first place. Fix the destination!
-
Errr no. ???
If I disable this one and only rule on OPT2 then iperf doesn't connect on the OPT2 network.
However, I've changed the destination to "OPT2 Address"…... and the Bandwidth is still ~550Mb/s unless I disable all packet filtering on both machines.
How do I start debugging this? Any suggestions will be most gratefully received.
-
Your rules are completely wrong, end of story.