Pfsense high cpu usage KVM (Unraid)
-
Hi, i am trying to figure out a nice set-up for all my virtual servers.
Right now i have put all my VM's in a virtual network (vibr0) and added the pfsense to it as a firewall for all the VM's.The issue i am having right now is that the cpu usage is insane high when doing transfers/ speedtests over the firewall or even in the firewall terminal itself.
Altough sometimes the speed i am supposed to get (250mbit/s download) is nearly reached, it comes with 100% cpu usage.
I have done a check were i use speedtest-cli in the command line of the pfsense, and check in another window the cpu usage with top -S -H. This shows the following:
The speed that i got with this test is 150mbit/s download.And according to unraid the cpu usage on the cores was around80% all used by pfsense VM.
I tried:
Switching virtual nic (i started with a virtual intel nic, but have the same results with a vmware network card (vmnetx3)).
Shutting down all other vm's during the testing -> got me better results but still high cpu usage.Does anyone have any clue what might cause this or how to fix?
fyi: i only have one physical nic in my server, which is bridged to my pfsense vm for the network connection. All the other VM's and the pfsense have a connection to vibr0, where IP's are set static.If anyone knows how to fix my issue or can help me i would really appriciate it.
-
What CPU actually is it? What speed is it running at?
If it was an older CPU stuck at, say, 800MHz you might see that sort of usage.
Steve
-
@stephenw10 I am running on an (old-school) FX-8350. Stock speeds, water cooled running at 4ghz max (nearly always at maximum). I pass it trough 2 out of 8 cores, so i was thinking like 2*4000MHz would be enough.
-
Hmm, yeah if that's what it's really getting it should be far more than what is needed for 250Mbps.
What is the output of
sysctl hw.clockrateorsysctl dev.cpu.0?Steve
-
@stephenw10 Heres the output:
Default clock of an fx 8350 is 3.6Ghz. Just know that this is a Virtual Machine. Unraid config over here:
During a speedtest on the pfsense (speedtest-cli with 150mbit download) the clock rates are this on unraid (8 core cpu so 8 speeds):
-
Also a little addon on how it looks in the pfsense WebGui when the firewall is at idle and when doing a speedtest:
During a speedtest top -S -H:
-
From what i have found so far i think this has to do because i am using virtual nic and not a physical nic. Can someone confirm this?
-
It should not just of itself. There are many people running virtualised and not seeing that, including in KVM.
Something about Unraids setup perhaps? I've never run that personally.
Steve
-
indeed , i'm using kvm on my ubuntu server and i don't have this. idk what unraid is so i can't be of any help
-
Maybe i should just try to reïnstall it. Shouldn't be that hard to do. Ill post more after some more testing.
-
A reïnstall made no change, the cpu usage went up on 1 of the cores. during this test i even gave it 8 Cpu core's (4.0ghz) and 4GB of RAM. Download speed was 150mbit. So i have no clue what the option is other than the virtual nic or something...
Sadly i dont have any other nics available to test with. Any suggestions on a step i might try out?Thanks!
-
With vmx NICs you will need to add the following line to /boot/loader.conf.local to get multiple queue support:
hw.pci.honor_msi_blacklist=0Reboot to apply that. Check the output of
vmstat -ito be sure it's creating multiple queues.Be sure all hardware offloading support is disabled in Sys > Adv > Networking.
Steve
-
Hi, Thanks for your reply,
I tried to find the /boot/loader.conf.local file but could only find a /boot/loader.conf
I tried adding it into there ( hw.pci.honor_msi_blacklist=0 ) but still no change.
It has done something because it moved up in the file.During speedtest i get these results with vmstat -i:
And when using the top -S -H command still get the same results.Any other suggestions?
Thanks!
-
you need to create the file
/boot/loader.conf.local
if it's missing
copy inside
hw.pci.honor_msi_blacklist=0
save and reboot -
Yup create the file if it doesn't exist. If you put it in loader.conf it may get overwritten.
However that will only do anything for vmx NICs. You have em NICs there currently.
Steve
-
@stephenw10 Allright, will set them to VMXNET3, reboot, create the file with the line and inform if there are any changes.
Thanks for the help @kiokoman & @stephenw10 !
Creating config file:
-
Okay so further testing will come in later but for now i seem to reach my maximum provider speed on my linux server behind the firewall:
BUT it did drop back down to 14.4Megabyte's per second and go up and down all the time:
Cpu usage seems to have set a bit:
Using SMB protocol i get this from moving a file WAN to LAN:
It's 2 virtual cores are running at nearly full power (cpu 6/7) (cpu 4 is being used on the server side in the LAN network.):
I don't know if this is just a performance bug but speeds seem to have increased, altough cpu usage is still high (compared to the hardware specifications of pfsense)
Changing to a quad core (virtual processor) did not change much either, cpu usage stays high on 2 cores:
Wish i could put my finger on the issue.
-
I still only see one tx queue and one rx queue on each NIC. Does
vmstat -ishow more?I assume you created that file in /boot
Steve
-
yep its placed under /boot/loader.conf.local
vmstat -i during speedtest on server in lan side:
-
I actually don't know how to read the vmstat -i, but i hope you might know more @stephenw10
