Netmap not supported for Intel X553 driver in pfSense 2.5.0
-
@kiokoman said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
why are you using pfsense 2.5.0 and not 2.4.5 then? it's not ready for production and it migrated to freebsd 12.1 only a couple of weeks ago
also I don't think anyone here can help you with this, it's something that intel/freebsd should do upstream
I wanted to test 2.5.0, it's pretty solid besides the Netmap issue. Maybe pfSense 2.5.0 is not ready for production but what about FreeBSD 12.1, it isn't ready also? A great part of pfSense is still FreeBSD, and it seems nobody knows about this. If nobody will test, how we will find this issues?
Don't get me wrong, I'm not trying to point fingers, just to find a solution if possible, and if not just to report stuff, and if there is no solution, sure I will revert back to a previous version, but why shouldn't we benefit somehow from this in advance?
-
I got the following response from Intel:
The issue now is if I go with the driver included I got very low speeds ~150 Mbs/s, and I can't tune the interface because some parameters are missing:
sysctl hw.ix on 12.0-RELEASE:
---
hw.ix.enable_rss: 1
hw.ix.enable_fdir: 0
hw.ix.unsupported_sfp: 0
hw.ix.enable_msix: 1
hw.ix.advertise_speed: 0
hw.ix.flow_control: 3
hw.ix.max_interrupt_rate: 31250
---
sysctl hw.ix on 11.3-RELEASE:
---
hw.ix.enable_rss: 1
hw.ix.enable_legacy_tx: 0
hw.ix.enable_fdir: 0
hw.ix.unsupported_sfp: 0
hw.ix.rxd: 2048
hw.ix.txd: 2048
hw.ix.num_queues: 8
hw.ix.enable_msix: 1
hw.ix.advertise_speed: 0
hw.ix.flow_control: 0
hw.ix.tx_process_limit: -1
hw.ix.rx_process_limit: -1
hw.ix.max_interrupt_rate: 31250
hw.ix.enable_aim: 1
Also I found this issue with the same chipset:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239704
How can I enable or fine tune the interface with the new iflib driver?
This is what I got from sysctl dev.ix.3:
dev.ix.3.iflib.driver_version: 4.0.1-k
dev.ix.3.%parent: pci7
dev.ix.3.%pnpinfo: vendor=0x8086 device=0x15e5 subvendor=0x8086 subdevice=0x0000 class=0x020000
dev.ix.3.%location: slot=0 function=1 dbsf=pci0:8:0:1 handle=\_SB_.PCI0.VRP1.LAN3
dev.ix.3.%driver: ix
dev.ix.3.%desc: Intel(R) PRO/10GbE PCI-Express Network Driver
How can I enable the missing parameters or fine tune the interface with the new iflib driver?
-
did you try https://www.freshports.org/net/intel-ix-kmod/ ?
already compiled available here https://drive.google.com/drive/folders/1fM-Jlmf8BY21kIEGueSxFWmrISZqcDj3
if_ix_updated.ko
it is built for freebsd 12.1 / pfsense 2.5.0 latest snapshot
copy to /boot/modules
create /boot/loader.conf.local with
if_ix_updated_load="YES"
reboot
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: kldstat
Id Refs Address            Size    Name
 1   30 0xffffffff80200000 38cefb0 kernel
 2    1 0xffffffff83ad0000 58f30   if_ix_updated.ko
 3    1 0xffffffff83d1a000 ff0     cpuctl.ko
 4    1 0xffffffff83d1b000 2698    intpm.ko
 5    1 0xffffffff83d1e000 b40     smbus.ko
 6    1 0xffffffff83d1f000 8c90    aesni.ko
 7    1 0xffffffff83d28000 10e48   dummynet.ko
 8    1 0xffffffff83d39000 27d8    vmmemctl.ko
 9    1 0xffffffff83d3c000 2e78    vmblock.ko
[2.5.0-DEVELOPMENT][root@pfSense.kiokoman.home]/root: cat /boot/loader.conf.local
if_ix_updated_load="YES"
-
@kiokoman
I tried already, but I tried with your module also:
[2.5.0-DEVELOPMENT][root@Entaro.Blueshift]/root: kldstat
Id Refs Address            Size    Name
 1   17 0xffffffff80200000 38cefc0 kernel
 2    1 0xffffffff83acf000 eed8    aesni.ko
 3    1 0xffffffff83adf000 58f30   if_ix_updated.ko
 4    1 0xffffffff84011000 ff0     cpuctl.ko
 5    1 0xffffffff84012000 37e8    cryptodev.ko
 6    1 0xffffffff84016000 b28     coretemp.ko
The idea is if I load if_ix_kmod in /boot/modules/ or if I compile from Intel site and copy if_ix.ko to /boot/kernel, Netmap will not run in Native mode, so I achieve nothing. This process works well with FreeBSD 11.2, 11.3, but not above. The driver cannot be compiled with Netmap support, at least that I have understood from Eric's mail.
From Suricata log:
31/5/2020 -- 16:28:38 - <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for ix3, error Operation not supported
31/5/2020 -- 16:28:38 - <Info> -- Going to use 1 thread(s)
31/5/2020 -- 16:28:38 - <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix3/R failed: Operation not supported
I started netmap with dev.netmap.admode:1 in loader.conf.local which forces Netmap to start in Native mode, or otherwise fail.
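
The Suricata errors quoted above can be turned into a per-interface check that flags when an inline IPS interface never opened through netmap. This is an added example, not part of the original post and not Suricata or pfSense code; the sample log is the three lines from the post, the admode meanings are those documented in netmap(4), and the function names are illustrative.

```python
import re

# Constructed sample input: the three Suricata lines quoted in the post above.
SAMPLE_LOG = """\
31/5/2020 -- 16:28:38 - <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - Couldn't query netmap for ix3, error Operation not supported
31/5/2020 -- 16:28:38 - <Info> -- Going to use 1 thread(s)
31/5/2020 -- 16:28:38 - <Error> -- [ERRCODE: SC_ERR_NETMAP_CREATE(263)] - opening devname netmap:ix3/R failed: Operation not supported
"""

# Suricata line layout as it appears in that excerpt:
#   D/M/YYYY -- HH:MM:SS - <Level> -- [ERRCODE: NAME(num)] - message
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) -- (?P<time>\d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>\w+)> -- "
    r"(?:\[ERRCODE: (?P<code>\w+)\((?P<num>\d+)\)\] - )?(?P<msg>.*)$"
)
# The two failure messages seen in the excerpt; both name the interface.
FAIL_RES = (
    re.compile(r"query netmap for (?P<iface>[\w.]+), error (?P<reason>.+)$"),
    re.compile(r"devname netmap:(?P<iface>[\w.]+)\S* failed: (?P<reason>.+)$"),
)
# dev.netmap.admode values as documented in netmap(4).
ADMODE = {0: "native if available, else emulated",
          1: "native only, fail otherwise",
          2: "emulated only"}


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def netmap_failures(log_text):
    """Return {iface: [(timestamp, reason), ...]} for SC_ERR_NETMAP_CREATE lines."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["code"] != "SC_ERR_NETMAP_CREATE":
            continue
        for rx in FAIL_RES:
            m = rx.search(rec["msg"])
            if m:
                stamp = f'{rec["date"]} {rec["time"]}'
                out.setdefault(m["iface"], []).append((stamp, m["reason"]))
                break
    return out


def assess(log_text, admode):
    """Summarise each interface Suricata could not open through netmap."""
    findings = []
    for iface, events in sorted(netmap_failures(log_text).items()):
        reasons = sorted({reason for _, reason in events})
        verdict = f"netmap open failed on {iface} with admode={admode} ({ADMODE[admode]})"
        if admode == 1 and "Operation not supported" in reasons:
            verdict += "; the loaded driver offered no native netmap support"
        findings.append({"iface": iface, "count": len(events),
                         "first_seen": events[0][0], "reasons": reasons,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_LOG, admode=1):
        print(f["first_seen"], f["verdict"], f"({f['count']} errors)")
```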
-
did you try snort ?
-
@kiokoman I've installed it just now, the speed is actually worse ~ 98 Mbs/s. I don't see any startup entries or logs like Suricata have. There is one alert.log which is a txt format, and two logs in pcap format that I have read with tcpdump, but I cannot find nothing related to Netmap.
Maybe if you are more familiar with Snort:
[2.5.0-DEVELOPMENT][root@Entaro.Blueshift]/var/log/snort/snort_ix322137: ls -al
total 488
drwxr-xr-x 3 root wheel    512 May 31 18:15 .
drwxr-xr-x 3 root wheel    512 May 31 18:13 ..
-rw-r--r-- 1 root wheel 101523 May 31 18:21 alert
-rw-r--r-- 1 root wheel      0 May 31 18:13 app-stats.log
drwxr-xr-x 2 root wheel    512 May 31 18:13 barnyard2
-rw------- 1 root wheel    100 May 31 18:15 snort.log.1590938061
-rw------- 1 root wheel 377805 May 31 18:21 snort.log.1590938143
-
Netmap has turned out to be a big disappointment to me. I had very high hopes in the beginning when I first included netmap support in Suricata, and later in Snort on pfSense-2.5, that Inline IPS Mode with netmap would be a fantastic feature in both packages. However, the reality has been that the various NIC drivers seem to haphazardly support netmap operation, and the internal coding and exposed API of the netmap kernel device itself has changed several times over the last couple of years or so. Based on that, no wonder the NIC drivers have a hard time keeping up. So netmap operation is failing to live up to its promise.
Snort probably has the slower performance under emulation mode than Suricata due to the fact the Snort implementation is a bit older and uses the API version that only exposed a single host ring. The latest netmap API exposes multiple host rings if the NIC driver supports them.
-
The idea is as I'm testing it right now, it will be impossible to run Suricata or Snort anymore, with this iflib framework. On Linux works ok, I can reach from 620 to 960 Mbps so it's not a hardware issue.
Also it worked at full speed on FreeBSD 11.2, I think maybe it's not only Netmap but this iflib framework that Intel talks about.
I used Snort only to respond to @kiokoman for testing, but I'm not able to tell from logs in which mode NETMAP started like in Suricata. Do you know how?
Also there is somehow the possibility that NETMAP will start to emulated mode regardless of dev.netmap.admode:1 setting with iflib framework? I'm thinking maybe this iflib framework hides or doesn't report correctly the starting mode?
On FreeBSD 11.2 for example I achieved full speed only after I compiled my own driver, so I had:
- NETMAP native mode : 600 - 960 Mbs/s - with Intel compiled driver
- NETMAP emulated mode: 150 Mb/s - with included FreeBSD driver in pfSense installation
On FreeBSD 12.1 I have:
- Netmap native mode(at least that's what the system reports) : 150 Mbs/s - with included FreeBSD driver in pfSense installation
- Netmap emulated mode: 150 Mbs/s - with Intel driver compiled from Intel site, or from FreeBSD source: intel-ix-kmod
I don't know what to ask anymore. Only one question, what will we do with Suricata or Snort when pfSense 2.5.0 will be production ready?
-
Be careful with the term "pfSense driver" as that is not really accurate. There are no "pfSense drivers" at all. They simply use what is included by default from upstream FreeBSD according to the FreeBSD version they are using.
Now on to the topic at hand --
I am not a netmap device expert by any means. I have also read a limited amount about the iflib framework. Still have not fully digested what little bit I did read about it, but I understand it to be yet another new gizmo for abstracting stuff. That seems to be the favorite pastime of developers these days -- abstracting things in layer upon layer of additional software to supposedly make it all easier to use. Well, I'm not 100% convinced, but then nobody asked me anyway ... .
When it comes to trendy hardware support (and that would include things like netmap, NIC drivers and so forth), Linux is better than FreeBSD. So living with less than optimum hardware support is just one of the things we must accept when using a FreeBSD platform.
As for what happens with Snort and Suricata in pfSense-2.5, well, Legacy Mode still works and should continue working. Of course it is not ideal when it comes to IPS. On the other hand, the utility of an IDS/IPS is steadily diminishing as more and more traffic becomes end-to-end encrypted. The rules have less and less traffic to actually inspect in any meaningful way.
-
By pfSense driver I've meant the default driver, and to point out I did nothing to change it. You are correct it comes from FreeBSD not from pfSense. I will change the term.
For the rest, what is to be said. I like your diplomacy
-
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
I understood that NETMAP is disabled on FreeBSD 12.1, as someone kindly provided this line:
That is not true ... in FreeBSD 12.0/12.1, Netmap had been moved to IFLib.
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
How can I enable or fine tune the interface with the new iflib driver?
You cannot. The problem is currently FreeBSD 12.0 and 12.1 is still using the old Intel Pro1000 driver instead of Intel 25 driver released in January 2020. The solution is either wait for FreeBSD to incorporate the new driver into FreeBSD 12.1 or encourages pfSense to incorporate it in pfSense 2.5 final release.
I really wished it was easy for us to install driver updates than having to wait for it to be compiled by FreeBSD ... that's why I am encouraging pfSense to do it since the NIC is the essence of a firewall.
-
- Why we must wait for upstream, the driver and the framework it's not open source? Or maybe not the Intel driver.
- It requires recompilation of the kernel?
- There is no new compatible driver with iflib from Intel?
I noticed that you talked with Luigi. I sent an email to him and he introduced me to two of his friends: Vincenzo Maffione and Giuseppe Lettieri. Should I go further with asking them for a solution, or your investigation with Luigi points to the conclusion that the Netmap implementation is fine?
What about the parameters that we used to tune for getting the right buffers, queues, etc. My understanding is that all of those have different names now, and we have to tune them through iflib, before Intel driver is even loaded. All the tutorials are now obsolete?
I don't think it's ok for us to play a waiting game here, we may see the final version omitting this issue, due to lack of upstream implementation
I also started a topic on FreeBSD forums here https://forums.freebsd.org/threads/intel-x553-driver-support-for-freebsd-12-1.75588/ maybe you can drop a line there also, someone may see it.
I will also sent this issue to FreeBSD e-mail group freebsd-net@freebsd.org if you didn't do this already
Thank you
-
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
It requires recompilation of the kernel?
Yes, I wish I knew how to do it ... it can take up to 18Hrs to compile. The compatible driver is the Pro1000 which I am using now.
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
he introduced me to two of his friends: Vincenzo Maffione and Giuseppe Lettieri
I had communicated with Vincenzo ... cool dude, went out-of-his way to explain the situation.
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
I don't think it's ok for us to play a waiting game here, we may see the final version omitting this issue, due to lack of upstream implementation
That why I believe it is pfSense responsibility to make sure releases have the latest drivers for NIC and stop leaving it up to FreeBSD ... without the NIC, the firewall is useless. Unfortunately, addressing the issue on FreeBSD forum is a moot point because they think or believe it's pfSense responsibility. They don't encourage discussion on pfSense. Pretty soon pfSense 2.5RC will be out; so, we need folks making noise.
-
@NollipfSense Thanks for your input, but I'm not following on the following:
@NollipfSense said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
You cannot. The problem is currently FreeBSD 12.0 and 12.1 is still using the old Intel Pro1000 driver instead of Intel 25 driver released in January 2020.
How do you know what driver version FreeBSD 12 is using? All I can see is:
dev.ix.3.iflib.driver_version: 4.0.1-k
dev.ix.3.%desc: Intel(R) PRO/10GbE PCI-Express Network Driver
By 25 version of the driver I think you are referring to this ?
https://downloadcenter.intel.com/download/22283/Intel-Ethernet-Adapter-Complete-Driver-Pack
But if go for PRO 1000 specifically you will find that the latest version for FreeBSD is 2.5.14 or 7.7.8 depending the card
For my chipset X553 it uses PROXGB driver:
and the last version is from last year:
https://downloadcenter.intel.com/download/14688/Intel-Network-Adapters-Driver-for-PCIe-10-Gigabit-Network-Connections-Under-FreeBSD-?wapkw=intel%20x550%20network
So I think it should have been included by now, but I can't tell because the system reports 4.0.1-k.
What is your status now, are you using NETMAP in emulated mode, not at all and you are waiting for this to get fixed?
Thank you
-
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
How do you know what driver version FreeBSD 12 is using?
I have been trying to remember the command since you had sent me a message.
[2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root: dmesg igb0 grep
usage: dmesg [-ac] [-M core [-N system]]
[2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root: dmesg igb0 | grep
usage: dmesg [-ac] [-M core [-N system]]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
[2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root:
I know I had used: dmesg
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
What is your status now, are you using NETMAP in emulated mode, not at all and you are waiting for this to get fixed?
Yes, I am using Netmap; however, it in default mode and not in-emulated mode. My NIC is the Intel i350, and I am using Netmap on WAN - Suricata as well as on LAN - Snort, both in-line mode. That's why I had switched to pfSense 2.5.
-
@NollipfSense said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
How do you know what driver version FreeBSD 12 is using?
I have been trying to remember the command since you had sent me a message.
[2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root: dmesg igb0 grep
usage: dmesg [-ac] [-M core [-N system]]
[2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root: dmesg igb0 | grep
usage: dmesg [-ac] [-M core [-N system]]
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
[2.5.0-DEVELOPMENT][admin@NollipfSense.nollipfsense.lan]/root:
I know I had used: dmesg
Maybe I should've told you in advance, I already tried dmesg, but I appreciate your intention to help
If I run : dmesg | grep ix3 I will get:
[2.5.0-DEVELOPMENT][root@Entaro.Blueshift]/root: dmesg | grep ix3
ix3: <Intel(R) PRO/10GbE PCI-Express Network Driver> mem 0x7d7f400000-0x7d7f5fffff,0x7d7f800000-0x7d7f803fff at device 0.1 on pci7
ix3: Using 2048 TX descriptors and 2048 RX descriptors
ix3: Using 4 RX queues 4 TX queues
ix3: Using MSI-X interrupts with 5 vectors
ix3: allocated for 4 queues
ix3: allocated for 4 rx queues
ix3: Ethernet address: ac:1f:6b:45:fa:8b
ix3: netmap queues/slots: TX 4/2048, RX 4/2048
ix3: link state changed to UP
ix3: link state changed to DOWN
ix3: link state changed to UP
So I will not get anything.
The only way I can get something is using sysctl like this sysctl dev.ix.3
The result is:
dev.ix.3.iflib.driver_version: 4.0.1-k
dev.ix.3.%parent: pci7
dev.ix.3.%pnpinfo: vendor=0x8086 device=0x15e5 subvendor=0x8086 subdevice=0x0000 class=0x020000
dev.ix.3.%location: slot=0 function=1 dbsf=pci0:8:0:1 handle=\_SB_.PCI0.VRP1.LAN3
dev.ix.3.%driver: ix
dev.ix.3.%desc: Intel(R) PRO/10GbE PCI-Express Network Driver
Yes, I am using Netmap; however, it in default mode and not in-emulated mode. My NIC is the Intel i350, and I am using Netmap on WAN - Suricata as well as on LAN - Snort, both in-line mode. That's why I had switched to pfSense 2.5.
But if you are using Netmap in NATIVE mode, what is your issue then ? Or it got fixed after you updated to FreeBSD 12.1 by default? What speeds do you achieve?
My issue is that I have a very high speed penalty.
With FreeBSD 12.1 default driver I get 150 Mbs/s, and NETMAP starts in NATIVE mode
If I compile my own driver I will get the same speed, but NETMAP will not start in NATIVE mode, only in emulated mode
In comparison with FreeBSD 11.2 where I got between 800-960 Mbs/s it's a huge difference.
Thank you
-
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
But if you are using Netmap in NATIVE mode, what is your issue then ?
The current driver when in iflib does not allow traffic graph to show. That's great info to have on the WebGUI at a glance. The new driver should make that happened.
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
If I compile my own driver I will get the same speed, but NETMAP will not start in NATIVE mode, only in emulated mode
In comparison with FreeBSD 11.2 where I got between 800-960 Mbs/s it's a huge difference.
Did you compile with the new Intel 25 driver? I take it yes ... wow that a hell of a difference.
-
@NollipfSense said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
But if you are using Netmap in NATIVE mode, what is your issue then ?
The current driver when in iflib does not allow traffic graph to show. That's great info to have on the WebGUI at a glance. The new driver will make that happened.
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
If I compile my own driver I will get the same speed, but NETMAP will not start in NATIVE mode, only in emulated mode
In comparison with FreeBSD 11.2 where I got between 800-960 Mbs/s it's a huge difference.
Did you compile with the new Intel 25 driver? I take it yes ... wow that a hell of a difference.
I'm using 25.1 even, but I think you are referring to the driver package rele
On FreeBSD 11.2 it worked this way, compile the driver and override the ko in /boot/kernel/ or copy as a module in /boot/modules. Sure, adding the proper line in loader.conf.local is also needed
On FreeBSD 11.3,12.1 if I compile my own driver I will achieve nothing, because my own compilation, will not include NETMAP native support due to iflib framework, hence it will run in Emulated mode at 150 Mbs/s, and if I go with the FreeBSD 12.1 driver, NETMAP will start in Native mode, but I will achieve the same speed 150 Mbs/s, so something is not right with the driver.
I contacted you because in your thread here: https://forum.netgate.com/topic/144979/porting-bge-driver-to-iflib/5
you mentioned you had problems with NETMAP Native support and you attempted to compile some drivers.
In this context we have the same issue I think. Can you elaborate, what was your status with BGE in the end?
Thank you
-
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
Can you elaborate, what was your status with BGE in the end?
So, I had bought an Apple Mac Mini server (2011) because I am a Mac user and I like the small form factor; however, it uses Broadcom NIC hence, the BGE. I wanted to port the driver, but it was too much work for me as a newbie to porting. So, the solution was to get a thunderbolt PCI enclosure (Akitio) and placed the Intel i350 in it. That also allows me to upgrade to the 10GBe NIC when I move to an area with fiber.
-
@NollipfSense said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:
Can you elaborate, what was your status with BGE in the end?
So, I had bought an Apple Mac Mini server (2011) because I am a Mac user and I like the small form factor; however, it uses Broadcom NIC hence, the BGE. I wanted to port the driver, but it was too much work for me as a newbie to porting. So, the solution was to get a thunderbolt PCI enclosure and placed the Intel i350 in it. That also allows me to upgrade to the 10GBe NIC when I move to an area with fiber.
- With i350 Netmap works by default, no tinkering from your side whatsoever?
- I don't mind recompiling the kernel, but your steps from that thread are accurate?
- I am asking you because you said it's a lot of waiting, trial and error,etc, and I don't want to reach step 5 for example, and see it's "a no go", but if Luigi explained it to you, then it must work, right?
- Did you get the chance to do a speed test on Fiber?
Thank you