Netmap not supported for Intel X553 driver in pfSense 2.5.0

stephenw10

4.0.1-k is the ixgbe driver version used in pfSense 2.5. You can check the source:
https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_5/sys/dev/ixgbe/if_ix.c#L50

Steve

NRgia

@stephenw10 said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

4.0.1-k is the ixgbe driver version used in pfSense 2.5. You can check the source:
https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_5/sys/dev/ixgbe/if_ix.c#L50

Steve

I don't see my chipset in the the source list, maybe that's the issue.
I saw that the version is 4.0.1-k, but I don't find this version on Intel site, that was my dilemma. Before you gave me the link to the github, I couldn't track any changes.
What versioning scheme we have for this drivers ? How can I compare this driver version number to the Intel official site?
I mean I know FreeBSD implements alot of bugfixes, and other optimisations, but I though I could see something like this:

As an example:

FreeBSD 4.0.1-k driver contains the code from Intel driver version 3.3.10 plus the following optimisations,etc

This way I could clearly understand if the driver is old or not, if it's compatible, etc

Do you know where to look for this?

Thank you

stephenw10

@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

vendor=0x8086 device=0x15e5

It is listed though: https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_5/sys/dev/ixgbe/ixgbe_type.h#L146
That is the code it's running.

Steve

NollipfSense

@stephenw10 I thought ixbge was Chelsio's ... no?

kiokoman

ixgbe = intel 10 GbE
i= intel
x = 10
gbe = GbE
GbE= Gigabit Ethernet

stephenw10

Yup, Chelsio uses cxgbe for the same reasons.

Steve

NRgia

@stephenw10 said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

vendor=0x8086 device=0x15e5

It is listed though: https://github.com/pfsense/FreeBSD-src/blob/RELENG_2_5/sys/dev/ixgbe/ixgbe_type.h#L146
That is the code it's running.

Steve

Thank you for pointing me to the code. But I'm not trying to do a code audit.
What I want is, to be able to correlate a Intel driver release with FreeBSD included driver.
There are any standard release notes? (besides fixing this and that, in git)

For example, for IXGBE driver for Linux I have a clear release notes that states that X553 chipset is supported.

Please check the description here:

https://downloadcenter.intel.com/download/14687/Intel-Network-Adapter-Driver-for-PCIe-Intel-10-Gigabit-Ethernet-Network-Connections-Under-Linux-

For the upstream driver, version 4.0.1-k doesn't tell me anything. How can I correlate that version to anything?

I don't think if I should bother you with this, because it's not a pfSense issue, but I need to understand this in order to be able find the root cause.

Thank you

NRgia

I got a very interesting response from Intel, after I asked if their latest release 3.3.10 supports X553 chipsets.

Intel response about the driver.png

To give this response as an real life case scenario, how can I track if the code from Intel's driver release 3.3.14, is included or will be included with FreeBSD upstream driver?

Thank you

NRgia

By comparing the Netgate XG7100 box https://store.netgate.com/pfSense/XG-7100-desktop.aspx

with mine

https://www.supermicro.com/en/products/motherboard/A2SDi-4C-HLN4F

I see it has the same configuration as in SOC, RAM, and I hope NICS.

Also it is recommended for Suricata and Snort.

When I bought mine, I was looking over the Netgate XG7100 configuration, to find something close, and I think the Supermicro board is at close at it gets.

My question is, why the Supermicro board has issues with Netmap, and I got speeds as low as 150 Mbs/s?

The speeds are the same with Netgate box? Is there any custom Intel driver for it? Should I need to tweak something?

I don't think that Netgate's box transfer speeds are bad as Supermicro's box.
Any opinion on this?

Thank you

bmeeks

@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

By comparing the Netgate XG7100 box https://store.netgate.com/pfSense/XG-7100-desktop.aspx

with mine

https://www.supermicro.com/en/products/motherboard/A2SDi-4C-HLN4F

I see it has the same configuration as in SOC, RAM, and I hope NICS.

Also it is recommended for Suricata and Snort.

When I bought mine, I was looking over the Netgate XG7100 configuration, to find something close, and I think the Supermicro board is at close at it gets.

My question is, why the Supermicro board has issues with Netmap, and I got speeds as low as 150 Mbs/s?

The speeds are the same with Netgate box? Is there any custom Intel driver for it? Should I need to tweak something?

I don't think that Netgate's box transfer speeds are bad as Supermicro's box.
Any opinion on this?

Thank you

There is a very high probability that if the Netgate box has the same NICs as your box, then it will have the same netmap issues. What the "recommended for Snort and Suricata" statement really means is the box has enough horsepower (RAM and CPU) to handle a robust rule set. So far as I know, there are no detailed speed tests performed using Inline IPS Mode to determine how that mode functions with various hardware.

The problem you have uncovered is what I meant in my first post in this thread about netmap turning into a big disappointment for me. The support within the FreeBSD OS and within the various NIC drivers is hit-or-miss. And as is normal with these kinds of issues, you get some amount of finger-pointing between the FreeBSD folks, the netmap folks and the actual hardware vendors (Intel in this case). pfSense and the Suricata/Snort packages are victims in this game as they just depend on, and assume it exists, a healthy and functioning netmap kernel device working seamlessly with the hardware NIC driver.

NRgia

@bmeeks said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

The problem you have uncovered is what I meant in my first post in this thread about netmap turning into a big disappointment for me. The support within the FreeBSD OS and within the various NIC drivers is hit-or-miss. And as is normal with these kinds of issues, you get some amount of finger-pointing between the FreeBSD folks, the netmap folks and the actual hardware vendors (Intel in this case). pfSense and the Suricata/Snort packages are victims in this game as they just depend on, and assume it exists, a healthy and functioning netmap kernel device working seamlessly with the hardware NIC driver.

All the users that are using pfSense will have nothing but a great respect for you as a person, and for your contribution.
But as it was with iOS and Android, Apple had just one phone released every year, and it was easy to customize and optimize it. The same thing here, I don't think it's Netgate job to customize third party boards, even if they're not Chinese knock offs, but their boxes I would like to believe they are doing some tinkering and optimizations, maybe compiling some drivers from time to time, it's their hardware. If I remember correctly a few years back the Denverton platform was supported only on Netgate's hardware.

So what am I looking for is, maybe some steps, to be able to compile an Intel driver with iflib support? On Linux I know how to compile a kernel, it shouldn't be that hard on FreeBSD...

As for pointing fingers...for my discussions with Intel, FreeBSD and some guys from Netmap, I tend to believe that FreeBSD should update the driver versions, with iflib support. It works on Linux, it worked before FreeBSD 11.3.

Unfortunately I cannot find a Bill Meeks on FreeBSD forums.

Any further help, links to where I should ask more questions will be much appreciated. I'm not referring only to you Bill, I'm asking in general.

Thank you

bmeeks

@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

@bmeeks said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

The problem you have uncovered is what I meant in my first post in this thread about netmap turning into a big disappointment for me. The support within the FreeBSD OS and within the various NIC drivers is hit-or-miss. And as is normal with these kinds of issues, you get some amount of finger-pointing between the FreeBSD folks, the netmap folks and the actual hardware vendors (Intel in this case). pfSense and the Suricata/Snort packages are victims in this game as they just depend on, and assume it exists, a healthy and functioning netmap kernel device working seamlessly with the hardware NIC driver.

All the users that are using pfSense will have nothing but a great respect for you as a person, and for your contribution.
But as it was with Apple and Android, Apple had just one phone released every year, and it was easy to customize and optimize it. The same thing here, I don't think it's Netgate job to customize third party boards, even if they're not Chinese knock offs, but their boxes I would like to believe they are doing some tinkering, it's they're hardware.

So what am I looking for is maybe some steps, to be able to compile an Intel driver with iflib support? On Linux I know how to compile a kernel, it shouldn't be that hard on FreeBSD...

As for pointing fingers...for my discussions with Intel, FreeBSD and some guys from Netmap, I tend to believe that FreeBSD should update the drivers versions, with iflib support. It works on Linux, it worked before FreeBSD 11.3.

Unfortunately I cannot find a Bill Meeks on FreeBSD forums.

Any further help, links to where I should ask more questions will be much appreciated. I'm not referring to you Bill, I'm asking in general.

Thank you

The pfSense source is available on Github here: https://github.com/pfsense/FreeBSD-src. There you will find the majority of what you need to compile a pfSense FreeBSD kernel. There are branches for both 2.4.5 and 2.5 at that link. Now setting up a builder is no trivial task and requires quite a bit of FreeBSD compiler "foo" to get it all working. You start by building a FreeBSD bare-bones machine and then create a pfSense "builder" on top of that. You will have to make some manual edits to various shell scripts and conf files to get it working. Several users over the years have tried this. A select few have been successful. Most have not. I have never attempted to build a full kernel. All I do is use my builder to create packages via Poudriere. That's a lot easier to set up.

The pfSense team has never shown much interest in hardware driver development, especially when it relates to specific packages. So while they would make sure a given Intel NIC driver worked properly in their custom hardware for normal operations, they would not necessarily invest the time and effort into making it 100% netmap compatible as that would only benefit the tiny percentage of users that might install and use one of the IDS/IPS packages with inline IPS mode. Without Suricata or Snort (with inline mode) installed, nothing in pfSense uses netmap, thus there is no big incentive for them to spend time and effort making some NIC driver work with netmap.

I'm going through this to illustrate why things are the way they are with regards to NIC drivers in pfSense. Not saying it is good or bad, just saying it is what it is for now. I think the bottom line is that, as of now, there is not enough of their "profitable user base" yelling about netmap support on their appliances. So there is no big push to get that fixed. And as you have noted, the real issue seems to sit with the new iflib stuff in FreeBSD 12.1.

NRgia

@bmeeks said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

I'm going through this to illustrate why things are the way they are with regards to NIC drivers in pfSense. Not saying it is good or bad, just saying it is what it is for now. I think the bottom line is that, as of now, there is not enough of their "profitable user base" yelling about netmap support on their appliances. So there is no big push to get that fixed.

So even if, in the end I will buy support from Netgate for this particular issue, will it matter? Or if you're not the proper person to respond, I will leave this question pending.

It's very frustrating when something worked and then it will stop because some driver refactoring.

I will continue on FreeBSD forums, and update if I have something useful.

Thank you

bmeeks

@NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

@bmeeks said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

I'm going through this to illustrate why things are the way they are with regards to NIC drivers in pfSense. Not saying it is good or bad, just saying it is what it is for now. I think the bottom line is that, as of now, there is not enough of their "profitable user base" yelling about netmap support on their appliances. So there is no big push to get that fixed.

So even if, in the end I will buy support from Netgate for this particular issue, will it matter? Or if you're not the proper person to respond, I will leave this question pending.

It's very frustrating when something worked and then it will stop because some driver refactoring.

I will continue on FreeBSD forums, and update if I have something useful.

Thank you

I have no inside knowledge nor any special influence with the pfSense team. I'm just one of several volunteer package maintainers.

I don't think they just don't care, but rather they have a lot of things "on the stove" commercial wise at the moment with their appliances and TNSR and they don't have a lot of extra time or money to spend working on FreeBSD drivers unless there was a decent profit opportunity. And profit opportunity is hard to come by when you are talking about free open-source software ... .

NRgia

Sure, I understand. I'm glad that pfSense exists for free

NollipfSense

@bmeeks said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

they don't have a lot of extra time or money to spend working on FreeBSD drivers unless there was a decent profit opportunity. And profit opportunity is hard to come by when you are talking about free open-source software ... .

Good reality check, info here ... thanks for sharing.

NRgia

I did some 4 speedtests using iperf on both pfSense versions.
Tests were done on pfSense 2.4.5-p1 and pfSense 2.5.0 clean installs

iperf server was started on pfSense interface, and the client was a local Linux host, on the same LAN as pfSense

pfSense was installed on bare metal, no virtualization was used.

The results are as follows:

Test Results for pfSense 2.4.5-p1

With In-kernel Driver 3.3.12-k NETMAP disabled

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  289 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 48430 connected with 172.18.0.12 port 5201
write failed: Broken pipe
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 8.1 sec   885 MBytes   911 Mbits/sec

With Suricata enabled - Netmap Native mode

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  153 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 47494 connected with 172.18.0.12 port 5201
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   348 MBytes   291 Mbits/sec

With Intel-ix-kmod driver 3.3.14 NETMAP disabled

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  298 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 47070 connected with 172.18.0.12 port 5201
write failed: Broken pipe
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 8.0 sec   885 MBytes   923 Mbits/sec

With Suricata enabled and Intel-ix-kmod driver 3.3.14 - Netmap Native mode

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  162 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 47262 connected with 172.18.0.12 port 5201
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   349 MBytes   292 Mbits/sec

Test Results for pfSense 2.5.0 - latest snapshot

With In-kernel Driver 4.0.1-k NETMAP disabled

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  280 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 50368 connected with 172.18.0.12 port 5201
write failed: Broken pipe
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 8.5 sec   885 MBytes   876 Mbits/sec

With Suricata enabled - Netmap Native mode

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  187 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 50376 connected with 172.18.0.12 port 5201
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   336 MBytes   282 Mbits/sec

With Intel-ix-kmod driver 3.3.14 NETMAP disabled

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  187 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 50444 connected with 172.18.0.12 port 5201
write failed: Broken pipe
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 8.2 sec   885 MBytes   905 Mbits/sec

With Suricata enabled and Intel-ix-kmod driver 3.3.14 - Netmap Native mode

------------------------------------------------------------
Client connecting to 172.18.0.12, TCP port 5201
TCP window size:  153 KByte (default)
------------------------------------------------------------
[  3] local 172.18.0.10 port 50530 connected with 172.18.0.12 port 5201
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec   340 MBytes   285 Mbits/sec

As we can see after Netmap ( or in my case Suricata, that will start Netmap also) is started the speed penalty is immense.

trumee

I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

bmeeks

@trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

Snort on pfSense-2.4.5 does not support netmap device operation, so no, the 2.4.5 release is not impacted. Snort on 2.4.5-RELEASE uses libpcap.

NRgia

@trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

My tests didn't include testing Snort on Stable 2.4.5. I was asked to install Snort on 2.5.0-devel by another user, to compare Snort vs Suricata, in the matter of speed and it was a little lower for me when I tested with Snort.

After some discussions with the guys that maintain Netmap, Intel drivers, Supermicro support, FreeBSD, I was directed to Suricata maintainers.

I took my time and tried various tutorials that optimize some networking parameters, but I got only small variances in performance like 30-40 Mbps.

My last try will be to have a chat with Suricata guys.
I hope they will not recommend me a Napatech card
Napatech products link , or something.
I will update if I find something of interest.