Netgate Discussion Forum

    Netmap not supported for Intel X553 driver in pfSense 2.5.0

      trumee

      I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

        bmeeks @trumee

        @trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

        I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

        Snort on pfSense-2.4.5 does not support netmap device operation, so no, the 2.4.5 release is not impacted. Snort on 2.4.5-RELEASE uses libpcap.

          NRgia @trumee

          @trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

          I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

          My tests didn't include testing Snort on Stable 2.4.5. I was asked to install Snort on 2.5.0-devel by another user, to compare Snort vs Suricata, in the matter of speed and it was a little lower for me when I tested with Snort.

          After some discussions with the guys that maintain Netmap, Intel drivers, Supermicro support, FreeBSD, I was directed to Suricata maintainers.

          I took my time and tried various tutorials that optimize some networking parameters, but I got only small variances in performance like 30-40 Mbps.

          My last try will be to have a chat with Suricata guys.
          I hope they will not recommend me a Napatech card
          Napatech products link, or something.
          I will update if I find something of interest.

            bmeeks @NRgia

            @NRgia said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

            @trumee said in Netmap not supported for Intel X553 driver in pfSense 2.5.0:

            I have a Supermicro motherboard 'A2SDi-4C-HLN4F' which uses X553 chipset. It is presently running Stable 2.4.5-p1 and Snort. Is this release affected by this issue?

            My tests didn't include testing Snort on Stable 2.4.5. I was asked to install Snort on 2.5.0-devel by another user, to compare Snort vs Suricata, in the matter of speed and it was a little lower for me when I tested with Snort.

            After some discussions with the guys that maintain Netmap, Intel drivers, Supermicro support, FreeBSD, I was directed to Suricata maintainers.

            I took my time and tried various tutorials that optimize some networking parameters, but I got only small variances in performance like 30-40 Mbps.

            My last try will be to have a chat with Suricata guys.
            I hope they will not recommend me a Napatech card
            Napatech products link, or something.
            I will update if I find something of interest.

            One issue that is likely at play with both Suricata and Snort (Snort on FreeBSD-11.x) is that on FreeBSD the netmap host stack originally exposed only a single ring. NIC drivers, on the other hand, pretty much uniformly expose multiple rings. The more rings you have, the higher the theoretical throughput can be.

            The latest iteration of netmap on FreeBSD finally offers a multiple ring interface for the host stack. The host stack is the connection to the kernel itself. Most of the original implementations of netmap envisioned sending packets between two NIC interfaces directly (that is, without necessarily going through the kernel network stack). So to put this in Suricata terms, think of using two physical NICs and having Suricata sit between them policing traffic between the two NICs. In that scenario all rings available in the NIC drivers would be used.

            But Suricata on pfSense needs to interact with the kernel network stack because we want to inspect traffic as it flows to and from the NIC to the pf firewall engine in the kernel. Also, we don't want to use up two valuable hardware NIC ports just to have an "in" and an "out" path. We want to use a single NIC for an interface.

            Starting with FreeBSD-12 and the move to the iflib networking API, netmap now exposes a multi-ring netmap interface for the host stack. However, for the moment I don't believe Suricata 5.x is using that interface in order to maintain backwards compatibility with older netmap API versions.

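The two deployment shapes described in the post above, written as Suricata `netmap:` sections. This is an added illustration, not part of the thread and not the configuration the pfSense package generates. The interface names `ix0` and `ix1` are assumptions; the `^` suffix is how netmap names an interface's host stack rings.

```yaml
# Added illustration. Interface names (ix0, ix1) are assumed, not from the thread.

# Shape 1: Suricata sits between two physical NICs.
# Traffic is copied NIC to NIC, so all hardware rings of both drivers are used.
netmap:
  - interface: ix0
    threads: auto
    copy-mode: ips
    copy-iface: ix1
  - interface: ix1
    threads: auto
    copy-mode: ips
    copy-iface: ix0
---
# Shape 2: a single NIC paired with its own host stack ("ix0^").
# Packets pass NIC -> Suricata -> kernel network stack (pf) and back,
# so throughput also depends on how many rings the host stack side exposes.
netmap:
  - interface: ix0
    threads: auto
    copy-mode: ips
    copy-iface: ix0^
  - interface: ix0^
    threads: auto
    copy-mode: ips
    copy-iface: ix0
```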