pfSense bugtracker: Issues
https://redmine.pfsense.org/
2023-03-09T07:02:42Z

pfSense Plus - Bug #14085 (New): QAT not working / same speed as AES-NI with CPIC-8955!
https://redmine.pfsense.org/issues/14085
2023-03-09T07:02:42Z
Alexandru Racovita
<p>My post on the netgate forum, still no answer:<br /><a class="external" href="https://forum.netgate.com/topic/175096/ipsec-with-qat-low-performance-netgate-cpic-8955?_=1677835676706">https://forum.netgate.com/topic/175096/ipsec-with-qat-low-performance-netgate-cpic-8955?_=1677835676706</a></p>
<p>Meanwhile I upgraded the operating system to:<br /><strong>pfsense+ 23.01-RELEASE (amd64) / FreeBSD 14.0-CURRENT / CPIC-8955 hardware accelerator</strong></p>
<p>The exact same thing happens here:<br /><a class="external" href="https://forum.netgate.com/topic/162176/openssl-qat">https://forum.netgate.com/topic/162176/openssl-qat</a></p>
<p><strong>AES-NI CPU Crypto: Yes (active)<br />QAT Crypto: Yes (active)</strong></p>
<pre>
/root: openssl engine
(devcrypto) /dev/crypto engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
</pre><br /><pre>
/root: openssl speed -engine rdrand -evp aes-128-gcm
engine "rdrand" set.
Doing aes-128-gcm for 3s on 16 size blocks: 109473266 aes-128-gcm's in 3.15s
Doing aes-128-gcm for 3s on 64 size blocks: 59620644 aes-128-gcm's in 3.06s
Doing aes-128-gcm for 3s on 256 size blocks: 37145965 aes-128-gcm's in 3.05s
Doing aes-128-gcm for 3s on 1024 size blocks: 12758891 aes-128-gcm's in 3.07s
Doing aes-128-gcm for 3s on 8192 size blocks: 1961291 aes-128-gcm's in 3.06s
Doing aes-128-gcm for 3s on 16384 size blocks: 1004601 aes-128-gcm's in 3.09s
OpenSSL 1.1.1t-freebsd 7 Feb 2023
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-gcm 556330.64k 1245949.78k 3121023.03k 4255301.17k 5246333.35k 5320204.54k
/root: openssl speed -engine devcrypto -evp aes-128-gcm
engine "devcrypto" set.
Doing aes-128-gcm for 3s on 16 size blocks: 109588628 aes-128-gcm's in 3.09s
Doing aes-128-gcm for 3s on 64 size blocks: 58764133 aes-128-gcm's in 3.08s
Doing aes-128-gcm for 3s on 256 size blocks: 36989212 aes-128-gcm's in 3.08s
Doing aes-128-gcm for 3s on 1024 size blocks: 12517930 aes-128-gcm's in 3.03s
Doing aes-128-gcm for 3s on 8192 size blocks: 1892616 aes-128-gcm's in 3.01s
Doing aes-128-gcm for 3s on 16384 size blocks: 962895 aes-128-gcm's in 3.02s
OpenSSL 1.1.1t-freebsd 7 Feb 2023
built on: reproducible build, date unspecified
options:bn(64,64) rc4(8x,int) des(int) aes(partial) idea(int) blowfish(ptr)
compiler: clang
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
aes-128-gcm 566761.39k 1221816.69k 3076300.76k 4228737.43k 5154679.78k 5217925.52k
</pre><br /><strong>I can see some errors here:</strong><br /><pre>
dmesg | grep qat
qat0: <Intel dh895xcc QuickAssist> mem 0xe0600000-0xe067ffff,0xefd40000-0xefd7ffff,0xefd00000-0xefd3ffff irq 32 at device 0.0 on pci2
qat_dh895xcc_fw: could not load firmware image, error 6
qat0: Failed to load UOF FW qat_dh895xcc_fw
qat0: Failed to load acceleration FW
qat0: Resetting device qat_dev0
qat0: Secondary bus reset
device_attach: qat0 attach returned 14
qat0: <Intel dh895xcc QuickAssist> mem 0xe0600000-0xe067ffff,0xefd40000-0xefd7ffff,0xefd00000-0xefd3ffff irq 32 at device 0.0 on pci2
qat0: qat_dev0 started 12 acceleration engines
qat0: FW version: 4.18.0
qat_ocf0: <QAT engine>
</pre><br /><strong>Drivers:</strong><br /><pre>
kldstat | grep qat
2 1 0xffffffff83ba5000 81d8 qat.ko
3 7 0xffffffff83bae000 7f320 qat_api.ko
4 8 0xffffffff83c2e000 44280 qat_common.ko
5 6 0xffffffff83c73000 1fe98 qat_hw.ko
11 1 0xffffffff84aef000 161f38 qat_dh895xcc_fw.ko
kldstat | grep aes
16 1 0xffffffff84c61000 a288 aesni.ko
</pre><br /><strong>vmstat -i | grep qat shows us that the board is used</strong>
<p>Clients using AES_GCM_16 (128) PRF_HMAC_SHA1 MODP_2048, the maximum IPSEC speed reached is around 800Mb/s (<strong>TOTAL</strong>, even with multiple clients, parallel connections)</p>
<p>Also, I want to specify that I tested this QAT adapter on another server with the same results, I also tested on a different server with much higher performance.</p>
<p>Attached you can find config file and some tests. More you can find in my post:<br /><a class="external" href="https://forum.netgate.com/topic/175096/ipsec-with-qat-low-performance-netgate-cpic-8955?_=1677835676706">https://forum.netgate.com/topic/175096/ipsec-with-qat-low-performance-netgate-cpic-8955?_=1677835676706</a></p>
<p>Thanks!</p>

pfSense Plus - Feature #14066 (New): Add line number to rules and insert option
https://redmine.pfsense.org/issues/14066
2023-03-03T09:20:22Z
Mike Moore
<p>From a rule management perspective, is it possible to do the following:<br />1. Add line numbers in the GUI. So an admin can say 'Line 30' needs to be modified instead of having to relay the rule to the team and everyone hunting for that specific rule. Of course the line numbers will need to be adjusted each time a rule is added or deleted. Makes administration easier.</p>
<p>2. Insert a rule within the rule set. Currently, the only options are to add a rule at the top or at the bottom or maybe copy an existing rule which would place it underneath what you are copying - which is a good step. Having a large rule set it makes sense to create a rule and have the option presented to 'place after line 15' for example.</p>
<p>This is all about better rule administration and management.</p>

pfSense Plus - Feature #14012 (New): ZFS memory usage graphs
https://redmine.pfsense.org/issues/14012
2023-02-22T09:50:05Z
Jim Pingle
<p>It's becoming increasingly relevant for users to monitor ZFS memory usage, especially ARC usage. This is ideal as a separate RRD graph under <strong>Status > Monitoring</strong> but might also be a nice addition to the ZFS widget or a separate ZFS Memory widget.</p>
<p>Currently users have to look at the output of <code>top</code> to see it:</p>
<pre>
ARC: 1202M Total, 743M MFU, 384M MRU, 916K Anon, 14M Header, 59M Other
1041M Compressed, 3148M Uncompressed, 3.02:1 Ratio
</pre>
<p>Or dig through sysctl OIDs:</p>
<pre>
kstat.zfs.misc.arcstats.mfu_ghost_size: 0
kstat.zfs.misc.arcstats.mfu_size: 778736128
kstat.zfs.misc.arcstats.mru_ghost_size: 0
kstat.zfs.misc.arcstats.mru_size: 402139648
kstat.zfs.misc.arcstats.anon_size: 989184
kstat.zfs.misc.arcstats.other_size: 62153984
kstat.zfs.misc.arcstats.bonus_size: 13352960
kstat.zfs.misc.arcstats.dnode_size: 35653000
kstat.zfs.misc.arcstats.dbuf_size: 13148024
kstat.zfs.misc.arcstats.metadata_size: 138728448
kstat.zfs.misc.arcstats.data_size: 1043136512
kstat.zfs.misc.arcstats.hdr_size: 14482464
kstat.zfs.misc.arcstats.overhead_size: 90355200
kstat.zfs.misc.arcstats.uncompressed_size: 3300402688
kstat.zfs.misc.arcstats.compressed_size: 1091509760
kstat.zfs.misc.arcstats.size: 1260264224
kstat.zfs.misc.abdstats.linear_data_size: 114316288
kstat.zfs.misc.abdstats.scatter_data_size: 977197568
kstat.zfs.misc.abdstats.struct_size: 6681872
</pre>
<p>The exact set of data to graph is open for debate here, but we should at least go with the equivalent values to those shown in <code>top</code> output.</p>

pfSense Plus - Bug #13964 (New): PHP syntax error in ``ec2_setup.php``
https://redmine.pfsense.org/issues/13964
2023-02-16T08:19:13Z
Danilo Zrenjanin
<p>The ec2_setup.php file contains code that is not compatible with PHP 8.1.</p>
<pre>
[16-Feb-2023 08:35:53 Europe/Rome] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/sbin/ec2_setup.php:299
Stack trace:
#0 /usr/local/sbin/ec2_setup.php(478): writeOpenVPNConfig('x.x.x.x')
#1 {main}
thrown in /usr/local/sbin/ec2_setup.php on line 299
</pre>

pfSense Plus - Bug #13949 (New): Boot Environments do not seem to cleanly restore the system
https://redmine.pfsense.org/issues/13949
2023-02-12T09:51:54Z
Yuri Weinstein
<p>I tried and set up 25.01RC and had a minor issue so decided to roll back to 22.05.</p>
<p>To my surprise, after restoring the system back to 22.05, two packages: `ntopng` and `pfBlockerNG-devel` had errors and required reinstalls.</p>
<p>Boot Environments did not cleanly restore the system to the known state!</p>
<p>See more than 1 user reporting this problem => <a class="external" href="https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior">https://forum.netgate.com/topic/177764/boot-environments-unexpected-behavior</a></p>

pfSense Plus - Feature #13740 (New): Feature Request: Mark Boot Environments with different prope...
https://redmine.pfsense.org/issues/13740
2022-12-09T14:04:10Z
Jonas R
<p>Boot snapshots are awesome. However, I see huge potential for expanding the features on these. So here are a few suggestions.</p>
<p>Mark a snapshot as forbidden to boot.<br />This comes from a weird situation from my 6100, where the first boot would work just perfectly. However, every subsequent boot would result in a completely broken LAN. So I had to be suuuper careful not to boot the last remaining snapshot of my "working" system whilst troubleshooting. But if I had been able to mark it so it wasn't allowed to be booted, then this would've been real handy.</p>
<p>Mark snapshot with Deletion Prevention:<br />This is basically an option to mark a specific snapshot so that it isn't allowed to be deleted, whilst the "Prevent from being deleted"-flag is set. Or something similar. Suggestion is to have it as a check box from within the edit-page. This could then disable the Trash-icon on the main page.</p>

pfSense Plus - Bug #13233 (Feedback): OpenVPN DCO connection fails with Auth Digest Algorithm set...
https://redmine.pfsense.org/issues/13233
2022-05-28T19:16:49Z
Steve Wilson
<p>OpenVPN DCO configurations specifying an auth digest algorithm of SHA512 fail to connect. Changing the algorithm to SHA256 resolves the issue. See <a class="external" href="https://forum.netgate.com/topic/172479/openvpn-with-dco/6">https://forum.netgate.com/topic/172479/openvpn-with-dco/6</a>. It's not clear to me if this is intended (but as yet undocumented) behavior or a true bug. If DCO currently requires the auth digest algorithm to be SHA256 it should probably be flagged in the comments on the OpenVPN Server and Client set-up pages.</p>

pfSense Plus - Bug #13074 (New): AES-GCM with SafeXcel on Netgate 2100 causes MBUF overload
https://redmine.pfsense.org/issues/13074
2022-04-19T12:10:00Z
Chris S
<p>Running IPSec tunnels on a Netgate 2100 with AES-GCM and SafeXcel enabled seems to cause an MBUF overload requiring a reboot to re-establish the tunnel.</p>
<p>First spotted by NOCling in the forums. I was able to reproduce on my own 6100-2100 IPsec setup.</p>
<p><a class="external" href="https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload">https://forum.netgate.com/topic/171469/netgate-2100-s2s-aes-gcm-and-safexcel-mbuf-overload</a></p>

pfSense Plus - Bug #12894 (New): duplicating freshly created certificates through refreshing
https://redmine.pfsense.org/issues/12894
2022-03-03T14:30:26Z
Van Quach
<p>Version 22.01-Release FreeBSD 12.3-Stable</p>
<p>Bug: After successfully creating a certificate, the certificate gets duplicated by refreshing the page (while the green success notification is shown).</p>
<p>This happened to me with different CA and it doesn't matter what type of certificate it is.</p>

pfSense Plus - Bug #12759 (New): Proprietary packages link to non-existent or non-public github p...
https://redmine.pfsense.org/issues/12759
2022-02-05T19:22:11Z
Kris Phillips
<p>When clicking on the version number to view the code for packages like openvpn-import and aws-wizard, these link to a non-existent Github page (or one that is private). We should probably add a way to just remove these links on proprietary packages for pfSense Plus.</p>
<p>For example, aws-wizard links to <a class="external" href="https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard">https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-aws-wizard</a> which is an invalid path.</p>

pfSense Plus - Feature #12534 (New): Generate an ISO Image for Remote Restore of pfSense Plus on t...
https://redmine.pfsense.org/issues/12534
2021-11-19T10:37:58Z
Kris Phillips
<p>The 1537 and 1541 both have IPMI that supports booting ISO images. However, it does not support booting IMG files which is what our recovery image for the unit is currently built as. This effectively makes a native feature of the units unusable for pfSense and only works for TNSR. These units are able to boot Community Edition just fine, but they should be running pfSense Plus.</p>

pfSense Plus - Feature #12524 (New): OpenSSL QAT Engine
https://redmine.pfsense.org/issues/12524
2021-11-15T05:07:22Z
Luca De Andreis
<p>Hi all,</p>
<p>Is it possible to compile OpenSSL to use QAT on pfSense Plus, then accelerate OpenVPN?</p>
<p>Thanks</p>
<p>Luca</p>

pfSense Plus - Feature #11772 (New): Layer 2 Tunnel Bonding Capability
https://redmine.pfsense.org/issues/11772
2021-04-01T16:22:24Z
Clint Guillot
<p>Ability to tunnel traffic over multiple WAN connections back to another PF appliance at a central location in order to aggregate bandwidth of the connections. This functionality is intended to allow the use of PF to compete against the bandwidth aggregation and failover functionality of products such as Velocloud.</p>
<p>This differs from the existing multi-wan failover and load balancing in two ways: 1. NAT is performed at the "central office" end of the tunnels, so that all traffic from customer appears to come from a single IP address and 2. because the tunnels are being bonded using some layer 2 method, the full aggregate bandwidth of both connections back to central is available to a single connection.</p>
<p>While #1 above can be done now using multiple tunnels and load balanced gateways, #2 is not currently possible. Though the real-world usefulness of #2 is limited to a small percentage of use cases, the "speed tests" most end users consider the most important metric of their ISP or "SDWAN" (drink!) solution fall into this group.</p>

pfSense Plus - Bug #11770 (New): Pantech UML295 USB Modem No Longer Functional
https://redmine.pfsense.org/issues/11770
2021-04-01T11:28:59Z
Kris Phillips
<p>The Pantech UML295 modem in the USB port caused pfSense to hang on reboot when upgrading to version 21.02 of the software.</p>
<p>When it hung up on startup, I had to reconfigure the interfaces, then the device hung on startup at:</p>
<p>umodem0: <CDC Abstract Control Model (ACM)> on usb1<br />umodem0: data interface 5, has no CM over data, has no break on uhub1<br />umodem0: on uhub1<br />umodem1: data interface 7, has no CM over data, has no break on uhub1</p>
<p>I had to press return to get it to finish booting after waiting 20 minutes. Subsequent reboots hang for a time at</p>
<p>Should VLANs be setup now {y|n]? ugen1.2:</p>
<p>After a period of time, a message about the Pantech modem appears, and then back to the</p>
<p>See the attached log of the last boot. The Cell modem no longer appears in the gateway group as a tier 2 device. It is still listed as a gateway, but it is not functional.</p>
<p>[Pulled from internal ticket 80843]</p>

pfSense Plus - Feature #11732 (New): Add VXLAN Support to pfSense Plus
https://redmine.pfsense.org/issues/11732
2021-03-26T11:23:30Z
Kris Phillips
<p>VXLAN Support would be useful for scalable cloud deployments of pfSense Plus</p>