PfSense (or generic BSD 8.x) on PX 3.3, optimizations ?

[dea]

Hi !

I use two PFSense firewall on a PX Cluster, all ok, works very well.
Firewal configuration is complex and works on 35 VLAN (4 virtual E1000 as NIC).

The CPU utilization (4 cores on single VM, type QEMU64) is medium/high (maximum full load 70%, typical 20-30%).
Phisical hardware is powerfull and CPU on the IBM server presents a low-medium load.

Can I increase CPU units (now 1000 as default) ? I could have benefits?
Can I change VM settings to optimize it on BSD ?

Very thanks

Luca

 

[dea]

...

for example, disable "Use tablet for pointer" (absolutely useless in PFSense) can be helpful ?

 

[mir]

Do you use virtio disks? virtio will increase IO performance and take load off your CPU.
If you can get machine type KVM64 to work this should reduce load off CPU to since a number off things can run in hardware instead of being software emulated.
Increase assigned RAM will allow more processes to run in RAM concurrently.

 

[dea]

Thanks Mir !

I use ide disk, really on PFSense true firewall (only router and firewall function) practically HDD is not used.
I think the problem is only "number crunching".

Increase CPU units ? I could have benefits?

 

[spirit]

I have also notice this high cpu usage.
I think it's related to e1000 emulation.

Maybe can you try with virtio-net.

https://doc.pfsense.org/index.php/VirtIO_Driver_Support

 

[mir]

I have had problems with virtio-net in the past which was the reason for using e1000. Problem seen was that packages was not passing through to the net. It might have been solved in later pfSense and/or KVM.

 

[mir]

Just tried switching nics to virtio-net which behaves exactly like in the past, no traffic passing through the nics! Load did not changes in any remarkable way.

PS. the virtio-net malfunctioning is a FreeBSD 8.x only. On FreeBSD >= 9.0 virtio-net works as expected.

 

[dea]

Thanks Mir !!!!

For now, on PFSense 2.1.5 I will continue to use e1000 nics, CPU loads max 70% (on 4 cores), 35 VLAN and 100 mbps wan link.
These two firewalls are really critical and I can not experiment.

With the new PFSense version (series 2.2) I will try virtio-net.

For now, if I increase CPU units on firewall VM, think that I can reduce virtual CPU peak level ?

Luca

 

[mir]

See this solution to have virtio-nics work: http://forum.proxmox.com/threads/19695-High-CPU-Idle-Usage-with-pfsense-OpenBSD?p=100491#post100491
It was a configuration in pfSense.