Proxmox 5.4, HP Flashed Mellanox Connectx-3, pfSense = issue


Snorf

This is my situation:

Internet connection Fibre 750Mbps/750Mbps transceiver sticks into my computer router (pfSense).

Computer/router is 2 x Xeon X5650 with 32G of Ram. With HP 656089-001 Infiniband 10/40GB DP NIC 649281-B21 flashed to Mellanox firmware by following the thread on STH and set to eth mode.

When I install pfSense 2.4.4 on the hardware by itself and install Suricata, pfblocker and turn on lots of options, I can run multiple speedtests from ISP's and cpu runs at 35% max and it is very fluid. I get up to 800Mbps/800Mbps on multiple tests running at the same time. (I managed to figure out how to take the drivers from a VM running FreeBSD and install them into pfSense to make this work. A few great posts on STH helped with this!)

Now if I try the same thing with Proxmox/pfSense I am lucky to achieve 300/300, even with all the 24 cpu's and 32G of ram allocated just to pfSense. CPU never goes over 35% either but performance is less than half.

I was hoping that I could make the Proxmox/pfSense work with similar results so I would have some head room to spin up a VM to play with new releases of pfSense or maybe run a different DHCP server etc.

I have exhausted my reading and comprehending what to do to troubleshoot this problem so I am reaching out.

Do I need to install drivers for the Mellanox card into Proxmox? Or tweak something? Or is this just not going to work?

Thanks for looking.

Snorf
 

ttabbal

There are some known issues with the virtio networking from KVM interacting with the BSD kernel. This can cause performance problems with pfsense in a VM.

One possibility is passthrough, if your hardware supports it. SR-IOV might work as well.
 

Snorf

Thank you for the reply. It took me about 2 weeks to learn how to fire up a VM with freebsd 11.1 and get the mlx files so the card would work in the first place with pfSense. Reading and learning is tedious when you have to google every third or fourth word or acronym. But, I did get it working :).

I gave the whole passthrough (hardware is capable) a try and it looks like I will have to rebuild from scratch again, she is fubar baby!!! LOL! I think I will pass on the SR-IOV route, that could be another couple of weeks after my first read of that tutorial..........

I was really hoping that maybe I just missed a check box, :) but no such luck.

Should I dump Proxmox? Is there free virtualization software that has native support for connectx-3 right out of the box and works awesome? Or should I just spend the money and get a network card that is supported by pfSense and Proxmox?

I do hate to give up but it seems like every time there is an update to anything now I will have to recompile drivers for this card. Windows 10 lots of support but everything else nada.

Snorf
 

mTek

Debian, the underlying OS of Proxmox, supports the ConnectX-3, as I have them in my Proxmox cluster on 5.3. What was mentioned here is that the virtio drivers sometimes are a problem with pfSense. I've not had any trouble with this (2.4.4-RELEASE), but on the Proxmox side click Advanced on the network and up the multiqueue to 8 and see if that helps.
 

ttabbal

It's not a card support issue in either OS. It's that the host is running the card and providing a virtual network card to the guest (pfSense). The drivers for those virtual network cards can sometimes cause performance issues in the BSD guest. If you do the same thing with any other guest OS, it's not an issue. There are some things you can try to mitigate them, but I never got satisfactory results from them. Some people don't seem to run into it, not sure why. I decided that, particularly with VM escape exploits out there, that the firewall will just be dedicated hardware. I got a cheap 1U and just dedicated it to pfSense.
 

Snorf

Thx for sticking with me on this. There has been a small victory, but it was followed by massive failure...... :)

First I re-installed pfSense and used OVMF and q35 instead of the defaults like shown in the virtualization instructions on the netgate site.
It seemed much more responsive getting to and working in the UI but same end result for performance :(. I then tried the PCI passthrough again, and it worked and it doubled my performance to around 600/600! Yeah! (small victory) But I am still down about 25% from where it should be. I then spun up another VM of pfSense and tried adjusting the multiqueue to 8 and that did not help. I was then going back to the passthrough VM and Proxmox didn't like something. But I am hoping that when I get back to the passthrough build, with some tweaking it may work. There was an error and I was in the middle of googling it to figure out what to do when things took a turn for the worse (massive failure) so I am re-installing everything.

I will report back, hopefully with good news. If this doesn't work this time I think I will be making it just a pfSense box and moving on from my pfSense/VM dream, at least until I come across newer hardware to screw up :). It was either re-purpose this hardware as something or send it to the recycler, so a fast router firewall is better than nothing.

Snorf
 

Snorf

I have everything running and I am at about 490/490 with the fresh install with pci pass through.

The comment I am seeing in the pfSense boot screen is (not sure what this means but hopefully google does):

mlxen0: tso4 disabled due to -txcsum.
mlxen0: tso6 disabled due to -txcsum.
mlxen0: enable txcsum first.
mlxen1: tso4 disabled due to -txcsum
mlxen1: tso6 disabled due to -txcsum
mlxen1: enable txcsum first.

I clicked the All Functions box in the hardware tab for the PCI device. Should this network device have been passed through as a PCI device or a PCI Express device or both?

The Pci passthrough - Proxmox VE does not say to enter both comments into the vmid.conf file so I have only entered
hostpci0: 03:00.0;03:00.1 as it is a dual port card.

pfSense is picking it up as a 40Gbase-CR4 <full-duplex,rxpause,txpause>

Snorf
 

ttabbal

I've only done GPUs and USB controllers, so NICs might be different, but I would try both methods for passing the card. One might work better than the other.

Double check the IOMMU groups, if that's not right you can get really weird results.

I've never seen an option for PCI/PCIe. The setup is supposed to be the same either way from what I understand. I've also never done it in Proxmox, just libvirt, so perhaps I'm off base there.

Look into the messages. The way this works is that the PCI device is not visible to the host anymore and the guest OS has total control. So the drivers in the guest and any errors it reports are important. You might need to force the host to ignore the card, but probably not if you haven't had errors from Proxmox about sending the card over. Those messages make me think that the card checksum offload is disabled, which would be bad for performance. It also looks like a setting from pfSense/BSD's driver.

If you are testing using internet servers, please stop and set up a local test. Once the packets go off site you have no guarantees of anything. Slight latency jitter can make a difference at these speeds. Get something basic like iperf testing working across the pfSense setup, once you get that tuned, then worry about internet performance. I've seen people spend days chasing things that didn't end up being an actual problem on their side.
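
The IOMMU group check suggested above can be scripted on the Proxmox host. The following is an added example, not code from any poster in this thread: it reports every device that shares an IOMMU group with the functions being passed through but is not itself passed through, since such a device is not DMA-isolated from the guest. The `SYSFS_ROOT` variable, the function names, and the `0000:` PCI domain prefix on the thread's `03:00.0`/`03:00.1` addresses are assumptions.

```shell
#!/bin/sh
# Added example: IOMMU group audit for PCI passthrough candidates.
# SYSFS_ROOT (assumption) lets the check run against a constructed tree;
# on a real host it defaults to /sys.

iommu_group_of() {
    # $1 = full PCI address (e.g. 0000:03:00.0); prints its group number
    root="${SYSFS_ROOT:-/sys}"
    for dev in "$root"/kernel/iommu_groups/*/devices/"$1"; do
        [ -e "$dev" ] || continue        # unmatched glob stays literal
        g="${dev%/devices/*}"
        echo "${g##*/}"
        return 0
    done
    return 1                             # IOMMU off or address unknown
}

group_strangers() {
    # args: PCI addresses intended for passthrough.
    # Prints "group<TAB>address" for each other device in the same group,
    # or "none<TAB>address" when an address has no IOMMU group at all.
    root="${SYSFS_ROOT:-/sys}"
    wanted=" $* "
    seen=" "
    for addr in "$@"; do
        grp=$(iommu_group_of "$addr") || { printf 'none\t%s\n' "$addr"; continue; }
        case "$seen" in *" $grp "*) continue ;; esac   # group already listed
        seen="$seen$grp "
        for member in "$root/kernel/iommu_groups/$grp/devices"/*; do
            m="${member##*/}"
            case "$wanted" in
                *" $m "*) ;;                            # part of the passthrough set
                *) printf '%s\t%s\n' "$grp" "$m" ;;     # shares the group, stays on host
            esac
        done
    done
}

# Stand-alone use: ./iommu_audit.sh 0000:03:00.0 0000:03:00.1
if [ "$#" -gt 0 ]; then
    group_strangers "$@"
fi
```

Empty output means the listed functions are alone in their groups; any `group<TAB>address` line names a device that would have to move to the guest as well or be placed behind a different IOMMU group.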