QAT isn't working on a virtualized pfSense based on FreeBSD 14.0

john389

Hi,

I've been trying to get QAT virtual functions to work on pfSense+ 23.01 so I could use VPN hardware acceleration.

Everything else including network virtual function passthrough is working without issues on my Linux VM host. The QAT virtual functions are passed through and show up in FreeBSD, but QAT support isn't active in the WebUI.

After a lot of trial and error and searching the internet, I found this bug report from two months ago: "QAT driver does not attach to QAT virtual function devices passed through to VM on Xeon D-2146NT"

It seems it can't work until Intel creates FreeBSD 14 QAT drivers that work.

Has anyone been able to get it to work?
 

sko

If pfSense really uses 14.0-CURRENT as a base for their product I'd *highly* recommend switching to something that uses a supported -RELEASE version (or just vanilla FreeBSD) instead of a *development* branch.

Apart from the fact that -CURRENT is never meant to be used on any production system, due to the upcoming EOL of OpenSSL 1.x there is some major restructuring work expected, to switch to OpenSSL 3 and most likely even make the SSL/TLS provider interchangeable with other implementations (LibreSSL).
So there *will* be breaking changes in the CURRENT branch in the near future (because it *is* the development branch!).

Switching to a supported RELEASE might also solve your problem regarding the QAT driver, because in 13.2-RELEASE the qat driver still supports the 1.x generation hardware.
If you absolutely need a GUI, IIRC OPNsense uses the -RELEASE branch.
 

john389

Thank you for replying. I'm aware that 14.0-CURRENT is not the best base for a production system - I don't know why they are using it?! - but unless I want to migrate over to OPNsense for a few short months until they too switch to 14.0, probably -RELEASE for them, there doesn't seem to be an alternative. Even pfSense 2.7.0, which is the first community release in over a year (2.6.0 was February 2022), will be based on 14.0-CURRENT when it is released this or next month (hopefully).

From what I understand the in-kernel QAT driver isn't suitable for a virtualization guest. You'd need the out-of-tree driver, where you even have to select at configure time if you want to build it for the host or guest, for it to work correctly.

So I'm somewhat stuck at the moment, because I honestly don't have the time to switch to OPNsense or build my own firewall manually at the moment, until Intel releases a FreeBSD 14.0(-RELEASE) out-of-tree qat driver for the 1.x generation hardware.

I was only asking if anyone else has had the same problem and found a solution.

Based on the linked bug report this would mean all past and current Atom and Xeon-D QAT chips are probably not supported in a FreeBSD 14.0 VM guest.