Network problems during the activation of IPS on OPNsense

From Thomas-Krenn-Wiki

This article deals with a frequent problem when OPNsense is used with Broadcom network cards and the Intrusion Prevention System (IPS) is enabled. Many users report that the interface freezes after IPS is activated or that network traffic collapses. The cause is the lack of native netmap support in Broadcom network cards, which leads to specific error messages and network disruptions. This article explains the problem and shows a workaround that still allows IPS to be used.

Problem description

When IPS is enabled on OPNsense systems with Broadcom network cards, the following symptoms frequently occur:

  • interface freezes
  • network traffic collapses

The reason for this is the missing netmap support in Broadcom network cards. This produces a series of error messages such as:

bnxt1: promiscuous mode disabled
bnxt1: promiscuous mode disabled
788.968001 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
788.976137 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
788.984423 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
bnxt1: permanently promiscuous mode enabled
789.036601 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
789.516407 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
789.524530 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
789.532813 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.

Workaround

The emulated netmap mode can be configured in the OPNsense tunables so that IPS can be used despite this restriction. To do so, set the value of dev.netmap.admode to 2. This setting is configurable under System ‣ Settings ‣ Tunables.
Hint: Please note that performance degrades once the emulated netmap mode is enabled. This means that network throughput declines and the processing of network packets may take longer.



If this entry does not exist yet, you can simply add it via the + symbol.
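As an added example that is not part of the original article or of OPNsense, the following POSIX shell script combines the two checks this page describes: it counts the HWRM_CFA_L2_FILTER_ALLOC / INVALID_PARAMS lines from a dmesg excerpt (the symptom shown above), and it decides whether the dev.netmap.admode=2 workaround is still needed, based on the interface list and the current sysctl value. All inputs are passed in as text so the script runs offline; the sample log lines and interface names are constructed, and feeding it live output from `dmesg`, `ifconfig -l` and `sysctl -n dev.netmap.admode` is an assumption about how you would wire it up on a real box.

```shell
#!/bin/sh
# Added example for the Thomas-Krenn article; not part of OPNsense or the
# original page. Two checks worth scripting before/after enabling IPS:
#  1. count the bnxt firmware filter errors from a dmesg excerpt (the symptom)
#  2. decide whether dev.netmap.admode=2 (emulated netmap) is still needed
# All input is passed in as text so the script runs offline; on a real box
# you would feed it `dmesg`, `ifconfig -l` and `sysctl -n dev.netmap.admode`
# (assumption about how you would wire it up).

# Count HWRM_CFA_L2_FILTER_ALLOC / INVALID_PARAMS lines read from stdin.
# Prints the count (0 when none); a non-zero count is the article's symptom.
count_bnxt_filter_errors() {
    grep -c 'HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS' || true
}

# Names of interfaces driven by bnxt (Broadcom), taken from an `ifconfig -l`
# style space-separated list given as $1. Prints them one per line.
bnxt_interfaces() {
    for ifname in $1; do
        case "$ifname" in
            bnxt[0-9]*) printf '%s\n' "$ifname" ;;
        esac
    done
}

# Exit status 0 (true) when the workaround is needed: at least one bnxt
# interface is present and dev.netmap.admode ($2) is not already 2.
# Meaning of dev.netmap.admode on FreeBSD: 0 = prefer native, fall back to
# emulation; 1 = native only; 2 = emulated (generic) netmap only.
workaround_needed() {
    iflist="$1"
    admode="$2"
    if [ "$admode" = "2" ]; then
        return 1          # already running emulated netmap, nothing to do
    fi
    if [ -n "$(bnxt_interfaces "$iflist")" ]; then
        return 0
    fi
    return 1
}

# Print the tunable exactly as it is entered under
# System > Settings > Tunables (name and value).
netmap_tunable() {
    printf 'dev.netmap.admode=2\n'
}

# --- demo on constructed data (mirrors the article's log excerpt) ---------
SAMPLE_DMESG='bnxt1: promiscuous mode disabled
788.968001 [ 850] iflib_netmap_config       txr 4 rxr 4 txd 256 rxd 256 rbufsz 2048
bnxt1: permanently promiscuous mode enabled
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.
bnxt1: HWRM_CFA_L2_FILTER_ALLOC command returned INVALID_PARAMS error.'
SAMPLE_IFLIST='bnxt0 bnxt1 igb0 lo0'   # constructed, as `ifconfig -l` would print
SAMPLE_ADMODE=0                         # constructed current sysctl value

errors=$(printf '%s\n' "$SAMPLE_DMESG" | count_bnxt_filter_errors)
echo "bnxt filter-alloc errors in excerpt: $errors"
if workaround_needed "$SAMPLE_IFLIST" "$SAMPLE_ADMODE"; then
    echo "Broadcom bnxt interface(s) found and admode=$SAMPLE_ADMODE: set $(netmap_tunable)"
else
    echo "No action needed"
fi
```

The demo reports three filter-allocation errors and recommends setting dev.netmap.admode=2 because bnxt interfaces are present and admode is still 0. Re-running the error count on a fresh dmesg after the tunable has been applied and IPS restarted is a quick way to confirm the symptom is gone; the tunable set through the OPNsense GUI is what persists across reboots.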



Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as a multilingual business assistant, she joined Product Management as an assistant and is responsible for translating texts and for organising the department.


Related articles

OPNsense IPsec performance test results
OPNsense OpenVPN performance tests and results
OPNsense update via web interface