[Beginner] Latency issues following quickstart guide

Hi All,

Not sure if this is the correct place to ask for help, but I’m trying to evaluate VyOS after good recommendations, and not understanding what I’m seeing. I’ve set up a test device with 25G (Intel E810, EPYC node) for evaluating, and am struggling with barely 1 Gbps throughput and stuttering/unplayable video, unable to keep streams alive. For comparison, regular old Fedora with ancient iptables does ~6G per TCP socket, no latency/DNS/stuttering.

I’ve stripped everything back to the ‘quickstart’ settings, and I’m not sure what I’m missing.

Here’s my config - any pointers would be appreciated!

vyos@vyos# show
 firewall {
     flowtable FT1 {
         description Fastpath
         interface eth0
         interface eth1
         offload software
     }
     ipv4 {
         forward {
             filter {
                 default-action drop
                 rule 10 {
                     action offload
                     description Fastpath
                     offload-target FT1
                     state established
                     state related
                 }
                 rule 20 {
                     action accept
                     inbound-interface {
                         name eth0
                     }
                     state established
                     state related
                 }
                 rule 100 {
                     action accept
                     description "Allow LAN"
                     inbound-interface {
                         name eth1
                     }
                 }
             }
         }
         input {
             filter {
                 default-action drop
                 rule 10 {
                     action accept
                     inbound-interface {
                         name eth0
                     }
                     state established
                     state related
                 }
                 rule 20 {
                     action jump
                     destination {
                         port 22
                     }
                     jump-target VyOS_MGT
                     protocol tcp
                 }
                 rule 30 {
                     action accept
                     icmp {
                         type-name echo-request
                     }
                     protocol icmp
                     state new
                 }
                 rule 40 {
                     action accept
                     destination {
                         port 53
                     }
                     protocol tcp_udp
                     source {
                         address 10.10.10.0/24
                     }
                 }
                 rule 50 {
                     action accept
                     source {
                         address 127.0.0.0/8
                     }
                 }
                 rule 100 {
                     action accept
                     description "Allow LAN"
                     inbound-interface {
                         name eth1
                     }
                 }
             }
         }
         name VyOS_MGT {
             default-action return
             rule 15 {
                 action accept
                 inbound-interface {
                     name eth1
                 }
             }
             rule 20 {
                 action drop
                 inbound-interface {
                     name eth0
                 }
                 state new
             }
         }
         output {
             filter {
                 default-action accept
             }
         }
     }
 }
 interfaces {
     ethernet eth0 {
         address dhcp
         address dhcpv6
         description WAN
         dhcpv6-options {
             pd 0 {
                 interface eth0 {
                     address 1
                 }
                 length 48
             }
         }
         hw-id xx.xx.xx.xx.xx
         ipv6 {
             address {
                 autoconf
             }
         }
         offload {
             gro
             gso
             sg
             tso
         }
     }
     ethernet eth1 {
         address 10.10.10.1/24
         description LAN
         hw-id xx.xx.xx.xx.xx
         offload {
             gro
             gso
             sg
             tso
         }
     }
     loopback lo {
     }
 }
 nat {
     source {
         rule 100 {
             outbound-interface {
                 name eth0
             }
             source {
                 address 10.10.10.0/24
             }
             translation {
                 address masquerade
             }
         }
     }
 }
 service {
     dhcp-server {
         shared-network-name LAN {
             subnet 10.10.10.0/24 {
                 lease 86400
                 option {
                     default-router 10.10.10.1
                     domain-name home.local
                 }
                 range 0 {
                     start 10.10.10.20
                     stop 10.10.10.200
                 }
                 subnet-id 1
             }
         }
     }
     dns {
         forwarding {
             allow-from 10.10.10.0/24
             cache-size 0
             dhcp eth0
             listen-address 10.10.10.1
         }
     }
     lldp {
         interface eth1 {
         }
         management-address 10.10.10.1
     }
     ntp {
         server 0.ch.pool.ntp.org {
         }
         server 1.ch.pool.ntp.org {
         }
         server 2.ch.pool.ntp.org {
         }
         server 3.ch.pool.ntp.org {
         }
     }
     ssh {
         port 22
     }
 }

I would try removing all the hardware offloads and testing, adding them one by one to see if one of them is the cause.

Also rule 20 in forward filter looks a bit odd, why wouldn’t you (normally) allow established/related in both directions?

That is, remove that “inbound-interface” for rule 20 altogether.

Same with rule 10 for input filter.

You also seem to have DNS forwarding running out to - nowhere?
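The two changes the reply proposes, stripping every NIC offload and re-adding them one at a time with a throughput test in between, and dropping the inbound-interface match from the two established/related rules, written up as a script for the router. This is an added example, not code from the poster or from the VyOS project. It assumes the VyOS 1.4 command syntax seen in the posted config, the VyOS scripting helper at /opt/vyatta/etc/functions/script-template (the documented way to run set/delete/commit from a script), an operator who runs iperf3 from a LAN host to a server beyond eth0 at each prompt, and the file name offload-bisect.sh. Off the router the template is absent, so the script only prints the batches it would commit.

```shell
#!/bin/bash
# Added example (not from the thread): bisect the NIC offloads from the
# posted config on a VyOS 1.4 router, as the reply suggests.
#
# On the router (the VyOS scripting docs require vbash):
#     vbash offload-bisect.sh eth0 eth1
# Elsewhere the script-template is absent and batches are only printed.
# Assumed: VyOS 1.4 syntax as in the posted config; the operator runs
# iperf3 from a LAN host through the router at every prompt.

OFFLOADS="gro gso sg tso"                             # the four the config enables
TEMPLATE=/opt/vyatta/etc/functions/script-template    # VyOS config-mode helpers

# One config-mode line: $1 = set|delete, $2 = interface, $3 = offload.
offload_cmd() {
    printf '%s interfaces ethernet %s offload %s\n' "$1" "$2" "$3"
}

# Step 1 of the reply: remove every offload from every listed interface.
strip_all() {
    for ifc in "$@"; do
        for f in $OFFLOADS; do offload_cmd delete "$ifc" "$f"; done
    done
}

# One offload ($2) on or off ($1 = set|delete) for every listed interface.
toggle_one() {
    local op="$1" f="$2"; shift 2
    for ifc in "$@"; do offload_cmd "$op" "$ifc" "$f"; done
}

# Step 2 of the reply: let forward rule 20 and input rule 10 match
# established/related on any interface, not only eth0.
fix_state_rules() {
    printf 'delete firewall ipv4 forward filter rule 20 inbound-interface\n'
    printf 'delete firewall ipv4 input filter rule 10 inbound-interface\n'
}

# Read a batch of config-mode lines from stdin and commit them in one
# session.  Without the VyOS template (dry run) the batch is echoed indented.
apply_batch() {
    batch=$(cat)
    if [ -r "$TEMPLATE" ]; then
        ( . "$TEMPLATE"; configure; eval "$batch"; commit; exit )
    else
        printf '%s\n' "$batch" | sed 's/^/    /'
    fi
}

# Pause so the operator can run iperf3 LAN -> WAN and record the number
# before the next batch changes the NIC state again.
measure() {
    printf '>> %s: run iperf3 from a LAN host now, then press Enter\n' "$1"
    read -r _
}

main() {
    echo "# fixing established/related rules"
    fix_state_rules | apply_batch
    echo "# baseline: all offloads removed"
    strip_all "$@" | apply_batch
    measure "no offloads"
    # Each offload is tested alone, then removed again, so a bad number
    # points at exactly one feature.  All offloads are left off at the end.
    for f in $OFFLOADS; do
        echo "# $f only"
        toggle_one set "$f" "$@" | apply_batch
        measure "$f"
        toggle_one delete "$f" "$@" | apply_batch
    done
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Each offload is committed on its own and removed again before the next one, so a drop in the iperf3 number points at a single feature rather than at a cumulative set; the batches are plain config-mode lines, so a dry run on a workstation shows exactly what will be committed. Measuring from a LAN host rather than on the router keeps the test on the forward path, which is where the flowtable rule sits.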

I’ve tried this to no difference. Not sure why, but the previous several versions of nightly builds auto-enable these offloads every reboot for my NIC.
