OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: w9hdg on November 11, 2022, 11:39:05 PM

Title: Throughput with IDS/IPS Enabled
Post by: w9hdg on November 11, 2022, 11:39:05 PM
Good Day Everyone,

I have been trying to wrap my head around the Intrusion Detection system. I have attached screenshots of the configuration that I have instead of trying to explain it all. The long and the short of it is that when I have Intrusion Detection/Intrusion Prevention enabled I see the throughput of my WAN drop from 550ish to 480 or so.

I have attached screenshots of everything I can think of. Is the IDS system just that much of a power hog? If so, perhaps the system requirements page needs an update to reflect this, because from my understanding I should be running a lot better than I am. I do know I'm a little light on RAM; that is being addressed tomorrow when my order shows up (I hope). For the observant among you, this is a virtualized install with a passed-through Intel dual-gigabit NIC.

Thanks in advance,

~T
Title: Re: Throughput with IDS/IPS Enabled
Post by: vico1959 on November 11, 2022, 11:49:08 PM
Did you disable all hardware offloading as the help on the IPS line warns you to do before enabling?
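A quick way to verify the offloading state the reply above asks about, rather than trusting the GUI checkboxes, is to read the `options=<...>` line that FreeBSD's `ifconfig` prints for each interface. The following script is an added example and is not part of this thread or of OPNsense; it parses that output and lists the offload features (checksum, TSO, LRO, VLAN hardware filtering) that are still enabled on each interface. The sample `ifconfig` text is constructed, and the set of flags treated as "offloading" is an assumption based on the toggles under Interfaces > Settings; feed it the real output of `ifconfig` on your firewall.

```python
import re
import sys

# Offload features that hand checksumming, segmentation or reassembly to the
# NIC. Suricata in IPS mode needs to see the packets as they are on the wire,
# so these should all be off on the interfaces it inspects.
# Assumption: this list mirrors OPNsense's hardware CRC / TSO / LRO / VLAN
# filtering toggles; adjust it if your driver exposes other flags.
OFFLOAD_FLAGS = {
    "RXCSUM", "TXCSUM", "RXCSUM_IPV6", "TXCSUM_IPV6",
    "TSO4", "TSO6", "VLAN_HWTSO", "LRO", "VLAN_HWFILTER",
}

# Constructed sample: what `ifconfig igb0` typically prints on FreeBSD before
# offloading has been disabled. Hex values and addresses are illustrative.
SAMPLE_BEFORE = """igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
\tether 00:11:22:33:44:55
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
"""

# Constructed sample: the same interface after the offload toggles are off.
SAMPLE_AFTER = """igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=28<VLAN_MTU,JUMBO_MTU>
\tether 00:11:22:33:44:55
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
"""

INTERFACE_RE = re.compile(r"^(\S+): flags=")
OPTIONS_RE = re.compile(r"^\s*options=[0-9a-fA-F]+<([^>]*)>")


def parse_ifconfig(text):
    """Return {interface_name: set of option flags} from FreeBSD ifconfig output.

    An interface with no options= line gets an empty set.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = OPTIONS_RE.match(line)
        if m and current is not None:
            result[current] = {flag for flag in m.group(1).split(",") if flag}
    return result


def check_offload(text):
    """Return {interface_name: sorted list of offload flags still enabled}."""
    return {
        name: sorted(flags & OFFLOAD_FLAGS)
        for name, flags in parse_ifconfig(text).items()
    }


def report(text):
    """Print one line per interface; return True if every interface is clean."""
    clean = True
    for name, enabled in check_offload(text).items():
        if enabled:
            clean = False
            print(f"{name}: offloading still enabled: {', '.join(enabled)}")
        else:
            print(f"{name}: no hardware offloading enabled")
    return clean


if __name__ == "__main__":
    # Usage on the firewall:  ifconfig | python3 check_offload.py
    # With no stdin, fall back to the constructed samples.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE + SAMPLE_AFTER
    report(text)
```

Run it as `ifconfig | python3 check_offload.py` on the firewall (or the hypervisor host, if the NIC is not passed through) and confirm every interface Suricata binds to reports no offloading; the OPNsense toggles are applied at interface reconfiguration, so a reboot or interface reset after changing them is the usual way to make the `ifconfig` output match the GUI.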
Title: Re: Throughput with IDS/IPS Enabled
Post by: Supermule on November 11, 2022, 11:54:38 PM
The short answer is yes....

But in the end it depends on the hardware at hand.
Title: Re: Throughput with IDS/IPS Enabled
Post by: w9hdg on November 12, 2022, 12:12:21 AM
Quote from: vico1959 on November 11, 2022, 11:49:08 PM
Did you disable all hardware offloading as the help on the IPS line warns you to do before enabling?

Yes I did
Title: Re: Throughput with IDS/IPS Enabled
Post by: w9hdg on November 12, 2022, 12:13:56 AM
Quote from: Supermule on November 11, 2022, 11:54:38 PM
The short answer is yes....

But in the end it depends on the hardware at hand.

Can you elaborate? It has 10 cores of a dual E5-2450 v2 setup which turbos to 2.5 GHz. Is Suricata single-threaded? If so, that would explain why throwing more cores at it doesn't seem to be really helping.
Title: Re: Throughput with IDS/IPS Enabled
Post by: vico1959 on November 18, 2022, 08:35:08 PM
Okay so other than memory use being a bit higher than I like, the rest of the hardware in that performance chart seems to be doing okay but that chart doesn't really show disk performance. If you are using a standard HD then you might try an SSD instead and see if that will help the swap file performance and therefore help your overall performance throughput. As a comparison, I am running a dedicated standalone hardware box with an i5-7400, which is only 4 cores at 3.0 GHz, 8GB of RAM and an SSD and my Internet speed is only 300/35 but I am getting the full speed with IPS enabled. It may be that there is a cap on max throughput that the software package can handle? It may be that the extra layer of running a virtualized box may have an impact? Have you heard what anyone else with a faster Internet speed is getting in comparison to you?
Title: Re: Throughput with IDS/IPS Enabled
Post by: nzkiwi68 on November 20, 2022, 09:01:50 PM
Once you have enough RAM, another performance tuning option you can select is to change the detect profile to HIGH.

Services > Intrusion Detection > Administration
(enable advanced mode to see "Detect Profile")

Also, BIOS settings are very important.
Disable P states, disable C states, disable Turbo boost.
Title: Re: Throughput with IDS/IPS Enabled
Post by: nzkiwi68 on November 20, 2022, 09:03:59 PM
Oh rats, I didn't read your post very well, I see you are virtualised.

You would need to make those BIOS changes on the hosts for the C/P states and turbo boost, but those changes will help all VMs anyway.