Hello! I have a Protectli VP4670-6 with 24 GB of RAM, an NVMe drive, and a 12-core i7 processor, along with Intel 2.5Gb network cards. I have 5 VLANs and a 3 Gbps internet connection. When IPS/IDS is disabled, using iPerf3, I get 2.3 Gbps between my laptop and the router over a wired connection. However, when I enable IDS/IPS, my speed drops to a maximum of 500 Mbps.
I thought that with this kind of hardware, I would at least get 1 Gbps or more. Am I doing something wrong? I have disabled unnecessary filters, and I'm running the latest version (12.2 from January 24, 2025), but I had the same issue even before this update.
I really want to keep network analysis enabled. Are there any tunings or optimizations I can apply? I'm not maxing out the CPU or RAM. I already applied the tunables from another post here for maximum performance, but I don't get the performance ;) and my state and mbuf usage were under 2% the majority of the time, under 1%.
I'm also not maxing out the CPU and definitely not the memory. I have the same question; I was hoping to get more throughput. So we are in the same boat (https://forum.opnsense.org/index.php?topic=38797.msg226657#msg226657), but let's help each other.
First, what are the intrusion detection settings you have?
I share my configs so you know what kind of information I'm after.
Under: Services -> ID -> Administration:
- Intrusion Detection -> Checked
- IPS Mode -> Checked
- Interfaces -> ONLY selected one interface. Which is my LAN interface.
- Pattern matcher -> Hyperscan (if your hardware allows it?)
- Under the "Download" tab, I enabled/downloaded the following rulesets:
abuse.ch/Feodo Tracker, abuse.ch/ThreatFox, abuse.ch/URLhaus, ET open/botcc, ET open/drop, ET open/dshield, ET open/emerging-dos, ET open/emerging-exploit, ET open/emerging-exploit_kit, ET open/emerging-phishing, ET open/emerging-scan, ET open/emerging-shellcode, ET open/emerging-sql, ET open/emerging-web_server, ET open/emerging-worm
Then I go to: Services -> ID -> Policy (https://forum.opnsense.org/index.php?topic=37466.msg226815#msg226815).
Create a new policy:
- Enabled -> Checked
- Rulesets -> Selecting all of the above (which I downloaded)
- Action -> Alert
- New action -> Drop
Please, share your setup.
Last but not least, what kind of tunables did you apply?
https://imgur.com/BWRwlW8
https://imgur.com/JMoq8gy
https://imgur.com/rLQ22Mn
https://imgur.com/OnP74Pv
https://imgur.com/patIvfc
https://imgur.com/ceas4s9
iperf when on my LAN
https://imgur.com/ptfIGvE
iperf on a VLAN
https://imgur.com/RoqLg5E
and the IDS/IPS settings
https://imgur.com/i4k3XCM
https://imgur.com/cv8lzP6
https://imgur.com/iRDoQlf
https://imgur.com/MQoZCv8
Sorry for the links; inserting images doesn't seem to work with ( [img][img/] ).
Wow, uhmm, ok.
- Do NOT enable IDS/IPS on VLAN interfaces. You also do not need to select WAN. Then also uncheck "Promiscuous mode", and uncheck "Enable syslog alerts" (unless you have a good reason to have syslog alerts?).
- Then also, which rulesets did you download? You didn't show that. I hope you didn't download all of them... That is also a bad idea.
- Last but not least, you are setting all the rules to "Alert", meaning you do not even block any request with your current IPS setup. Why?
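A way to check two of the points raised in this thread from the engine's own log rather than from screenshots: how much traffic Suricata actually processed, and whether the policy is dropping anything or only alerting (the "all rules set to Alert" issue above). This is an added example for the thread, not code from OPNsense or from either poster. It assumes Suricata's EVE JSON output (on OPNsense normally /var/log/suricata/eve.json), one JSON object per line, with "stats" events carrying stats.uptime, stats.decoder.pkts and stats.decoder.bytes, and "alert" events carrying alert.action ("allowed" or "blocked"), alert.signature_id and alert.category. The sample log lines embedded below are constructed for the example.

```python
"""Summarise a Suricata eve.json log: traffic seen by the engine and whether
matched rules were merely alerted on ("allowed") or actually dropped ("blocked").

Added example for this forum thread; not OPNsense's own tooling.
Assumed input: EVE JSON lines as written by Suricata (path on OPNsense is
normally /var/log/suricata/eve.json). The sample below is constructed.
"""
import json
from collections import Counter

# Constructed sample: two cumulative stats events, three alerts, one flow
# event and one junk line, to exercise the skip path.
SAMPLE_EVE = """\
{"timestamp":"2025-01-25T10:00:00.000000+0000","event_type":"stats","stats":{"uptime":60,"decoder":{"pkts":120000,"bytes":150000000}}}
{"timestamp":"2025-01-25T10:00:05.000000+0000","event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.5","alert":{"action":"allowed","signature_id":2400000,"signature":"ET DROP Spamhaus DROP Listed Traffic Inbound group 1","category":"Misc Attack"}}
{"timestamp":"2025-01-25T10:00:07.000000+0000","event_type":"alert","src_ip":"192.0.2.11","dest_ip":"198.51.100.6","alert":{"action":"blocked","signature_id":2400000,"signature":"ET DROP Spamhaus DROP Listed Traffic Inbound group 1","category":"Misc Attack"}}
{"timestamp":"2025-01-25T10:00:09.000000+0000","event_type":"alert","src_ip":"192.0.2.12","dest_ip":"198.51.100.7","alert":{"action":"allowed","signature_id":2008578,"signature":"ET SCAN Sipvicious Scan","category":"Attempted Information Leak"}}
{"timestamp":"2025-01-25T10:01:00.000000+0000","event_type":"stats","stats":{"uptime":120,"decoder":{"pkts":250000,"bytes":310000000}}}
{"timestamp":"2025-01-25T10:01:00.000000+0000","event_type":"flow","flow":{"pkts_toserver":3}}
this line is not JSON and must be skipped
"""


def summarize_eve(text):
    """Parse EVE JSON lines and return a summary dict.

    Suricata's stats counters are cumulative since engine start, so only the
    last stats event is kept. Alerts are counted per action and per signature
    so that rules that only ever alert (never drop) can be listed.
    """
    last_stats = None
    actions = Counter()
    per_sig = Counter()
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # eve.json can contain partial last lines
            continue
        etype = ev.get("event_type")
        if etype == "stats":
            last_stats = ev.get("stats", {})
        elif etype == "alert":
            a = ev.get("alert", {})
            action = a.get("action", "unknown")
            actions[action] += 1
            per_sig[(a.get("signature_id"), action)] += 1

    decoder = (last_stats or {}).get("decoder", {})
    uptime = (last_stats or {}).get("uptime", 0)
    pkts = decoder.get("pkts", 0)
    nbytes = decoder.get("bytes", 0)
    allowed_sids = {sid for (sid, act) in per_sig if act == "allowed"}
    blocked_sids = {sid for (sid, act) in per_sig if act == "blocked"}
    return {
        "pkts": pkts,
        "bytes": nbytes,
        # average rate the engine has seen since start, in Mbit/s
        "avg_mbps": (nbytes * 8 / uptime / 1e6) if uptime else 0.0,
        "alerts_allowed": actions["allowed"],
        "alerts_blocked": actions["blocked"],
        # signatures that fired but were never dropped: alert-only policy
        "alert_only_sids": sorted(allowed_sids - blocked_sids),
        "skipped_lines": skipped,
    }


def ips_is_dropping(summary):
    """True when at least one matched rule was actually dropped by IPS."""
    return summary["alerts_blocked"] > 0


if __name__ == "__main__":
    s = summarize_eve(SAMPLE_EVE)
    for k, v in s.items():
        print(f"{k}: {v}")
    print("IPS dropping anything:", ips_is_dropping(s))
```

On a live box, replace SAMPLE_EVE with the contents of eve.json (read it in chunks if it is large); a long list in alert_only_sids with zero blocked alerts is the "everything is set to Alert" situation described above, and avg_mbps gives the rate the engine actually processed, independent of what iperf reports end to end.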