Another strange thing I noticed after upgrading to 18.1.r1:
With 18.1.r1, IDS+IPS enabled, download speed decreased to about half, ~550Mbit/s. Disabling IDS+IPS, I'm back to my full speed, ~980Mbit/s.
Same IDS+IPS rules, same everything, but with 17.7.11: ~980Mbit/s
IDS+IPS was up and running in both cases, as I could see my own rules being blocked, some other rules being blocked, exceptions being passed and so on...
This https://forum.opnsense.org/index.php?topic=6590.0 actually made things worse for me, so I deleted the stuff I added (while I was on 17.7.11)...
I'm also confident that the alerts reflected the reality, as it blocked eicar for example, or other wicar tests or other custom rules with both versions...
You can try to boot the 17.7 kernel and see if that is the cause:
# opnsense-update -kr 17.7.10 -n "17.7\/sets"
Running this will bring you back to the 18.1.r1 kernel:
# opnsense-update -k
(Don't forget the reboot in both cases)
Cheers,
Franco
Nope.. same thing unfortunately...
That's good and bad at the same time. :o
Maybe the new NAT rule framework makes this slower? Although in that case IDS/IPS switching shouldn't matter.
Next thing would be to use the old Suricata binary on top of the 11.1 kernel:
# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/17.7/MINT/17.7.11/OpenSSL/All/suricata-4.0.3.txz
Cheers,
Franco
Nope.. this didn't help either.
Furthermore, I just noticed Suricata eats a lot of CPU now while speedtesting. Didn't notice this before.
Take a look at the attached image.
I think, for some reason, the quad core 3.6GHz i3-8100 is maxed out now, at least on one core, as 25% CPU corresponds to one core maxing out.
I think for some reason it worked with multi-core CPUs before (multiple threads, maybe), but not anymore. Is this possible?
OK, this made me think about the CPU usage... for some reason I missed that promiscuous mode was enabled. This was the cause. Disabling it obviously fixed it :)
Apologies.
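A small check for the cause found above, added here and not taken from the thread: it parses FreeBSD `ifconfig` output and lists the interfaces whose flag set contains PROMISC (or the user-set PPROMISC form), so a box whose IDS/IPS throughput dropped can be checked quickly. The sample output is constructed, not captured from a real system.

```sh
#!/bin/sh
# List interfaces in promiscuous mode by parsing FreeBSD `ifconfig` output.
# Reads ifconfig text on stdin and prints one interface name per line.
promisc_ifaces() {
    awk '
        # FreeBSD prints the flag list on the same line as the interface name:
        #   igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> ...
        # Indented option/address lines never start with an interface name, so
        # only the header line of each interface block is examined.
        /^[A-Za-z0-9_.]+: flags=[0-9a-fA-F]+</ {
            flags = $0
            sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
            # Match PROMISC or PPROMISC as a whole comma-separated token so a
            # substring of some other flag can never produce a false positive.
            if (("," flags ",") ~ /,P?PROMISC,/) {
                name = $1; sub(/:$/, "", name); print name
            }
        }'
}

# Exit 0 when no interface is promiscuous, non-zero otherwise (health check use).
check_no_promisc() {
    [ -z "$(promisc_ifaces)" ]
}

# Constructed sample output (addresses from documentation ranges), for a
# stand-alone run; on a live system feed the real `ifconfig` output instead.
SAMPLE_IFCONFIG='igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces
```

On a live box run `ifconfig | promisc_ifaces` instead of the sample; an empty result means no interface is promiscuous.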
Whew, glad to hear that! 8)
Perhaps something to put in dcol's sticky tuning guide?
So far I only touched on tunables in the guide, but I updated to include other IPS settings. Thanks
Having the same problem regarding the performance as long as IPS is enabled. I got 250/25Mbit in the past and now have max 150/25. The Suricata process in top is using only one core - is this how it should be?
What else can I do to troubleshoot? As soon as I disable IPS, it becomes fast as mentioned above.
//Edit: sorry for complaining about OPNsense - it turned out that a Debian VM's Java process stresses the CPU really hard, so all other VMs had no CPU cycles left for themselves.
All is working fine - thanks for working so hard on OPNsense!
I'm having the same issue... I don't have promiscuous mode selected and am running 18.1.2_2. I'm losing about 1/4 of my download speed with it enabled. CPU usage is next to nothing and my RAM usage is about 20%, so I don't see where the bottleneck would be hardware-wise. I used the instructions provided by the OPNsense how-to docs.
This should help: https://forum.opnsense.org/index.php?topic=6590.0
The tunables must be properly set though, according to your system. In other words, search the ones mentioned in dcol's post in your system and modify them as instructed.