OPNsense Forum

English Forums => Hardware and Performance => Topic started by: seed on May 13, 2022, 11:52:46 am

Title: Hardware for 10GBE IPS questions
Post by: seed on May 13, 2022, 11:52:46 am
Hello all,

Are any of you running Suricata with 10Gb throughput in intrusion prevention mode?

If yes:
How many rules are used?
What hardware is used? (CPU, NIC...)

Which OPNsense version is used in the setup?

Title: Re: Hardware for 10GBE IPS questions
Post by: seed on May 26, 2022, 08:33:09 pm
Looks like classic CPUs are not able to process the traffic. FPGAs or Smart NICs should process the traffic. It will probably take a few more years until such hardware is widely available.

Title: Re: Hardware for 10GBE IPS questions
Post by: mimugmail on May 26, 2022, 08:53:24 pm
I never saw more than 3.5 Gbit... but I also didn't test against FreeBSD 13 yet.

Title: Re: Hardware for 10GBE IPS questions
Post by: seed on May 26, 2022, 09:58:10 pm
I had wondered why firewall manufacturers like Sophos and Fortigate quote such high intrusion prevention throughput rates for their hardware.
It looks like they are using a co-processor for this task. It must be an FPGA. Or they cheat and create firewall rules dynamically and kill the state when the IDS sends an alert.

Napatech is already allowing Suricata offloading:
https://suricata.readthedocs.io/en/suricata-6.0.0/capture-hardware/napatech.html
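The post above speculates that some vendors reach their quoted IPS numbers by reacting to IDS alerts after the fact (adding firewall rules and killing the flow's state) rather than inspecting every packet inline. The following is an added illustration of that alert-driven mechanism on an OPNsense/FreeBSD pf host; it is not code from the thread, from OPNsense or from any vendor. It parses Suricata EVE JSON alert records (constructed samples embedded below, not a real capture), keeps only alerts at or above a severity threshold, de-duplicates source addresses, and returns the `pfctl` commands it would run (table add and state kill) as a dry-run list instead of executing them. The table name `ids_block` and the severity cutoff are assumptions.

```python
import json

# Constructed sample EVE JSON records (not a real capture); one JSON object per line,
# as Suricata writes eve.json. Severity 1 is the most urgent in Suricata's scale.
SAMPLE_EVE = "\n".join([
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10",
                "alert": {"signature_id": 1000001, "signature": "EXAMPLE high", "severity": 1}}),
    json.dumps({"event_type": "flow", "src_ip": "203.0.113.8", "dest_ip": "192.0.2.10"}),
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.9", "dest_ip": "192.0.2.10",
                "alert": {"signature_id": 1000002, "signature": "EXAMPLE low", "severity": 3}}),
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.11",
                "alert": {"signature_id": 1000003, "signature": "EXAMPLE repeat", "severity": 2}}),
    "this line is not json",  # simulates a truncated/corrupt line in the log
])

BLOCK_TABLE = "ids_block"  # hypothetical pf table; a rule such as "block in quick from <ids_block>" must reference it


def parse_alerts(eve_text, max_severity=2):
    """Return alert records whose severity is max_severity or more urgent (1 = highest).

    Non-alert events (flow, dns, ...) and unparseable lines are skipped, so a partially
    written line at the tail of eve.json does not abort processing.
    """
    alerts = []
    for line in eve_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        severity = rec.get("alert", {}).get("severity")
        if severity is None or severity > max_severity:
            continue
        alerts.append(rec)
    return alerts


def plan_block_commands(alerts, table=BLOCK_TABLE):
    """Build the pfctl commands for each distinct offending source address (dry run).

    "pfctl -t TABLE -T add IP" puts the address in the table that the block rule
    consults; "pfctl -k IP" kills existing state entries originating from that host,
    which is the "kill the state" step the post describes.
    """
    commands = []
    blocked = set()
    for rec in alerts:
        ip = rec["src_ip"]
        if ip in blocked:
            continue  # one table entry and one state kill per address is enough
        blocked.add(ip)
        commands.append(f"pfctl -t {table} -T add {ip}")
        commands.append(f"pfctl -k {ip}")
    return commands


if __name__ == "__main__":
    for cmd in plan_block_commands(parse_alerts(SAMPLE_EVE)):
        print(cmd)
```

Run as-is it only prints the two commands for `203.0.113.7`; the severity-3 alert and the flow record are ignored, and the repeat alert from the same host adds nothing. What the illustration makes visible is the trade-off behind the post's remark: the first packets of a flow always get through before the block lands, and blocking by source address is only safe where that address cannot be shared or spoofed, which is why this is a complement to inline inspection rather than a substitute for it.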