OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Joerg on June 15, 2016, 11:05:48 am

Title: Intrusion Detection performance issue
Post by: Joerg on June 15, 2016, 11:05:48 am
Hi,

I'm using the latest updated OPNsense on a ZOTAC CI323 nano cube. I configured a physical WAN interface and one LAN interface with some VLANs.
So far the performance is really great.
As soon as I activate Intrusion Detection IPS mode, the download rate goes down by 30%.
The CPU load is below 20% then.
If I activate the abuse.ch/* rules, the Internet connection drops after a few minutes. In the alert tab I do not see any dropped packets.

Any Idea or in which area I should look?
Title: Re: Intrusion Detection performance issue
Post by: phoenix on June 15, 2016, 11:08:44 am
In my experience lack of RAM is usually the killer with IPS, how much RAM is on your system?
Title: Re: Intrusion Detection performance issue
Post by: Joerg on June 15, 2016, 11:26:31 am
I'm using 8068 MB

I tested it again. Starting a download does not raise the memory usage, which is at 10%. It seems that simply the WAN interface status says offline.
Title: Re: Intrusion Detection performance issue
Post by: phoenix on June 15, 2016, 11:31:33 am
I'm using 8068 MB
I guess that should be enough  :D

Are you actually using it as an IDS or have you enabled IPS mode and how many rules are you checking and blocking (is it just the ones you mentioned earlier)? I've used this on an ESXi VM with 2GB of RAM without any great problems, I'm not a developer so I'm really just asking for a bit of clarification of what you're doing.
Title: Re: Intrusion Detection performance issue
Post by: Joerg on June 15, 2016, 11:38:13 am
I just use the rulesets:
abuse.ch/Dyre SSL IPBL
abuse.ch/Feodo Tracker
abuse.ch/SSL Fingerprint Blacklist
abuse.ch/SSL IP Blacklist

This of course loaded 2294 rules.
Title: Re: Intrusion Detection performance issue
Post by: Joerg on June 16, 2016, 11:10:40 am
So I just tested it again.
As soon as I activate IPS mode, the WAN interface goes offline in less than 4 minutes.

Are there some logfiles or settings which I can check?
Title: Re: Intrusion Detection performance issue
Post by: jschellevis on June 16, 2016, 11:22:20 am
Just to be sure: Did you disable all hardware offloading?

If so, it could be that the network chip is not very well supported by Netmap. Can you tell us what network chip is in that device?
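The two checks asked about in the post above, as an added example in shell for the FreeBSD base that OPNsense runs on (this is not code from the thread or from the OPNsense project). The script parses the `options=...` list that `ifconfig <interface>` prints and reports any hardware-offload capability that is still enabled, since Netmap-based IPS needs all of them off; it also prints the `ifconfig` command that turns them off (the persistent way is the offloading checkboxes under Interfaces > Settings in the GUI). The two `re0` outputs below are constructed samples, and `0x8209b`/`0x82018` are the capability bitmasks FreeBSD prints for exactly those flag sets. The NIC chip itself can be read with `pciconf -lv` on the box.

```shell
#!/bin/sh
# Added example, not from the thread: report hardware-offload features
# still enabled on a FreeBSD/OPNsense interface, from the "options=..."
# line of `ifconfig <if>`. Netmap-based IPS needs these switched off.

# Offload capabilities as named by FreeBSD ifconfig(8).
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWCSUM VLAN_HWTSO"

# Constructed sample: a Realtek re0 with checksum offload still enabled
# (0x8209b is the bitmask FreeBSD prints for exactly these flags).
SAMPLE_BEFORE='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:01:2e:aa:bb:cc
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active'

# Constructed sample: the same NIC after disabling offloading.
SAMPLE_AFTER='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82018<VLAN_MTU,VLAN_HWTAGGING,WOL_MAGIC,LINKSTATE>
        ether 00:01:2e:aa:bb:cc
        status: active'

# offload_flags: read ifconfig output on stdin, print each offload
# capability that is still enabled, one per line (no output = all off).
offload_flags() {
    # pull the <...> list out of the options= line, one flag per line
    flags=$(sed -n 's/.*options=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p' | tr ',' '\n')
    for f in $OFFLOAD_FLAGS; do
        printf '%s\n' "$flags" | grep -qx "$f" && printf '%s\n' "$f"
    done
    return 0
}

# disable_cmd: print the ifconfig command that turns all of them off for
# the given interface (non-persistent; the GUI checkboxes survive reboots).
disable_cmd() {
    printf 'ifconfig %s -rxcsum -txcsum -rxcsum6 -txcsum6 -tso -lro -vlanhwcsum -vlanhwtso\n' "$1"
}

if [ -n "${1:-}" ]; then
    # On the firewall: check a real interface, e.g. ./offload.sh re0
    ifconfig "$1" | offload_flags
else
    echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | offload_flags
    echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | offload_flags
    disable_cmd re0
fi
```

Run without arguments it demonstrates on the constructed samples (the "before" NIC still has RXCSUM, TXCSUM and VLAN_HWCSUM on); run as `./offload.sh re0` on the firewall it checks the live interface. Flags such as VLAN_MTU and VLAN_HWTAGGING are deliberately not reported, as they are not offload engines.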
Title: Re: Intrusion Detection performance issue
Post by: Joerg on June 16, 2016, 01:24:19 pm
So far I found out that there is a Realtek RTL8111/8168/8169/8411 chip inside. I found this on the net, so I can check when I'm home. Or is there a way to see that?

And of course I disabled all hardware offloading.  :P
Title: Re: Intrusion Detection performance issue
Post by: Joerg on June 16, 2016, 01:31:22 pm
This is the output of the log this morning in the GUI:

Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***
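Turning the apinger lines above into outage intervals, as an added example in shell/awk (not code from the thread or from OPNsense): it pairs each `ALARM ... down` with the later `alarm canceled` for the same gateway and prints how long that gateway was down, which is the number to correlate with the moment IPS was switched on. The six log lines from the post are embedded as the sample input, kept with the `MY-WANIP` placeholder and in the newest-first order the GUI shows. Assumptions: all lines fall within one day (the arithmetic uses HH:MM:SS only) and gateway names contain no spaces.

```shell
#!/bin/sh
# Added example, not from the thread: pair apinger "down" alarms with the
# matching "alarm canceled" line per gateway and print outage durations.

# Sample input: the six lines from the post, newest first as the GUI shows them.
SAMPLE_APINGER='Jun 16 08:17:38 apinger: alarm canceled: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:17:37 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:17:10 apinger: ALARM: WANGW(MY-WANIP) *** down ***
Jun 16 08:12:17 apinger: alarm canceled: WANGW(MY-WANIP) *** down ***
Jun 16 08:09:34 apinger: ALARM: VLAN11_USGW(192.168.2.1) *** down ***
Jun 16 08:09:33 apinger: ALARM: WANGW(MY-WANIP) *** down ***'

# gateway_outages: read apinger log lines on stdin and print
# "<gateway> <down-at> <up-at> <seconds>" for every completed outage.
# Assumes all lines are from the same day (HH:MM:SS arithmetic only).
gateway_outages() {
    awk '
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    function handle(line,  f, gw) {
        split(line, f, " ")
        if (f[5] == "ALARM:") {                              # gateway went down
            gw = f[6]; sub(/\(.*/, "", gw)                   # strip "(address)"
            down[gw] = f[3]
        } else if (f[5] == "alarm" && f[6] == "canceled:") { # gateway back up
            gw = f[7]; sub(/\(.*/, "", gw)
            if (gw in down) {
                printf "%s %s %s %d\n", gw, down[gw], f[3], secs(f[3]) - secs(down[gw])
                delete down[gw]
            }
        }
    }
    /apinger:/ { L[++n] = $0 }
    END {
        if (n == 0) exit
        # The GUI lists newest first; walk the lines oldest-first either way.
        split(L[1], a, " "); split(L[n], b, " ")
        if (secs(a[3]) > secs(b[3])) { for (i = n; i >= 1; i--) handle(L[i]) }
        else                         { for (i = 1; i <= n; i++) handle(L[i]) }
    }'
}

# longest_outage: the single longest completed outage as "<gateway> <seconds>".
longest_outage() {
    gateway_outages | awk '$4 > max { max = $4; gw = $1 } END { if (gw != "") print gw, max }'
}

if [ -n "${1:-}" ]; then
    gateway_outages < "$1"            # e.g. ./outages.sh <saved gateway log>
else
    printf '%s\n' "$SAMPLE_APINGER" | gateway_outages
    printf '%s\n' "$SAMPLE_APINGER" | longest_outage
fi
```

On the sample this yields two WAN outages (164 s and 27 s) and one of 484 s for the VLAN11 gateway, so the VLAN gateway was unreachable for the whole time the WAN was flapping; an alarm that is never canceled (a gateway still down at the end of the log) is intentionally not printed.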
Title: Re: Intrusion Detection performance issue
Post by: franco on June 21, 2016, 09:16:01 pm
Hi Jörg,

There were several threads where Realtek turned out to be a letdown and only replacing the NICs helped amend the system, e.g.:

https://forum.opnsense.org/index.php?topic=2306


Cheers,
Franco