Messages - dl3it

#2
Thanks.... Got it...

Best results with Hyperscan and profile "High"... Abt. 780Mb/s with 8556 rules. The changes between the profiles are marginal; between 740MB/s and 780Mb/s.
The other algorithms are far slower... Maximum 400Mb/s, down to 140Mb/s... With any profile.

Current "optimum" settings attached.

If I can test anything special for you, feel free to ask  8)
#3
I did an ISO upgrade and 20.7 with 12.1 is running now. Currently ~8000 rules are activated, IDS and IPS enabled, Hyperscan gives abt. 850MB/s. The other algorithms gave significantly worse results; down to 100MB/s.
Do you have any hints for me regarding the profile? Do I have to edit the settings file, or can this be done by GUI?
#4
That's what it looks like now....

#5
I changed to development firmware upgrade. It's 20.7 now, but still with 11.2 BSD.
Performance is significantly improved. I can run now IDS and IPS, with increased rule set (~3000) at 1GB/s; with Hyperscan and net.bpf.zerocopy_enabled=1. The load goes to slightly more than 1 without IPS, and close to 2 with IPS enabled. Powerd is set to hiactive.
#6
I use Hyperscan, promiscuous mode (due to VLANs), IDS enabled, IPS disabled. Currently abt. 1900 rules are enabled. But there is still some space for more, until I lose the 1 Gbit/s.
Where do you configure the CPU usage? I don't have such an option, even in advanced mode. I run a 4 core CPU (AMD FX-8800 P), where 3 cores most of the time feel quite bored  ;D
#7
That's a superb question... When I check the settings with sysctl -A | grep dev.igb, everything is fine; which means it is set to 0. Obviously, it isn't; else, I would not expect to see any change regarding the throughput when typing the settings on console...
And, how can I be sure that the other settings related to the NICs are applied correctly? They all show up fine; but who knows ...
Btw, I disabled IPS; just checking is active. I run a small and well controlled network. I just want to know, in case of some possible problems. With IPS enabled, I achieved close to 300M... 8 cores don't help, afaik... It looks like only one core is used.
#8
I had performance problems while connecting a Fritzbox 6591 to my opnsense box. The trick with the fc works fine for me; full 1GB/s throughput; before just ~300MB/s.

But... I added the commands to tunables (GUI) and /boot/loader.conf.local. After reboot, dev.igb.x.fc is set to 0, but it does not speed up the things. After entering "sysctl dev.igb.x.fc=0" by hand from console, things speed up magically. It looks like the commands are not working when executed from /boot/loader.conf.x ...

/boot/loader.conf.local:

### loader.conf.local

# Flow Control (FC): 0 = Disabled, 1 = Rx Pause, 2 = Tx Pause, 3 = Full FC
hw.igb.0.fc=0
hw.igb.1.fc=0
dev.igb.0.fc=0
dev.igb.1.fc=0

# Set number of queues to number of cores divided by number of ports, 0 lets FreeBSD decide (should be default)
hw.igb.num_queues=0
# Increase packet descriptors (set as 1024, 2048 or 4096 ONLY)
hw.igb.rxd="2048" # Default = 1024
hw.igb.txd="2048"
net.link.ifqmaxlen="4096" # Sum of above two (default = 50)

# Increase network efficiency (Adaptive Interrupt Moderation, should be default)
hw.igb.enable_aim=1

# Increase interrupt rate # Default = 8000
hw.igb.max_interrupt_rate="64000"

# Fast interrupt handling, allows NIC to process packets as fast as they are received (should be default)
hw.igb.enable_msix=1
hw.pci.enable_msix=1

# Unlimited packet processing
hw.igb.rx_process_limit="-1"
hw.igb.tx_process_limit="-1"



and the rest of /boot/loader.conf:

...

net.inet.ip.redirect="0"
net.inet.icmp.drop_redirect="1"
hw.igb.1.fc="0"
dev.igb.1.fc="0"
hw.igb.0.fc="0"
dev.igb.0.fc="0"

# dynamically generated console settings follow
#comconsole_speed
#boot_multicons
#boot_serial
#kern.vty
console="vidconsole"


The NIC is a i350-T2.
opnsense is pretty new for me, and I have no idea what I am doing wrong... any help is welcome :-)
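The question in #7 ("how can I be sure that the other settings related to the NICs are applied correctly?") and the loader.conf.local above can be answered with a check rather than a guess. The following script is an added example, not code from this thread or from OPNsense: it reads a loader.conf-style file, reads a saved `sysctl -A` dump, and reports every requested tunable that the live kernel either does not expose or reports with a different value. Both input files below are constructed so it runs offline; the file names and the sample values are assumptions.

```shell
#!/bin/sh
# Added verification example (not from the thread): compare the tunables a
# loader.conf-style file requests with what the running kernel reports via
# `sysctl -A`. On a real box, pass /boot/loader.conf.local and the saved
# output of `sysctl -A` instead of the constructed files created below.

# Normalise loader.conf lines to "key value": drop comments, blanks and quotes.
parse_loader_conf() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
    sed -E 's/^[[:space:]]*([^=[:space:]]+)[[:space:]]*=[[:space:]]*"?([^"[:space:]]*)"?.*$/\1 \2/'
}

# Normalise `sysctl -A` output ("key: value") to "key value".
parse_sysctl() {
    sed -E -n 's/^([^:[:space:]]+):[[:space:]]*(.*)$/\1 \2/p' "$1"
}

# Print one line per requested tunable that is absent from the live sysctl
# tree (MISSING) or carries a different value (MISMATCH); silent when all match.
# Only the first word of a live value is compared, which is enough for numbers.
check_tunables() {
    live=$(parse_sysctl "$2")
    parse_loader_conf "$1" | while read -r key want; do
        have=$(printf '%s\n' "$live" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (requested %s, not a sysctl node)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s requested=%s live=%s\n' "$key" "$want" "$have"
        fi
    done
}

# Constructed inputs: a loader.conf.local fragment and a fake `sysctl -A` dump
# in which flow control on igb0 is still at 3 (full FC) despite the tunable.
cat > /tmp/want.conf <<'EOF'
# Flow Control (FC): 0 = Disabled
hw.igb.0.fc=0
dev.igb.0.fc=0
hw.igb.rxd="2048" # Default = 1024
hw.igb.enable_aim=1
EOF
cat > /tmp/live.txt <<'EOF'
dev.igb.0.fc: 3
hw.igb.rxd: 2048
hw.igb.enable_aim: 1
EOF

check_tunables /tmp/want.conf /tmp/live.txt
```

An empty report means every value in the file is what the kernel shows; a MISMATCH on a dev.* key after reboot is the sign that the loader-time setting was not honoured and a runtime sysctl is still needed.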

#9
I use the following setup:

Internet (cable 1Gb/s) -> FritzBox 6591 -> Opnsense -> LAN
                                                               -> PC (DMZ)

The FritzBox is connected to a PC and the opnsense router (AMD A10-8800, Intel NIC i350-T2).
Running iperf3 on the PC, I get almost 1Gb/s from the PC to wherever (LAN or Internet), in all directions. Running iperf3 from LAN to Internet, the throughput is only ~200Mb/s.
I played with lots of MTU/MSS settings; no influence on throughput. I don't run any services; it's a fresh setup.
I tried "exposed host" in FB; no change.

Any ideas are happily welcome :-)