
Messages - jeffmcfarlin

#1
Yes, hardware offloading is disabled. I've got 1g/1g for internet. I've read about people using Zenarmor in conjunction with Suricata, like ZA on the LAN and Suricata on the WAN. Hmm. Lots to think about.

Jeff
#2
New to OpnSense, but really liking it so far.

Have IDS/IPS up using abuse.ch* and ET.telemetry* on the LAN interface on - Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (4 cores, 4 threads), w/8G memory, 2 Broadcom BCM57xx single port cards with a typical NAT setup (FiOS single static IP WAN, and ~75 or so devices behind the firewall on a single /24 LAN).

I'm seeing about a 20% performance hit in terms of raw throughput when in IPS mode on outbound traffic through the FW to the internet with the above setup. Seems about right? (216,358 rules in total, all in alert mode for the moment.)

Jeff
#3
Went with a single free ngrok tunnel for that last service to expose it on the Starlink side. Yay!

Now to get the IDS/IPS stuff configured.

Jeff
#4
Great idea - that worked for 6 of the 7 services/devices I needed to expose. The final one is an Elk Products M1 Gold security panel ethernet card/add-on (static IP, proprietary encrypted protocol). Still messing around with it.

Thanks!

Jeff
#5
Ok guys, I've got an interesting one that I can't seem to figure out. I'm new to OpnSense, but not to networking etc. I just replaced my main home FW with OpnSense, and I should've done this years ago tbh. I've tried all sorts of stuff and I just can't seem to get this to work. I'm thinking there must be a way.

To wit:

SiteA is home (static FiOS)
SiteB is remote (behind Starlink [CGNAT])

Both sites have a single /24 and a single OpnSense FW as the main FW.

192.168.100.2/24 (SiteA)
192.168.0.1/24 (SiteB)

I've built my OpenVPN tunnel (SiteA server, SiteB client) and all is working perfectly. I simply would like to expose services at SiteB to the www via SiteA. There are other services (mostly paid) that can do this, but I don't want to go that route. I'd prefer to do this via OpnSense and the VPN tunnel. This was working before when SiteB was on Exede/Viasat, which provides a real IP, but now, well - Starlink. You understand.

Anyway - thoughts?

Jeff