IDS/IPS performance hit - does this look normal...

Started by jeffmcfarlin, January 06, 2023, 07:49:09 PM

January 06, 2023, 07:49:09 PM Last Edit: January 06, 2023, 07:53:17 PM by jeffmcfarlin
New to OpnSense, but really liking it so far.

Have IDS/IPS up using abuse.ch* and ET.telemetry* on the LAN interface on - Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (4 cores, 4 threads), w/8G memory, 2 Broadcom BCM57xx single port cards with a typical NAT setup (FiOS single static IP WAN, and ~75 or so devices behind the firewall on a single /24 LAN).

I'm seeing about a 20% performance hit in terms of raw throughput when in IPS mode on outbound traffic through the FW to the internet with the above setup. Seem about right? (216,358 rules in total, all in alert mode for the moment.)

Jeff

Quote from: jeffmcfarlin on January 06, 2023, 07:49:09 PM
New to OpnSense, but really liking it so far. Using abuse.ch* and ET.telemetry* on the LAN interface on - Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (4 cores, 4 threads), w/8G memory, 2 Broadcom BCM57xx single port cards with a typical NAT setup (FiOS single static IP, and ~75 or so devices behind the firewall on a single /24).

I'm seeing about a 20% performance hit when in IPS mode on outbound traffic through the FW to the internet with the above setup. Seem about right? (216,358 rules)

Jeff

I wouldn't expect a huge hit, your CPU is decent. Have you disabled hardware offloading under Interfaces > Settings? I have an i3-9100 with 8 GB of RAM as well, and 1200Mbps Xfinity, and the performance hit is imperceptible to me. However I haven't used Suricata on my internal interfaces in some time now. I only use it on my DMZ interface that hosts a few sites/game servers and Zenarmor on my other interfaces.
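The offloading question above is worth verifying at the OS level rather than only in the GUI, because Suricata in IPS (netmap) mode sees packets before the NIC reassembles or checksums them, and leftover TSO/LRO/checksum offload is a common cause of both throughput loss and missed detections. The script below is an added example, not something posted in this thread or shipped with OPNsense: it reads `ifconfig` output for an interface and reports which offload flags are still enabled. The two `ifconfig` samples are constructed, and the interface name `bge0` is assumed (Broadcom BCM57xx cards typically appear as `bge` or `bnx` on FreeBSD).

```shell
#!/bin/sh
# Constructed sample ifconfig output (not captured from the poster's box);
# the options=<...> line is the part we parse.
SAMPLE_OFFLOAD_ON='bge0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
	ether 00:00:00:00:00:01'
SAMPLE_OFFLOAD_OFF='bge0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80008<VLAN_MTU,LINKSTATE>
	ether 00:00:00:00:00:01'

# Offload features that should be off on an interface Suricata inspects inline.
OFFLOAD_FLAGS="RXCSUM TXCSUM TSO4 TSO6 LRO VLAN_HWCSUM VLAN_HWTSO"

# offload_flags_enabled: read ifconfig text on stdin, print the offload flags
# that are still enabled (space separated, in ifconfig order); prints nothing
# when none of them are on.
offload_flags_enabled() {
    opts=$(sed -n 's/.*options=[0-9a-f]*<\([^>]*\)>.*/\1/p' | tr ',' ' ')
    found=""
    for f in $opts; do
        for o in $OFFLOAD_FLAGS; do
            [ "$f" = "$o" ] && found="$found $f"
        done
    done
    printf '%s\n' "$found" | sed 's/^ //'
}

# check_interface_text: given ifconfig text as $1, return 0 when no offload
# flag is enabled and 1 otherwise, with a one-line summary on stdout.
check_interface_text() {
    enabled=$(printf '%s\n' "$1" | offload_flags_enabled)
    if [ -n "$enabled" ]; then
        echo "offloading still enabled: $enabled"
        return 1
    fi
    echo "offloading disabled"
    return 0
}

# check_live_interface: same check against the running system, e.g.
#   check_live_interface bge0
check_live_interface() {
    check_interface_text "$(ifconfig "$1")"
}

# Demonstration on the constructed samples.
check_interface_text "$SAMPLE_OFFLOAD_ON"
check_interface_text "$SAMPLE_OFFLOAD_OFF"
```

On a live box, `check_live_interface bge0` reports what the driver actually has enabled. On OPNsense the persistent fix is the GUI checkbox the reply mentions (Interfaces > Settings, then reboot); flags can also be flipped ad hoc with `ifconfig bge0 -rxcsum -txcsum -tso -lro` to confirm the throughput difference before making it permanent.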

Yes, hardware offloading is disabled. I've got 1g/1g for internet. I've read about people using Zenarmor in conjunction with Suricata, like ZA on the LAN and Suricata on the WAN. Hmm. Lots to think about.

Jeff