North South processing, but not East West?

Started by AWBbox, July 26, 2023, 09:50:41 PM

Hi everyone,

I'm new to OPNsense and wanted to try implementing some Layer 7 inspection features in the form of Zenarmor. I'm just having a play with the free version for now before committing any money to unlock more features.

One thing I've noticed is that it significantly reduces throughput, in my case from over 16Gbps down to just 5Gbps. I have four VLANs on the inside of my network and Zenarmor is enabled on all of them.

My question is: is it possible to apply Zenarmor processing to North-South traffic, i.e. traffic from each subnet to the internet, but exempt East-West traffic, i.e. traffic between the internal subnets themselves?

I noted that this part of the Zenarmor guide refers to a section for exempting subnets and VLANs, but it appears to apply to all traffic, so that would not be suitable. This section of the GUI doesn't even appear for me anyway; maybe it's a paid feature? https://www.zenarmor.com/docs/opnsense/configuring/general#exempting-vlans--networks

If anyone has suggestions I would be keen to hear them, thanks!
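Before deciding whether an East-West exemption is worth pursuing, it helps to know how much of the inspected load is actually inter-VLAN. The following is an added example, not code from the thread, from OPNsense or from Zenarmor: it classifies flow records as North-South, East-West, intra-subnet (switched traffic that never crosses the firewall) or external, given a list of internal subnets, and reports what share of firewall-traversing bytes an East-West exemption would remove from inspection. The four subnets and the flow records are constructed placeholders, since the page does not give the real ones; in practice you would feed it an export from your flow collector in the same `src dst bytes` shape.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholders for the four internal VLAN subnets; the thread
# does not state the real ranges, so substitute your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24")]


def containing_net(ip):
    """Return the internal subnet that holds `ip`, or None if it is external."""
    addr = ipaddress.ip_address(ip)
    for net in INTERNAL_NETS:
        if addr in net:
            return net
    return None


def classify_flow(src, dst):
    """Classify a flow by where its two endpoints sit.

    intra-subnet : both ends in the same VLAN; switched at layer 2, so the
                   firewall (and Zenarmor) never sees it.
    east-west    : both ends internal but in different VLANs; routed and
                   inspected by the firewall.
    north-south  : exactly one end internal; routed and inspected.
    external     : neither end internal (e.g. transit or mis-tagged data).
    """
    s, d = containing_net(src), containing_net(dst)
    if s is not None and d is not None:
        return "intra-subnet" if s == d else "east-west"
    if s is not None or d is not None:
        return "north-south"
    return "external"


def summarize(flow_lines):
    """Parse 'src dst bytes' records (blank lines and '#' comments skipped)
    and return total bytes per traffic class."""
    totals = defaultdict(int)
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, nbytes = line.split()
        totals[classify_flow(src, dst)] += int(nbytes)
    return dict(totals)


def east_west_share(totals):
    """Fraction of firewall-traversing bytes that are East-West, i.e. the
    share of inspected load an East-West exemption would remove."""
    inspected = totals.get("east-west", 0) + totals.get("north-south", 0)
    if inspected == 0:
        return 0.0
    return totals.get("east-west", 0) / inspected


# Constructed sample flow records: 'src dst bytes'.
SAMPLE_FLOWS = [
    "# src            dst              bytes",
    "10.10.10.5       142.250.0.1      5000000",   # client to internet
    "10.10.20.7       10.10.30.9       12000000",  # inter-VLAN file copy
    "10.10.10.5       10.10.10.8       3000000",   # same VLAN, never routed
    "10.10.40.2       10.10.10.5       4000000",   # inter-VLAN
    "10.10.30.9       93.184.216.34    2500000",   # server to internet
]

if __name__ == "__main__":
    totals = summarize(SAMPLE_FLOWS)
    for cls, nbytes in sorted(totals.items()):
        print(f"{cls:13s} {nbytes:>12d} bytes")
    print(f"east-west share of inspected traffic: {east_west_share(totals):.1%}")
```

With the constructed records, 16 MB of the 23.5 MB that crosses the firewall is East-West, so an exemption by direction (which the thread confirms Zenarmor's exempt list cannot express) would have removed about 68% of the inspected bytes; the 3 MB of intra-VLAN traffic never reaches the firewall and does not count either way.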

July 26, 2023, 10:47:41 PM #1 Last Edit: July 26, 2023, 11:14:45 PM by sy
Hi,

The Exempted VLAN IP/Network feature excludes all of their traffic. The policy has a direction option, but you cannot exempt traffic according to direction.

Zenarmor works on a single core and max throughput is around 5 Gbit. Please check the hardware requirements at the following link. Multi-core support is on the roadmap, and we plan to ship it in October.

https://www.zenarmor.com/docs/introduction/hardware-requirements

Thanks Sy, it's reassuring to know that I'm being limited by Zenarmor running on a single core.

I'm running an Intel i9-12900 which is hardly being taxed at the moment, I imagine multicore will go a long way to leveraging more of its processing power and getting back to the higher throughput I was enjoying before.