IPS/IDS Protectli Vault Pro VP4670-6

Started by Shefford, January 26, 2025, 03:30:17 PM

January 26, 2025, 03:30:17 PM Last Edit: January 26, 2025, 03:39:24 PM by Shefford
Hello! I have a Protectli VP4670-6 with 24 GB of RAM, an NVMe drive, and a 12-core i7 processor, along with Intel 2.5Gb network cards. I have 5 VLANs and a 3 Gbps internet connection. When IPS/IDS is disabled, using iPerf3, I get 2.3 Gbps between my laptop and the router over a wired connection. However, when I enable IDS/IPS, my speed drops to a maximum of 500 Mbps.

I thought that with this kind of hardware, I would at least get 1 Gbps or more. Am I doing something wrong? I have disabled unnecessary filters, and I'm running the latest version (12.2 from January 24, 2025), but I had the same issue even before this update.

I really want to keep network analysis enabled. Are there any tunings or optimizations I can apply? I'm not maxing out the CPU or RAM. I already applied the tunables from another post here for maximum performance, but I don't have the performance ;) and my state and mbuf usage was under 2% the majority of the time, under 1%.
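Whether a ceiling like the 500 Mbps described above comes from the Suricata engine dropping packets at capture (it cannot keep up with the ruleset on that interface) or from something else in the path can be read from Suricata's own counters rather than from CPU, state or mbuf graphs. The following Python script is an added example, not code from this thread or from OPNsense: it parses consecutive `stats` records from an EVE JSON log (assumed to live at /var/log/suricata/eve.json on OPNsense; the two sample records below are constructed) and computes the capture drop percentage and the decoded throughput per interval. The 1% drop threshold and the field names `capture.kernel_packets`, `capture.kernel_drops` and `decoder.bytes` are assumptions about Suricata's stats layout; the same counters can also be pulled live with `suricatasc -c dump-counters`.

```python
"""Read Suricata EVE 'stats' records and report capture drops per interval.

Added example for diagnosing IDS/IPS throughput loss; not OPNsense code.
Field layout (stats.uptime, stats.capture.kernel_packets/kernel_drops,
stats.decoder.bytes) is assumed from Suricata's eve.json stats output.
"""
import json

# Constructed sample: two stats records 8 s apart plus one unrelated alert
# record, shaped like eve.json lines. Not captured from a real system.
SAMPLE_EVE = """\
{"timestamp":"2025-01-26T15:30:00.000000+0100","event_type":"stats","stats":{"uptime":120,"capture":{"kernel_packets":1000000,"kernel_drops":1000},"decoder":{"pkts":999000,"bytes":1200000000},"detect":{"alert":3}}}
{"timestamp":"2025-01-26T15:30:08.000000+0100","event_type":"stats","stats":{"uptime":128,"capture":{"kernel_packets":1600000,"kernel_drops":151000},"decoder":{"pkts":1450000,"bytes":1700000000},"detect":{"alert":5}}}
{"timestamp":"2025-01-26T15:30:09.000000+0100","event_type":"alert","alert":{"signature":"constructed"}}
"""

DROP_THRESHOLD_PCT = 1.0  # assumed: above this, the engine itself is the bottleneck


def _get(d, *path, default=0):
    """Walk a nested dict by keys, returning default on any missing level."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def load_stats(text):
    """Return the 'stats' sub-dicts of every stats record, in file order.

    Non-stats events (alerts, flows, ...) and unparsable lines are skipped,
    since eve.json mixes all event types in one file.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "stats" and isinstance(event.get("stats"), dict):
            records.append(event["stats"])
    return records


def interval_report(prev, cur):
    """Compute deltas between two consecutive stats snapshots.

    Counters are cumulative since engine start, so the delta is what
    happened during this interval; drop_pct is relative to packets the
    kernel handed to the capture, mbps is the decoded payload rate.
    """
    secs = _get(cur, "uptime") - _get(prev, "uptime")
    pkts = _get(cur, "capture", "kernel_packets") - _get(prev, "capture", "kernel_packets")
    drops = _get(cur, "capture", "kernel_drops") - _get(prev, "capture", "kernel_drops")
    nbytes = _get(cur, "decoder", "bytes") - _get(prev, "decoder", "bytes")
    drop_pct = 100.0 * drops / pkts if pkts > 0 else 0.0
    mbps = nbytes * 8 / secs / 1e6 if secs > 0 else 0.0
    report = {
        "seconds": secs,
        "packets": pkts,
        "drops": drops,
        "drop_pct": drop_pct,
        "mbps": mbps,
    }
    report["verdict"] = verdict(report)
    return report


def verdict(report):
    """Classify an interval: engine-side drops versus a bottleneck elsewhere."""
    if report["drop_pct"] > DROP_THRESHOLD_PCT:
        return ("capture drops: Suricata is not keeping up on this interface; "
                "reduce rulesets/interfaces or raise worker threads")
    return "no significant capture drops: look outside the IDS engine"


def analyze(text):
    """Produce one report per consecutive pair of stats records."""
    stats = load_stats(text)
    return [interval_report(a, b) for a, b in zip(stats, stats[1:])]


if __name__ == "__main__":
    # Replace SAMPLE_EVE with open("/var/log/suricata/eve.json").read()
    # on a live box (path assumed for OPNsense).
    for r in analyze(SAMPLE_EVE):
        print(f"{r['seconds']}s: {r['mbps']:.0f} Mbit/s decoded, "
              f"{r['drops']}/{r['packets']} dropped ({r['drop_pct']:.1f}%) -> {r['verdict']}")
```

On the constructed sample the interval decodes 500 Mbit/s while a quarter of the packets are dropped at capture, which is the signature of an engine that cannot keep up with the configured rules on that interface; if drops stay near zero while throughput is still capped, the limit is elsewhere (driver, netmap ring size, test path) and trimming rulesets will not help.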

January 26, 2025, 05:32:25 PM #1 Last Edit: January 26, 2025, 05:34:59 PM by Melroy vd Berg
I'm also not maxing out the CPU and definitely not the memory. I would have the same question, I was hoping to get more throughput. So we are in the same boat, but let's help each other.

First, what are the intrusion detection settings you have?

I share my configs so you know what kind of information I'm after.

Under: Services -> ID -> Administration:

  • Intrusion Detection -> Checked
  • IPS Mode -> Checked
  • Interfaces -> ONLY selected one interface. Which is my LAN interface.
  • Pattern matcher -> Hyperscan (if your hardware allows it?)
  • Under the "Download", I enabled / downloaded the following rules:

    abuse.ch/Feodo Tracker, abuse.ch/ThreatFox, abuse.ch/URLhaus, ET open/botcc, ET open/drop, ET open/dshield, ET open/emerging-dos, ET open/emerging-exploit, ET open/emerging-exploit_kit, ET open/emerging-phishing, ET open/emerging-scan, ET open/emerging-shellcode, ET open/emerging-sql, ET open/emerging-web_server, ET open/emerging-worm

Then I go to: Services -> ID -> Policy.

Create a new policy:

  • Enabled -> Checked
  • Rulesets -> Selecting all of the above (which I downloaded)
  • Action -> Alert
  • New action -> Drop

Please, share your setup.

Last but not least, what kind of tunables did you apply?
Hardware: DEC3852
Version: OPNsense 24.10 Business Edition


Wow, uhmm, ok.

  • Do NOT enable IDS/IPS on VLAN interfaces. And you also do not need to select WAN. Then also uncheck "Promiscuous mode". And also uncheck "Enable syslog alerts" (unless you have a good reason to have syslog alerts?).
  • Then also, which rulesets did you download? You didn't show that. I hope you didn't download all of them. That is also a bad idea.
  • Last but not least, you are setting all the rules to "Alert", meaning you do not even block any request with your current IPS setup. Why?
Hardware: DEC3852
Version: OPNsense 24.10 Business Edition