Topic: Throughput optimisation and options. (Read 3630 times)
0nighthawk0 (Newbie, Posts: 1, Karma: 0)
Throughput optimisation and options. « on: September 17, 2021, 11:50:08 pm »
Hi all,
Running OPNsense on a Supermicro A2SDi-2C-HLN4F ... the NICs on this are described as "Quad LAN with Intel® C3000 SoC". 8GB DDR4 ECC RAM, 40GB Intel SSD I had lying around.
Using this as my main FW/Router as these seem quite capable.
I'm running Suricata and Unbound DNS.
Sensei is enabled on the LAN, OPT1 and OPT2 using MongoDB to back it.
The WAN should be 320 down.
I was getting 180-190 down.
Ran top -P, nothing much going on there at all so it's not load/resourcing. Then unchecked "Disable hardware checksum offload".
I now get 310 (280-310) down, so basically expected throughput on the WAN.
I'm going to run some more tests between LAN and OPT interfaces to see if they reach 1GB, but just wanted advice on options.
The other two options under the same section as the checksum offload are:
Disable hardware TCP segmentation offload
Disable hardware large receive offload
These appear to be ticked by default.
I'd like to understand how these two options interact with what OPNsense (and the plugins I have installed) are trying to do. Obviously having some processes done in hardware will be quicker, but I don't really want to enable anything unnecessary or that will cause more of a problem if it is better dealt with in the software.
It's clear that the default settings are not ideal in my case, so I'm just looking for other optimisations and advice.
Any tunables that may help or specific settings for Suricata/Sensei etc.
Thanks in advance.
dave (Jr. Member, Posts: 74, Karma: 5)
Re: Throughput optimisation and options. « Reply #1 on: September 18, 2021, 06:52:01 pm »
Suricata and Sensei are likely having the greatest effect on throughput.
Careful what Suricata rule sets you enable. 'SSL Fingerprint Blacklist' is very expensive.
'abuse.ch/URLhaus' can also get pretty huge, and there are other ways of using that, like AdGuard DNS blocking (don't use it with Unbound), but I think most browsers incorporate it anyway as part of Google's Safe Browsing stuff. Quad9 use it too, so you could just use their DNS servers and get that filtering upstream.
Also, assuming your NIC supports it, try setting 'Pattern matcher' to 'Hyperscan', which is an Intel thing.
« Last Edit: September 18, 2021, 07:04:45 pm by dave »