Suricata cutting download speed if IPS enabled

[Braineh]

Hallo everyone.

I'm quite new to Opnsense and got a question about Suricata. I registered for the ET telemetry edition, saved the token, enabled rules and downloaded them. Afterwards, I enabled Suricata and also IPS. What confuses me is, that enabling IPS is cutting my download speed by a minimum of 50%, while disabling it restores it to full speed. But here I can't see the point as the traffic is checked but not blocked without IPS anyway, so I can't see why this would cut the download performance that hard.
Anyone?
Thanks in advance.
Braineh

[cookiemonster]

yes, that is the normal behaviour, in that there is a high performance penalty from IPS. It is more of factor with CPUs with lower single thread performance.

[johnmcallister]

....But here I can't see the point as the traffic is checked but not blocked without IPS anyway, so I can't see why this would cut the download performance that hard.

What is the make,  model, & specifications (RAM amount, CPU speed, # of CPU cores, etc.) of the hardware your OPNsense instance (router) is running on?

What is the bandwidth of your internet connection, in Mbps or Gbps per second?  Fiber? Cable? Which provider?

[Braineh]

It's an Intel Celeron quad core mini itx board, 16 GB memory. From what I see, the CPU peaks at max 70% when log on but goes down instantly, during traffic it's never above 50%.

Provider is o2 and it's working through 4G / 5G since we unfortunately still got no serious wired connection here. Usually I get 100-250 MBit here. On the WAN side (Realtek) sits a ZTE 5G Router using bridge mode. On LAN side there's a Intel NIC, forgot which one I used in there. All Hardware acceleration / offload is disabled

[Enoch58]

Yes, that's the typical behavior, where there's a significant performance penalty from IPS. This is more pronounced with CPUs that have lower single-thread performance.