Throughput optimisation and options.

Started by 0nighthawk0, September 17, 2021, 11:50:08 PM

Hi all,

Running Opnsense on a Supermicro A2SDi-2C-HLN4F ....the NICs on this are described as "Quad LAN with Intel® C3000 SoC".  8GB DDR4 ECC RAM, a 40GB Intel SSD I had lying around.

Using this as my main FW/Router as these seem quite capable.

I'm running Suricata and Unbound DNS.
Sensei is enabled on the LAN, OPT1 and OPT2 using MongoDB to back it.

The WAN should be 320 down.

I was getting 180-190 down.
Ran top -P, nothing much going on there at all so it's not load/resourcing. Then I unchecked "Disable hardware checksum offload".
I now get 310 (280-310) down, so basically expected throughput on the WAN.
I'm going to run some more tests between LAN and OPT interfaces to see if they reach 1GB, but just wanted advice on options.

The other two options under the same section as the checksum offload are:
Disable hardware TCP segmentation offload
Disable hardware large receive offload

These appear to be ticked by default.

I'd like to understand how these two options interact with what Opnsense (and the plugins I have installed) are trying to do. Obviously having some processes done in hardware will be quicker, but I don't really want to enable anything unnecessary or that will cause more of a problem if it is better dealt with in the software.

It's clear that the default settings are not ideal in my case, so I'm just looking for other optimisations and advice.
Any tunables that may help or specific settings for Suricata/Sensei etc.

Thanks in advance.
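As an added example (not from the thread or from the OPNsense project), this script shows how to confirm which of the three offload features are actually in effect on an interface by reading the option flags `ifconfig` prints on FreeBSD/OPNsense; the embedded `ifconfig` text is constructed sample data, and `igb0`/`igb1`/`igb2` are assumed interface names.

```shell
#!/bin/sh
# Added example (not from the thread): report which hardware offload features
# are active on an OPNsense/FreeBSD interface by parsing `ifconfig` output.
# OPNsense's three checkboxes map onto these option flags:
#   "Disable hardware checksum offload"         -> RXCSUM / TXCSUM (and *_IPV6)
#   "Disable hardware TCP segmentation offload" -> TSO4 / TSO6
#   "Disable hardware large receive offload"    -> LRO
# LRO coalesces received TCP segments, which is why it is normally left off on
# a box that forwards traffic between interfaces rather than terminating it.

# Constructed sample output (flag hex values are illustrative), used when no
# live system is available: igb0 has every offload on, igb1 only checksum,
# igb2 none.
SAMPLE_IFCONFIG='igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:00:00:00:01
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e000bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:00:00:00:02
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM>
    ether 00:00:00:00:00:03'

# iface_options IFACE [TEXT]: print the comma-separated option flags of IFACE.
# TEXT defaults to the live `ifconfig IFACE` output when run on the router.
iface_options() {
    text=${2:-$(ifconfig "$1" 2>/dev/null || true)}
    printf '%s\n' "$text" | awk -v want="$1:" '
        $1 == want { grab = 1; next }        # header line of the wanted interface
        /^[A-Za-z]/ { grab = 0 }             # any other header ends its block
        grab && $1 ~ /^options=/ {
            sub(/^options=[0-9a-fA-F]*</, "", $1); sub(/>$/, "", $1)
            print $1; exit
        }'
}

# has_flag FLAGLIST FLAG: succeed if FLAG is one of the comma-separated flags.
has_flag() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# offload_state IFACE [TEXT]: print "csum=on|off tso=on|off lro=on|off".
offload_state() {
    opts=$(iface_options "$1" "$2")
    csum=off; tso=off; lro=off
    has_flag "$opts" RXCSUM && has_flag "$opts" TXCSUM && csum=on
    { has_flag "$opts" TSO4 || has_flag "$opts" TSO6; } && tso=on
    has_flag "$opts" LRO && lro=on
    printf 'csum=%s tso=%s lro=%s\n' "$csum" "$tso" "$lro"
}

# On the router itself: offload_state igb0   (reads live ifconfig output)
for i in igb0 igb1 igb2; do printf '%s: ' "$i"; offload_state "$i" "$SAMPLE_IFCONFIG"; done
```

Run it on the box after changing a checkbox to see whether the flag really went away, which is quicker than guessing from a speed test alone.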

September 18, 2021, 06:52:01 PM #1 Last Edit: September 18, 2021, 07:04:45 PM by dave
Suricata and Sensei are likely having the greatest effect on throughput.

Careful what Suricata rule sets you enable.  'SSL Fingerprint Blacklist' is v.expensive.
'abuse.ch/URLhaus' can also get pretty huge, and there are other ways of using that, like AdGuard DNS blocking (don't use it with Unbound), but I think most browsers incorporate it anyway as part of Google's Safe Browsing stuff.  Quad9 use it too, so you could just use their DNS servers and get that filtering up-stream.

Also, assuming your NIC supports it, try setting 'Pattern matcher' to 'Hyperscan', which is an Intel thing.