Performance tuning for IPS maximum performance

[elektroinside]

Took another closer look at these, after analyzing my settings and reconfigured my box.
They might work, I can't really "feel" if they made much of a difference, but kinda feels like faster.
What I did notice though, that my CPU usage dropped considerably after your settings.
When first trying them out, I must have misconfigured something as things got significantly worse, so I think it was my fault, I wasn't paying the necessary attention.

Thanks dcol for your work!

[elektroinside]

An important observation:

These settings (if correctly applied) not only enhance IDS/IPS performance, but OpenVPN as well. OpenVPN performs significantly better without any other configured parameters!

[Evil_Sense]

I implemented the tuning settings on my apu2c4.

I added the settings to the tunables in the GUI and used the mentioned command's to check before and afterwards, without noticing something odd.

Like elektroinside said, it fells faster, but it seems that cpu usage and memory usage has slightly increased and sometimes the system feels slower than usual.
I'm not sure if this comes from the rx & tx packet descriptor size of 4096 or the high max interrupt rate of 64000 but it seems a bit too heavy for the little apu2c4 .

Suggestions are welcome

[dcol]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

[Evil_Sense]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Thanks, will try with interrupt value of 42000 and see if it gets a bit better

[jenmonk]

With IPS/IDS my internet speed drops to 60mbs from 300mbs.
 I want to try your suggestions. Appreciate if you could let me know how to check ports used by IPS
"Set to 0 (<x>) for every port used by IPS
dev.igb.<x>.fc: value=0"

I followed "Fast and easy way to protect your home and/or small office network with OPNsense"  for my Initial setup
Thanks

[mimugmail]

I did some testing in a 10G Lab:

#####################################
OPNsense 18.1.6-amd64
FreeBSD 11.1-RELEASE-p9
OpenSSL 1.0.2o 27 Mar 201

Intel(R) Xeon(R) CPU E3-1270 v5 @ 3.60GHz (8 cores)

16GB RAM

Intel X520DA SFP+

Suricata, 11700 Rules enabled

Tests with iperf3:
iperf3 -p 5000 -f m -V -c 10.0.2.10 -t 30 -P 10 -w 12M
#####################################

No IPS enabled: 9400Mbit (30% CPU load)
IDS enabled: 9400Mbit (45% CPU load)
IPS enabled (Default Pattern matcher): 550Mbit (17% CPU load)
IPS enabled (Hyperscan): 1400Mbit (17% CPU load)

[jenmonk]

With IPS/IDS my internet speed drops to 60mbs from 300mbs.
 I want to try your suggestions. Appreciate if you could let me know how to check ports used by IPS
"Set to 0 (<x>) for every port used by IPS
dev.igb.<x>.fc: value=0"

I followed "Fast and easy way to protect your home and/or small office network with OPNsense"  for my Initial setup
Thanks

Appreciate all the help

[Julien]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Thanks, will try with interrupt value of 42000 and see if it gets a bit better

Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
i am willing to get this configured on a production soon as we are from 1024MB when IDS is activated we reach 400MB

[Evil_Sense]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Thanks, will try with interrupt value of 42000 and see if it gets a bit better

Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
i am willing to get this configured on a production soon as we are from 1024MB when IDS is activated we reach 400MB

Well, with 42000 I got a reasonable balance between resource usage and (at least I hope) good/better networking performance.

[Julien]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Thanks, will try with interrupt value of 42000 and see if it gets a bit better

Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
i am willing to get this configured on a production soon as we are from 1024MB when IDS is activated we reach 400MB

Well, with 42000 I got a reasonable balance between resource usage and (at least I hope) good/better networking performance.

Can you share the value ? how much is before and after the IDS is activated ?
i am willing to configure this as the firewall is not near to me, if things missed up i will need to travel like 4 hrs go and 4 hr back.

[Evil_Sense]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Thanks, will try with interrupt value of 42000 and see if it gets a bit better

Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
i am willing to get this configured on a production soon as we are from 1024MB when IDS is activated we reach 400MB

Well, with 42000 I got a reasonable balance between resource usage and (at least I hope) good/better networking performance.

Can you share the value ? how much is before and after the IDS is activated ?
i am willing to configure this as the firewall is not near to me, if things missed up i will need to travel like 4 hrs go and 4 hr back.

I don't use IDS, so I can't give a statement on it.
Since I didn't write down the original settings and didn't make speed tests before and after, I'm not really able to provide reliable values. I could however try to remove the settings and measuring against the current state tomorrow.

[Julien]

Some of the tunables and settings do come with a resource price. Try reducing the interrupt rate. The queue size is a NIC dependent setting and depends of the buffer size in the NIC itself.

Thanks, will try with interrupt value of 42000 and see if it gets a bit better

Hi EVIL_Sense,
after changing the 42000 value, have you noticed some changes / speed ?
i am willing to get this configured on a production soon as we are from 1024MB when IDS is activated we reach 400MB

Well, with 42000 I got a reasonable balance between resource usage and (at least I hope) good/better networking performance.

Can you share the value ? how much is before and after the IDS is activated ?
i am willing to configure this as the firewall is not near to me, if things missed up i will need to travel like 4 hrs go and 4 hr back.

I don't use IDS, so I can't give a statement on it.
Since I didn't write down the original settings and didn't make speed tests before and after, I'm not really able to provide reliable values. I could however try to remove the settings and measuring against the current state tomorrow.

Thank you,
if you could do that i'll appreciate it.

[Julien]

I have IDS enabled using only 1 rule " abuse.ch/SSL IP Blacklist " after testing the speed test its drop simnifically .

hardware is
Intel(R) Core(TM) i5-3317U CPU @ 1.70GHz (4 cores)
Memory 16 % ( 1301/8054 MB )

[mimugmail]

IDS or IPS?
Do you use Hyperscan?