IPS+ IDS performance

[elektroinside]

Another strange thing i noticed after upgrading to 18.1.r1:

With 18.1.r1, IDS+IPS enabled, download speed decreased to about half ~550Mbit/s. Disabling IDS+IPS i'm back to my full speed ~980Mbit/s
Same IDS+IPS rules, same everything, but with 17.7.11: ~980Mbit/s

IDS+IPS was up and running in both cases, as i could see my own rules being blocked, some other rules being blocked, exceptions being passed and so on...

This https://forum.opnsense.org/index.php?topic=6590.0 actually made things worse for me so i deleted the stuff i added (while i was on 17.7.11)...

[elektroinside]

I'm also confident that the alerts reflected the reality, as it blocked eicar for example, or other wicar tests or other custom rules with both versions...

[franco]

You can try to boot the 17.7 kernel and see if that is the cause:

# opnsense-update -kr 17.7.10 -n "17.7\/sets"

Running this will bring you back to the 18.1.r1 kernel:

# opnsense-update -k

(Don't forget the reboot in both cases)


Cheers,
Franco

[elektroinside]

Nope.. same thing unfortunately...

[franco]

That's good and bad at the same time.

Maybe the new NAT rule framework makes this slower? Although in that case IDS/IPS switching shouldn't matter.

Next thing would be to use the old Suricata binary on top of the 11.1 kernel:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/17.7/MINT/17.7.11/OpenSSL/All/suricata-4.0.3.txz


Cheers,
Franco

[elektroinside]

Nope.. this didn't help either.
Further more, i just noticed suricata eats a lot of CPU now, while speedtesting. Didn't noticed this before.
Take a look at the attached image.

I think, for some reason, the quad core 3.6Ghz i3-8100 is maxed out now, at least on one core, as 25% CPU corresponds to 1 core maxing out.

I think for some reason it worked with multi-core CPUs before, multiple threads maybe, but not anymore. Is this possible?

[elektroinside]

Ok, this made me think, the CPU usage... for some reason i missed that promiscuous mode was enabled. This was the cause. Disabling it obviously fixed it

Apologies.

[franco]

Whew, glad to hear that!

[mimugmail]

Perhaps something to put in dcol's sticky tuning guide?

[dcol]

So far I only touched on tunables in the guide, but I updated to include other IPS settings. Thanks

[nines]

having the same problem regarding the performance as long as IPS is enabled. I got 250/25Mbit in the past and now having max 150/25. Suricata process in top is using only one core - is this how it should be?

What else can I do to troubleshoot? As soon as I disable IPS its becomes fast as mentioned above

//Edit: sorry for complaining about opnsense - turned out that a debian VMs java process stresses the cpu really hard so all other VMs had no CPU cycles left for themselves
All is working fine - thanks for working so hard on opnsense!

[thg0432]

I'm having the same issue...I don't have Promiscuous mode selected and running 18.1.2_2.  I'm losing about 1/4 of my download speeds with it enabled.  CPU usage is next to nothing and my ram is using about 20%, so I don't see where the bottleneck would be hardware wise.  I used the instructions provided by the opnsense how-to docs.

[elektroinside]

This should help: https://forum.opnsense.org/index.php?topic=6590.0

The tunables must be properly set though, according to your system. In other words, search the ones mentioned in dcol's post in your system and modify them as instructed.