Intel i350T4 and i340T4, common NICs used for firewalls

Please test all tunables in a test environment before you apply them to a production system.

# File starts below this line, use Copy/Paste
#####################
# Check for interface specific settings and add accordingly.
# These are tunables to improve network performance on Intel igb driver NICs

# Flow Control (FC) 0=Disabled 1=Rx Pause 2=Tx Pause 3=Full FC
# This tunable must be set according to your configuration. VERY IMPORTANT!
# Set FC to 0 on all interfaces
hw.igb..fc=0
# Also put this in System Tunables
hw.igb..fc: value=0

# Set number of queues to number of cores divided by number of ports. 0 lets FreeBSD decide
hw.igb.num_queues=0

# Increase packet descriptors (set as 1024, 2048, or 4096 ONLY!)
# Allows a larger number of packets to be processed.
# Use "netstat -ihw 1" in the shell and make sure the idrops are zero.
# If the NIC has constant disconnects, lower this value.
# If idrops are not zero, lower this value.
hw.igb.rxd="4096"          # For i340/i350 use 2048
hw.igb.txd="4096"          # For i340/i350 use 2048
net.link.ifqmaxlen="8192"  # value here equals the sum of the two values above. For i340/i350 use 4096

# Increase network efficiency
hw.igb.enable_aim=1

# Increase interrupt rate
hw.igb.max_interrupt_rate="64000"

# Network memory buffers
# Run "netstat -m" in the shell; if 'mbufs denied' and 'mbufs delayed' are 0/0/0 then this is not needed.
# If not zero, keep adding 400000 until the mbuf counters are zero.
kern.ipc.nmbclusters="1000000"

# Fast interrupt handling
# Normally set by default. Use these settings to ensure it is on.
# Allows the NIC to process packets as fast as they are received
hw.igb.enable_msix=1
hw.pci.enable_msix=1

# Unlimited packet processing
# Use this only if you are sure that the NICs have dedicated IRQs.
# View the IRQ assignments by executing "vmstat -i" in the shell.
# A value of "-1" means unlimited packet processing.
hw.igb.rx_process_limit="-1"
hw.igb.tx_process_limit="-1"
###################################################
# File ends above this line
##################################

After testing I have realized that some of these settings are NOT applied via loader.conf.local and must be added via the WebGUI in System > Settings > Tunables. I have moved these from the file above to this list.

Add to Tunables:

Disable Energy Efficiency - set for each igb port in your system. This setting can cause link flap errors if not disabled. Set it for every igb interface in the system as per these examples:
dev.igb.0.eee_disabled: value=1
dev.igb.1.eee_disabled: value=1
dev.igb.2.eee_disabled: value=1
dev.igb.3.eee_disabled: value=1

IPv4 Fragments - 0=Do not accept fragments. This is mainly needed for security: fragmentation can be used to evade packet inspection.
net.inet.ip.maxfragpackets: value=0
net.inet.ip.maxfragsperpacket: value=0

Set to 0 for every port used by IPS:
dev.igb..fc: value=0

Although the tuning in this thread so far just deals with the tunables, there are other settings that can impact IPS performance. Here are a few...

In the Intrusion Detection Settings tab:

Promiscuous mode - To be used only when multiple interfaces or VLANs are selected in the Interfaces setting. This is used so that IPS will capture data on all the selected interfaces. Do not enable it if you have just one interface selected. It will help with performance.

Pattern matcher - This setting selects the algorithm to use when pattern matching. This setting is best set by testing. Hyperscan seems to work well with Intel NICs. Try different ones and test the bandwidth with an internet speed test.

Home networks (under the Advanced menu) - Make sure the interfaces fall within the actual local networks. You may want to change the generic 192.168.0.0/16 to your actual local network, e.g. 192.168.1.1/24.

###################################################
USEFUL SHELL COMMANDS
sysctl net.inet.tcp.hostcache.list   # View the current host cache stats
vmstat -i                            # Query total interrupts per queue
top -H -S                            # Watch CPU usage
dmesg | grep -i msi                  # Verify MSI-X is being used by the NIC
netstat -ihw 1                       # Look for idrops to determine hw.igb.txd and rxd
grep /var/run/dmesg.boot             # Shows useful info like netmap queue/slots
sysctl -A                            # Shows system variables
###################################################
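An added example, not part of the original post, that turns the checks described above into a script: it parses `netstat -m` output for the denied/delayed mbuf counters and `netstat -ihw 1` output for the idrops column, applies the post's "add 400000 until zero" rule for kern.ipc.nmbclusters, derives net.link.ifqmaxlen from the rxd/txd values, and emits the per-port eee_disabled/fc entries for System > Settings > Tunables. The netstat samples embedded in it are constructed for illustration and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check the counters the post tells
# you to watch ("netstat -m" denied/delayed mbufs, "netstat -ihw 1" idrops)
# and print the loader.conf / System > Tunables values that follow from them.
# The netstat outputs below are constructed samples; on a firewall pipe the
# real command output into the functions instead.

# Constructed `netstat -m` sample with no shortfall.
NETSTAT_M_OK='1024/2048/3072 mbufs in use (current/cache/total)
512/1024/1536/1000000 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0 requests for mbufs delayed (mbufs/clusters)'

# Constructed `netstat -m` sample where 5 mbuf and 7 cluster requests were denied.
NETSTAT_M_SHORT='1024/2048/3072 mbufs in use (current/cache/total)
512/1024/1536/1000000 mbuf clusters in use (current/cache/total/max)
5/7/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0 requests for mbufs delayed (mbufs/clusters)'

# Constructed `netstat -ihw 1` sample (two one-second rows, 17 idrops in total).
NETSTAT_IHW='            input        (Total)           output
   packets  errs idrops      bytes    packets  errs      bytes colls
    123456     0     12   98765432     111111     0   87654321     0
    120000     0      5   90000000     100000     0   80000000     0'

mbuf_shortfall() {
    # stdin: `netstat -m` output. Prints the sum of every counter on the
    # "requests for mbufs denied" and "... delayed" lines; 0 means
    # kern.ipc.nmbclusters does not need raising.
    awk '/requests for mbufs (denied|delayed)/ {
             n = split($1, f, "/")
             for (i = 1; i <= n; i++) total += f[i]
         }
         END { print total + 0 }'
}

next_nmbclusters() {
    # $1 = current kern.ipc.nmbclusters, $2 = result of mbuf_shortfall.
    # The post's rule: while the counters are non-zero, add 400000 and re-check.
    if [ "$2" -gt 0 ]; then echo $(( $1 + 400000 )); else echo "$1"; fi
}

idrops_total() {
    # stdin: `netstat -ihw 1` output. Sums the idrops column (3rd field) over
    # the numeric data rows; the two header rows start with a word and are skipped.
    awk '$1 ~ /^[0-9]+$/ { total += $3 } END { print total + 0 }'
}

ifqmaxlen_for() {
    # $1 = hw.igb.rxd, $2 = hw.igb.txd. The post sets net.link.ifqmaxlen to their sum.
    echo $(( $1 + $2 ))
}

tunables_for_ports() {
    # $1 = number of igb ports. Emits the per-port System > Settings > Tunables
    # entries the post wants on every igb interface: EEE off and flow control 0.
    i=0
    while [ "$i" -lt "$1" ]; do
        printf 'dev.igb.%d.eee_disabled: value=1\n' "$i"
        printf 'dev.igb.%d.fc: value=0\n' "$i"
        i=$((i + 1))
    done
}

report() {
    # $1 = `netstat -m` text, $2 = `netstat -ihw 1` text, $3 = current nmbclusters.
    shortfall=$(printf '%s\n' "$1" | mbuf_shortfall)
    drops=$(printf '%s\n' "$2" | idrops_total)
    echo "mbufs denied+delayed: $shortfall -> kern.ipc.nmbclusters=\"$(next_nmbclusters "$3" "$shortfall")\""
    echo "idrops: $drops (non-zero: revisit hw.igb.rxd/txd as the post describes)"
}

# Stand-alone run against the constructed samples.
report "$NETSTAT_M_OK" "$NETSTAT_IHW" 1000000
report "$NETSTAT_M_SHORT" "$NETSTAT_IHW" 1000000
tunables_for_ports 4
```

On the firewall, source the file and feed it live output: `netstat -m | mbuf_shortfall` and `netstat -ihw 1 | head -n 7 | idrops_total` (the `head` stops the otherwise endless one-second refresh). Re-run the mbuf check after each 400000 step rather than raising nmbclusters in one jump, since the value is memory that the kernel reserves.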