Suricata Kills down speed
-
@maverikh said in Suricata Kills down speed:
I only use the paid Snort rules.
That's not good
Because you use the rules that actually might work, if matching traffic is found.First, the easy one :
The processor you use does a "Ghz" or two.
Nice.
But "Suricata" is a multi million machine instruction program, and it tries to scan everything you throw at it. Like 40 Mega (40 million bytes a second) bytes of info.What about this question :
Why does it manage to actual provide any throughput ?To see for yourself :
Open a console or SSH, go for the 'all the answers' mode (option 8) and usetop( 'pkg install htop' for the color blind )
and make the screen as big as possible.
Sort on 'processor occupation on top'.
Now download something big.
Who is on top ?The solution is ancient : when you have very big processor power needs, start by throwing big iron at it. Go for the 5100 or 6100, or build your own Xeon rig.
And RAM : 4 G is a bare minimum.Example :
My Netgate 4100 : Intel(R) Atom(TM) CPU C3338R @ 1.80GHz" spikes to 60% on both cores when I do a simple speed test, which shows a 850 Mbits/sec in both direction.
And I have no packet inspection like Suricata or snort installed.
Which is ok of course. The processor name says it all : 'Atom". -
@gertjan said in Suricata Kills down speed:
The processor name says it all : 'Atom".
Please have look over here. An Intel Atom 5000 series
together with an Intel e810 switch chip.
Intel Atom 5000 series -
@dobby_ said in Suricata Kills down speed:
Intel Atom 5000 series
up to 100Gbps (uni-directional)/ 50Gbps (bi-directional) and 50/100GbE networking built-in.
When all planets are aligned and we're part of that perfect world, then these number should be possible.
When all packets have to be copied to 'user land', to be inspected one by one against a lot of rules .... and copied back in kernel space to be send out, I presume the decimal point will shift one or two digits to the left.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@maverikh said in Suricata Kills down speed:
When i enable Suricata, my download throughput goes from 1Gbps to a mere 300Mbps.
I only use the paid Snort rules.
A 30+ percent hit on through put is to be excepted when you enable Suricata or Snort depending on how you have it configured, how many rules you enable no matter which rule sets you use, whether using Inline mode or Legacy mode, etc, etc.
You need to browse some of the posts under IDS/IPS that others have posted about through put issues. Also make note of issues by @bmeeks about how it is configured/ works in pfSense and follow his recommendations. From what I remember no matter how you configure it, your through put will take a hit when using either of the IDS/IPS packages.
-
It is normal for throughput on the firewall to take a noticeable hit when running either of the two IDS/IPS packages.
There are some things to help minimize that hit. Here are a few:
- Make sure you carefully tune your rule set so that you are using only the minimum required rules to detect reasonable threats based on the vulnerabilities in your network. If you don't have public-facing email, DNS, or web servers, then you will not need any of those rules from the Snort rules set.
- You need plenty of CPU horsepower. This really means fast clock speeds as a higher CPU clock speed will be the best defense against getting too bogged down. Multiple cores are also great, but raw clock speed is king.
- You need a very efficient network card and driver. A multi-queue card is best. And a genuine Intel is also generally better for FreeBSD. Realtek is the pits.
- You can try changing the threading mode (or Run Mode) in Suricata. It defaults to
autoFP, which means auto flow-pinned. The other mode isworkers. If you are using Inline IPS Mode, you will likely findworkersmode to be better performing IF you have a multi-queue NIC. The threading mode can be adjusted on the INTERFACE SETTINGS tab in Suricata. You must restart Suricata if you change the threading mode in order for the change to be recognized.
-
I have a Protectli Fw4c running official PFsense... This has a J series celeron 4core @2.6Ghz and *GB ram
-
@gertjan said in Suricata Kills down speed:
With big iron I meant processors like this.
It was only pointed to your outspeak "it is only an Atom".
Nothing more.I have a Protectli Fw4c running official PFsense... This has a J series celeron 4core @2.6Ghz and *GB ram
*GB RAM is not really an information or?
What other packages you are running by site of Suricata?
Did you sort the CPU with new good thermal paste?
Is Suricata set up to the WAN or LAN interface?When i enable Suricata, my download throughput goes from 1Gbps to a mere 300Mbps.
It is much more then I would expect from, I have an
CPU from 2006 or so in usage and it is only running
on 1400MHz and I get with it around 450 MBit/s.I only use the paid Snort rules.
What rules are matching what used traffic and how many
"things" must be proofed at the time against how many
of the rules will be more the main point. -
I didnt build the Protectli FW4c. Factory built it, i will change the thermal paste though.
Im am looking up the @bmeeks recommendations for ids/ips configuration as i am new to using this aspect of the firewall and packageIntel Celeron J3710 2.6Ghz 4-cores (just realized its only clocking in at 1.6Ghz) (40C temp)
8GB ram (typo)
4x Individual Intel 2.5Gbps nic's (independent cpu lanes)
hardware encryption enabled (for OpenVPN)
1Gbps/1Gbps internetstandard PFSense Plus install 23.01 with:
Suricata (using paid OINK code from snort)(inline/workers)
OpenVPN with just 2 cellphones connected
BandwidthD for bandwitdth usage graphs
MiniUPNPd for 2 xbox's -
- PowerD activated? (high adaptive)
-
@dobby_
no powerd. should i use it even though no battery ups? -
So i put artic silver on the cpu and turned on powerd (HiAdaptive). cpu temp went down 10c dashboard still says 1.6Ghz
-
@maverikh 2.6 is the burst/turbo. 1.6 base.
https://ark.intel.com/content/www/us/en/ark/products/91532/intel-pentium-processor-j3710-2m-cache-up-to-2-64-ghz.html
As noted above look at the % CPU usage while doing your test. If it’s maxed out, it’s maxed out.
Edit: powerd will reduce the clock speed if idle. When working pfSense will show two numbers on the dashboard.
-
@steveits Thank you all, Correct me if im wrong with this....
It's safe to say that if my CPU is at 7% utilization and then I loaded Suricata, and it only jumps the CPU to roughly 16% ...its not likely the cpu will speed up and therefore having some affect on internet bandwidth.
PowerD (maximum) has no affect on CPU clock when set.
I wanted to see if bandwidth improved directly by having the CPU run full clock speed. -
@maverikh Then CPU isn’t your bottleneck. Are you using inline or legacy/default mode? I skimmed the above, didn’t see the NICs posted?
-
@steveits Inline workers.
Intel 2.5Gbps nic's x4 ports I think its the I225-V
Protectli FW4C -
no powerd. should i use it even though no battery ups?
If you use it (powerD high adaptive) and your internet
traffic goes under higher load and the CPU is not
scaling up (turn up to higher GHz), this will be then
the problem as I see it, and you may solve it by setting
up PowerD.So i put artic silver on the cpu
cpu temp went down 10c dashboardThe most clients (buyers) of QoTom, Protectli,......
will do so often it first, after arriving and unpacking
as I have seen them reporting and also like you say
the temp went something between 5 C° to 10 C°
then down!What numbers you will see at the WAN port (throughput)
if you are not using suricata? I mean you said it went down
to something around 300 MBit/s, but from how much before? -
@dobby_ 1Gpbs down to now 500Mbps so i saw some improvement
-
@maverikh said in Suricata Kills down speed:
1Gpbs down to now 500Mbps so i saw some improvement
Are you using PPPoE on that internet account? If so your
pfSense will be nailed or pinned to one CPU core!!! If not
the entire WAN load will be balanced over all CPU cores
pending on your settings, your NIC (support it or not) and
also the amount and size of queues that will be able to set up. 4C / 4T = 4 queues and more queues means more transported data and for sure faster throughput comes bysite -
@dobby_ Its fiber to the modem ONT, 1Gbps/1Gbps synchronis. not ppoe. Gateway based
-
@maverikh said in Suricata Kills down speed:
Its fiber to the modem ONT, 1Gbps/1Gbps synchronis. not ppoe. Gateway based
You could try out to play around with the queue amount
and also the size to get let call it something more out for
your max. throughput.
