Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [Bug?]2.5.0-DEVELOPMENT (amd64) built on Sun May 03 23:56:0 snort-2.9.16 Inline IPS throttles Wireguard speed

    Scheduled Pinned Locked Moved
    Development
    2
    5
    490
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      iqjet
      last edited by iqjet

      Hi,
      when running Wireguard (on a Client PC) with snort in Mode INLINE IPS (LAN) my speed is about 8MB/s.
      /dev/zero 0%[ ] 101,84M 7,97MB/s
      Setting snort to Legacy Mode my speed will raise up
      /dev/zero 4%[ ] 410,75M 93,9MB/s

      Snort Inline IPS throttles Wireguard Client speed to 8MB, Legacy Mode is working fine.
      System tunables are set according to recommendations:

      kern.ipc.maxsockbuf Maximum socket buffer size 4262144
      dev.igb.0.fc WAN Flow Control 0
      dev.igb.1.fc LAN1 0

      1 Reply Last reply Reply Quote 0
      • kiokomanK
        kiokoman LAYER 8
        last edited by

        carefully read this "howto"
        the settings for suricata and snort are the same

        https://forum.netgate.com/topic/138613/configuring-pfsense-netmap-for-suricata-inline-ips-mode-on-em-igb-interfaces

        provide all the information mentioned there

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        1 Reply Last reply Reply Quote 0
        • I
          iqjet
          last edited by iqjet

          well, I followed this instructions. Inline IPS is working without a problem, except WG speed is throttled.

          Edit:
          ifconfig igb1

          igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	description: LAN
	options=8520b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO>
	ether 00:0e:c4:d4:b5:64
	inet6 fe80::20e:c4ff:fed4:b564%igb1 prefixlen 64 scopeid 0x2
	inet 10.16.252.254 netmask 0xffffff00 broadcast 10.16.252.255
	inet 10.99.99.254 netmask 0xffffffff broadcast 10.99.99.254
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          1 Reply Last reply Reply Quote 0
          • kiokomanK
            kiokoman LAYER 8
            last edited by kiokoman

            uhm

            Asking for help? Provide the following:
            If you run into an issue not discussed above and would like help, please provide the output from the following commands (excluding any sensitive IPs/hostnames, and remembering to substitute your interface(s) where I have igb0):

            ifconfig igb0
sysctl -a | grep netmap
sysctl -a | grep msi
sysctl -a | grep igb
sysctl -a | grep rss
cat /var/log/system.log | grep netmap
cat /var/log/system.log | grep sig

            also check if there is this option,maybe also snort have it
            If your cpu is being under used but traffic is bottlenecked, check out these sections of the manual: Runmodes and Threading

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            1 Reply Last reply Reply Quote 0
            • I
              iqjet
              last edited by iqjet

              I'm runing pfsense at a Intel(R) Core(TM) i5-5250U CPU. CPU load is low, RAM usage 23% out of 8GB. Google DNS is blocked. I use igb1. As I told, no problems without WG and full speed. WG natively runing on a Linux Mint 19.3 PC throttles the speed. Imho there is nothing wrong with Mode "Inline IPS"
              Edit
              Your requested results are in Snort.zip

              1 Reply Last reply Reply Quote 0
              • First post
                Last post