pfSense on KVM Proxmox - Suricata/Snort performance issues


  • Does someone have an idea?

    KVM virtualizes the CPU as kvm64. Is this the right thing to do for pfSense?


  • What is the question? Proxmox uses KVM to virtualize CPUs. pfSense runs fine under virtualization platforms in general, and Proxmox (among others) in particular.


  • I am having this problem. Suricata totally nukes my speeds. I have a fiber connection and I'm only getting 230-300 Mb/s. That is with all 24 CPUs assigned to pfSense. I have even disabled the rules, and just running it causes this issue!


  • Hello all,
    I'm running Proxmox and pfSense. I have a problem where Suricata will instantly limit my fiber connection down to 230 Mb/s, even with the rule sets turned off for that interface. I have plenty of resources assigned to the VM (24 CPUs, 15 GB memory). As soon as Suricata is disabled I get a 950/950-ish connection.

    Does anybody else experience issues with Proxmox->Pfsense->Suricata like this?

    Doing this setup with pfSense on Hyper-V I had no problems.

    Could it be my cheap Realtek 1 Gb NICs?


  • @routethebyte said in pfSense on KVM Proxmox - Suricata/Snort performance issues:

    Hello all,
    I'm running Proxmox and pfSense. I have a problem where Suricata will instantly limit my fiber connection down to 230 Mb/s, even with the rule sets turned off for that interface. I have plenty of resources assigned to the VM (24 CPUs, 15 GB memory). As soon as Suricata is disabled I get a 950/950-ish connection.

    Does anybody else experience issues with Proxmox->Pfsense->Suricata like this?

    Doing this setup with pfSense on Hyper-V I had no problems.

    Could it be my cheap Realtek 1 Gb NICs?

    Are you trying to use the Inline IPS feature? If so, that will be your problem as virtual machines have virtual NICs and the netmap kernel device used for Inline IPS mode will revert to emulation in most cases. That mode is super slow in terms of throughput. This is a limitation of how the netmap kernel device works and has nothing to do with Suricata itself.
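
The check a practitioner would want after reading this reply, as an added example that is not part of the thread and not pfSense or Suricata project code: a POSIX shell script that reads a pfSense config.xml, maps each Suricata IDS/IPS interface to its FreeBSD device, and flags any interface running in Inline IPS mode on a virtio NIC (vtnet driver), which is the case where netmap is expected to fall back to its emulated adapter. The config.xml layout it assumes (the <interfaces> section with <if> per interface, and <installedpackages><suricata><rule> with <interface> and <ips_mode> values ips_mode_inline / ips_mode_legacy) is taken from memory of the pfSense Suricata package and should be verified against your own config.xml; the sample config embedded below is constructed, not a real export.

```shell
#!/bin/sh
# Added example (not from the thread): report the Suricata blocking mode of
# every IDS/IPS interface in a pfSense config.xml and flag Inline IPS mode on a
# virtio NIC (FreeBSD driver vtnet), where netmap commonly falls back to its
# emulated adapter. Assumed config.xml layout (verify against your own file):
#   <interfaces><wan><if>vtnet0</if></wan>...</interfaces>
#   <installedpackages><suricata><rule><interface>wan</interface>
#       <ips_mode>ips_mode_inline|ips_mode_legacy</ips_mode></rule>...</suricata>

# Prints "iface device mode status" per rule; exits 2 if any rule is inline on vtnet*.
suricata_modes() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)             # config.xml is one element per line
        name = ""; val = ""
        if (match(line, /^<[a-z0-9_]+>[^<]*<\/[a-z0-9_]+>$/)) {   # <name>value</name>
            name = line; sub(/^</, "", name); sub(/>.*$/, "", name)
            val = line; sub(/^<[a-z0-9_]+>/, "", val); sub(/<\/.*$/, "", val)
        }
        if (line == "<interfaces>")  { in_ifs = 1; next }
        if (line == "</interfaces>") { in_ifs = 0; next }
        if (in_ifs) {                        # map pfSense name (wan) -> device (vtnet0)
            if (match(line, /^<[a-z0-9_]+>$/)) { cur = line; gsub(/[<>]/, "", cur) }
            if (name == "if") dev[cur] = val
            next
        }
        if (line == "<suricata>")  { in_sur = 1; next }
        if (line == "</suricata>") { in_sur = 0; next }
        if (!in_sur) next
        if (line == "<rule>") { r_if = ""; r_mode = ""; next }
        if (name == "interface") r_if = val
        if (name == "ips_mode")  r_mode = val
        if (line == "</rule>") {
            d = (r_if in dev) ? dev[r_if] : "?"
            if (r_mode == "") r_mode = "ips_mode_legacy"   # package default per the thread
            if (r_mode == "ips_mode_inline" && d ~ /^vtnet/) { st = "INLINE-ON-VIRTIO"; warn++ }
            else if (r_mode == "ips_mode_inline") st = "inline"
            else st = "legacy"
            printf "%s %s %s %s\n", r_if, d, r_mode, st
        }
    }
    END { exit ((warn > 0) ? 2 : 0) }
    ' "$1"
}

# Constructed sample config.xml (not a real pfSense export), written to "$1".
write_sample_config() {
    cat > "$1" <<'EOF'
<pfsense>
  <interfaces>
    <wan>
      <if>vtnet0</if>
    </wan>
    <lan>
      <if>vtnet1</if>
    </lan>
  </interfaces>
  <installedpackages>
    <suricata>
      <rule>
        <interface>wan</interface>
        <enable>on</enable>
        <ips_mode>ips_mode_inline</ips_mode>
      </rule>
      <rule>
        <interface>lan</interface>
        <enable>on</enable>
        <ips_mode>ips_mode_legacy</ips_mode>
      </rule>
    </suricata>
  </installedpackages>
</pfsense>
EOF
}

# Stand-alone run against the constructed sample; on a real box use
#   suricata_modes /cf/conf/config.xml
cfg=$(mktemp)
write_sample_config "$cfg"
suricata_modes "$cfg" || echo "warning: Inline IPS on a virtio NIC; expect netmap emulated mode"
rm -f "$cfg"
```

Inline mode showing up on a vtnet interface is the condition described above; Legacy Mode Blocking does not use netmap at all, so the script reports it without a warning. On the pfSense VM itself, `sysctl dev.netmap.admode` shows which adapter netmap is allowed to pick (0 = native if the driver supports it, otherwise emulated; 1 = native only; 2 = emulated only), which is the quickest way to confirm what Inline mode would actually get on that NIC.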


  • @bmeeks How would I go about changing the mode?


  • @routethebyte said in pfSense on KVM Proxmox - Suricata/Snort performance issues:

    @bmeeks How would I go about changing the mode?

    If you do not know how to do that, chances are very good you have not modified it from the default. The default is Legacy Mode Blocking and in that mode what I mentioned in my first reply is moot and your problem lies elsewhere.

    But just so you know, changes to the blocking mode are made on the INTERFACE SETTINGS tab for the IDS/IPS interface.


  • @bmeeks I've tried every mode. They give the same result. I'm honestly considering running it bare metal on something but I love Proxmox and really like it virtualized.


  • @routethebyte said in pfSense on KVM Proxmox - Suricata/Snort performance issues:

    @bmeeks I've tried every mode. They give the same result. I'm honestly considering running it bare metal on something but I love Proxmox and really like it virtualized.

    I am not familiar with Proxmox. I use VMware products. An IDS/IPS can be very demanding on a system, but I would not generally expect a performance hit as large as you are seeing. If you want to run virtualized, I would try a VMware product such as ESXi (there is a free version you could experiment with). Many folks run pfSense and its packages on ESXi without issue. There have been quite a few reports of various issues on other hypervisors. Hypervisors will all use virtual NICs (unless you pass-through a dedicated hardware NIC to the virtual machine). How well the software undergirding the virtual NIC works with applications like an IDS/IPS is what determines performance.

    Bare metal is always going to be faster than virtualization given the same underlying hardware. But do not expect full line speed with an IDS/IPS running with a fairly heavy ruleset.