Netgate specs vs China builds
-
So curious.
I'm running on a Chinese build at the moment.
Having some performance issues.
Running pfBlockerNG and Suricata and everyone is telling me 4GB RAM min, 8GB better.
But then I look at the SG 3100 and I see it's configured with 2GB... how is it that they have this small business platform with so little, whereas the community says 8GB min?
G
-
If you have 8GB you can just enable all the lists and signatures and never worry about RAM use. But really you shouldn't do that because the CPU use in doing so is significant. It's unlikely you would use 4GB with a rational list selection IMO.
It's possible to run pfBlocker and Suricata in 1GB but you need to be careful selecting the lists/sigs you enable. It's certainly possible to exhaust the RAM on the 3100 if you just start checking everything!
For example here I am running pfBlocker with basic ad filtering and Snort with the ET Open ruleset on the 3100:

last pid: 32237;  load averages:  0.64,  0.62,  0.58    up 1+03:01:51  15:52:43
67 processes:  1 running, 66 sleeping
CPU:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle
Mem: 175M Active, 843M Inact, 180M Wired, 84M Buf, 789M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
39083 root          2  20    0   276M   254M bpf     1  36:04   0.46% /usr/local/bin/snort -R _6830 -D
25744 root          1  52    0   129M    43M accept  1   0:34   0.00% php-fpm: pool nginx (php-fpm)
84889 root          1  52    0   129M    42M accept  0   0:37   0.00% php-fpm: pool nginx (php-fpm)
17997 root          1  52    0   129M    42M accept  1   0:32   0.00% php-fpm: pool nginx (php-fpm)
22142 root          1  52    0   129M    42M accept  0   0:35   0.00% php-fpm: pool nginx (php-fpm)
72666 root          1  52    0   127M    41M accept  0   0:32   0.00% php-fpm: pool nginx (php-fpm)
65018 root          1  52    0   129M    40M accept  1   0:39   0.00% php-fpm: pool nginx (php-fpm)
46826 root          1  52    0   129M    40M accept  1   0:33   0.00% php-fpm: pool nginx (php-fpm)
86917 unbound       2  20    0    63M    37M kqread  0   8:08   0.00% /usr/local/sbin/unbound -c /var/
88109 root          1  20    0    46M    34M nanslp  1   0:46   0.05% /usr/local/bin/php -f /usr/local
  949 root          1  20    0    89M    24M kqread  1   0:03   0.00% php-fpm: master process (/usr/lo
54622 root         17  52    0    42M    17M sigwai  0   1:17   0.00% /usr/local/libexec/ipsec/charon
 6685 root        157  20    0    64M    15M uwait   1   0:13   0.00% /usr/local/sbin/filterdns -p /va
 1260 dhcpd         1  20    0    13M    10M select  1   0:12   0.01% /usr/local/sbin/dhcpd -user dhcp
18729 dhcpd         1  20    0    12M  9040K select  0   0:11   0.01% /usr/local/sbin/dhcpd -6 -user d
61059 root          1  20    0    12M  8916K select  1   0:00   0.01% sshd: admin@pts/0 (sshd)
22348 root          1  20    0    11M  8672K select  0   0:00   0.00% /usr/sbin/sshd
48217 root          1  20    0    21M  7764K kqread  1   0:20   0.00% nginx: worker process (nginx)
48114 root          1  20    0    21M  7372K kqread  0   0:23   0.00% nginx: worker process (nginx)
59179 root          1  20    0    10M  6932K kqread  1   0:09   0.00% /usr/local/sbin/lighttpd_pfb -f
48043 root          1  52    0    20M  6768K pause   1   0:00   0.00% nginx: master process /usr/local
61494 root          1  20    0  9480K  6484K select  0   0:22   0.03% /usr/local/sbin/openvpn --config
99940 root          1  20    0  9148K  6244K select  1   0:07   0.01% /usr/local/sbin/openvpn --config
Steve
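The top(1) snapshot above is the kind of evidence that settles the "how much RAM do I need" question: what matters is the resident set of the IDS and pfBlockerNG processes plus the Free and Inact memory still available. The script below is an added example by the editor, not code from the thread or from pfSense; it parses a constructed, abbreviated copy of that output, sums resident memory per package (the mapping of binaries to packages in GROUPS is a hypothetical grouping) and reports the headroom before the box would start swapping.

```python
import re
from collections import defaultdict

# Constructed sample input: an abbreviated copy of the FreeBSD `top` output quoted
# in the thread (same column layout, a handful of the rows).
SAMPLE_TOP = """\
last pid: 32237;  load averages:  0.64,  0.62,  0.58    up 1+03:01:51  15:52:43
67 processes:  1 running, 66 sleeping
CPU:  0.4% user,  0.0% nice,  0.0% system,  0.0% interrupt, 99.6% idle
Mem: 175M Active, 843M Inact, 180M Wired, 84M Buf, 789M Free

  PID USERNAME    THR PRI NICE   SIZE    RES STATE   C   TIME    WCPU COMMAND
39083 root          2  20    0   276M   254M bpf     1  36:04   0.46% /usr/local/bin/snort -R _6830 -D
25744 root          1  52    0   129M    43M accept  1   0:34   0.00% php-fpm: pool nginx (php-fpm)
86917 unbound       2  20    0    63M    37M kqread  0   8:08   0.00% /usr/local/sbin/unbound -c /var/
 6685 root        157  20    0    64M    15M uwait   1   0:13   0.00% /usr/local/sbin/filterdns -p /va
18729 dhcpd         1  20    0    12M  9040K select  0   0:11   0.01% /usr/local/sbin/dhcpd -6 -user d
59179 root          1  20    0    10M  6932K kqread  1   0:09   0.00% /usr/local/sbin/lighttpd_pfb -f
61494 root          1  20    0  9480K  6484K select  0   0:22   0.03% /usr/local/sbin/openvpn --config
"""

UNIT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# Hypothetical grouping of binaries into the packages the thread discusses.
GROUPS = {
    "ids": ("snort", "suricata"),
    "pfblockerng": ("lighttpd_pfb", "filterdns"),
    "dns": ("unbound",),
}


def to_bytes(field):
    """Convert a top(1) size field such as '254M' or '9040K' into bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", field)
    if not m:
        raise ValueError(f"unexpected size field: {field!r}")
    return int(m.group(1)) * UNIT.get(m.group(2), 1)


def parse_top(text):
    """Return (memory summary dict, list of per-process dicts) from top output."""
    mem, procs, in_table = {}, [], False
    for line in text.splitlines():
        if line.startswith("Mem:"):
            for amount, label in re.findall(r"(\d+[KMG]?) (\w+)", line):
                mem[label] = to_bytes(amount)
        elif line.lstrip().startswith("PID "):
            in_table = True            # header row: process rows follow
        elif in_table and line.strip():
            f = line.split(None, 11)   # COMMAND keeps its embedded spaces
            procs.append({
                "pid": int(f[0]), "user": f[1],
                "size": to_bytes(f[5]), "res": to_bytes(f[6]),
                "wcpu": float(f[10].rstrip("%")), "command": f[11],
            })
    return mem, procs


def resident_by_group(procs):
    """Sum resident memory per package group; unknown binaries land in 'other'."""
    totals = defaultdict(int)
    for p in procs:
        binary = p["command"].split()[0].rsplit("/", 1)[-1]
        group = next((g for g, names in GROUPS.items() if binary in names), "other")
        totals[group] += p["res"]
    return dict(totals)


def headroom(mem):
    """Free plus Inact is roughly what FreeBSD can hand out before it must swap."""
    return mem["Free"] + mem["Inact"]


if __name__ == "__main__":
    mem, procs = parse_top(SAMPLE_TOP)
    for group, res in sorted(resident_by_group(procs).items()):
        print(f"{group:12s} {res / 2**20:8.1f} MiB resident")
    print(f"headroom     {headroom(mem) / 2**20:8.1f} MiB")
```

On the sample the IDS process alone accounts for about 254 MiB resident while pfBlockerNG's helpers are under 25 MiB, which matches the thread's point that signature selection, not the blocklists, drives memory use; re-run the parser against `top -b` output after enabling a ruleset to see the delta.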
-
@georgelza said in Netgate specs vs China builds:
everyone is telling me 4GB RAM min, 8GB better.
I don't run IPS on a home connection - it's pretty freaking pointless if you ask me.. Is this work or business where you provide some service to the public internet? Is this not in some sort of https connection..
If you were going to run it - more than likely it would be a very limited useful rules list, be it home or business, with everything being https these days, that as mentioned should be well groomed, etc.
pfBlocker isn't all that resource hungry depending on how exactly you're using it - sure if you try and block the planet loading all the lists possible it sure can get resource hungry..
Sure you prob had others telling you 32GB on an i9, etc. If anything the interwebs love to throw resources at anything.. But you don't always need a Ferrari to commute to work ;)
-
I only run it in IDS mode.
This is a home, but then this is the new normal ... aka I work permanently from home. 99.9% is outgoing traffic, with only one incoming stream, Home Assistant, which is reverse proxied via CloudFlare.
Love the Ferrari analogy.
... it seems part of my problem might be a faulty modem, which has been killing my incoming speed, so the sluggish experience might not be the pfSense platform, will know in the next couple of hours.
G
-
@georgelza and all your traffic to and from work would be in a VPN I would assume. The IDS is not going to have any visibility into that traffic.
Now sure it might catch some bad traffic between some machines on different VLANs in your local network.. Or something spewing out bad traffic because it has been infected..
But overall the use case for IPS/IDS in most networks is quite limited with pretty much all traffic being encrypted.. And if you do want to run it, even as just a learning experience etc.. after the groom down to rule sets that actually make sense, etc. it's not going to be all that resource hungry.
-
I'm not that often on VPN actually.
Ye... I was suspecting I might have been hacked, and configured Suricata to try and block any exploit to send information out of my network... or open a pipe back home.
Either I was never hacked or it worked, as my phantom arm/disarm of my home alarm stopped since I configured Suricata. I don't spend enough time on the finer tuning of Suricata to go and check every bundle of rules, I sort of looked at the Lawrence videos and figured they know a lot more than me and their go-to list is probably a lot better than what I would ever compile.
G
-
@johnpoz is spot on about IDS/IPS on a home network. It won't do all that much in reality. I maintain both of the IDS/IPS packages for pfSense, so I have some familiarity with them.
Back in the old days when email flowed unencrypted to mail servers via port 25, all web traffic was HTTP in the clear over port 80, and DNS lookups were strictly plaintext over port 53; then an IDS/IPS had eyes into everything and could be helpful.
But today email flows encrypted via TLS over either port 465 or 587. Darn near 100% of web traffic is encrypted HTTPS over port 443, and even DNS lookups are increasingly moving to encryption via DoT and DoH. So the IDS/IPS has a very hard time seeing anything at all in the payloads. It can only see the initial header info and maybe try to glean some partially useful info out of that. Or else it just looks at the source or destination IP and compares that to some list of "bad guys" and flags the traffic.
The only exception to the above gloomy scenario would be if you configure a full MITM (man-in-the-middle) interception scheme to terminate, inspect, and then re-encrypt traffic through your firewall. But doing this is a major undertaking, and truly and thoroughly breaks the chain of trust with HTTPS and other encrypted traffic.
So if you want to play around with IDS/IPS, then have fun. But just be prepared to be troubled a bit by false positives. Especially when first configuring the system and learning the ropes.
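To make the "it can only see the initial header info" point concrete: on an HTTPS connection the one cleartext thing a passive sensor reliably gets is the TLS ClientHello, which carries the offered cipher suites and, usually, the Server Name Indication; every record after the handshake is opaque. The code below is an added example by the editor, not Suricata's or Snort's own parser; it hand-builds a minimal ClientHello (fixed "random" bytes, a constructed suite list) and shows what a sensor can extract from it versus from an application-data record.

```python
import struct

# Constructed sample of an encrypted application-data record (type 0x17):
# 20 bytes of ciphertext that no signature can match on.
APP_DATA_RECORD = b"\x17\x03\x03" + struct.pack("!H", 20) + b"\xaa" * 20


def build_client_hello(hostname, cipher_suites=(0x1301, 0x1302, 0xC02B)):
    """Assemble a minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # ext type 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x11" * 32          # client_version + fixed "random"
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                       # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def inspect_record(data):
    """Return the fields a passive sensor can read from one TLS record.

    Handshake records yield version, cipher suites and SNI; application-data
    records yield only their length; anything else yields None.
    """
    if len(data) < 5:
        return None
    if data[0] == 0x17:
        return {"record": "application_data", "payload_bytes": len(data) - 5}
    if data[0] != 0x16:
        return None
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    p = 4                                   # skip handshake type + 3-byte length
    version = hs[p:p + 2].hex()
    p += 2 + 32                             # version, random
    p += 1 + hs[p]                          # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                          # compression methods
    sni = None
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                  # server_name: 2-byte list length, then entries
                q = p + 2
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:
                        sni = hs[q + 3:q + 3 + nlen].decode("ascii", "replace")
                        break
                    q += 3 + nlen
            p += elen
    return {"record": "client_hello", "version": version,
            "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    print(inspect_record(build_client_hello("example.com")))
    print(inspect_record(APP_DATA_RECORD))
```

The SNI and suite list are what rule sets for encrypted traffic actually key on (and what the DoT/DoH shift removes from DNS); after the handshake the sensor is left with record sizes and timing, which is why false positives dominate once the payload-based signatures have nothing to match.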
-
Thanks, thanks...
So, update. Suricata and pfBlockerNG have been disabled. pfBlockerNG I might re-enable; by all the advice here, unlikely to enable Suricata again.
And it seems neither might have been the root cause, which it seems was a damaged modem.
Had the local Telco guy check the line, he came back, line's 100%, but when he does a test from his side against my modem it refuses to sync above 8Mbps... so the last bit of yesterday was to pull an old modem out of a box, configure it as per my network, where I was previously maxing out at 3/5-4Mbps I'm now getting 7-8 Mbps... so hoping he will enable my line for faster this morning and we will then get even better ...
I'm so waiting for the 200-300 Mbps fiber in January.
Will advise later when this has been done and what I found.
So far, thanks for comments.
G