SG6100 SWAP full and high CPU - tweak suggestions?

alnico

I am using a SG6100-Max with a lot of services enabled. I've noticed that my CPU usage is quite high from 40% to 100%. My 1GB swap space was always 100% full, so I increased it to 4GB. Traffic is homelab setup.

Is there something I can do to address the issue/tweak it further?

These are the settings:
Netgate 6100-Max
8 GB RAM (onboard so can't upgrade)
128GB HD

Packages:

Top snapshot:

CPU Memory and Swap:

Can I tweak it any further such as increasing the swap space?

patient0

@alnico what pfSense+ version are you running?

I do think it's just too many CPU/RAM intensive services running on it.

The ones I know that can be CPU or/and RAM hogs you run are pfBlockerNT, suricata and ntopng. Not sure about crowdsec, haproxy and zeek (is that only the agent?).

You run bandwithd and darkstat, both of which are for bandwidth monitoring. Why not choose one of them?

How much sense it makes to run crowdsec and suricata I don't know.

I'd start with stopping ntopng and see how the memory and CPU workload are. If it significantly improves I'd move ntopng to a separate server/vm in your homelab.

Gertjan

@alnico said in SG6100 SWAP full and high CPU - tweak suggestions?:

My 1GB swap space was always 100% full, so I increased it to 4GB

You should add more RAM, which is impossible.
So only one option left : lower the RAM usage.
Suricata/darkstat/ntopng will use all avaible memory. remove them all, and memory issues will be gone for good.
Up to you to find some middle ground here.

Btw : Suricata/darkstat/ntopng are processes that have to be baby-sit them : every day (Im' serious), you see what these have found, check their memory usage and disk usage (log files !!). if you don't have to time to check up with their stats, disable them, as it is useless to collect data that you waste-bin moments later.

See it like this : when not swapping : every memory access is one cpu cycle.
With swapping every memory access is (hundreds) thousand of cycles .... Swapping is very (!) expensive for the CPU.

dennypage

@alnico said in SG6100 SWAP full and high CPU - tweak suggestions?:

Is there something I can do to address the issue/tweak it further?

The amount of CPU for ntopng is quite egregious. I would suggest you reconfigure (or disable) ntopng. You likely have it tracking more data than it should be. Recommendations...

In the ntopng package:

• Make sure you are not monitoring the wan interface(s).

Inside of ntopng itself:

• If you have any of the slice and dice time series information (off by default), turn them all back off.
• If you have increased data retention times from defaults, lower it.
• If you have any form of active discovery enabled inside ntopng itself, turn that off as well.

SteveITS

@alnico Run ps aux|grep php and see if you can see what the PHP processes are actually doing. Often those are stuck doing log rotation/compression, which can be a few things...double compression, high log amounts, etc.