Latency jumps a lot after L7 rule is enabled



  • I have been messing with the L7 functionality a bit. I just updated to "2.0-RC1 (i386) built on Fri May 6 18:21:29 EDT 2011" to get the latest patch for the L7 stuff. After doing that and enabling my LAN rule with the L7 BitTorrent container, I noticed general internet browsing seemed really slow. So I went to my providers local speedtest. I was getting 100ms+ when I normally get 20-30ms. As soon as I disable the rule with the L7 container the latency drops back down to 20ms like it normally is. If I go back in and enable that rule again, the latency jumps right back up to over 100ms. Even though I'm still getting like 15Mb, with the rule enabled websites load pretty slow, almost 56k slow.

    Any ideas?


  • Rebel Alliance Developer Netgate

    You are forwarding traffic through a daemon (ipfw-classifyd), which will cause increased latency. No way around that.

    Deep packet inspection comes at a great cost of resources, so tossing more hardware at it may help, you might be maxing out the CPU on your router. Watch the output of "top -SH" while surfing and see what is happening.
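    The "watch top -SH while surfing" advice above, turned into a small script (an added example, not from this thread or from pfSense): it sums the WCPU share of every ipfw-classifyd thread per sample so the latency jump can be lined up with the daemon's CPU use. It assumes FreeBSD top's -b (batch) and -d (display count) flags; the embedded sample output is constructed, not captured from the poster's Alix.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): sample `top -SH` in batch mode
# and report the combined WCPU share of all ipfw-classifyd threads.
# Read one `top -SH` display on stdin and print the summed WCPU (as a number)
# of every line whose COMMAND matches $1. Column positions are taken from the
# header line, so it works with or without the per-CPU "C" column.
sum_cpu_for() {
    awk -v name="$1" '
        $1 == "PID" {                       # header: locate WCPU and COMMAND
            for (i = 1; i <= NF; i++) {
                if ($i == "WCPU")    w = i
                if ($i == "COMMAND") c = i
            }
            next
        }
        w && $1 ~ /^[0-9]+$/ && $c ~ name { # process/thread line
            pct = $w; sub(/%/, "", pct)     # "31.20%" -> 31.20
            total += pct
        }
        END { printf "%.2f\n", total + 0 }
    '
}
# Take N samples a couple of seconds apart while browsing with the L7 rule
# enabled, then again with it disabled, and compare. Assumes FreeBSD top -b/-d.
watch_classifyd() {
    n="${1:-5}"; i=0
    while [ "$i" -lt "$n" ]; do
        share=$(top -SH -b -d 1 2>/dev/null | sum_cpu_for ipfw-classifyd)
        printf '%s ipfw-classifyd=%s%%\n' "$(date +%H:%M:%S)" "$share"
        i=$((i + 1)); sleep 2
    done
}
# Constructed sample of a single-CPU (no "C" column) `top -SH` display, in the
# shape the Alix in the thread would print; not captured from a real box.
SAMPLE_TOP='last pid: 41234;  load averages:  1.02,  0.80,  0.60   up 0+02:10:33
92 processes:  3 running, 75 sleeping, 14 waiting
CPU:  7.1% user,  0.0% nice, 41.5% system,  3.8% interrupt, 47.6% idle
  PID USERNAME  PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
   11 root      171 ki31     0K     8K RUN    66:13 47.56% idle
 4231 root       44    0  3356K  1780K select  2:04 31.20% ipfw-classifyd{ipfw-classifyd}
 4231 root       44    0  3356K  1780K select  1:11 24.10% ipfw-classifyd{ipfw-classifyd}
   12 root      -32    -     0K   112K WAIT    1:33  3.79% intr{swi4: clock}'
# Run `./l7-cpu.sh watch 10` on the firewall; with no argument just parse the sample.
if [ "${1:-}" = "watch" ]; then watch_classifyd "${2:-5}"
else printf 'sample: ipfw-classifyd=%s%%\n' "$(printf '%s\n' "$SAMPLE_TOP" | sum_cpu_for ipfw-classifyd)"
fi
```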



  • What are your specs? (CPU/MEM)



  • It's an Alix 2d13 (500 MHz AMD Geode LX800 CPU, 256MB). I realized that it would take some extra resources, but didn't know it would take that much. Here is the top -SH. ipfw-classifyd jumps to between 50-60% when I visit a single website. That's crazy. So if you plan on doing any L7 stuff, an Alix definitely isn't the way to go? What would you recommend as the minimum requirements? Obviously that's going to depend on how many users, etc, but let's just say a small office, maybe about 10 users, typical browsing habits.


  • Rebel Alliance Developer Netgate

    You'd need a lot more CPU than that. I'm not sure anyone has run benchmarks on it, but I'd expect it to be about as bad as snort is in terms of CPU, if not worse since you'd be sending more traffic through it.

    ALIX is good for many things, but CPU-intensive tasks are not one of them.



  • @sscardefield:

    It's an Alix 2d13 (500 MHz AMD Geode LX800 CPU, 256MB). I realized that it would take some extra resources, but didn't know it would take that much. Here is the top -SH. ipfw-classifyd jumps to between 50-60% when I visit a single website. That's crazy. So if you plan on doing any L7 stuff, an Alix definitely isn't the way to go? What would you recommend as the minimum requirements? Obviously that's going to depend on how many users, etc, but let's just say a small office, maybe about 10 users, typical browsing habits.

    Take a look here http://l7-filter.sourceforge.net/performance



  • Cool, thanks for the link. Those are all higher-end boxes. I wish they had a benchmark there for a lower end appliance. It's just not reasonable for a SoHo to run a full blown PC for the firewall.



  • @sscardefield:

    Cool, thanks for the link. Those are all higher-end boxes. I wish they had a benchmark there for a lower end appliance. It's just not reasonable for a SoHo to run a full blown PC for the firewall.

    You don't have to run a full blown PC for the firewall. I'm using one of the original dual core Intel Atom 330 (2 cores, 4 threads) which was part of the DG945GCLF2 motherboard, 2GB of DDR2 and a 320GB disk all in a mini itx case. I spent $80 on the CPU/mobo, $20 on the RAM and I already had the drive laying around.

