Does anyone have any experience with using Nethsec on the Deciso DEC740 (or DEC750)?
This is an AMD64 (Ryzen Embedded v1500b)-based router/firewall device with SFP+ and 2.5Gbit copper. It is sold with an OPNSense license, but I of course want to use it with Nethsec.
Some more details on why I am asking: I am now on my second year of licensing Nethsec. I run it in a VM on a RHEL 10 server on a Ryzen 7 9700X with Connect-X4 NICs. I am able to get my 1Gbit fiber WAN routing/firewalling working fine; however, I cannot use DPI or any of the threat prevention features as it reduces throughput to about 500Mbit. Changing the scheduler and tuning of the RHEL hypervisor has not allowed me to increase the performance of the Nethsec VM.
Since Nethsec is not available on ARM, finding dedicated hardware for Nethsec is interesting.
I am open to other ideas of course, on how to get Nethsec to handle 1Gbit with all the bells and whistles turned on. =)
Unfortunately at the link you provided there are no details about the NICs/SFP+ cages used…
DPI and Threat Prevention usually take a significant toll while being processed by CISC CPUs (like all x86-64) when offloading or hardware acceleration is not available (like AES-NI does on this CPU).
Better NIC/SFP+ chips help reduce the impact of network throughput on CPU load; however, ARM is usually the go-to for networking appliances.
Could be interesting to know if the cTDP could be tweaked on this device (can reach 25W as CPU Standard), but I don’t think that Deciso would allow it (could be too much for passive cooling).
Here are more details from someone who took the DEC740 apart and did a detailed performance review.
In that review, however, they specify “three dedicated 1G copper ports made possible by Intel I210 chips” and list the mainboard version as a “Netboard A10 Gen.3”, while the current product has 2.5G ports, so the hardware has been updated since the review.
The review does a comparison of OPNSense Community 22.1 virtualized and the same on a DEC740, so a couple of releases old now. IPSec and Wireguard performance is good, better even than specified by Deciso, but of course DPI was not enabled.
Edit: I found this BSD hardware probe of the A10 Gen3 board, with I211. I am not able to find anything newer than Gen3. Perhaps they only changed the I210 for, I would assume, I225 or I226 to refresh with 2.5G, don’t know.
DPI will struggle only if there is a really high amount of connections per second (this value highly depends on the RAM of your device), otherwise only the first 32 packets of each connection are actually scanned.
Something is stirring in that direction, slowly, but it is.
If it runs OpenWRT, there’s a very high chance it runs NethSecurity.
Hi, thanks for the hyperscan settings, I enabled them, we shall see how the performance is.
Yes, the DEC740/750/2750 (Rack Mount) is supported with OpenWRT and I assume it would run Nethsec just fine as well. What I was wondering is whether people have direct experience using one with Nethsec and also then what the performance is when using IPS and other mitigation options. But I don’t think anyone here actually has a DEC740 in use.
The entire idea is getting Nethsec, so far only on X86, on hardware that can hold up to IPS load like for example Firewalla Orange, which purports to support 2gbs routing + firewall + smart firewall.