IRQBalance in NethSec

Hi there folks,

So after testing some more, in my case having more than 4 vCPUs makes no difference to the throughput I get, if Snort is on.

The question: does NethSec have the OpenWRT IRQbalance implemented? I don’t see /etc/config/irqbalance. If yes, how do we configure it, and if not, can we get it?

You could add the upstream openwrt repos, see also Package repositories | NethSecurity
This could lead to update issues and conflicts in the worst case, see also Remote access — NethSecurity documentation

Ah I see, thanks for the info.

But, I don’t want to greatly modify Nethsec. The point of Nethsec, and what I am (will be? Still have a few days left of the evaluation) paying for is that I don’t have to customize and modify and build and maintain my own OpenWRT version.

So, I guess I either keep Snort off, or I build my own OpenWRT install. Or I discover some other optimization that is allowed in Nethsec. IRQBalance would have been promising, but as I said, if it ain’t already part of NethSec, it doesn’t make sense (for me) to add it.

How do YOU (kind forum members) run NethSec on a 1Gbit WAN with Snort enabled, and get full bandwidth? What hardware do you have NethSec running on?

Cheers

PS. To test, I switched the Ryzen 5 3600 CPU (Zen 2, 6 cores) in my KVM host server to a Ryzen 5 5700X (Zen 3, 8 cores) which has 25% higher single core and 33% higher multithreaded performance than the older CPU, and giving the NethSec VM more than 4 vCPUs made no difference with either the Ryzen 3600 or the Ryzen 5700; a full Gigabit throughput on WAN is just not possible with Snort enabled. This is with minimal other load on the host, the NethSec VM gets all the resources it needs. It just doesn’t scale.


Can I also ask what SQM algorithm is used in NethSec? Is it Cake? And can it be tuned to the type of WAN we have (fiber in my case, but if you have DOCSIS or VDSL for example it would need to be tuned differently)?

I have a lab where I test the performance of all hardware Nethesis sells.
Over the years, I’ve tested many different systems using both the 7.x NethServer versions (based on CentOS) and the newer NethSecurity 8, ranging from two cores to 8, using various network traffic patterns.

Concerning network flows, I tried different configs of irqbalance and packet steering, and I never found noticeable differences in network speed or CPU load.

However, it may also depend on the network card model and driver, I mostly tested Intel cards.

Having said this, I’ll be happy if you test irqbalance: if we find that it helps on some systems, I will re-evaluate its inclusion.
See packages: add irqbalance by filippocarletti · Pull Request #433 · NethServer/nethsecurity · GitHub for instructions.

It’s cake, using qosify.
To tune for different wan types you need the command line:

qosify.wan.overhead_type='none'

See tc-cake manual for possible values (instead of none).


Thanks for the info. Yes, I should test IRQBalance. =)