This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Hardware Limitations In Home version

Is it possible to get the hardware limitations removed for the home version?  Or have they been removed in V18?



This thread was automatically locked due to age.
Parents
  • C'mon mate, lets imagine that sophos has to pay salaries, developing new solutions, ideas maintain current activities, infrastructure etc etc. We can be glad that sophos is allowing us a home users to using their product just for free with all features. Beside that, for home usage 4 cores and 6 gb is a overkill. With all features on you can gain 1GB/s. look how Fortigate(and other solutions) are expensive, what the are offering etc. With sophos you've got it for free with great community :) appreciate it ^^ and if you wanna use it for commercial just support it - buying it ;)

    __________SETUP___________

    HP Small Form Factor:  i5 4Cores, 8Gb of RAM.
    Intel Network Card 5x Eth
    SSD: 256Gb

  • I understand this logic, but there is no reason to limit hardware if it is proven that the UTM is in a home location.  There are tons of other UTM packages out there that don't have hardware limitations.  I don't mind paying the annual license, but to pay the annual license with a hardware restriction is weak.  I guess I'll just stay on PFsense until they finally decide to remove the limitations.  Thanks

  • I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    It potentially is possible that Sophos isn't optimised for AMD hardware, after all given that this is designed to run on their own hardware / Azure which is all intel based (as far as I know / yes there are AMD VMs available in Azure, but you specify them), then why go to the extra effort?

    I'm just going by previous experience, and albeit 3-4 years ago, we noticed that some AMD systems (DL385p G8's) were doing high CPU when transferring SMB traffic, changed to Intel hardware - DL380p Gen8 and it was much faster.

    Tim Grantham

    Enterprise Architect & Business owner

  • BLS said:
    I hope you mean that TCP offloading is enabled, otherwise the CPU will be doing a lot of tasks, it will for a lot of tasks that require software inspection such as QoS.

    By default most of the NIC offload is disabled on XG, I believe It's required for IPS to work in inline mode.

     

    SFVH_SO01_SFOS 18.0.0 GA-Build379.HF052220.1# ethtool --show-offload Port1
    Features for Port1:
    rx-checksumming: on
    tx-checksumming: off
            tx-checksum-ipv4: off
            tx-checksum-ip-generic: off [fixed]
            tx-checksum-ipv6: off
            tx-checksum-fcoe-crc: off [fixed]
            tx-checksum-sctp: off [fixed]
    scatter-gather: off
            tx-scatter-gather: off
            tx-scatter-gather-fraglist: off [fixed]
    tcp-segmentation-offload: off
            tx-tcp-segmentation: off
            tx-tcp-ecn-segmentation: off [fixed]
            tx-tcp-mangleid-segmentation: off
            tx-tcp6-segmentation: off
    udp-fragmentation-offload: off
    generic-segmentation-offload: off
    generic-receive-offload: off
    large-receive-offload: off
    rx-vlan-offload: off
    tx-vlan-offload: off


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Hi,

     

    Can you change your search method from ac-bfna to hyperscan and do the same test again?

    Here's the difference by the default IPS options in XG to changing it to hyperscan, you can use "set ips search-method hyperscan" to change it.

     

    Iperf3;

    Default (ac-bfna):

    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-10.00  sec   989 MBytes   830 Mbits/sec                  receiver

     

    Hyperscan:

    [ ID] Interval           Transfer     Bitrate
    [  5]   0.00-10.00  sec  2.71 GBytes  2.33 Gbits/sec                  receiver

     

    Both of them where using only a single core from my XG.

    Also there's lot's of issues using XG with AMD hardware on KVM, primarily with SSL/TLS Decryption throughput.

     

    Using SSL/TLS Inspection:

    Saving to: ‘iso’

    iso                  11%[>                ] 207.05M  34.2MB/s

     

    Using Web Proxy:

    Saving to: ‘iso’

    iso                  14%[=>               ] 260.74M   217MB/s

     

    The CPU has a AMD Ryzen R7 1700.

     

     

    Edit: The results on ESXi is much better than KVM.

    Using the SSL/TLS Inspection with Decryption + IPS; I can get 70MB/s over a single core, which is the expected throughput for the CPU without using AES-NI. Also the same throughput I've got over a single core on a AMD Ryzen 3 2200G.

    So the issue is pretty much only on KVM.

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Just submitted a bid on a Dell R220 Intel Xeon E3-1220 v3 Quad Core, looks like a good option without breaking the bank.  TDP is a bit higher than I'd like.

     

    I'd then sell the Pondesk E3845 Atom unit I have.

  • The VM has assinged 3 cores with its 6 threads, the topology is correctly defined in KVM

    Without IPS, with Advanced Protection and Web filtering without breaking SSL.

    2 threads at 80%

    Same as before but with IPS and 3437 selected

    I get this with 5 threads 95% average on download, upload is 55% average for 5 threads

    Same as before but with Hyperscan,

    5 threads at 60%

     

    The IPS is a LAN WAN generic profile basically

     

    So hyperscan somehow worked but still upload speed are bad (maybe becasue the IPS rules are LAN-WAN)

    Is there any other way to improve the performance? maybe adding another snort instance? how is the command exactly? "ips-instance"

  • Yes mine is OFF as well I though it was enable since it is in pfsense/opnsense

     

    SFVH_KV01_SFOS 18.0.0 GA-Build354.HF052220.1# ethtool --show-offload PortA      
    Features for PortA:                                                             
    rx-checksumming: on                                                             
    tx-checksumming: off                                                            
            tx-checksum-ipv4: off                                                   
            tx-checksum-ip-generic: off [fixed]                                     
            tx-checksum-ipv6: off                                                   
            tx-checksum-fcoe-crc: off [fixed]                                       
            tx-checksum-sctp: off [fixed]                                           
    scatter-gather: off                                                             
            tx-scatter-gather: off                                                  
            tx-scatter-gather-fraglist: off [fixed]                                 
    tcp-segmentation-offload: off                                                   
            tx-tcp-segmentation: off                                                
            tx-tcp-ecn-segmentation: off [fixed]                                    
            tx-tcp-mangleid-segmentation: off                                       
            tx-tcp6-segmentation: off                                               
    udp-fragmentation-offload: off                                                  
    generic-segmentation-offload: off                                               
    generic-receive-offload: off                                                    
    large-receive-offload: off                                                      
    rx-vlan-offload: off                                                            
    tx-vlan-offload: off                                                            
    ntuple-filters: off [fixed]                                                     
    receive-hashing: on                                                             
    highdma: on [fixed]                                                             
    rx-vlan-filter: on [fixed]                                                      
    vlan-challenged: off [fixed]                                                    
    tx-lockless: off [fixed]                                                        
    netns-local: off [fixed]                                                        
    tx-gso-robust: off [fixed]                                                      
    tx-fcoe-segmentation: off [fixed]                                               
    tx-gre-segmentation: off [fixed]                                                
    tx-gre-csum-segmentation: off [fixed]                                           
    tx-ipxip4-segmentation: off [fixed]                                             
    tx-ipxip6-segmentation: off [fixed]                                             
    tx-udp_tnl-segmentation: off [fixed]                                            
    tx-udp_tnl-csum-segmentation: off [fixed]                                       
    tx-gso-partial: off [fixed]                                                     
    tx-sctp-segmentation: off [fixed]                                               
    tx-esp-segmentation: off [fixed]                                                
    fcoe-mtu: off [fixed]                                                           
    tx-nocache-copy: off                                                            
    loopback: off [fixed]                                                           
    rx-fcs: off [fixed]                                                             
    rx-all: off [fixed]                                                             
    tx-vlan-stag-hw-insert: off [fixed]                                             
    rx-vlan-stag-hw-parse: off [fixed]                                              
    rx-vlan-stag-filter: off [fixed]                                                
    l2-fwd-offload: off [fixed]                                                     
    hw-tc-offload: off [fixed]                                                      
    esp-hw-offload: off [fixed]                                                     
    esp-tx-csum-hw-offload: off [fixed]                                             
    rx-udp_tunnel-port-offload: off [fixed]            
  • That upload limit while using IPS is very strange.

    Nice to see there has a noticeable change from ac-bfna to hyperscan on your setup.

     

    The command to add more Snort instances is "set ips ips-instance  add IPS cpu <core>"

     

    Another thing,what AMD CPU are you using right now with KVM? For better performance (if you are using proxmox or straight kvm with qemu) leave as 6 sockets instead of 3 cores and 6 threads.

     

    Also, can you do the same speed test but with "generalpolicy" as the IPS Rule?

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • I don't have "generalpolicy" maybe I have deleted it but I have tried with "LAN to WAN" (one of the defaults policies) and the result is the same.

    I use KVM QEMU 4.2 with Unraid, this section of the config file reflects my CPU configuration

     <?xml version='1.0' encoding='UTF-8'?>
    <domain type='kvm' id='1'>
      <name>SophosXG</name>
      <uuid>de38a98d-bd8d-cc02-7277-5d4995ab29f3</uuid>
      <metadata>
        <vmtemplate xmlns="unraid" name="Linux" icon="linux.png" os="linux"/>
      </metadata>
      <memory unit='KiB'>6291456</memory>
      <currentMemory unit='KiB'>6291456</currentMemory>
      <memoryBacking>
        <nosharepages/>
      </memoryBacking>
      <vcpu placement='static'>6</vcpu>
      <cputune>
        <vcpupin vcpu='0' cpuset='0'/>
        <vcpupin vcpu='1' cpuset='4'/>
        <vcpupin vcpu='2' cpuset='1'/>
        <vcpupin vcpu='3' cpuset='5'/>
        <vcpupin vcpu='4' cpuset='2'/>
        <vcpupin vcpu='5' cpuset='6'/>
      </cputune>
      <resource>
        <partition>/machine</partition>
      </resource>
      <os>
        <type arch='x86_64' machine='pc-q35-4.2'>hvm</type>
      </os>
      <features>
        <acpi/>
        <apic/>
      </features>
      <cpu mode='host-passthrough' check='none'>
        <topology sockets='1' cores='3' threads='2'/>
        <cache mode='passthrough'/>
        <feature policy='require' name='topoext'/>
      </cpu>
      <clock offset='utc'>
        <timer name='rtc' tickpolicy='catchup'/>
        <timer name='pit' tickpolicy='delay'/>
        <timer name='hpet' present='no'/>
      </clock>

     

     

    The settings that are changed via console are maintained in a backup?

  • l0rdraiden said:
    <topology sockets='1' cores='3' threads='2'/>

     

    <cpu mode="host-passthrough">
        <topology sockets="8" cores="1" threads="1"/>
      </cpu>


    That's my current settings for CPU on one of my XG VM's.

     

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • I had it like you before but since I changed the topology "for the real one" I get more of performance.

    I think sophos limitation to 4 cores applies to threads so you are limited to 4 threads, If you define the topology correctly, you can use the 4 cores with its 8 threads.

    Just try a speedtest on that machine to see if it uses more than 4 or 5 threads

Reply
  • I had it like you before but since I changed the topology "for the real one" I get more of performance.

    I think sophos limitation to 4 cores applies to threads so you are limited to 4 threads, If you define the topology correctly, you can use the 4 cores with its 8 threads.

    Just try a speedtest on that machine to see if it uses more than 4 or 5 threads

Children