This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Hardware required for FTTP with IPS/IDS and Webfiltering?

Hi All,

I've been running a UTM for about 3-4 years in my home network and love it; it's been flawless on my 35Mbps connection.  I've recently been lucky enough to get FTTP into my house.  I'm now hitting a bottleneck on the UTM that I believe stems from hardware and more specifically the CPU.

For info, my current hardware is an i5 Mac Mini running ESXi 6.7 and a virtual UTM. The UTM has 4 cores assigned and 8GB of RAM.  There are no other VMs running on the host.

  • Hypervisor: VMware ESXi, 6.7.0, 8169922 
  • Model: Macmini6,1 
  • Processor Type: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz 

The UTM is fully capable of the 300Mbps line speed with IPS/IDS and Webfiltering off.  Just Webfiltering takes the speed down to about 240Mbps and IPS/IDS takes it down to around 140Mbps.

Does anyone know what sort of hardware I'd need to get those features and still be able to max the 300Mbps line?  I'm assuming I'm going to need a faster clock speed rather than more cores. Being the geek I am I'd love to keep those features enabled.  Web filtering is a must due to the kids being on their own segregated network with their own filters and rules, one of the best features.

I have been investigating off loading the IPS/IDS to a dedicated box (IPFire as I've used it before) and put that in front of the UTM and then either bridge or double NAT.

Would love to know thoughts or what anyone else has done?  Should I go bare metal on some better hardware?  Ideally I don't want a thirsty full fat server but would consider an older appliance re-purposed if the power consumption is sub 100W.

Thanks, Joe.

  • Since IPS uses a single core for every "user", you indeed need a CPU with as high a clock speed as possible. Multiple cores are being used for IPS, but not for 1 user. If you are the only one using the UTM, your speedtest will only get 1 core.

    If you do 2 simultaneous speed tests on different machines you should see that a second core kicks in for the 2nd connection and given that you have 300Mbps connection, both should be able to reach about 140Mbps (about the same as you are getting now) to total up to about 280Mbps.

    Unfortunately I cannot advise in which clock frequency you should use.

    Another thing that might give you some extra performance is tweaking the IPS settings (disable items under attack patterns that you are not using and decrease rule age; <12 should be good).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hi Joe,

    As apijnappels says, you were only testing a single core with IPS enabled.  I suspect you would fill your pipe with your present hardware if you had three people testing simultaneously.  You would need at least 5GHz to do that with a single speed tester.  An alternative would be a box running Suricata on a quad-core CPU in front of the UTM.  Then again, maybe everyone getting throughput four times what they're used to is sufficient.  Let us know what you do.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I ran speed tests from multiple devices and was able to max out the link using multiple streams.  I think I can live with that as a solution.   One host needing all the bandwidth at once will be rare, so it won't actually be a problem in the grand scheme of things.  I have 35 devices behind the UTM, most are mine.  There are 4 of us in the house so basically we have one core each :D

    As a test I did disable the IPS/IDS on the UTM and put the IPS/IDS service on an IPFire firewall in front, and was able to max the link from a single host with a few tweaks to the web filters.  I'm not keen on double NAT though, as it causes odd behaviour with the IPsec VPN on the UTM setup I use.

    Thanks for the advice both.  Forgot all about the single-stream-per-core gotcha, feel daft for asking now :D

    Cheers