Thanks for your suggestions. I'll try 2 CPUs and more RAM. I read somewhere that snort was not (yet) multi-threaded so I'm not sure 2 CPUs will help.
I run xen...

On Mon, Mar 30, 2009 at 11:53 PM, compdoc <comp...@hotrodpc.com> wrote:

> I maintain about 6 efw firewalls, and they like ram. For smaller numbers of users, I give it 768 Megs, and for about 30 users with heavy usage, including day-long openvpn sessions, (but limited to a 7 Mbit link) it wants at least 1 Gig.
>
> Ram is often used to cache lookups, etc., so the more the better. What sort of disk I/O is happening when it's at full speed?
>
> The largest efw firewall (the one with 30 users) runs in a xenserver vm. It has 1 Gig ram, and two cpus assigned. Snort is enabled on Red. The cpu usage shows both cpus tend to be used evenly, and can peak to 80% usage, but normally runs 10% or less throughout the day. Disk I/O isn’t measurable.
>
> I have to say, pumping 30mbps through a port, while scanning the data for virus, spam, intrusion, etc. and keeping the natting straight, all while providing services like DHCP, etc, is no small feat for any router. That’s a lot of data and a lot of scanning. I don’t think 2 cpus are a lot for a router, and in your case, I'd think that’s the minimum. Also, it needs to buffer all that data somewhere while it's being scanned. Give it a lot more ram.
>
> There is also the possibility it's not liking the vm's hardware. Network cards in particular, but not necessarily limited to that. Even the way you’ve set up vmware's networking might not be optimal.
>
> If you want to be successful at making a VM like this work, you need to get to know the OS running natively on a decent cpu. Got a spare pc you can play with? It's the only way to judge any OS, and to judge if there's a problem with the vm.
>
> I find that OSes run faster on xenserver...
>
> *From:* Bart Heinsius [mailto:bheins...@gmail.com]
> *Sent:* Monday, March 30, 2009 2:20 PM
> *To:* efw-user@lists.sourceforge.net
> *Subject:* Re: [Efw-user] Snort CPU load limits download speed
>
> > Snort is almost maxing out your processor here. You aren't swapping, but there is not enough processor time left to go much higher. You said this is a virtual machine. Can you add more processor and see if it improves?
>
> Add more processor? Like assigning 2 processors to Endian? Sounds like a lot for a router. I would think that one of the four cores in my Dell R200 Quad Core X3230, 2.66GHz/2x4M 1066FSB is enough for a 30mbps link. Or are there parameters that prevent the VM from getting the max CPU?
>
> -Bart
>
> _______________________________________________
> Efw-user mailing list
> Efw-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/efw-user