[Oisf-users] Inline NFQ

Xavier Romero XRomero at nexica.com
Wed Oct 7 13:44:37 UTC 2015


Hello,

I've been successfully running Suricata (detection mode) for a long time on a dedicated physical machine, processing about 2 Gbps with no problem.
Now I need to set up another Suricata box for inline mode as a virtual machine (just for 50Mbps). It's a small VM (CentOS 7, 2 CPUs & 2 GB RAM), but it should be enough, though. I set up iptables this way:

iptables -I FORWARD -j NFQUEUE --queue-bypass --queue-balance 0:1

My problem is, when I start Suricata in inline mode, the network throughput drops dramatically... I ran an internet speed test:

[15:24:30][admin at test ~]$ ./speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Selecting best server based on latency...
Hosted by masmovil (Madrid) [0.00 km]: 13.574 ms
Testing download speed........................................
Download: 602.14 Mbit/s
Testing upload speed..................................................
Upload: 136.50 Mbit/s

[15:25:02][root at suricata ~]$ systemctl start suricata

[15:25:24][admin at test ~]$ ./speedtest-cli
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Selecting best server based on latency...
Hosted by masmovil (Madrid) [0.00 km]: 10.948 ms
Testing download speed........................................
Download: 14.18 Mbit/s
Testing upload speed..................................................
Upload: 3.08 Mbit/s

I've tried with 1 and 2 queues (-q 0 -q 1), and in both autofp and workers mode, no matter... always the same results. Suricata threads do not consume much CPU, so it does not look like I need more cores.

Neither dmesg, journalctl, /var/log/messages nor the Suricata logs are complaining about anything.

I've no idea where to look or what to try. Any suggestion will be welcome.

Best regards,
Xavier Romero