Raspberry Pi 5 performance with snort?

Does anyone with a RPi5 have snort3 configured for IPS? What is the max bandwidth the processor can do?

It's not supported here yet.

There is a pending PR to support RPi5B: https://github.com/openwrt/openwrt/pull/13987

I have it merged for testing purposes. With the RPi5B in a double NAT (I am not using it as my primary router/firewall), with the internal NIC (eth0) being treated as the WAN interface and with a USB 3.0 NIC (eth1) as the LAN interface, I am getting around 160 Mbits/sec from a node outside the RPi5B to a RPi4B behind the RPi5B with snort3 running in IPS mode using the full registered user rules. If I stop snort on the RPi5B, I can saturate the line.

Without snort:

% iperf3 -c 10.9.8.107
Connecting to host 10.9.8.107, port 5201
[  5] local 10.9.8.101 port 57566 connected to 10.9.8.107 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   113 MBytes   951 Mbits/sec    0    618 KBytes       
[  5]   1.00-2.00   sec   112 MBytes   937 Mbits/sec    0    618 KBytes       
[  5]   2.00-3.00   sec   112 MBytes   939 Mbits/sec   13    605 KBytes       
[  5]   3.00-4.00   sec   111 MBytes   932 Mbits/sec    0    660 KBytes       
[  5]   4.00-5.00   sec   112 MBytes   939 Mbits/sec   13    544 KBytes       
[  5]   5.00-6.00   sec   112 MBytes   939 Mbits/sec   13    533 KBytes       
[  5]   6.00-7.00   sec   112 MBytes   941 Mbits/sec   13    477 KBytes       
[  5]   7.00-8.00   sec   112 MBytes   939 Mbits/sec   13    431 KBytes       
[  5]   8.00-9.00   sec   111 MBytes   935 Mbits/sec    0    574 KBytes       
[  5]   9.00-10.00  sec   111 MBytes   930 Mbits/sec  174    499 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.09 GBytes   938 Mbits/sec  239             sender
[  5]   0.00-10.00  sec  1.09 GBytes   936 Mbits/sec                  receiver

iperf Done.

With snort (a single core gets saturated during the test):

% iperf3 -c 10.9.8.107
Connecting to host 10.9.8.107, port 5201
[  5] local 10.9.8.101 port 48946 connected to 10.9.8.107 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  21.2 MBytes   178 Mbits/sec    0    997 KBytes       
[  5]   1.00-2.00   sec  19.7 MBytes   165 Mbits/sec    6   1.27 MBytes       
[  5]   2.00-3.00   sec  20.0 MBytes   168 Mbits/sec    1    997 KBytes       
[  5]   3.00-4.00   sec  18.8 MBytes   157 Mbits/sec    0   1.04 MBytes       
[  5]   4.00-5.00   sec  18.8 MBytes   157 Mbits/sec    0   1.09 MBytes       
[  5]   5.00-6.00   sec  20.0 MBytes   168 Mbits/sec    0   1.13 MBytes       
[  5]   6.00-7.00   sec  18.8 MBytes   157 Mbits/sec    0   1.15 MBytes       
[  5]   7.00-8.00   sec  20.0 MBytes   168 Mbits/sec    4    863 KBytes       
[  5]   8.00-9.00   sec  18.8 MBytes   157 Mbits/sec    0    921 KBytes       
[  5]   9.00-10.00  sec  18.8 MBytes   157 Mbits/sec    0    959 KBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   195 MBytes   163 Mbits/sec   11             sender
[  5]   0.00-10.05  sec   193 MBytes   161 Mbits/sec                  receiver

iperf Done.

I spent some time configuring my RPi5B as a backup router and did the live test with LAN/WAN connected, not double-NATed as above. Results were similar with the bufferbloat speed test with or without SQM enabled. The RPi5B is just not powerful enough to run snort at gigabit speeds.

With SQM enabled:

Without SQM enabled:

My connection maxes out around 950 Mbps downstream without snort running on the RPi5B.


Thank you @darksky for the tests you ran. I see now that the Pi5 is not going to work. Pity. What x86 hardware are you using for full-speed snort IPS and SQM?

I have an AMD U5800-based one from acemagician. It's decent and rock-solid stable. I also tried the Intel N95-based one; it was CPU-limited with snort. You can search on me to find the relevant threads here.

Moving this to the developers section since this is not yet supported but development is currently active.

Might be interesting for someone to revisit the RPi5B benchmarks with snort3 built with vector scan. See PR#23904.

How does RPi5B's CPU compare to GL-MT6000? Should be pretty similar I would think (both quad, similar clock rates, etc.)

On filogic/glinet_gl-mt6000 there are gains of 2-4x in throughput. From the commit message:

The performance difference of snort3 compiled against this is sizable.
I compiled snort 3.1.84.0 against vectorscan for filogic/glinet_gl-mt6000
and compared it to snort3 without the library.

In IDS mode:
Download speed wo/ vectorscan: 91.2 ±0.21 Mbit/s (n=3)
Download speed using vectorscan: 331.0 ±27.34 Mbit/s (n=3)
Gain of 3.6x

In IPS mode:
Download speed wo/ vectorscan: 30.0 ±0.06 Mbit/s (n=3)
Download speed using vectorscan: 52.9 ±0.78 Mbit/s (n=3)
Gain of 1.8x

Notes:
* Data generated on snapshot build on 12-Apr-2024 using kernel version 6.6.26,
  snort version 3.1.84.0, vectorscan version 5.4.11.
* Speedtest script hitting the same server.
* Snort rules file was 37,917 lines/22 MB.
* In all cases, single core CPU saturation occurred which speaks to the efficiency
  gains supplied by vectorscan.

EDIT: I also did some quick iperf3 tests with RPi5B. Similar results:

Test Soc #2 bcm2712/RPi5B
IDS mode:
Using iperf3 to send wo/ vectorscan: 515 Mbits/sec
Using iperf3 to send using vectorscan: 934 Mbits/sec
Gain of >1.8x

IPS mode:
Using iperf3 to send wo/ vectorscan: 259 Mbits/sec
Using iperf3 to send using vectorscan: 934 Mbits/sec
Gain of >3.7x (934 Mbits/sec is the theoretical max)
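The posts above quote iperf3 runs with and without snort, and the commit message reports throughput as mean ± standard deviation over n runs. The following is an added example, not code from this thread or from the OpenWrt/snort3 projects: a small Python script that parses iperf3's text output, skips the sender/receiver summary lines, converts the per-interval bitrates to Mbit/s, and reports mean ± sample standard deviation, retransmits and the gain factor between two runs. The two input excerpts are the interval lines copied from the with/without snort runs posted earlier in this thread; the 10 % coefficient-of-variation threshold used to flag an unstable run is my own assumption, not anything the posters used.

```python
"""Summarise iperf3 text output the way the thread reports it: mean +/- stdev, gain.

Added example for this thread; the interval lines below are copied from the
earlier with/without snort posts. The stability threshold is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from statistics import mean, stdev

# Matches both per-interval lines and the sender/receiver summary lines, e.g.
# "[  5]   0.00-1.00   sec   113 MBytes   951 Mbits/sec    0    618 KBytes"
INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?)Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG]?)bits/sec"
    r"(?:\s+(?P<retr>\d+))?"
)
_TO_MBIT = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}  # unit prefix -> Mbit/s


@dataclass
class Interval:
    start: float
    end: float
    mbits: float
    retr: int


@dataclass
class Summary:
    n: int
    mean_mbits: float
    stdev_mbits: float  # sample stdev; 0.0 when fewer than two intervals
    min_mbits: float
    retransmits: int


def parse_iperf3(text: str) -> list[Interval]:
    """Return the per-interval samples; the sender/receiver totals are skipped."""
    out: list[Interval] = []
    for line in text.splitlines():
        line = line.strip()
        if "sender" in line or "receiver" in line:
            continue  # summary lines, not samples
        m = INTERVAL_RE.match(line)
        if not m:
            continue
        out.append(Interval(
            start=float(m["start"]),
            end=float(m["end"]),
            mbits=float(m["rate"]) * _TO_MBIT[m["runit"]],
            retr=int(m["retr"] or 0),
        ))
    return out


def summarise(intervals: list[Interval]) -> Summary:
    if not intervals:
        raise ValueError("no iperf3 interval lines found")
    rates = [i.mbits for i in intervals]
    return Summary(
        n=len(rates),
        mean_mbits=mean(rates),
        stdev_mbits=stdev(rates) if len(rates) > 1 else 0.0,
        min_mbits=min(rates),
        retransmits=sum(i.retr for i in intervals),
    )


def gain(baseline: Summary, candidate: Summary) -> float:
    """Throughput ratio candidate/baseline, the 'Gain of Nx' figure in the thread."""
    return candidate.mean_mbits / baseline.mean_mbits


def is_stable(s: Summary, max_cv: float = 0.10) -> bool:
    """Assumed rule: quote a single number only if stdev/mean stays under max_cv."""
    return s.mean_mbits > 0 and s.stdev_mbits / s.mean_mbits <= max_cv


# Interval lines copied from the with/without snort runs posted in this thread.
WITHOUT_SNORT = """
[  5]   0.00-1.00   sec   113 MBytes   951 Mbits/sec    0    618 KBytes
[  5]   1.00-2.00   sec   112 MBytes   937 Mbits/sec    0    618 KBytes
[  5]   2.00-3.00   sec   112 MBytes   939 Mbits/sec   13    605 KBytes
[  5]   3.00-4.00   sec   111 MBytes   932 Mbits/sec    0    660 KBytes
[  5]   4.00-5.00   sec   112 MBytes   939 Mbits/sec   13    544 KBytes
[  5]   5.00-6.00   sec   112 MBytes   939 Mbits/sec   13    533 KBytes
[  5]   6.00-7.00   sec   112 MBytes   941 Mbits/sec   13    477 KBytes
[  5]   7.00-8.00   sec   112 MBytes   939 Mbits/sec   13    431 KBytes
[  5]   8.00-9.00   sec   111 MBytes   935 Mbits/sec    0    574 KBytes
[  5]   9.00-10.00  sec   111 MBytes   930 Mbits/sec  174    499 KBytes
[  5]   0.00-10.00  sec  1.09 GBytes   938 Mbits/sec  239             sender
[  5]   0.00-10.00  sec  1.09 GBytes   936 Mbits/sec                  receiver
"""
WITH_SNORT = """
[  5]   0.00-1.00   sec  21.2 MBytes   178 Mbits/sec    0    997 KBytes
[  5]   1.00-2.00   sec  19.7 MBytes   165 Mbits/sec    6   1.27 MBytes
[  5]   2.00-3.00   sec  20.0 MBytes   168 Mbits/sec    1    997 KBytes
[  5]   3.00-4.00   sec  18.8 MBytes   157 Mbits/sec    0   1.04 MBytes
[  5]   4.00-5.00   sec  18.8 MBytes   157 Mbits/sec    0   1.09 MBytes
[  5]   5.00-6.00   sec  20.0 MBytes   168 Mbits/sec    0   1.13 MBytes
[  5]   6.00-7.00   sec  18.8 MBytes   157 Mbits/sec    0   1.15 MBytes
[  5]   7.00-8.00   sec  20.0 MBytes   168 Mbits/sec    4    863 KBytes
[  5]   8.00-9.00   sec  18.8 MBytes   157 Mbits/sec    0    921 KBytes
[  5]   9.00-10.00  sec  18.8 MBytes   157 Mbits/sec    0    959 KBytes
[  5]   0.00-10.00  sec   195 MBytes   163 Mbits/sec   11             sender
[  5]   0.00-10.05  sec   193 MBytes   161 Mbits/sec                  receiver
"""

if __name__ == "__main__":
    base = summarise(parse_iperf3(WITH_SNORT))
    cand = summarise(parse_iperf3(WITHOUT_SNORT))
    for label, s in (("with snort", base), ("without snort", cand)):
        print(f"{label:14s}: {s.mean_mbits:.1f} +/-{s.stdev_mbits:.2f} Mbit/s "
              f"(n={s.n}, min {s.min_mbits:.0f}, retr {s.retransmits}, "
              f"{'stable' if is_stable(s) else 'UNSTABLE'})")
    print(f"cost of snort IPS: {gain(base, cand):.2f}x")
```

Feed it `iperf3 -c <server>` output captured to a file for each configuration (snort stopped, snort without vectorscan, snort with vectorscan) and the gain figure comes out directly comparable to the ones quoted in the commit message; a run flagged UNSTABLE (as the 331 ± 27 result above would be, borderline) is worth repeating before quoting a single number.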

Hi @darksky ,

I was thinking of buying a rpi5 and using it with SQM cake for my symmetric 1Gbps WAN. From your test without snort, it seems to handle it pretty well. I was wondering if you tried or have the possibility to test the rpi5 with a USB network adapter as an additional NIC and see if it handles CAKE for traffic going through both NICs.

Thanks.

Can’t remember the specific setup I had when testing. No hardware available for testing now.
