From owner-freebsd-net@FreeBSD.ORG Mon Sep 22 15:13:22 2014
From: Elof Ofel <elofu17@hotmail.com>
To: freebsd-net@freebsd.org
Subject: How do I balance bandwidth over several virtual NICs?
Date: Mon, 22 Sep 2014 17:12:11 +0200
List-Id: Networking and TCP/IP with FreeBSD

I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored traffic.
I want to split these 800 Mbps into smaller chunks and feed them to a couple of virtual interfaces. Each virtual interface can then have an instance of 'snort' inspecting its traffic. Say approximately 200 Mbps per interface = four interfaces.

That way, each of the four snort processes only gets 200 Mbps of data to inspect instead of having *one* single snort process (single-threaded) trying to cope with 800 Mbps. (The problem I'm trying to solve is utilizing all CPUs. Currently one CPU runs snort at 100% while all the other CPUs idle.)

The important thing though is that all packets in the connection need to be diverted to the same virtual NIC. You can't send the SYN to NIC0 and the SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees the other side of the connection.
The load balancing must be based on a hash built from at least the MAC addresses + IP addresses.

So, what I think I'm looking for is a way to configure a lagg0 interface in loadbalance mode that takes all the incoming traffic on mon0 and distributes it over four virtual member NICs. (These four NICs would then probably be configured to run in monitor mode.)

Does FreeBSD support what I'm looking for? How do I do it? Where should I look?

/Elof
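The property the post asks for is a flow hash that is symmetric: the SYN (A to B) and the SYN-ACK (B to A) must yield the same worker index, otherwise neither IDS instance sees the whole connection. The C program below is an added illustration of such a hash, not code from the thread or from the FreeBSD project; it assumes IPv4, hashes the MAC and IP addresses the post names plus ports and protocol so that distinct connections between the same hosts still spread out, and uses constructed sample addresses. The trick is to order the two endpoints canonically before folding them into the hash, so the direction of the packet no longer matters.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NWORKERS 4   /* four snort instances, as in the post */

/* Constructed flow key: the MAC and IP addresses the post wants hashed,
 * plus ports and protocol so distinct connections between the same two
 * hosts can still spread across workers (assumption: IPv4 only). */
struct flow_key {
    uint8_t  smac[6], dmac[6];
    uint32_t sip, dip;      /* as captured; byte order does not matter to the hash */
    uint16_t sport, dport;
    uint8_t  proto;
};

struct endpoint { uint8_t mac[6]; uint32_t ip; uint16_t port; };

static int endpoint_cmp(const struct endpoint *a, const struct endpoint *b)
{
    if (a->ip != b->ip)     return a->ip < b->ip ? -1 : 1;
    if (a->port != b->port) return a->port < b->port ? -1 : 1;
    return memcmp(a->mac, b->mac, 6);
}

/* 32-bit FNV-1a, chained so several fields fold into one hash.
 * Fields are hashed individually, so struct padding never leaks in. */
static uint32_t fnv1a(const void *buf, size_t len, uint32_t h)
{
    const uint8_t *p = buf;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static uint32_t hash_endpoint(uint32_t h, const struct endpoint *e)
{
    h = fnv1a(e->mac, 6, h);
    h = fnv1a(&e->ip, sizeof e->ip, h);
    return fnv1a(&e->port, sizeof e->port, h);
}

/* Symmetric flow hash: the lower-ordered endpoint is always folded in
 * first, so the SYN (A->B) and the SYN-ACK (B->A) hash identically. */
uint32_t symmetric_flow_hash(const struct flow_key *k)
{
    struct endpoint a = { {0}, k->sip, k->sport }, b = { {0}, k->dip, k->dport };
    memcpy(a.mac, k->smac, 6);
    memcpy(b.mac, k->dmac, 6);
    const struct endpoint *lo = &a, *hi = &b;
    if (endpoint_cmp(&a, &b) > 0) { lo = &b; hi = &a; }
    uint32_t h = hash_endpoint(2166136261u, lo);
    h = hash_endpoint(h, hi);
    return fnv1a(&k->proto, 1, h);
}

unsigned worker_for_flow(const struct flow_key *k, unsigned nworkers)
{
    return symmetric_flow_hash(k) % nworkers;
}

/* Swap the two endpoints: the reply direction of the same connection. */
struct flow_key reverse_flow(const struct flow_key *k)
{
    struct flow_key r = *k;
    memcpy(r.smac, k->dmac, 6); memcpy(r.dmac, k->smac, 6);
    r.sip = k->dip;     r.dip = k->sip;
    r.sport = k->dport; r.dport = k->sport;
    return r;
}

/* Constructed sample: a TCP SYN from 10.0.0.5:51234 to 10.0.0.80:443. */
struct flow_key sample_syn(void)
{
    struct flow_key k = {
        .smac = {0x00,0x11,0x22,0x33,0x44,0x55}, .dmac = {0x66,0x77,0x88,0x99,0xaa,0xbb},
        .sip = 0x0a000005, .dip = 0x0a000050, .sport = 51234, .dport = 443, .proto = 6,
    };
    return k;
}

/* 1 if both directions of the sample connection land on the same worker. */
int both_directions_agree(void)
{
    struct flow_key syn = sample_syn(), synack = reverse_flow(&syn);
    return worker_for_flow(&syn, NWORKERS) == worker_for_flow(&synack, NWORKERS);
}

/* 1 if a second connection from the same client (different source port)
 * hashes to a different value, i.e. the hash actually spreads connections. */
int different_connection_differs(void)
{
    struct flow_key a = sample_syn(), b = sample_syn();
    b.sport = 51235;
    return symmetric_flow_hash(&a) != symmetric_flow_hash(&b);
}

int main(void)
{
    struct flow_key syn = sample_syn(), synack = reverse_flow(&syn);
    printf("SYN     -> worker %u\n", worker_for_flow(&syn, NWORKERS));
    printf("SYN-ACK -> worker %u\n", worker_for_flow(&synack, NWORKERS));
    return both_directions_agree() ? 0 : 1;
}
```

Whatever mechanism ends up distributing mon0's traffic, this is the check to run against it: feed it a captured connection and confirm that every packet of that connection, in both directions, reports the same worker. A hash that folds source fields before destination fields without canonical ordering will pass for one direction and fail for the reply, which is exactly the split-connection problem described in the post.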