Date:      Mon, 22 Sep 2014 18:45:28 +0200
From:      Nikolay Denev <nike_d@cytexbg.com>
To:        Elof Ofel <elofu17@hotmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: How do I balance bandwidth over several virtual NICs?
Message-ID:  <CA%2BP_MZGA_uz_H_QsB%2BdgXEgbXNCjv7w-OToKby=ww%2BvKgnU4_Q@mail.gmail.com>
In-Reply-To: <DUB125-W13FDC584F5DF9881CF5FDEBCB30@phx.gbl>
References:  <DUB125-W13FDC584F5DF9881CF5FDEBCB30@phx.gbl>

On Mon, Sep 22, 2014 at 5:12 PM, Elof Ofel <elofu17@hotmail.com> wrote:
> I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored traffic.
> I want to split these 800 Mbps into smaller chunks and feed them to a couple of virtual interfaces.
> Each virtual interface can then have an instance of 'snort' inspecting its traffic.
>
> Say approximately 200 Mbps per interface = four interfaces.
> That way, each of the four snort processes only gets 200 Mbps of data to inspect instead of having *one* single snort process (single-threaded) trying to cope with 800 Mbps.
>
> (The problem I'm trying to solve is utilizing all CPUs. Currently one CPU runs snort at 100% while all the other CPUs idle.)
>
>
> The important thing though is that all packets in the connection need to be diverted to the same virtual NIC. You can't send the SYN to NIC0 and the SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees the other side of the connection.
> The load balancing must be based on a hash built from at least the MAC addresses + IP addresses.
>
>
> So, what I think I'm looking for is a way to configure a lagg0 interface in loadbalance mode that takes all the incoming traffic on mon0 and distributes it over four virtual member NICs. (These four NICs would then probably be configured to run in monitor mode.)
>
>
> Does FreeBSD support what I'm looking for? How do I do it? Where should I look?
>
> /Elof

Since this is below one Gig, would running separate snort processes on
mon0 and using a BPF filter to split traffic work?

--Nikolay
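As an added example (not code from either poster), here is one way to realise Nikolay's BPF-filter idea while keeping Elof's requirement that both directions of a connection reach the same snort instance: assuming untagged IPv4 frames on mon0, bucket each packet on the sum of the last source and destination octets (addition is commutative, so SYN and SYN-ACK hash alike) and emit one pcap-filter expression per snort instance. The snort command line itself is not shown; the offsets ip[15]/ip[19] are an assumption about the frame layout.

```python
"""Symmetric split of mirrored traffic across N snort instances using BPF."""
import ipaddress


def symmetric_bucket(src_ip: str, dst_ip: str, n: int) -> int:
    """Bucket a packet by the sum of the last octets of src and dst IP.

    Addition is commutative, so SYN (a->b) and SYN-ACK (b->a) land in the
    same bucket. n must be a power of two so the BPF mask below matches.
    """
    if n <= 0 or n & (n - 1):
        raise ValueError("n must be a power of two")
    a = ipaddress.IPv4Address(src_ip).packed[3]
    b = ipaddress.IPv4Address(dst_ip).packed[3]
    return (a + b) & (n - 1)


def bpf_filter(bucket: int, n: int) -> str:
    """pcap-filter expression selecting the packets of one bucket.

    Assumption: untagged Ethernet + IPv4, so ip[15] / ip[19] are the last
    bytes of the source / destination address. VLAN-tagged frames shift
    the offsets and would need a 'vlan and ...' prefix instead.
    """
    return f"ip and ((ip[15] + ip[19]) & {n - 1}) == {bucket}"


def partition(flows, n):
    """Map each (src, dst) flow to its bucket and verify the split is symmetric."""
    assignment = {}
    for src, dst in flows:
        fwd = symmetric_bucket(src, dst, n)
        rev = symmetric_bucket(dst, src, n)
        if fwd != rev:
            raise RuntimeError(f"asymmetric split for {src} <-> {dst}")
        assignment[(src, dst)] = fwd
    return assignment


# Constructed sample flows (not taken from the thread).
SAMPLE_FLOWS = [
    ("10.0.0.1", "192.168.1.10"),   # (1 + 10) & 3 == 3
    ("10.0.0.2", "192.168.1.20"),   # (2 + 20) & 3 == 2
    ("10.0.0.7", "172.16.5.33"),    # (7 + 33) & 3 == 0
    ("10.0.0.4", "172.16.5.45"),    # (4 + 45) & 3 == 1
]

if __name__ == "__main__":
    for b in range(4):
        print(f"snort instance {b}: {bpf_filter(b, 4)}")
    print(partition(SAMPLE_FLOWS, 4))
```

Each snort process gets one of the printed expressions as its BPF filter; the distribution is only as even as the low address bytes of the monitored traffic, so count packets per bucket before relying on it.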
