From owner-freebsd-net@FreeBSD.ORG Mon Sep 22 16:45:30 2014
Date: Mon, 22 Sep 2014 18:45:28 +0200
Subject: Re: How do I balance bandwidth over several virtual NICs?
From: Nikolay Denev
To: Elof Ofel
Cc: "freebsd-net@freebsd.org"
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Sep 22, 2014 at 5:12 PM, Elof Ofel wrote:
> I have a single NIC, mon0, that constantly receives 800 Mbps of mirrored traffic.
> I want to split these 800 Mbps into smaller chunks and feed them to a couple of virtual interfaces.
> Each virtual interface can then have an instance of 'snort' inspecting its traffic.
>
> Say approximately 200 Mbps per interface = four interfaces.
> That way, each of the four snort processes only gets 200 Mbps of data to inspect instead of having *one* single snort process (single-threaded) trying to cope with 800 Mbps.
>
> (The problem I'm trying to solve is utilizing all CPUs. Currently one CPU runs snort at 100% while all the other CPUs idle.)
>
>
> The important thing though is that all packets in the connection need to be diverted to the same virtual NIC. You can't send the SYN to NIC0 and the SYN-ACK to NIC1, 'cause then neither snort-process-0 nor snort-process-1 sees the other side of the connection.
> The load balancing must be based on a hash built from at least the MAC addresses + IP addresses.
>
>
> So, what I think I'm looking for is a way to configure a lagg0 interface in loadbalance mode that takes all the incoming traffic on mon0 and distributes it over four virtual member NICs. (These four NICs would then probably be configured to run in monitor mode.)
>
>
> Does FreeBSD support what I'm looking for? How do I do it? Where should I look?
>
> /Elof

Since this is below one Gig, would running separate snort processes on mon0 and using a BPF filter to split traffic work?

--Nikolay
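The BPF approach Nikolay suggests only satisfies Elof's requirement if the filter is direction-symmetric: a split on the destination address alone (for example `ip[19] & 3 == 0`) sends a SYN and its SYN-ACK to different snort processes. The following is an added example, not code from the thread or from snort itself; it builds N pcap-filter expressions keyed on the sum of the source and destination IPv4 addresses (addition commutes, so both directions of a connection hash to the same bucket) and models the BPF arithmetic in Python over a few constructed address pairs to show where the naive scheme splits a connection. The address pairs, the function names and the snort command line in the note below are this example's assumptions.

```python
"""Direction-symmetric BPF filters for splitting one monitor interface across
N snort processes (added example, not from the freebsd-net thread or snort)."""
import ipaddress

# Constructed (client, server) address pairs used only to exercise the hashing;
# they are not traffic from the original thread.
FLOWS = [
    ("10.1.2.3", "192.0.2.10"),
    ("10.1.2.7", "198.51.100.5"),
    ("172.16.0.4", "203.0.113.8"),
    ("10.9.8.2", "192.0.2.6"),
]


def _u32(addr):
    """IPv4 dotted quad -> the 32-bit value BPF loads with ip[12:4] / ip[16:4]."""
    return int(ipaddress.IPv4Address(addr))


def symmetric_bpf_filters(n):
    """Return n pcap-filter expressions, one per snort process.

    Bucket = (src + dst) & (n-1). Because '+' commutes, the SYN (client->server)
    and the SYN-ACK (server->client) always select the same bucket, so one
    snort process sees both sides of every connection between a host pair.
    n must be a power of two: the low-bit mask avoids needing '%' in the filter.
    """
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    return [f"ip and ((ip[12:4] + ip[16:4]) & {n - 1}) == {i}" for i in range(n)]


def naive_bpf_filters(n):
    """Split on the low bits of the destination address only (ip[19]).
    Simple, but each direction of a connection hashes differently."""
    return [f"ip and (ip[19] & {n - 1}) == {i}" for i in range(n)]


def symmetric_bucket(src, dst, n):
    """Python model of the arithmetic the symmetric filter performs per packet.
    BPF registers are 32 bits wide, so the sum wraps; the mask makes that moot."""
    return ((_u32(src) + _u32(dst)) & 0xFFFFFFFF) & (n - 1)


def naive_bucket(src, dst, n):
    """Python model of the destination-only filter."""
    return (_u32(dst) & 0xFF) & (n - 1)


def check_symmetry(flows, n):
    """For each (client, server) pair, compare the bucket chosen for the
    forward packet with the bucket chosen for the reply. Returns how many
    pairs each scheme would split across two snort processes."""
    split_naive = sum(naive_bucket(c, s, n) != naive_bucket(s, c, n) for c, s in flows)
    split_sym = sum(symmetric_bucket(c, s, n) != symmetric_bucket(s, c, n) for c, s in flows)
    return split_naive, split_sym


if __name__ == "__main__":
    for expr in symmetric_bpf_filters(4):
        print(expr)
    print("connections split (naive, symmetric):", check_symmetry(FLOWS, 4))
```

Each expression goes to its own snort process as a trailing BPF filter, the way tcpdump takes one, e.g. `snort -c /etc/snort/snort.conf -i mon0 'ip and ((ip[12:4] + ip[16:4]) & 3) == 0'` for bucket 0 (Snort 2 also accepts a filter file via `-F`). Three caveats a practitioner should check on the mirror port: the filters above match only IPv4, so append `or not ip` to one of them if ARP, IPv6 or other non-IP traffic must still reach a snort instance; if the SPAN port delivers 802.1Q-tagged frames the `ip` offsets only line up after a `vlan and` prefix; and the key is the address pair, not the 5-tuple, so a single busy host pair lands entirely on one process rather than being spread.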