How do I balance bandwidth over several virtual NICs?

Julian Elischer julian at freebsd.org
Tue Sep 23 15:32:40 UTC 2014


On 9/23/14, 11:11 PM, Julian Elischer wrote:
> On 9/22/14, 11:12 PM, Elof Ofel wrote:
>> I have a single NIC, mon0, that constantly receive 800 Mbps of 
>> mirrored traffic.
>> I want to split these 800 Mbps into smaller chunks and feed them to 
>> a couple of virtual interfaces.
>> Each virtual interface can then have instance of 'snort' inspecting 
>> its traffic.
>>
>> Say approximately 200 Mbps per interface = four interfaces.
>> That way, each of the four snort processes only get 200 Mbps of 
>> data to inspect instead of having *one* single snort process 
>> (single-threaded) trying to cope with 800 Mbps.
>>
>> (the problem I'm trying to solve is utilizing all cpu's. Currently 
>> one cpu runs snort at 100% while all the other cpu's idle.)
>>
>>
>> The important thing though is that all packets in the connection 
>> need to be diverted to the same virtual NIC. You can't send the SYN 
>> to NIC0 and the SYN-ACK to NIC1, 'cause then neither 
>> snort-process-0 nor snort-process-1 see the other side of the 
>> connection.
>> The loadbalancing must be based on a hash built from at least the 
>> mac-addresses+IP-addresses.
> you can probably do this with ipfw and/or netgraph in about half a 
> dozen different ways.
>
> Firstly, are the packets COPIES, or are these packets "Live".? (do 
> we have to get the packets back?)
> I'm going to assume they are not copies and that we need to copy them.

oh wait you said it was mirrored traffic! (looks for glasses).
ok so a divert rule would be sufficient if you can get snort to 
listen to diverted packets.
From memory it's something like: --daq --daq-var port={some divert 
port number}
>
> Secondly, do you want to run in inline mode so that snort can drop 
> packets?
> I'm going to assume no..
>
> Here is one possibility:
> firstly do a "check-state" in ipfw. This will effectively jump to 
> another rule if the session has been seen before. (see below)
> If the state fails, "skipto" based on a table, to send packets to 
> one of N packet rules depending on some set of bits in the address(es).
> On each set of rules we forward the packet to a different snort, 
> with a 'keep-state' rule. This assures that all following packets 
> will do the same thing (It's a little known fact that 'check state' 
> is actually very close to a conditional skipto.. it effectively 
> jumps to the rule that first matched that session.)
>
>
> the set of rules can achieve the forwarding in a number of ways, but 
> I suggest using the 'ngtee' rule to send a copy of the packet to 
> netgraph. the netgraph node in question can send it to a virtual 
> interface, from which snort is listening using bpf.

since this is mirrored traffic, just use the "netgraph" rule not 
ngtee. I'm not exactly sure what kind of virtual interface to hook it 
to.. I guess a regular ng_iface node would be good.. you really don't 
want the packets to enter the ip stack, so you need to make sure it is 
in 'monitor' mode.

>
> At one stage there was a snort action to allow it to listen directly 
> to divert packets, so you could use just a 'tee' rule. However I 
> THINK that may only work in inline mode.. but you may check.
>
> You could also use the 'forward' rule to send different sessions to 
> different virtual interfaces. from where you could look at them but 
> you'd have to somehow gather them all together again after that (a 
> bridge?).
>
>
>>
>>
>> So, what I think I'm looking for is a way to configure a lagg0 
>> interface in loadbalance mode, that take all the incoming traffic 
>> on mon0 and distribute it over four virtual member NICs. (these 
>> four NICs would then probably be configured to run in monitor mode.)
>>
>>
>> Do FreeBSD support what I'm looking for? How do I do it? Where 
>> should I look?
>>
>> /Elof
>>
>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>>
>

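A concrete form of the layout Julian sketches above (check-state first, a table-driven skipto on address bits, one 'netgraph' rule per bucket with keep-state, and an ng_iface per bucket held in monitor mode), written as an added example that is not part of the thread or of FreeBSD itself. It assumes FreeBSD 10-era ipfw/ngctl syntax, four buckets keyed on the top two bits of the source address (illustrative only), that ipfw sees the mirrored IP packets arriving on mon0, and that the four snort instances are started separately with -i ng0 .. ng3.

```shell
#!/bin/sh
# Added example: print (or apply) the ipfw + netgraph plan for splitting
# mirrored traffic on mon0 across four ng_iface interfaces, one per snort.
MON_IF=${MON_IF:-mon0}
# Bucket key: top two bits of the source address (constructed, illustrative).
# The reverse direction never consults the table: the dynamic rule that
# keep-state creates is matched by check-state first and jumps to the
# same 'netgraph' rule, so both halves of a session reach the same snort.
PREFIXES="0.0.0.0/2 64.0.0.0/2 128.0.0.0/2 192.0.0.0/2"

# Rule number that handles bucket N (1-based): 1000, 2000, 3000, 4000.
bucket_rule() { echo $(( $1 * 1000 )); }

# Emit the commands instead of running them, so the plan can be reviewed
# and then piped to sh on the sensor.
gen_setup() {
    echo "kldload ng_ipfw ng_iface 2>/dev/null"
    echo "sysctl net.inet.ip.fw.one_pass=1"   # packet is consumed by the netgraph action
    echo "ipfw -q flush"
    echo "ipfw table 1 flush"
    n=1
    for p in $PREFIXES; do
        echo "ipfw table 1 add $p $(bucket_rule $n)"
        # ng_ipfw hooks are named by the cookie number; mkpeer creates ng$((n-1))
        echo "ngctl mkpeer ipfw: iface $n inet"
        echo "ifconfig ng$((n - 1)) monitor up"   # copies must not enter the IP stack
        n=$((n + 1))
    done
    echo "ipfw add 100 check-state"
    echo "ipfw add 200 skipto tablearg ip from 'table(1)' to any in recv $MON_IF"
    n=1
    for p in $PREFIXES; do
        echo "ipfw add $(bucket_rule $n) netgraph $n ip from any to any in recv $MON_IF keep-state"
        n=$((n + 1))
    done
    echo "ipfw add 65000 allow ip from any to any"   # leave the box's own traffic alone
}

# Number of per-bucket 'netgraph' rules in the generated plan (for checking).
count_bucket_rules() { gen_setup | grep -c ' netgraph [0-9]* ip '; }

case "${1:-print}" in
    print) gen_setup ;;
    apply) gen_setup | sh ;;
esac
```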