I hate to bring this topic up again; however, I was one of the users that was never able to realize the full performance of the ITUS in router mode. I have Comcast Blast, and with my AMD-based mini-ITX pfSense with USB Ethernet box I get 89/12; with the ITUS in place I only get between 40/8 and 60/10.
This has also been tested/validated by downloading from known sites and seeing the same bottlenecks.
Does anyone have ideas / recommendations on how to increase throughput / performance of this box?
I'm running in Bridge mode with WF essentially disabled, but using Snort with nightly IPS rules. I have 125/12 Mbps from Comcast and get 100/12 with Bridge online. It does slow down when the IPS table gets large, but I'm clearing it each night after the IPS rule update.
On another note, I tried to sign up to the Cavium developer forum to see if I could get the tools to look at the optimization drivers, but they've blown me off - no reply to my request in over a week.
If someone here who is really a developer/sw engineer would sign up we might gain access to additional resources. I think there must have been some Cavium tech resources working with Itus to get the first optimization functioning. As more devices adopt this platform there should be additional refinements.
I am running my Shield in router mode and see my Charter cable speeds cut by more than half with Snort running as well. With a fresh reboot of the Shield in router mode, I am able to get maybe 50/4; without Snort, I can hit 130/5.
I remember hearing ITUS was working on tuning before they went under. Anyone else heard anything further about this? Not sure if I am the only one that feels this way, but the overall response from ITUS regarding all of this is kind of rude. A courtesy email explaining the situation would have been nice. I understand, under legal advice, that may not be possible.
By the way, I am interested in the pfSense build you have; care to share some details (parts list) on how you built this?
I think you are referring to them adding the Cavium offload engine in the processor that wasn't being utilized yet. It had the promise of doubling the speeds. Here are two more things to try:
Go into services > intrusion prevention > snort config and comment out
down at the bottom. They only generate alerts (not drops) anyway and lighten the load on snort and the processor.
Also, go into /etc/init.d/ntpclient and change your box to update the clock sync to weekly. It's set to go online and sync every 10 minutes and then restart the ntpclient. Also excessive in my opinion:
local cronstuff='40 3 * * 0'
I'll start a different thread so everyone can share their hacks. Just curious, why didn't you use Snort on your pfSense box as it's an official package on it?