IDS/IPS cripples speed on ER707-M2
I upgraded my ER707-M2 to the latest firmware 1.2.0 and noticed a new feature Settings > Network Security > IDS/IPS which provides Intrusion Detection and Prevention.
Simply enabling it with its default setting of Detect Only on Low cripples my wired throughput using Google Fiber from a reliable 900-950Mbps to as low as 140Mbps. It's all over the place with the values fluctuating significantly on each test. It only seems to add about 25% CPU use to my router with plenty of resources to spare.
This is a 2.5G router.
I do not see any type of hardware offloading setting in the Omada controller.
And I cannot find any current documentation on IDS/IPS.
Lots of screenshots in this Reddit thread: https://www.reddit.com/r/TPLink_Omada/comments/18uwsme/idsips_cripples_speed_on_er707m2/
IDS/IPS off
IDS/IPS turned on around 9:00 for testing, shows a fairly mild CPU increase.
The huge CPU spike around 2:00 was when enabling DNS Caching with a setting of 5 minutes.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Gastr1c
Thanks for posting in our business forum.
Expected to be normal which has been discussed here.
https://community.tp-link.com/en/business/forum/topic/624204?replyId=1287830
- Copy Link
- Report Inappropriate Content
Pretty sure this is to be expected...the ER707 is only a dual core CPU andI'm betting donuts to dollars, there is zero hardware packet processing onboard for IPS/IDS...so it's all done via software exception processing, which will definitely slow things down.
Since I can almost feel your 'but it's only 25% loaded question', keep in mind that IP throughput is dependent on latency as well...and going the software route will add quite a few milliseconds (thus shaving hundreds of Mbps off your speedtest).
Don't think it's fair to expect wire rate IPS/IDS on a $150 router, you will have tradeoffs.
- Copy Link
- Report Inappropriate Content
@d0ugmac1 I definitely did not expect a 2.5G router to be reduced to a 0.1G router. I'm not intimately familiar with the TP-Link router offerings, but it looks like the ER707-M2 is towards the top of their current wired Omada offerings.
- Copy Link
- Report Inappropriate Content
for the most part a 2.5G router is mostly due to the nic and secondary the horsepower... the chipset.
if u want 1G ips speeds... go for a 4 core router.
- Copy Link
- Report Inappropriate Content
Not to open a can of worms, but my mental image of a TPlink router (I have quite a few), is a custom hardware device incorporating the equivalent of a Raspberry PI running a customized version of OpenWRT bolted to the guts of a Smart TPlink L2 switch. Any packet specific work, ie DPI or IDS/IPS requires the CPU to scan the headers of all inbound packets. This is done in software...which keeps things cheap but doesn't perform anything like a Cisco/Juniper/Palo Alto would. It probably also limits the throughput speed to the CPU's dedicated internal switch port (probably 1Gbps?) when header inspection is required...so more CPU cores isn't going to fix the problem. YGWYPF.
- Copy Link
- Report Inappropriate Content
Hi @Gastr1c
Thanks for posting in our business forum.
Expected to be normal which has been discussed here.
https://community.tp-link.com/en/business/forum/topic/624204?replyId=1287830
- Copy Link
- Report Inappropriate Content
I just ended turning mine off along with alot of the attack protection which I found added latency.
The ER707-M2 was my upgrade from the ER605........ Atleast the ER707 stays online, my ER605 kept falling over constantly and wasn't even doing the one job it was meant to......... supplying internet.
The ER707 is much more reliable. The IDS things meh....... I actually have mine scheduled for like 1am-6am to be on only as I find most attacks on my network occur when I am asleep from oversea's........ so it protects things then and during the day it's off so we just get full speed.
That said........ Given the lack of a few things I need like the custom DNS for DHCP Reservations I am working on a dedicated N100 DIY Router myself so I can run PfSense/PiHole/LAN Cache virtualised in the one unit hopefully. I may keep my TP Link ....... dunno haven't decided. It is a very good unit the ER707.... Well worth it's cost just would have been nice had it had a quad core in it.
I love TP Link but meh...... still on the fence with it. I love it's adopt feature and it's easy to use for setting up base VPN's etc...... It's just a constant pigeon hole of things.
Again IDS is a nice feature...... But yes only hitting the CPU a small amount does ask the question ....... if there is more head room to improve speed it seems it could be tweaked but to what end? .....
Thats my two cents. I feel like TP Link have finally gotten the software to a respectable level..... now it's just a matter of better hardware and tweaks. If you still can't do custom DNS on the DHCP Reservations then TPLink need to scrap the DHCP server they are using and built a different one in.
I did report a insight mac address issue but on the controller forum side to for Omada..... on this router in the Omada software.
- Copy Link
- Report Inappropriate Content
@Clive_A some guidance from TP-Link as to what routers will run IDS/IPS at wire speed or at least relative performance would be most welcome.
Running an ER7206 with 890mb download when IDS off and 275mb with IDS on.
Happy to upgrade as I understand hardware ages, but don't know to what?
- Copy Link
- Report Inappropriate Content
Hi @HomeAdmin
Thanks for posting in our business forum.
HomeAdmin wrote
@Clive_A some guidance from TP-Link as to what routers will run IDS/IPS at wire speed or at least relative performance would be most welcome.
Running an ER7206 with 890mb download when IDS off and 275mb with IDS on.
Happy to upgrade as I understand hardware ages, but don't know to what?
This is not hardware aging. Just a normal symptom.
IDS/IPS would also take a toll on the speed of ER8411.
And I have given the drop rate if you enable IDS/IPS in the link.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 802
Replies: 8
Voters 0
No one has voted for it yet.