10gb wan issue?

Hi,

I recently built a new machine to try out ipfire as an alternative to pfsense. The machine is an i5-12600h, 16gb ram and was used with no issues on pfsense. My ISP provides an 8GB/8GB connection. I had no issues getting 8gb/7gb on 10gb clients. Having set up ipfire with no qos or filtering etc. I can only get around 5gb down and 4gb up on my 10gb clients. The nic for the wan is an X540 which was what I used before.

Why is ipfire limiting my bandwidth?

thank you

This could have a thousand reasons. We have plenty of IPFire setups out there that easily reach 10 GBit/s. We even have a few that have 100 GBit/s and I have one that even has 200 GBit/s. Basically it is not the software.

It will probably be some hardware limitation. Bus bandwidth, CPU (although that looks like a beefy one).

Nice.

Would you consider to share some of these configurations? Mainboard, CPU, RAM, adapters.

what type of RED :red_question_mark:
https://www.ipfire.org/docs/installation/red

IP, dhcp - x550.

As I mentioned it worked fine under pfsense. I fired up vyos which gives me full 8/8gb so it clearly isn’t my hardware.

What do you mean by x550?

The network card I'm using for the 10gb wan & lan interface, 10gtek x550-t2

@bbitsch
https://start.duckduckgo.com/lite/?q=x550
despite the Stammgast ...
:thinking:

@skyeci73
have you considered opnsense :person_shrugging:
b.t.w. the x540/x550 mixup is not relevant here :wink:

Yeap. I have used both pf and opn; both have different issues…

I wanted to use a Linux based firewall etc. Probably stick with vyos as it works full speed.

Sorry, didn't understand the first bit but the card is

10Gtek 10Gb PCI-E NIC Network Card, Dual Copper RJ45 Port, with Intel X550-AT2 Controller, PCI Express Ethernet LAN Adapter…

to sum your details up:
opn and pf sense working full speed
vyos works full speed
all at the very same hardware :round_pushpin:
:thinking:

chances that there is a hardware limitation:
:chart_decreasing:
chances that ipfire does not like your hardware:
:chart_increasing:

My ISP allowed me to upgrade to 8Gb/s.
I wanted to test a mini PC with two 10Gb/s ports.

On paper, it looked good:
Intel Core i3-N305 processor
8GB DDR5 memory
128GB M.2 SSD on PCIe 3.0 x1
2 x Marvell AQC113 10 Gigabit LAN ports
4 x Intel I226-V 2.5 Gigabit LAN ports

But I’m getting results similar to yours: a maximum of 4 Gb/s with speedtest on Green using IPFire installed with no services enabled.
(I don’t get any better with Ubuntu directly on 10Gb port)

I should point out that I am indeed getting 7.8Gb/s on my PC, which is directly connected to the 10Gb port of the box with an X540-T2 card.

Do you have any examples of IPFire configurations (motherboard, processor, 10Gb/s network card) that actually allow you to use this transfer rate?

Hello Phil,

yes, a lot actually.

I don’t know the Marvell chip, but there are some chipsets that require the CPU to do a lot of work. They are the cheaper options, and the more expensive ones do a lot more work in the chip, which of course means a larger die and higher power consumption. The i3 CPU is probably on the weaker side and will probably not have a lot of PCIe lanes available. So it is all about how fast the system can transfer data over the internal busses. A chipset that needs to talk more to the CPU will definitely not perform well.

So in the Lightning Wire Labs Appliance world, we use “server-grade” CPUs like Intel Xeon or Intel’s Atom Server Series. Those simply have a lot more bandwidth available and we also use Intel or Broadcom NICs which do a lot of stuff on their own. On these systems, 10 GBit/s is not a problem.

We have an appliance in stock that does 200 GBit/s and doesn’t even sweat as much as I would have expected it to.

The Intel i3 Series is designed for desktop computers and therefore not always ideal for use as a firewall. They have excellent single-core performance, but that is not very useful when the data cannot make its way in and out of the CPU.

And as it has been mentioned several times on this forum, I am not sure how accurate speed tests over the internet are at these rates.

Thanks for the clarification.

So, not really a configuration that’s accessible to the general public.

I don’t know what you mean.

There are no knobs in the OS that you could twist to make it faster. We already configure everything to perform as fast as possible.

regarding cn mini pc's:
one could/should verify the pcie bandwidth and pcie generation :light_bulb:

@pscar13
skyeci73 has verified the hardware can achieve symmetric 8gb/s :wink:

until now skyeci73’s scenario with ipfire performing badly
on hardware that performs well on other distros stays unclear :hole:

I mean, it’s very expensive equipment for home use.
I gave up on the idea of using 10G, it was too expensive and not really necessary.
In the end, 2.5G is more than enough, my Chinese N100 miniPC with four Intel i226-V Nics works perfectly.

You really should familiarize yourself with the hardware used by Joe IpFire user, and you should try not to throw shade on their hardware when they have a software problem. Recommending “server grade” hardware to that crowd is not helpful. Likewise unhelpful is gaslighting against the Marvell chip if you have no experience with it. We will get to that chip below.

I happen to have drawers full of 10gbe NICs of various provenances, and I have a few computers on a 10gbe network. I therefore could whip up some tests. My tests always are with iperf3 against a known-good server. Speedtest would be unhelpful, results do change from server to server, by the time of day, etc.

All tests using jumbo frames unless noted otherwise.

My iperf3 test server has a 32 core Threadripper with 256g memory and built-in dual x550 NICs running Ubuntu. The machine eats everything thrown at it for breakfast. As a baseline, here are the iperf3 results between that server and another Ubuntu machine, also running x550 NICS.

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.5 GBytes 9.88 Gbits/sec 32 sender
[ 5] 0.00-10.00 sec 11.5 GBytes 9.88 Gbits/sec receiver

I am in the process of evaluating a small Chinese PC meant for firewalls. It has an Intel 355 CPU, two 10gbe Marvell/Aquantia NICS and four Intel I226-V NICs for 2.5gbe. It has similar specs as OP’s machine. Could be the same, with a 355 vs OP’s 305, they perform the same. Only the Marvell NICs were used for this test.

With Vyos, iperf3 gave me this:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.5 GBytes 9.90 Gbits/sec 17 sender
[ 5] 0.00-10.00 sec 11.5 GBytes 9.90 Gbits/sec receiver

With IpFire, the results were:
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.0 GBytes 9.42 Gbits/sec 49 sender
[ 5] 0.00-10.00 sec 11.0 GBytes 9.41 Gbits/sec receiver

Normally, I would not lose sleep about 9.42 vs 9.90. However, the IpFire results were without jumbo frames. IpFire does not seem to like jumbo frames, there is no facility in the UI. Once jumbo frames were enabled at the command line (ip link set mtu 9000 dev red0), the iperf3 readings were:

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.5 GBytes 9.90 Gbits/sec 14 sender
[ 5] 0.00-10.00 sec 11.5 GBytes 9.90 Gbits/sec receiver

Bottom line:

  • That Intel 355 CPU performed as well as the Threadripper.
  • That low-cost Marvell/Aquantia chip performed as well as the pricey x550.
  • Vyos against IpFire, same results.

All of the above without IDS/IPS. With IPS/IDS the results would be very different, as a lot of computing power is needed.

I have a similar box as yours, possibly the same (Qotom?), except that mine has a 355 CPU vs your 305, which really should not matter. Your box and your NICs are fine, don’t let them dissuade you.

With iperf3, my box gets:

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.0 GBytes 9.42 Gbits/sec 49 sender
[ 5] 0.00-10.00 sec 11.0 GBytes 9.41 Gbits/sec receiver

And when I switch on jumbo frames, it gets:

[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.5 GBytes 9.90 Gbits/sec 14 sender
[ 5] 0.00-10.00 sec 11.5 GBytes 9.90 Gbits/sec receiver

What might have cut your performance in half is IPS/IDS. That sends any affordable router to its knees.

When testing network speed, never ever rely on Speedtest. Especially in the 10gbit range, Speedtest readings are all over the place, and are highly unreliable. I have 10gbit fiber, and Speedtest gives me anything between 1 gbit/sec and 8 gbit/sec, depending on the speedtest server used, the time of day, and the phase of the moon. For dependable, reproducible speed tests, always use iperf3, with your router etc. plugged into a known-good server as a pseudo WAN.
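
Added example, not part of any post in this thread: the 9.41 and 9.90 Gbit/s iperf3 readings above match the best-case TCP goodput of a 10 Gbit/s Ethernet link at MTU 1500 and MTU 9000, and this script computes that ceiling and checks an iperf3 summary against it. The function names and the 97% cut-off are hypothetical; it assumes IPv4 and TCP with the 12-byte timestamp option.

```shell
#!/bin/sh
# Added example, not from the thread. Ethernet framing figures are standard;
# the 12-byte TCP timestamp option (Linux default) is an assumption.

# Best-case TCP goodput in Gbit/s for a given MTU and link speed.
# Per frame on the wire: MTU + 38 B (14 header, 4 FCS, 8 preamble, 12 gap).
# Per frame of payload:  MTU - 52 B (20 IPv4, 20 TCP, 12 timestamps).
tcp_ceiling() {   # usage: tcp_ceiling <mtu> <link_gbit>
    awk -v mtu="$1" -v link="$2" \
        'BEGIN { printf "%.2f\n", link * (mtu - 52) / (mtu + 38) }'
}

# Read iperf3 summary text on stdin, print the receiver bitrate in Gbit/s.
receiver_gbit() {
    awk '/receiver/ { for (i = 2; i <= NF; i++) if ($i == "Gbits/sec") print $(i - 1) }'
}

# Classify a measured rate against the ceiling; 97% is an arbitrary cut-off.
line_rate_verdict() {   # usage: line_rate_verdict <measured> <mtu> <link_gbit>
    awk -v m="$1" -v c="$(tcp_ceiling "$2" "$3")" 'BEGIN {
        pct = 100 * m / c
        printf "%s %.0f%%\n", (pct >= 97 ? "at-line-rate" : "below-line-rate"), pct
    }'
}

# iperf3 summary copied from the IPFire run without jumbo frames in the thread.
sample_mtu1500() {
    cat <<'EOF'
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 11.0 GBytes 9.42 Gbits/sec 49 sender
[ 5] 0.00-10.00 sec 11.0 GBytes 9.41 Gbits/sec receiver
EOF
}

measured=$(sample_mtu1500 | receiver_gbit)
echo "MTU 1500 ceiling: $(tcp_ceiling 1500 10) Gbit/s, measured $measured"
echo "MTU 9000 ceiling: $(tcp_ceiling 9000 10) Gbit/s"
echo "iperf3 run:       $(line_rate_verdict "$measured" 1500 10)"
echo "4 Gbit/s reading: $(line_rate_verdict 4 1500 10)"
```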

Thank you for your reply. Which device did you test?