I’m re-purposing yet another old/spare/surplus PC into an IPFire firewall. It will be a simple RED+GREEN install with 1 Gbps internet on RED and a small, single-user internal network on GREEN.
The PC is a dual core Pentium (possible upgrade to first gen Core 2 Duo) with 4 GB RAM. I know this is under-powered and I won’t be getting 1 Gbps throughput but would like it to be as good as possible. Many years ago the Intel PRO dual card was recommended as having hardware (and a Linux kernel module driver) that offloaded some of the TCP/IP stack from the CPU. Is this still the case? Will I see a significant improvement with this or some other “smart” single or dual port card(s) on IPFire?
As a data point, I’m currently running an even less powerful single core 32-bit Pentium with two generic TP-Link Gig-E cards and getting about 400 Mbps down and 600 Mbps up. (I assume IPFire has less work to do on “up” transfers.) It would be nice if I could do better than those numbers.
That’s all up to your hardware and software installation / configuration. If you don’t run many services and filters you will be fine. The more you run on that machine, the more hardware resources will be required. I think there is no way around finding out for yourself by testing it.
That never changed and will not change since the network card is active. Semi-active or passive cards are more CPU hungry. Of course those cards are old and may not understand some newer protocols, so if needed, you may use newer Intel cards such as the i350.
I’m using an unmodified IPFire install, with no changes to the default services and filters. Nodes on the GREEN network only have a single user (me) active at a time, doing basic web browsing, software downloading, and Youtube video streaming. No web servers, VPNs, etc.
So IPFire does use the processing power of the active cards to reduce CPU usage and thus increase throughput? I know there’s no way to know 100% without testing but I’m asking people like you who have experience (thanks!) if my IPFire performance is likely to increase significantly with active compared to passive network cards. No other changes to CPU, memory, IPFire configuration, or what nodes on the GREEN network are doing. I checked and the i350 cards (thank you for telling me about them) are much more expensive than passive or even the Intel PRO models. I’m trying to understand how much added speed they’re likely to give and decide if the extra cost is worthwhile.
That’s because the Intel Pro 1000 is bloody old and active cards have got lots more components for their functions on them that are only controlled by the driver, but calculated by the card itself. Passive cards don’t do that at all and mostly don’t have special functions that are used in professional networks, and the computer has to do all the calculations.
Probably none. They just have some professional functions you will not use and are more energy efficient. I wouldn’t replace them. I’m still running lots of Pro 1000 cards that just work fine.
Do you mean “not use its full capability and advanced functions”?
Or do you mean that my IPFire installation is doing nothing to protect my internal network because I didn’t do manual configuration? On the Firewall -> Rules page I see no rules, just a “New rule” button. But Firewall -> Firewall Options, Firewall -> Intrusion Prevention, and Firewall -> iptables show lots of things active. I’ve also tested my internet IP address from external servers and it seems OK (many services, etc. are being blocked).
Thank you. Useful article, although as you say it’s old and didn’t really teach me a lot I didn’t already know (I know that passive and active cards are different, just not the details.)
As per what I’ve said, I don’t think I need “special functions”. I think I do need a card that handles some tasks itself and reduces CPU interrupts and load.
From what you’ve written and the relative pricing of the passive vs. Pro 1000 vs. i350 cards, I think I’m going to try the Pro 1000. Thank you very much for your help and advice.
Once again, if I’ve completely misunderstood IPFire’s purpose and use and, unmodified, it’s not providing the basic firewall protection I think it is, please tell me.
I’m thinking about the threats inside your network. How do you keep your electronics that communicate with the internet from talking to somewhere you don’t want them to?
All the bad people out there turned around and don’t even try to break in from outside anymore. They want to compromise the PCs to get a communication established to their command and control servers. So you don’t just have to lock the doors from outside, but also from inside.
Ah, I thought you had them already. OK, but I wouldn’t buy those old cards anymore. The driver support stopped years ago, so I wouldn’t take any chances of getting problems with that in the near future.
Is protecting from these kinds of threats something that’s done by configuring IPFire? If so, can you point me to a resource that shows how?
If not – if this is about vulnerabilities in Linux programs such as web browsers (Firefox, Chromium, Opera, Vivaldi) – running on hosts inside my IPFire firewall on the GREEN network, then there’s very little I can do about it.
There are three Linux* base drivers for Intel® Gigabit Network Connections:
igb-x.x.x.tar.gz driver: Supports all 82575/6, 82580, I350, I354, and I210/I211 based gigabit network connections.
e1000e-x.x.x.x.tar.gz driver: Supports the Intel® PRO/1000 PCI-E (82563/6/7, 82571/2/3/4/7/8, or 82583) and I217/I218/I219 based gigabit network adapters.
e1000-x.x.x.tar.gz driver: Supports the Intel® PRO/1000 PCI and PCI-X family of gigabit network connections.
Following the download links on the page, it seems that the e1000-x.x.x driver is unsupported, as you said. The e1000e-x.x.x.x and igb-x.x.x drivers are current. What’s confusing is that there are “PRO/1000” cards for sale in both PCI-E and PCI/PCI-X variants, and some of the webpages don’t list which chipset, or even which interface, the NIC has. (My motherboard has one PCI-E x16, one PCI-E x1, and two PCI slots.)
Again, you’ve been very helpful. I’ll try to find a NIC that’s within my budget and is supported by either the “e1000e” or “igb” driver.
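Two checks that settle the questions raised in this thread on the actual box, as an added example that is not from any poster: which kernel driver (igb, e1000e or e1000) is bound to a NIC, and whether the CPU-relieving offloads (checksumming, TSO, GRO) the "active card" discussion is about are actually enabled. The ethtool output below is a constructed sample so the parser runs offline; on a live IPFire host replace it with `ethtool -k <iface>`. The interface name eth0 is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ethtool -k eth0` output (not captured from the thread's hardware).
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on'

# offload_state <feature> : print "on" or "off" for one feature line of the sample output
offload_state() {
    printf '%s\n' "$SAMPLE_ETHTOOL" |
        awk -v f="$1" -F': ' '$1 == f { s = ($2 ~ /^on/) ? "on" : "off"; print s }'
}

# count_offloads_on : how many of the features that move work off the CPU are enabled
count_offloads_on() {
    n=0
    for f in rx-checksumming tx-checksumming scatter-gather \
             tcp-segmentation-offload generic-receive-offload; do
        [ "$(offload_state "$f")" = "on" ] && n=$((n + 1))
    done
    echo "$n"
}

# driver_family <driver> : which Intel gigabit chipsets a kernel driver covers,
# taken from the Intel driver list quoted in the thread
driver_family() {
    case "$1" in
        igb)    echo "82575/6, 82580, I350, I354, I210/I211 (current)" ;;
        e1000e) echo "PRO/1000 PCI-E 82563-82583, I217/I218/I219 (current)" ;;
        e1000)  echo "PRO/1000 PCI and PCI-X (Intel download unsupported per the thread)" ;;
        *)      echo "not an Intel gigabit driver" ;;
    esac
}

# live_driver <iface> : name of the kernel driver bound to a real interface, or "unknown"
live_driver() {
    d="/sys/class/net/$1/device/driver"
    if [ -L "$d" ]; then basename "$(readlink "$d")"; else echo "unknown"; fi
}

# Example run on the constructed sample; swap in a real interface on the firewall.
echo "eth0 driver: $(live_driver eth0) -> $(driver_family "$(live_driver eth0)")"
echo "offloads on: $(count_offloads_on)/5 (tso=$(offload_state tcp-segmentation-offload))"
```

If `count_offloads_on` reports fewer than five on a card that should have them, `ethtool -K <iface> <feature> on` is where to look before buying new hardware.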