I stumbled upon the IPFire-Project on the kuketz-blog a couple of weeks ago and have been on fire ever since (pun intended). Although I have some experience with networks (CCNA Routing & Switching), I’m far away from being an expert and my knowledge regarding firewalls is little. So please bear with me here. =)
Anyway, I was very excited about the project and wanted to get to know IPFire on a small basis in my home environment, so I bought a Raspberry Pi 4 (8GB) and followed the instructions on the website. My board is from 2018, so I’m not affected by the problem with/without the firmware EEPROM. Installation was totally simple and everything works. However, I made some observations and came across some problems I wanted to share with you. Maybe it could help other people, too.
First of all, my setup:
(attached to a USB3-Port of the Pi is a Delock-USB-to-LAN-Adapter capable of Gigabit-speed, correctly identified and supported by IPFire due to its Realtek 8153 Chipset).
Please! Please! Please! No judgement about the logic of the structure! Originally I wanted to use the Pi as an AP too, but the internal WiFi chipset is just too weak and is only capable of about 50mbit/s max when acting as an AP (even with 802.11ac activated and not only HT-Caps, but also VHT-Caps “registered”). I still have an AlfaNetwork AWUS1900, but since I’m not a Linux “pro”, I hesitate trying to implement the driver by compiling IPFire anew or building an AddOn or whatever you have to do.
Apart from that, Laptop and Smartphone are protected on the client side, and the MFP and the NAS are only occasionally running and have no internet access (blocked by the FritzBox). So the fact that only the Desktop-PC is behind the firewall is ok with me, so please no judgement. =) Additionally, IPFire serves as a DNS server (with some blocking lists) for all the devices.
Now my observations / questions.
With masquerading deactivated (and the correct firewall rules, of course), I can reach the FritzBox, the MFP and the NAS from the Desktop-PC. If I want to reach any of the WiFi clients (Laptop, for example), I have to activate masquerading. I tried without masquerading (altogether) and just punching in the source-NAT option within a firewall rule, but that doesn’t seem to work. I guess the FritzBox is the problem here: I guess all the wired devices are on the same “bridge” and therefore can reach each other without any problems, but for the WiFi clients there is some kind of interface change necessary (client isolation deactivated does not do the trick). Any ideas or explanations?
Sadly I had to realise that the throughput over the wired connection (when transferring data from the NAS to the Desktop-PC) is about 250mbit/s tops. I checked via htop and saw that the first core of the Raspberry is at 100%. Oddly enough, when I transfer data from a Laptop to the Desktop at about 200mbit/s, the core was only at about 40%. I guess the problem here is the “queueing” of the data packets, because the NAS pushes with 1.000 whereas the Laptop only gives about 200. Is there some way to improve the ethernet speed?
I fiddled around with fcrontab to automatically update my blocking list for the DNS and found some entries I thought of as a bit “too much”, like: “testing run-parts” every minute and every 5 minutes, time checking every 5 minutes, ddns update every 5 minutes, connection scheduler every 5 minutes, etc. Is this really necessary (again, I’m no expert) or would it be enough to reduce these intervals? I guess it’s not that performance consuming, so this question is just out of interest. =)
So, that’s it from me for now. I’m sorry for the long text but I wanted to contribute as detailed as it gets.
Thanks very much to the IPFire-team, keep up the good work, donation is on the way.