New user feedback

First-time user here who found your project through researching a router for an SMB client (10 users in small office). Needing to replace an old Netgear WNDR3800 running OpenWRT that seems to be showing its age. Jumped right in with IPFire on an old PC after researching pfsense/Untangle/etc. It’s now been running for two days. So some feedback.

First, I was surprised after the almost 300mb download that I had to plug in to internet during install to get more downloads. What is downloaded that couldn’t be included in the iso? Updates I assume? After the downloads, install was pretty straightforward and pretty easy to get the router initially set up and connected.

Connecting to webgui gets an SSL certificate error in modern browsers. Have to manually accept that this isn’t a malicious website in browser to be able to access the webgui. Have to do this every time after clearing cache and since there is no logout option in the webgui, clearing the cache needs to be done so as not to leave it wide open to next person using that browser. So certificate issue needs to be fixed or there needs to just be standard http option. A logout should be standard as well.

One of my favorite things about OpenWRT is that it includes modern AQM (fq_codel and fq_cake) and they both work well to battle the prevalent bufferbloat issues. I’ve seen it clean up jitter and ping spikes pretty dramatically at times. Having fq_codel support in IPFire was a big reason I went with it.

But it appears QOS in IPFire is still bound to old concepts of priority despite using fq_codel. With AQM QOS the neat part of them is not having to painstakingly set QOS priority rules. Rather you just need to set the bandwidth limits and fq_codel takes care of the rest. Having to set priorities to get QOS to be active while having fq_codel as its default scheduler is redundant.

After much testing of your QOS config page, it appears that QOS does not seem to be even active UNLESS these rules are put in. There has to be at least one rule. The quickest way to get the benefit of fq_codel in IPFire is to just enter bandwidth and then select “preset” to which it will create a bunch of popular priority rules for you and leave as is. Bufferbloat tests show fq_codel is at least active.

If I delete all the rules, QOS still shows running, but graphs are no longer working and bufferbloat is back (fq_codel isn’t active). For simplicity I suppose one could just create two all-traffic rules for down/up at 100/200 priority to get fq_codel working the way it’s supposed to?

Anyway, I like what I see so far. Router has been solid for two days and Zoom/Teams/RDP traffic feels faster with less lag. I am hoping IPFire will be the solution for this client and more. If so I will happily donate to the project.

Thanks

Hi,

welcome to the IPFire community and thank you for your feedback.

First, I was surprised after the almost 300mb download that I had to plug in to internet during install to get more downloads. What is downloaded that couldn’t be included in the iso? Updates I assume?

Hm, if you used an outdated ISO file, those probably were updates indeed. Are you running a 32-bit installation (which we do not recommend any more for security purposes)? In this case, your system most likely downloaded the PAE kernel for addressing RAM beyond 3072 MByte.

So certificate issue needs to be fixed or there needs to just be standard http option.

Unfortunately, we cannot change this: Browsers require valid X.509 certificates signed by certificate authorities (CAs) they trust, otherwise, they will display a warning. We cannot request such a certificate as we have no idea who is going to run IPFire using which FQDN.

Some ISPs bake a (valid!) certificate for fritz.box or speedport.ip (German Telecom) into their routers, which is a pity since

  • there is no way of changing the devices’ FQDN without making the certificate invalid
  • if the embedded private key is lost, an attacker can abuse the trusted certificate (e. g. for attacks against other customers of the same vendor)

Transmitting the web interface contents in plaintext is dangerous as well, since you have to authenticate and an attacker might alter your inputs in transit. Indeed, permanently storing certificate exceptions is not easy nowadays, but I managed to do so in Firefox.

A logout should be standard as well.

You will be logged out as soon as you close your browser window.

If so I will happily donate to the project.

We will certainly appreciate it. :slight_smile: The project’s funding situation is poor, and practically all people are working for it in their spare time.

Unfortunately, I cannot give you any advice regarding QoS. It works on every IPFire machine I administer, but I am not very much into its technical details.

Thanks, and best regards,
Peter Müller

Thanks for the welcoming reply.

  1. I downloaded x64 version. Just checked to make sure. Must have been some updates it downloads before installing (a good thing). I suppose it is best to force this at install rather than leave it up to the user after.

  2. Yeah, I understand about not using plaintext and the cert issue. I’ve just never seen having to bypass browser notices before when connecting to webgui on a router. I am not familiar with the big commercial devices (Palo, Cisco, Sophos etc) but how do they get around it? Consumer routers don’t have this issue. Tell me they aren’t all doing standard http?

  3. Another slight annoyance I just remembered is having the resubmit notice and manually having to resubmit the webpage every time I hit BACK in the browser while configuring.

  4. QOS works. Just need to have some rules and priorities set for it to be active. Where fq_codel should only need just the bandwidth info.

I am really liking IPFire so far as an IT professional. But a roadblock is pitching a community project on old PCs as their router for SMB clients. Most small business owners don’t understand and would just prefer a paid for commercial solution type device with a name behind it.

Scott

fq_codel is always active. You cannot deactivate it at all.

If you enable the QoS, for each class you will have an HTB scheduler on top of fq_codel. I acknowledge that CAKE would handle that more elegantly, but our implementation is in no way worse than CAKE. We might probably just use more CPU time, which I am not concerned about at all.

And fq_codel does not need to know the bandwidth of the link. That is the pretty part of it.

Hmm, my limited testing using dslreports.com speedtests says otherwise. I got higher jitter/bufferbloat with QOS enabled and NO rules compared to when I added priority rules. Adding the rules seemed to be the “On” switch to fq_codel. With NO rules my dslreports quality scores and bufferbloat charts showed no difference to QOS being stopped. This was the basis of my QOS feedback of having to add rules to get fq_codel.

I can post the various results I get while playing with the QOS options.

So the HTB scheduler that becomes enabled with defined classes must be the difference in smoother jitter/bufferbloat I am seeing.

Yeah, I’m not familiar enough with the different ways fq_codel can be implemented or how it is in IPFire so I trust the expert. I will say that I have fq_cake enabled on my home router running DD-wrt for a week now and it has made a big difference in latency and quality scores. It has even lowered my ping times in games. So I am a fan of CAKE so far.

fq_cake and fq_pie both supersede fq_codel.

That isn’t how I understand it to work according to its Wiki. fq_codel is a SMART queue management that adjusts traffic and works by knowing the bandwidth limits. The “pretty part” of it is NOT having to painstakingly set QOS priority rules in the old way.

Reference: https://www.bufferbloat.net/projects/bloat/wiki/More_about_Bufferbloat/

Here is my familiar way of getting it active on OpenWRT. You measure broadband speed and then “Set the Download and Upload speeds to 80-95% of the speed you measured above”
{can’t post link due to new user restriction}

Also, Thanks for all your work on IPFire. Really liking it so far