I was wondering all the time why my Speedtest has only shown 250 Mbit/s for some time. Then I tried an older IPFire build (120) which I had on my backup router. And voila: I get the full 500 Mbit/s bandwidth of my connection. I also tried the new build on the backup router and then I also only got 250 Mbit/s. So it’s not about the hardware.
Current hardware: Zbox Ci329 (2x Gbit Realtek 8168)
Core 120 is old. This version has no mitigations for Intel’s security flaws. Some of these mitigations need a lot of CPU power (disable hyperthreading 20%, clear caches and buffers at context switch 30% …), so I think these CPUs are around 50% slower now…
And because Intel’s patches activate the mitigations also on non-affected CPUs, this makes sense.
I also thought about these patches (Meltdown etc.). But considering that the Celeron N4100 in the CI329 is 5 times faster than the old Atom D525 I used, I thought this should compensate more than enough.
I will install OPNSense on the old router and see if it makes a difference.
In what kind of application is it 5 times faster?
Benchmarks are brief evaluations of performance, so most particular cases of computing may (or may not) be affected as much as the benchmarks suggest. The hardware acceleration of h264 rather than h265 done by CPU or GPU may sometimes reduce CPU usage from 40% to 3-4%, but that does not mean that the hardware-decoding CPU is 10 times more powerful than the one without hardware decoding…
I hope you will get it. Otherwise, consider a 1st or 2nd Gen embedded Ryzen as an alternative. AMD is currently much less prone to all the exploits (and mitigations) about branch prediction on the x64 platform.
So my friends, I installed OPNSense on the old Atom D525 backup router.
And what are the results? 350 Mbit/s on this crappy 10-year-old machine! IPFire managed to achieve ~180 Mbit/s on this hardware with the Meltdown/Spectre patches.
So, as a user of IPCop and IPFire for 14 years, I have to admit: OPNSense runs circles around IPFire in the new Meltdowned world!
So dear developers, I hope you can cure the problems, because the BSD guys have far superior performance!
You compare apples with oranges here. The “Meltdown/Spectre patches” come in dozens, and different combinations mitigate different variants of those vulnerabilities. Some are comparable across Linux and BSD, some are not.
At IPFire, we eventually disabled SMT on machines affected by MDS (see here for further details), which causes massive performance issues. Except for OpenBSD, I am not aware of any *nix operating system doing the same by default.
Well, could you provide more details on the CPU vulnerability mitigations enabled on that machine by OPNSense and IPFire?
As it is already painfully obvious, performance and security are a trade-off, especially when it comes to CPU vulnerabilities. We are currently working on Kernel 5.9, which might provide better performance, but simply putting “X is faster than Y” is not detailed enough to be a valid comparison.
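The developer’s question above (which mitigations are actually enabled on each box) is answerable on the Linux side from sysfs, where the kernel reports per-issue status under `/sys/devices/system/cpu/vulnerabilities/` and the SMT state under `/sys/devices/system/cpu/smt/control`. The following script is an added example, not code from the thread or from IPFire: it parses those files into a short summary (mitigated / not affected / still vulnerable, whether SMT is active, whether the costly CPU-buffer clearing is in use) so two routers can be compared like for like. The sample sysfs contents embedded below are constructed for illustration and are used only when the real files are unavailable.

```python
"""Summarise Linux CPU-vulnerability mitigation status from sysfs (added example)."""
from pathlib import Path

SYSFS_VULN = Path("/sys/devices/system/cpu/vulnerabilities")
SYSFS_SMT = Path("/sys/devices/system/cpu/smt/control")

# Constructed sample resembling an MDS-affected host with SMT switched off;
# illustrative only, not captured from any router in the thread.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling",
    "mds": "Mitigation: Clear CPU buffers; SMT disabled",
    "l1tf": "Not affected",
    "tsx_async_abort": "Vulnerable",
}
SAMPLE_SMT = "off"


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse state."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def summarize(vulns: dict, smt_control: str) -> dict:
    """Per-issue state plus the two costly knobs discussed in the thread."""
    states = {name: classify(text) for name, text in vulns.items()}
    return {
        "states": states,
        "unmitigated": sorted(n for n, st in states.items() if st == "vulnerable"),
        "smt_active": smt_control.strip() == "on",
        "clears_cpu_buffers": any("Clear CPU buffers" in t for t in vulns.values()),
    }


def read_sysfs() -> tuple:
    """Read the real files when present; empty dict signals they are missing."""
    vulns = {p.name: p.read_text() for p in SYSFS_VULN.iterdir()} if SYSFS_VULN.is_dir() else {}
    smt = SYSFS_SMT.read_text() if SYSFS_SMT.exists() else "unknown"
    return vulns, smt


if __name__ == "__main__":
    vulns, smt = read_sysfs()
    if not vulns:  # e.g. not Linux, or sysfs not mounted: fall back to the sample
        vulns, smt = SAMPLE_VULNS, SAMPLE_SMT
    for key, value in summarize(vulns, smt).items():
        print(f"{key}: {value}")
```

Run it on both routers and diff the `states` output; a box that reports `smt_active: False` and `clears_cpu_buffers: True` is paying exactly the costs named earlier in the thread, whereas a box showing the same issue as `Vulnerable` is faster because it is unprotected, not because its OS is better engineered.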