Newer IPFire builds can not handle >250 Mbit

I was wondering all the time why my Speedtest has only shown 250 Mbit/s for some time. Then I tried an older IPFire build (120) which I had on my backup router. And voila: I get the full 500 Mbit/s bandwidth of my connection. I also tried the new build on the backup router and then I also only got 250 Mbit. So it's not about the hardware.

Current hardware: Zbox Ci329 (2x Gbit Realtek 8168)
No QoS

How can I fix this?

Hi user,

Do you use IPS or proxy or something like this? IPS needs CPU power.

No, it's a very pure installation. Not even any addons used.

RED: DHCP, Cable Modem
GREEN: LAN

Strange. Maybe a developer can say more.

Core120 is old. This version has no mitigations for Intel's security flaws. Some of these mitigations need much CPU power (disable Hyperthreading 20%, clear caches and buffers at context switch 30% …), so I think these CPUs are around 50% slower now…

And because Intel's patches also activate the mitigations on non-affected CPUs, this makes sense.

1 Like

I also thought about these patches (Meltdown etc). But considering that the Celeron N4100 in the CI329 is 5 times faster than the old Atom D525 I used, I thought this should compensate more than enough.

I will install OPNSense on the old router and see if it makes a difference.

Maybe, but I had a bad experience with a Zotac CI323 with an Intel N3150 quad-core 1.6GHz, which has much slower PCIe performance than the good old J1900.

In what kind of application is it 5 times faster? :)
Benchmarks are brief evaluations of performance, so most particular cases of computing may (or may not) be affected so much by the benchmarks. Hardware acceleration of h264 rather than h265 done by the CPU or GPU may sometimes reduce the CPU usage from 40% to 3-4%, but that does not mean that the hardware-decoding CPU is 10 times more powerful than the non-hardware-decoding one…

Well… we will know more after I have tested OPNSense. Curious if the BSD guys have done it better.

Well, you will know whether you will choose IPFire again or OPNSense. Because I suppose that you do not have an OPNSense version of the same age to find out how much bandwidth has been lost :)

Anyway, feel free to update your experience, please.

1 Like

I will compare only the current versions. Maybe the BSD guys have implemented the patches in a more efficient way or BSD is generally more efficient (loosely speaking).

All I want is my full bandwidth.

I hope you will get it. Otherwise, consider a 1st or 2nd Gen embedded Ryzen as an alternative. AMD are currently much less prone to all the exploits (and mitigations) around branch prediction on the x64 platform.

@userip, what’s your CPU usage under 250Mbit network load?

top shows
Cpu(s): 0.3%us, 0.2%sy, 0.0%ni, 99.1%id, 0.0%wa, 0.1%hi, 0.3%si, 0.0%st

Repeat the test with network load. This system is IDLE.

@arne_f

This is the maximum I ever see with network load maxed:
Cpu(s): 0.5%us, 0.2%sy, 0.0%ni, 89.3%id, 0.0%wa, 1.0%hi, 9.0%si, 0.0%st

See also:

So my friends, I installed OPNSense on the old Atom D525 backup router.
And what are the results? 350Mbit/s on this crappy 10 year old machine! IPFire managed to achieve ~180Mbit/s on this hardware with the Meltdown/Spectre patches.

So, as a user of IPCop and IPFire for 14 years, I have to admit: OPNSense runs circles around IPFire in the new Meltdowned World!

So dear developers, I hope you can cure the problems, because the BSD guys have far superior performance!

@userip, as Arne said, in the diagram your machine is idle, not under load. Set it under full network load and look at what htop displays during that.

To track down the problem any further, have you tried:

  • disable Quality of Service
  • disable Location Block
  • disable Intrusion Prevention

@marco

I already posted a new one. The Ci329 has a powerful CPU and does not use more CPU power when under network load. All stuff like QoS etc is disabled.

I also googled and have seen that OPNSense users can achieve 1Gbit/s with my CI329 hardware. So this is the next thing I will do - move my main router to OPNSense.

For me it’s not acceptable that IPFire only reaches 30% of the performance that OPNSense can do on the same hardware.

Hi,

you compare apples with oranges here. The “meltdown/spectre patches” come in dozens, and different combinations mitigate different variants of those vulnerabilities. Some are comparable across Linux and BSD, some are not.

At IPFire, we eventually disabled SMT on machines affected by MDS (see here for further details), which causes massive performance issues. Except for OpenBSD, I am not aware of any *nix operating system doing the same by default.

Well, could you provide more details on the CPU vulnerability mitigations enabled on that machine by OPNSense and IPFire?

As it is already painfully obvious, performance and security are a trade-off, especially when it comes to CPU vulnerabilities. We are currently working on Kernel 5.9, which might provide better performance, but simply putting “X is faster than Y” is not detailed enough to be a valid comparison.

Thanks, and best regards,
Peter Müller

3 Likes
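
One way to collect the mitigation details asked for above on the Linux (IPFire) side, as an added example that is not part of the thread or IPFire's own tooling: it reads the kernel's per-vulnerability status files under `/sys/devices/system/cpu/vulnerabilities` and the SMT control file. The function names and the sample status values are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise CPU vulnerability mitigations from Linux sysfs.

# Map a kernel status string to a coarse class.
classify() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation"*)   echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print "name|class|raw status" per entry, then the SMT control state.
# $1 = sysfs CPU directory (default: the live system).
mitigation_report() {
    root="${1:-/sys/devices/system/cpu}"
    for f in "$root"/vulnerabilities/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s|%s|%s\n' "$(basename "$f")" "$(classify "$status")" "$status"
    done
    if [ -r "$root/smt/control" ]; then
        printf 'smt_control|%s\n' "$(cat "$root/smt/control")"
    fi
    return 0
}

# Count entries of one class, e.g. "vulnerable".
count_class() {
    mitigation_report "$1" |
        awk -F'|' -v c="$2" '$2 == c { n++ } END { print n + 0 }'
}

# Constructed sample tree (not taken from the thread) for an offline run.
build_sample_tree() {
    mkdir -p "$1/vulnerabilities" "$1/smt"
    echo "Not affected" > "$1/vulnerabilities/l1tf"
    echo "Mitigation: Clear CPU buffers; SMT disabled" > "$1/vulnerabilities/mds"
    echo "Mitigation: PTI" > "$1/vulnerabilities/meltdown"
    echo "Vulnerable" > "$1/vulnerabilities/spectre_v2"
    echo "off" > "$1/smt/control"
}

sample=$(mktemp -d)
build_sample_tree "$sample"
mitigation_report "$sample"
rm -rf "$sample"
```

Calling `mitigation_report` without an argument on the firewall itself reads the live values, which can then be compared between two builds on the same hardware.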