Newer IPFire builds can not handle >250 Mbit

@pmueller

Well, I don’t care about apples or oranges. What counts for me is only one thing:
Which system can get the job done in the best way without any disadvantages?

And at the moment, this is OPNSense. As you talk about mitigations: It’s even based on HardenedBSD!
So of course it has all meltdown/spectre patches with several other security mitigations on top.

Same security, 3x more performance. That is the situation for me.

As IPFire is free, I am of course relaxed about it and just switch. But if I were a customer who paid, I would want my money back, because the performance it delivers at the moment is not acceptable.

But … maybe the new Kernel will work better, let’s hope the best :slight_smile:


“for increasing performance its applications are now built with link-time optimizations (LTO).”

Is IPFire built with LTO? This can be a big difference.

Hi,

Well, I don’t care about apples or oranges. What counts for me is only one thing:
Which system can get the job done in the best way without any disadvantages?

again, what CPU vulnerabilities do you suffer from, and how are they mitigated in IPFire and OPNsense? You just stated you basically do not care about those details, however, they are what this topic is about.

And at the moment, this is OPNSense. As you talk about mitigations: It’s even based on HardenedBSD!
So of course it has all meltdown/spectre patches with several other security mitigations on top.

Frankly, being based on something does not tell the entire truth, as settings could be changed by applying custom patches or shipping your own configurations. Therefore, it is way too easy to say “X is based on Y, which comes with all mitigations enabled, so X is intrinsically secure as well”.

Same security, 3x more performance. That is the situation for me.

Well, go ahead and use OPNsense then.

As IPFire is free, I am of course relaxed about it and just switch. But if I were a customer who paid, I would want my money back, because the performance it delivers at the moment is not acceptable.

This is hilarious.

Is IPFire built with LTO? This can be a big difference.

You obviously have no idea about what you are talking here.

Thanks, and best regards,
Peter Müller


Interesting. Maybe it’s a coincidence, but my ipfire build has been giving me a solid 50+ MB/s for a year since install. Today I noticed it tops out at the 25 MB/s range. I haven’t changed a thing other than the build 150 update recently. I haven’t done much troubleshooting yet, so we’ll see, but it’s very strange for my setup. I’m running 500/75 FTTP and I’ve never ever seen a slowdown.

I maxed out my connection and my CPU tops out at 10% usage. Memory usage at 60%. I’m running IPS, location block, and OpenVPN. Will keep tinkering.

Hi,

welcome to the IPFire community. :slight_smile:

I haven’t changed a thing other than the build 150 update recently.

This is interesting indeed as Core Update 150 did not contain anything special apart from a kernel version:

I maxed out my connection and my CPU tops out at 10% usage. Memory usage at 60%. I’m running IPS, location block, and OpenVPN. Will keep tinkering.

As mentioned by other users above, the IPS often makes a huge difference (unfortunately). Do you get the desired throughput if you disable it?

Thanks, and best regards,
Peter Müller

Has the kernel been compiled with different flags? (I read somewhere about a preemptive kernel in the future.)
Maybe firmware blobs are slowing the network interfaces down so that they are not able to load the CPU?

Also… QoS?

I am just sitting on my sofa reading this and I cannot decide whether I want to laugh or cry.

OP clearly has no idea what he is talking about. But he has a concern. Fair. But this attitude is not going to help to make IPFire better.

I highly doubt that there is a general problem here. It is just another user spending nothing on their hardware and expecting the world.

If there are any actual concerns about some bottleneck we will look at it. But if you have off the shelf hardware with the worst network chip that there is in the world, we won’t. It is not worth anyone’s time.

We have made big leaps forward to make some components perform a lot better. At the same time Intel has been throwing stones at us. Go and complain to them.

It’s disappointing to read things like that. But I hope he is happy with the alternative that he has found now.


Interesting that you mention Kernel 5.9. I thought IPFire stayed with LTS versions (5.4 latest)?
Also, 5.8 is currently supported and 5.9 is stable. 5.8 was a big change regarding CPUs:

Either way, as the developers have said, using CPUs that require low-level mitigations will experience a slowdown. AMD CPUs are on form at the moment, so if you can afford them, they are probably a good choice.

It really really really isn’t as simple as that.

I will leave this at that.


I recently reinstalled IPFire to update to 64-bit, and I may be wrong, but I could swear that before updating to the latest core version, my upload achieved the advertised 1000 MBit/s using Speedtest.net and now tops out around 900 MBit/s. IPS is disabled.

htop looks like this under load:

Not sure if it’s relevant…

[image: htop screenshot under load]

With IPS activated it looks pretty much the same:

It’s not that important for me because 900MBit is more than what I need, but maybe the information helps in this topic to clarify if there is a potential issue or not.

On a PC-Engines APU4 I get the full 1 Gbit/s speed and the CPU load is less than 40%. So if even this extremely modest and cheap little board can do it, it is more than likely that your ancient hardware is the culprit. That, incidentally, BSD manages to squeeze 350 Mbit/s out of this prehistoric stuff instead of 250 Mbit/s for Linux doesn’t mean much IMHO. A system based on the aforementioned hardware will cost you less than 200 $ or Euros.
I would really consider getting some halfway recent hardware for your firewall; it doesn’t have to be anything very fancy, after all.


While on the Intel thought (maybe answered elsewhere, I cannot remember): for the current kernel versions, what is performing best for IPFire, Intel or AMD? Any optimizations of one over the other?

One thing you have to be careful about when doing speed tests between OSes for network performance is that most boards are going to be mostly software-driven with cheap network hardware, and that performance could differ depending on how well the firmware in each OS handles that hardware. I have been involved on the development side of networking and firewall design, mostly hardware components, for many years, and on one system OS A would do better than OS B, but on another system with a different motherboard and a different network manufacturer the results were the opposite, go figure. So testing just one system against two OSes is not going to really be a great test of which is better, but only for that hardware combination. Another system may have completely different results.


Hard to say. I would not recommend buying any of them in particular. They both have issues. They both can be good and reliable products sometimes.

I have blogged a couple of times about all of this:

It depends on more than just the processor alone. Strictly speaking, they did not become slower. We just need to do more work on certain workloads to protect memory from unauthorised access. With network controllers being very different from system to system, it can simply be passive network interfaces where all work needs to be done in software.


Thanks so much for the links to the previous blogs; I will be checking those out.

Just a small question: How can I determine if a NIC is active or passive?
I use 2x Intel i210-T1 (PCIe x1) and my IPFire on an ASRock Q1900M (J1900) is bored all the time; even if I test the network at full speed, I have a CPU load of approx. 6-10%.

Basically reading the driver code :slight_smile:

As a rule of thumb: Realtek’s stuff is all passive and therefore not usable for a firewall at all in my opinion. The Intel i2xx series is somewhere in the middle, but is a cheaper version of a proper active Intel NIC. The Intel i3xx series are all active and quite good. All Broadcom NICs are active as far as I am aware.


Can I add this to the Networks section of the Requirements? (is that the right area in the Wiki?)