Hi,
This post summarizes my experience setting up a Raspberry Pi Compute Module 4 with IPFire, specifically a Raspberry Pi Compute Module 4 with a DFRobot Router Carrier Board Mini. I thought it might be helpful to share this experience, in case anyone else is interested in a similar setup.
This carrier board has a PCIe attached second gigabit NIC, and various video reviews indicate that it can saturate the gigabit NICs for NAT.
It wasn’t completely clear if IPFire is supported with the latest Raspberry Pi 4 boards. The good news is that this appears to be the case with the new board I purchased a week ago (yes, I managed to purchase one, finally).
The installation on a compute module is a bit tricky, especially with an eMMC flash version (which is what I bought). In order to get the image onto the eMMC flash, it’s necessary to install the board onto the separate I/O board and set the J2 jumper so that the onboard storage is exposed as a flash drive. This requires that the board is physically installed onto the I/O board, removed, then installed again onto the DFRobot board. The other problem I found was that I couldn’t get my PC to connect to the board via the Raspberry Pi usbboot tool, so I ended up setting up a separate Raspberry Pi 4 (that I already had) in order to write the image to the Compute Module 4 storage.
I would thus advise not bothering with the onboard storage version, and just going for a Lite compute module along with a separate micro SD card (which can then be imaged separately), as the DFRobot carrier board has a micro SD slot.
The other gotcha I discovered is that the USB ports are disabled by default, so a bit of config needs to be added to config.txt:
# Load the dwc2 USB controller driver in host mode (CM4 defaults to having it off)
dtoverlay=dwc2,dr_mode=host
# Enable the USB 2.0 OTG controller so the carrier board's USB ports work
otg_mode=1
After that, I was then able to configure IPFire with a keyboard and HDMI-connected monitor, with the compute module still mounted onto the I/O board. As the I/O board only has a single NIC, I did not configure the RED interface. I then enabled permanent SSH access via the web interface, in order to configure the RED interface via SSH.
Once finished, I removed the compute module from the I/O board, mounted it onto the DFRobot dual NIC board, logged in via SSH, configured the RED interface, and then disabled SSH access.
Once that was done, everything worked great, apart from one thing that may or may not be an issue depending on your line speed.
So after finishing the installation, I did some performance testing with a gigabit WAN link. The first test was just with speedtest. The second test was with iperf3 between a client on the GREEN side and a PC set up as another router on the RED side.
With the initial setup, I only got about 250 Mbps, both with speedtest and with iperf3. I did some investigation, and found (via top) that the NICs were saturating one core of the CPU with software interrupts. After configuring the NIC interrupt affinity to be on different cores, I managed to get about 500 Mbps with speedtest and iperf3.
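For anyone wanting to reproduce the interrupt-affinity change, here is a small added shell helper (my own illustration, not IPFire tooling): it finds a NIC's IRQ numbers in /proc/interrupts and pins them to one core by writing a CPU bitmask to /proc/irq/N/smp_affinity. It assumes the driver names its IRQ lines after the interface (eth0, eth1, eth1-tx, and so on) and a 4-core CM4; the /proc/interrupts excerpt below is constructed for testing the parser.

```shell
#!/bin/sh
# Spread NIC softirq load: pin each NIC's IRQs to a different CPU core.

# Hex bitmask for a single 0-based CPU index, in the format smp_affinity expects.
# cpu_mask 0 -> 1, cpu_mask 2 -> 4, cpu_mask 3 -> 8
cpu_mask() {
    printf '%x' $((1 << $1))
}

# Read a /proc/interrupts table on stdin and print the IRQ numbers whose
# last field is the interface name, optionally followed by a "-suffix"
# (so "eth1" picks up both "eth1" and "eth1-tx", but not "eth10").
irqs_matching() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+:$/ && match($NF, "^" pat "(-|$)") {
            sub(":", "", $1); print $1
        }'
}

# Pin every IRQ of interface $1 to CPU $2. Must run as root.
pin_irqs() {
    iface=$1; cpu=$2
    mask=$(cpu_mask "$cpu")
    for irq in $(irqs_matching "$iface" < /proc/interrupts); do
        echo "$mask" > "/proc/irq/$irq/smp_affinity"
    done
}

# Constructed sample of /proc/interrupts (not captured from a real board),
# used to exercise irqs_matching without touching the live system.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
 41:     123456          0          0          0  GICv2 189 Level  eth0
 42:       5000          0          0          0  GICv2 190 Level  eth1
 43:       1000          0          0          0  GICv2 191 Level  eth1-tx
 44:        200          0          0          0  GICv2 130 Level  mmc0'

# Typical use on the router itself (one NIC per core, leaving CPU0 free):
#   pin_irqs eth0 1
#   pin_irqs eth1 2
```

The setting is lost on reboot, so on IPFire it would need to go into a startup script; check the result with `grep eth /proc/interrupts` and watch whether the softirq load in top now moves to the chosen cores.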
I was thus a bit puzzled, as the video reviews I had watched had indicated that this setup should saturate the NICs when used as a NAT router. So finally I decided to investigate further, by wiping the IPFire installation, installing a Linux distribution, and configuring an iptables masquerade manually.
With this setup, I was able to get a consistent 930-950 Mbps.
So in conclusion, it looks like IPFire has some performance issue compared with a basic Linux installation with masquerading. I made sure that all services were turned off from within the UI, no additional firewall rules were defined, and intrusion prevention / blocklists were turned off.
I guess this performance loss doesn’t matter for slower WAN links, but I thought I would nevertheless finish this post with a question: what is the nature of this drop in performance? It would be great to be able to use this hardware setup with a Gb WAN speed that can use all the bandwidth.