SMT vs multicore

This is my 1st post, so please forgive my ignorance if the answer should be obvious. I am a home user and considering IPFire to replace an Asus router. I will likely buy a PC Engines board, or perhaps a TLSense unit from TekLager. I am also open to other hardware as well.

In May 2019, this post indicates that SMT (hyper-threading) will be disabled. https://blog.ipfire.org/post/security-announcement-disabling-smt-by-default-on-affected-intel-processors

Has this occurred?

For Intel CPUs, does this mean that the CPU will only function with one core? For example, an i3-4010U has 2 cores, but with SMT (i.e. Hyper-Threading) it supports 4 threads. Will disabling SMT also disable 1 of the 2 cores? Or will it function with 2 cores, limited to 1 thread per core (2 threads total)? Or will it just function as 1 thread and only activate a single core?

I am on a steep learning curve, thanks to the community for what seems like the best solution for me.

Thank you

1 Like

Hi John,

Welcome to the club, I have been there just recently as well.

I hope I’m right but to the best of my memory Intel Hyperthreading has been disabled because of Spectre.

I think a lot of folks here prefer AMD for that reason,

The APU is a good start, the AMD Jaguar works pretty well for IPFire, including VPN, IPS etc…

I think the units with 4GB RAM and Intel 210-AT are the best for the time being. They have pretty good support for a few more years if I remember.

2 Likes

Welcome … ipfire will use 2 cores.

1 Like

Short answer: IPFire uses all available cores (processors), but with the setting ‘one thread per core’. This makes control of processed code optimal. Multithreading/multiprocessing is controlled by the OS and not by the processor, which can be manipulated by Spectre etc.
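An added example, not from this thread and not IPFire's own code, showing what "one thread per core" looks like from the operating system's point of view. When SMT is disabled, Linux takes the sibling threads offline and they disappear from /proc/cpuinfo, while every physical core stays in use; so a 2-core/4-thread part like the i3-4010U shows two online CPUs on two cores, not one core. The two /proc/cpuinfo samples are constructed for the example, and the function names (online_cpus, physical_cores, threads_per_core, smt_verdict) are assumptions of this example rather than anything IPFire ships.

```shell
#!/bin/sh
# Added example (not IPFire code): count threads per core from /proc/cpuinfo text.
# With SMT disabled, Linux takes the sibling threads offline; they disappear from
# /proc/cpuinfo, so the number of "processor" entries equals the number of cores.

# Constructed sample: a 2-core/4-thread part (i3-4010U-like) with SMT disabled.
# Only the two primary threads, one per core, remain online.
CPUINFO_SMT_OFF='processor : 0
physical id : 0
core id : 0
cpu cores : 2

processor : 1
physical id : 0
core id : 1
cpu cores : 2
'

# Constructed sample: the same part with SMT enabled; four logical CPUs on two cores.
CPUINFO_SMT_ON='processor : 0
physical id : 0
core id : 0
cpu cores : 2

processor : 1
physical id : 0
core id : 0
cpu cores : 2

processor : 2
physical id : 0
core id : 1
cpu cores : 2

processor : 3
physical id : 0
core id : 1
cpu cores : 2
'

# online_cpus TEXT: number of logical CPUs listed (one "processor" line each).
online_cpus() {
    printf '%s\n' "$1" | grep -c '^processor'
}

# physical_cores TEXT: distinct (physical id, core id) pairs, i.e. online cores.
# The separator regex tolerates the tab that the real /proc/cpuinfo puts before ':'.
physical_cores() {
    printf '%s\n' "$1" | awk -F': *' '
        /^physical id/ { pkg = $2 }
        /^core id/     { seen[pkg ":" $2] = 1 }
        END { n = 0; for (k in seen) n++; print n }'
}

# threads_per_core TEXT: 1 means SMT is off (or unsupported), 2 means it is on.
threads_per_core() {
    cpus=$(online_cpus "$1")
    cores=$(physical_cores "$1")
    [ "$cores" -gt 0 ] || { echo 0; return 1; }
    echo $((cpus / cores))
}

# smt_verdict STATE: interpret the kernel's SMT control state, i.e. the contents
# of /sys/devices/system/cpu/smt/control on a running system.
smt_verdict() {
    case "$1" in
        off|forceoff)                echo "SMT disabled: sibling threads offline, all cores still in use" ;;
        on)                          echo "SMT enabled: two threads per core are online" ;;
        notsupported|notimplemented) echo "CPU has no SMT: one thread per core by design" ;;
        *)                           echo "unknown SMT state: $1" ;;
    esac
}

# Stand-alone demonstration on the constructed samples.
echo "SMT off sample: $(online_cpus "$CPUINFO_SMT_OFF") online CPUs on $(physical_cores "$CPUINFO_SMT_OFF") cores, $(threads_per_core "$CPUINFO_SMT_OFF") thread(s) per core"
echo "SMT on  sample: $(online_cpus "$CPUINFO_SMT_ON") online CPUs on $(physical_cores "$CPUINFO_SMT_ON") cores, $(threads_per_core "$CPUINFO_SMT_ON") thread(s) per core"
smt_verdict off
```

On a real IPFire box the same functions can be pointed at the live data with `threads_per_core "$(cat /proc/cpuinfo)"` and `smt_verdict "$(cat /sys/devices/system/cpu/smt/control)"`; `lscpu | grep 'Thread(s) per core'` gives the same answer the kernel-side way. A result of 1 thread per core with the core count unchanged is what the announced SMT-off default should look like.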

Hi John,

The amount of processing power that IPFire requires is highly dependent on:

  • additional optional processing - particularly IPS
  • Internet bandwidth

On low bandwidth and with no additional processing, my NanoPi R1 rarely uses more than 10% on its 4 single-threaded 1.2 GHz cores. An entry level AMD APU should do similar and is easier to set up than an ARM processor.

1 Like

NanoPi R1 looks interesting,

@rodneyp how much RAM do you have on your NanoPi?

I have 1 GB RAM plus metal case. I think that 512 MB would be false economy - see IPFire recommendations. My free RAM averages about 66% and rarely falls below 60% - the minimum was 38%.

I have only 14 Mb/s Internet and have never seen that download speed actually reported.

If you have not used an ARM SBC then be aware that the NanoPi R1 requires use of the serial port for installation.

1 Like

Hello to everyone,

thank you very much for all of your answers and suggestions. I’m fairly excited to get started but I wanted to have a better understanding of any hardware issues and limitations before I selected my hardware.

I am on Fiber to the home, so I have about 1Gbps maximum throughput available. If possible, I would like to select hardware that might get me close to that maximum.

I would anticipate running:

  • Web Proxy to filter content for my children; and
  • Snort for an IDS.

I don’t think I need a VPN, though for privacy, I have considered running one. I’m not sure if it would be worth the bandwidth penalty.

Thanks again,

John

Hi @specfire

If you want to run an IPS and have high throughput then you need to read this link in the wiki re performance.

https://wiki.ipfire.org/configuration/firewall/ips/performance-considerations

Hello Adolf,

thank you for that link. That is helpful, however, I would like to clarify IDS vs IPS. I think I am looking for an IDS and not a full IPS.

As such, are the numbers quoted in that article using Snort+Guardian or Suricata as an IPS? I think I would be able to use just Snort on its own as an IDS vice a full IPS.

I don’t actually have much of any level of understanding on the difference between IDS and IPS, I’m hoping to learn once I dive in. The description of Guardian on the Add-ons page is as follows:

“Guardian (wiki.ipfire.org - The Guardian 2.0 Addon) transforms the default Snort network intrusion detection system (IDS) to a network intrusion prevention system (IPS)”

Thanks, John

Hi John,

The basic difference is that the IDS just detects and reports but lets the packets continue. IPS protects because it both detects and blocks.

The throughput numbers in that link are related to Suricata, which is called IPS (Intrusion Protection System) on the IPFire menu. However, you can tick the Monitor traffic only checkbox and then it will act as an IDS.

The main aim of the Monitor only option is to allow tuning of the rules selected, to ensure the right ones for your use case have been selected and that overblocking is prevented. After tuning, the idea is that Suricata should then have Monitor only turned off, but you can decide to leave it on; then you need to go through the reports very regularly to see what has been picked up as occurring in your system and decide what action you want to take.

The main performance impact comes from the detection element rather than from the blocking element. So having an IDS will not reduce significantly the performance impact compared to an IPS.

This wiki link describes the suricata IPS.
https://wiki.ipfire.org/configuration/firewall/ips

Snort is no longer in IPFire. It was replaced by Suricata in Core Update 131. Suricata has different rulesets that can be selected and some of these include the Snort rulesets (both free and subscription).

Guardian now is used to identify SSH brute-force attacks and brute-force attacks against the IPFire WebUI according to the same addon wiki page.

I think the line you found indicates that the wiki page for Guardian needs to be updated.

Hope the above helps. Let us know if there are any further questions.

Hello John, nice to see you ‘upgrading’ from an Asus router to your own router/gateway. I am provisioned for a 1,200 Mbps download rate and able to achieve around 1,400 Mbps with Comcast over-provisioning using a rather old AMD A8-3850 APU. I am not using a web proxy or IPS.

Here are my full specs for reference
https://fireinfo.ipfire.org/profile/27f6bacbb1315f1258f8de74f76e7bd2c1c1bbf8

1 Like