I have a Firewalla Purple. It's idiot mode networking and I love it, but I have never been too thrilled with its cloud shit and really don't want to rely on it as my only option right now.

A while back I tried spinning up a VM with OPNsense and never got good performance off my home Ryzen server. I tried multiple NICs and even bare metal installs, and while bare metal was a little more performant, it was never able to reach gigabit on WAN. The Firewalla falls just a hair short of gigabit WAN, but it's still way ahead of my more muscular server. I notice the CPU load spikes high; it seems nothing I do can bring down that CPU load for OPNsense. OpenWrt performed a bit better but still never hit gigabit speeds and was still below the Firewalla's performance. Bare metal was again a bit better but still not matching the Firewalla.

The Firewalla is a heavily optimized Amlogic based Pi. It's not special, but it works right and my crap doesn't. I have other SBCs I can use if folding into the home server as a VM just isn't practical, but the server is always on anyway and already has extra resources I can throw into this, so I'd like to just throw it all in there, snapshot a working config and be done with it if I can.

I walked away from this a while back thinking I would have a fix if I took a break and came back to it later but I’m still stumped. How are other people doing this?

  • frongt@lemmy.zip · 2 upvotes · 8 hours ago

    What CPU? If it was hitting 100% then that was probably your bottleneck. It just couldn’t handle the packets that fast.

    Also note that the more features you turn on (firewalling, routing, inspection, etc.) the more processing has to be done on each packet.

    Also also note that due to network overhead, gigabit speed for a real-world download is about 800 Mbps.
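An added example for this thread (my own code, not from any of the posters and not from OPNsense, OpenWrt or Firewalla) that puts numbers on the two points above. The first function computes the theoretical TCP goodput ceiling on a gigabit link from standard Ethernet, IPv4 and TCP framing overheads: for a plain Ethernet WAN it comes out near 940 Mbps, so a download that tops out at a steady 800 Mbps is being held back by something beyond protocol overhead (PPPoE, the ISP's shaper, or the router's CPU). The second function parses two snapshots of Linux `/proc/stat` (so OpenWrt or a Debian router; OPNsense is FreeBSD and would need `top -P` instead) and tells a single saturated core, the usual signature of a single-queue virtual NIC whose interrupts all land on one vCPU, apart from every core being busy. The snapshot text and the 90 %/30 % thresholds are constructed assumptions for the example, not measurements from the OP's server.

```python
"""Router throughput triage: goodput ceiling and per-core CPU saturation.

Added example for the thread above; not code from any poster or project.
"""

# Ethernet per-frame overhead on the wire, in bytes (standard values).
ETH_OVERHEAD = 8 + 14 + 4 + 12   # preamble/SFD + header + FCS + inter-frame gap
IPV4_HEADER = 20
TCP_HEADER = 20
TCP_TIMESTAMP_OPT = 12           # enabled by default on Linux and FreeBSD

# Extra bytes per frame for common WAN encapsulations.
# VLAN tags sit outside the 1500-byte payload; PPPoE+PPP headers sit inside it,
# which is why a PPPoE WAN normally has a 1492-byte IP MTU.
VLAN_TAG = 4
PPPOE_PPP = 8


def tcp_goodput_mbps(link_mbps=1000, eth_mtu=1500, vlan=False, pppoe=False,
                     tcp_opts=TCP_TIMESTAMP_OPT):
    """Maximum TCP payload rate (Mbps) for a stream of full-size segments."""
    ip_mtu = eth_mtu - (PPPOE_PPP if pppoe else 0)
    payload = ip_mtu - IPV4_HEADER - TCP_HEADER - tcp_opts
    wire = ETH_OVERHEAD + (VLAN_TAG if vlan else 0) + eth_mtu
    return round(link_mbps * payload / wire, 1)


def per_cpu_busy(stat_before, stat_after):
    """Busy percentage per core from two /proc/stat snapshots.

    Field order per 'cpuN' line: user nice system idle iowait irq softirq steal.
    Idle is idle + iowait; busy is everything else in the interval.
    """
    def parse(text):
        cores = {}
        for line in text.splitlines():
            f = line.split()
            if len(f) >= 9 and f[0].startswith("cpu") and f[0] != "cpu":
                vals = [int(x) for x in f[1:9]]
                cores[f[0]] = (sum(vals), vals[3] + vals[4])
        return cores

    before, after = parse(stat_before), parse(stat_after)
    busy = {}
    for core, (total1, idle1) in after.items():
        if core not in before:
            continue
        total0, idle0 = before[core]
        dt = total1 - total0
        if dt > 0:
            busy[core] = round(100.0 * (1 - (idle1 - idle0) / dt), 1)
    return busy


def classify(busy, saturated=90.0, idle_max=30.0):
    """Map a per-core busy map to the likely cause of a throughput ceiling."""
    if not busy:
        return "no per-core data"
    loads = sorted(busy.values(), reverse=True)
    if all(b >= saturated for b in loads):
        return "all cores saturated: packet processing exceeds the CPU budget"
    if loads[0] >= saturated and all(b <= idle_max for b in loads[1:]):
        return "one core saturated: single NIC queue or IRQ pinned to one core"
    return "not CPU-bound: check NIC offloads, virtual NIC type, link or ISP ceiling"


# Constructed 10-second snapshots (USER_HZ = 100) for a 4-vCPU router.
STAT_BEFORE = """\
cpu  1600 0 800 36800 160 80 450 0 0 0
cpu0 1000 0 500 8000 100 50 300 0 0 0
cpu1 200 0 100 9600 20 10 50 0 0 0
cpu2 200 0 100 9600 20 10 50 0 0 0
cpu3 200 0 100 9600 20 10 50 0 0 0
"""
STAT_AFTER = """\
cpu  1850 0 850 39550 160 180 1300 0 0 0
cpu0 1100 0 550 8050 100 150 1000 0 0 0
cpu1 250 0 100 10500 20 10 100 0 0 0
cpu2 250 0 100 10500 20 10 100 0 0 0
cpu3 250 0 100 10500 20 10 100 0 0 0
"""


def triage_example():
    """Run both checks on the constructed data and return the findings."""
    busy = per_cpu_busy(STAT_BEFORE, STAT_AFTER)
    return {
        "ceiling_plain_mbps": tcp_goodput_mbps(),
        "ceiling_pppoe_mbps": tcp_goodput_mbps(pppoe=True),
        "busy": busy,
        "verdict": classify(busy),
    }


if __name__ == "__main__":
    for k, v in triage_example().items():
        print(f"{k}: {v}")
```

Take the two `/proc/stat` snapshots during an `iperf3` run through the router, not on an idle box; a verdict of one saturated core is the case where adding vCPUs changes nothing and a multi-queue NIC (or SR-IOV passthrough) does.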

  • irmadlad@lemmy.world · 1 upvote · edited · 7 hours ago

    $409.00

    The firewalla is a heavily optimized amlogic based pi. it’s not special.

    Damn sure seems special. WOW! What features are/were you running on OPNsense?

    I looked for specs on the Firewalla Purple. However, to compare, I'm running pfSense on an Intel Celeron CPU J3160 @ 1.60GHz/4 core/32 GB RAM with pfBlockerNG, Suricata, ntopng, Tailscale and Unbound, with customized and publicly available DNSBL lists.

    Load average 0.80, 0.51, 0.45

    As @frongt@lemmy.zip said, the more 'things' you have running, the more load, and 800 Mbps is about what I can do even with a gigabit connection and CAT6 pulled for every connection. If I were to try to run huge generic block lists, I would start peaking, which is why I run mostly slimmed down, targeted, custom lists. When you stop and think about it, the amount of list checking, resolving, etc., it's really pretty amazing.

    I tried a while back to see if I could better the 800 Mbps, but nothing produced anything much higher than the standard 800 Mbps, which frustrated me. I just finally accepted the fact that getting as close as possible to a gigabit connection would be the best I could do with what I've got. Being the type of person I am, I was rather verklempt I couldn't squeeze that extra 200 Mbps.

  • cecilkorik@lemmy.ca · 1 upvote · edited · 7 hours ago

    Running it as a VM, or even on a server that is running other services and potentially competing for I/O or memory bandwidth, also introduces many other potential sources of inefficiency. I always recommend running a firewall on dedicated bare metal hardware. It is a very specialized task with very particular requirements of both the hardware and the software, and it has very little tolerance for other sources of latency or delays. That doesn't mean you need to use a pre-built appliance, but it does explain why it's so common, and running it on a VM on a server that is doing other stuff is likely contributing to your issues significantly.

    Personally, I run my firewall/router on a very stripped-down Debian with almost no non-essential services and a custom built kernel. I hand-picked a multi-port PCIe x4 Intel NIC with good Linux compatibility and drivers, and I'm using foomuuri to handle the routing and kea to handle DHCP/DNS for my internal network. This is a very minimal, bare-bones configuration and I wouldn't really recommend it unless you really know what you're doing. It's absolutely not "idiot mode networking", and if that's what you want, you're going to have a real bad time if you try to follow in my footsteps, because I am a very different kind of idiot. But it works for me, so it's proof that it is possible.

  • drkt@scribe.disroot.org · 1 upvote · 8 hours ago

    I can easily push gigabit speeds out of a Pentium G3220 running OPNsense, so that sounds like a virtualization performance issue.