It is my understanding that WG performance can be increased by using the WG kernel module and/or by disabling the spectre/meltdown mitigation under Tunables.
The subject of spectre/meltdown is highly technical and very complex; and apparently still evolving.
I am trying to understand if it's safe to disable the mitigations. It only seems to pose a potential risk when OPNsense is used in a multi-hosted VM environment. Is that correct? Otherwise, I would very much appreciate it if somebody could provide me with some guidance that would help me in assessing the potential risks. I just don't know where to start.
I am using a dedicated desktop as an OPNsense firewall. It's not a dual boot system and I don't run any VMs.
Thank you very much
I personally would not like the trade-off security vs. performance on my perimeter firewall. Get a decent piece of hardware for the performance you need. The newer, the lower the power consumption, the faster you save the money you spent...
What kind of multi-tenancy do you have on a firewall appliance that makes Spectre/Meltdown a concern?
The attack vector is that a regular user authorised to run individual code can snoop memory of other users running their applications. Do you have shell users on your OPNsense?
I disable these mitigations. If you have an RCE, you are screwed, anyway.
@pmhausen I don't have OPNsense deployed in a multi-tenancy environment. OPNsense is running on dedicated hardware (Optiplex 780), no VMs. This is a single user environment with shell access. I am not familiar with RCE? Thank you
@chemlud I think my hardware is decent enough. This is not an enterprise level production environment, so load is not really a concern at all with the exception of WG, which only provides ~800kps throughput at best. Sources suggest disabling spectre/meltdown mitigation and enabling WG kernel mode. Thank you
RCE - remote code execution.
@pmhausen ::) silly me, thank you Sir