Topic: Spectre/Meltdown and WireGuard Performance (Read 1476 times)
z0rk
Jr. Member
Posts: 51
Karma: 1
Spectre/Meltdown and WireGuard Performance
« on: December 06, 2022, 08:11:03 pm »
It is my understanding that WG performance can be increased by using the WG kernel module and/or by disabling the spectre/meltdown mitigation under Tunables.
The subject of spectre/meltdown is highly technical and very complex; and apparently still evolving.
I am trying to understand if it's safe to disable the mitigations. It only seems to pose a potential risk when OPNsense is used in a multihosted VM environment. Is that correct? Otherwise, I would very much appreciate it if somebody could provide me with some guidance that would help me in assessing the potential risk/s. I just don't know where to start.
I am using a dedicated desktop as an OPNsense firewall. It's not a dual boot system and I don't run any VMs.
Thank you very much
OPNsense 24.7.2
chemlud
Hero Member
Posts: 2486
Karma: 112
Re: Spectre/Meltdown and WireGuard Performance
« Reply #1 on: December 06, 2022, 09:00:05 pm »
I personally would not like the trade-off security vs. performance on my perimeter firewall. Get a decent piece of hardware for the performance you need. The newer the lower the power consumption, the faster you save the money you spent...
« Last Edit: December 06, 2022, 10:13:48 pm by chemlud »
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: Spectre/Meltdown and WireGuard Performance
« Reply #2 on: December 06, 2022, 10:25:49 pm »
What kind of multi-tenancy do you have on a firewall appliance that makes Spectre/Meltdown a concern?
The attack vector is that a regular user authorised to run individual code can snoop memory of other users running their applications. Do you have shell users on your OPNsense?
I disable these mitigations. If you have an RCE, you are screwed, anyway.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
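Reply #2 reduces the question to who can run code locally on the firewall. The script below is an added example, not from the thread or from OPNsense: it lists accounts with an interactive login shell from passwd(5)-format data and prints the FreeBSD sysctls `vm.pmap.pti` and `hw.ibrs_disable` when they exist. The sample accounts are constructed and the function names `shell_users` and `mitigation_state` are hypothetical.

```shell
#!/bin/sh
# Added example: who can run code locally on this box?

# Constructed sample in passwd(5) format; on a real system pass /etc/passwd.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Constructed admin:/home/alice:/bin/csh
backup:*:1002:1002:Constructed service:/nonexistent:/usr/bin/false'

# Print "name uid shell" for each account whose login shell is not a
# nologin/false stub. $1 is a file in passwd(5) format.
# An empty shell field means the system default, /bin/sh.
shell_users() {
    awk -F: '
        /^[ \t]*(#|$)/          { next }   # comments and blank lines
        NF < 7                  { next }   # malformed entry
        $7 == ""                { print $1, $3, "/bin/sh(default)"; next }
        $7 ~ /(nologin|false)$/ { next }   # cannot start a shell
                                { print $1, $3, $7 }
    ' "$1"
}

# Print the FreeBSD mitigation sysctls when they exist; silent elsewhere.
# vm.pmap.pti: 1 = page-table isolation (Meltdown) on.
# hw.ibrs_disable: 1 = IBRS (Spectre v2) mitigation off.
mitigation_state() {
    for oid in vm.pmap.pti hw.ibrs_disable; do
        val=$(sysctl -n "$oid" 2>/dev/null) && echo "$oid=$val"
    done
    return 0
}

tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
echo "Accounts with an interactive shell:"
shell_users "$tmp"
mitigation_state
rm -f "$tmp"
```

Every account the first function prints is one that can run its own code on the machine, which is the population the mitigations protect against.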
z0rk
Jr. Member
Posts: 51
Karma: 1
Re: Spectre/Meltdown and WireGuard Performance
« Reply #3 on: December 07, 2022, 12:47:51 am »
@pmhausen I don't have OPNsense deployed in a multi-tenancy environment. OPNsense is running on dedicated hardware (Optiplex 780), no VMs. This is a single user environment with shell access. I am not familiar with RCE? Thank you
@chemlud I think my hardware is decent enough. This is not an enterprise level production environment, so load is not really a concern at all with the exception of WG, which only provides ~800kps throughput at best. Sources suggest to disable spectre/meltdown mitigation and to enable WG kernel mode. Thank you
« Last Edit: December 07, 2022, 12:50:42 am by z0rk »
OPNsense 24.7.2
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: Spectre/Meltdown and WireGuard Performance
« Reply #4 on: December 07, 2022, 09:20:07 am »
RCE - remote code execution.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
z0rk
Jr. Member
Posts: 51
Karma: 1
Re: Spectre/Meltdown and WireGuard Performance
« Reply #5 on: December 08, 2022, 04:29:25 pm »
@pmhausen
silly me, thank you Sir
OPNsense 24.7.2