Hello. I’ve read about Mirage-firewall, and besides the pros I noticed that the biggest con for me in using it would be a drop in bandwidth for a fast internet connection. Can someone bring in more details about it, please?
I would especially want to thank Hannes who worked for a long time on this firewall and really a lot on the last version which made it possible to release it quickly.
As for the drop in bandwidth, my current tests are with an iperf3 server and client in two AppVMs on the same laptop, connected by a Mirage/Linux firewall.
Iperf3 burns my CPU (8th-gen Core i5) to 100% on the firewall VM or on one side of iperf in each case (so this is the bottleneck right now in that experiment). Mirage has a bandwidth around 73% of Linux for TCP (510 Mbit/s vs 700 Mbit/s), and around 90% for UDP (660 Mbit/s vs 730 Mbit/s) (Slower bandwidth compared to sys-firewall · Issue #130 · mirage/qubes-mirage-firewall · GitHub). There’s of course some work to be done here investigating bottlenecks.
Besides that experiment, for my daily usage (web, mail, video calls with Teams/Zoom) this is not noticeable at all (the CPU usage is really low and the CPU is not the bottleneck there).
This is exciting! Thank you @palainp and Hannes.
How does mirage-fw get added to the community repo (i.e. how can Qubes users follow the process or help)? Sorry if I sound impatient, just very interested.
I just tried a Cisco VPN with this setting:
AppVM → mirage-fw → vpn (with openconnect to https://…) → mirage-fw2 → sys-net
Which works correctly (I have the VPN IP in the AppVM from the outside POV).
I can also try with a Fortinet VPN (openfortivpn to https://…), but I unfortunately have no access to an OpenVPN server.
EDIT: I can confirm that it works too with the setting:
AppVM → mirage-fw → vpn (with openfortivpn to https://…) → mirage-fw2 → sys-net
Those do not serve any purpose but testing. Of course, you can remove any of them in the setup.
You can filter domains accessible by the AppVM in mirage-fw, and domains accessible by your VPN client in mirage-fw2. I can’t remember where, but a qmf user reported that having mirage-fw before or after the VPN works and the other doesn’t, so here I tried both.
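The chains above (AppVM → mirage-fw → vpn → mirage-fw2 → sys-net) are just a sequence of `netvm` assignments in dom0. As an added example that is not part of this thread or of the qubes-mirage-firewall project, here is a small POSIX sh script that wires such a chain with `qvm-prefs` and then reads it back hop by hop so a wrong or looping `netvm` is caught before traffic is sent. The `QVM_PREFS` override variable and the 16-hop limit are assumptions of this example, not Qubes features; everything else uses only the real `qvm-prefs VM netvm [VALUE]` form.

```shell
#!/bin/sh
# Added example (not from the thread): set each qube's netvm to the next hop,
# e.g. chain_netvms AppVM mirage-fw vpn mirage-fw2 sys-net, then walk the
# chain back from the AppVM to confirm it ends where expected.
# Intended to run in dom0. QVM_PREFS is a hypothetical override (defaults to
# the real qvm-prefs) so the functions can be dry-run with QVM_PREFS=echo.
set -eu

QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# chain_netvms VM1 VM2 ... VMn
# Sets VM1.netvm=VM2, VM2.netvm=VM3, ..., VM(n-1).netvm=VMn.
# The last argument (typically sys-net) is left untouched.
chain_netvms() {
    if [ "$#" -lt 2 ]; then
        echo "usage: chain_netvms VM1 VM2 [... VMn]" >&2
        return 1
    fi
    prev=$1
    shift
    for next in "$@"; do
        "$QVM_PREFS" "$prev" netvm "$next"
        prev=$next
    done
}

# walk_chain VM
# Prints the hop sequence from VM to the first qube whose netvm is unset
# (qvm-prefs prints an empty value or "None" there). Gives up after 16 hops
# so a mis-set netvm that forms a loop cannot make this run forever.
walk_chain() {
    vm=$1
    path=$vm
    hops=0
    while [ "$hops" -lt 16 ]; do
        next=$("$QVM_PREFS" "$vm" netvm) || return 1
        if [ -z "$next" ] || [ "$next" = "None" ]; then
            printf '%s\n' "$path"
            return 0
        fi
        path="$path $next"
        vm=$next
        hops=$((hops + 1))
    done
    echo "walk_chain: more than 16 hops from $1, possible netvm loop" >&2
    return 1
}
```

To apply the setup from the post, source the file in a dom0 shell and run `chain_netvms AppVM mirage-fw vpn mirage-fw2 sys-net`, then `walk_chain AppVM` should print `AppVM mirage-fw vpn mirage-fw2 sys-net`. Running it first with `QVM_PREFS=echo chain_netvms ...` shows the exact `qvm-prefs` calls without changing anything.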
I have one MFW (fitting acronym for this firewall, btw) in front of and behind the Wireguard VM. The one upstream was working fine since it was using IP addresses as inputs. When I tested 0.8.3 I had the same setup and everything works fine, so you can also report that MFW works with Wireguard as well.
Also, in the previous thread I noted that the test browser VM stopped working, but it turns out that was due to me not putting in the right address for DNS-over-HTTPS (it wasn’t 1.1.1.1 @ 443).
I mention this because even though I accidentally got to the correct answer (DNS issues with MFW), the process used to get there was somewhat faulty and I just got lucky.