Following on from:
Here, to start, are some lightly tested mirage firewall configurations that have been working well for me.
Use case: firewall qube as netvm for LAN-only utilities:
qvm-prefs sys-m-firewall-lan memory 32
(i.e. the recommended default). I use this firewall to isolate access to the 192.168.*.* subnet. It’s only for intra-LAN SSH and configuring my router over its web admin frontend.
Use case: firewall qube as netvm for several light-use WAN browser qubes:
qvm-prefs sys-m-firewall-browse memory 32
(i.e. the recommended default)
Use case: firewall qube as netvm for gateway qube to ethernet connection to NAS:
qvm-prefs sys-m-firewall-nas memory 48
What characterizes this networking path is bursty batch traffic: sporadic large file/stream transfers to/from the Qubes workstation over NFS. I believe 32 MB was throttling throughput, but this is based on feeling rather than benchmarking.
Use case: toplevel WAN firewall qube, mediating all browsing, VPN, sys-whonix, light torrenting:
qvm-prefs sys-m-firewall-wan memory 64
qvm-prefs sys-m-firewall-wan kernelopts '--nat-table-size 10000'
(Default nat-table-size: 5000)
In this case I’m confident 32 MB was throttling performance compared to a Linux-based firewall. The above are the first adjustments I tried in order to regain performance, and they worked, and I haven’t tried tweaking them for greater efficiency.
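The settings above are applied one qube at a time by hand. As an added example (not part of the original post, and not a Qubes or mirage-firewall tool), the script below puts all of them in one place and applies each only when the qube exists and the value differs, so re-running it in dom0 is harmless; it also extracts the effective nat-table-size from a kernelopts string, falling back to mirage's default of 5000 when the option is absent. The qube names are the ones used in the post; the "dry-run" branch taken when qvm-prefs is not on the PATH is an assumption so the script can be exercised outside dom0.

```shell
#!/bin/sh
# Added example: idempotent application of the mirage firewall qube settings
# described in the post. Runs qvm-prefs in dom0; prints the commands instead
# when qvm-prefs is unavailable (assumption for running outside dom0).

# Return the --nat-table-size value from a kernelopts string, or mirage's
# default of 5000 when the option is not present. Accepts both
# "--nat-table-size 10000" and "--nat-table-size=10000".
nat_table_size() {
    size=$(printf '%s\n' "$1" | sed -n 's/.*--nat-table-size[ =]*\([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${size:-5000}"
}

# Set one qube property, skipping missing qubes and already-correct values.
# Arguments: qube name, property, desired value.
set_pref() {
    qube=$1; pref=$2; value=$3
    if command -v qvm-prefs >/dev/null 2>&1; then
        # Reading the property fails if the qube does not exist; skip it then.
        current=$(qvm-prefs "$qube" "$pref" 2>/dev/null) || {
            echo "skip: no qube named $qube"; return 0; }
        if [ "$current" = "$value" ]; then
            echo "ok: $qube $pref is already $value"
        else
            qvm-prefs "$qube" "$pref" "$value" && echo "set: $qube $pref $value"
        fi
    else
        echo "dry-run: qvm-prefs $qube $pref $value"
    fi
}

# The four use cases from the post, memory in MB as qvm-prefs expects.
apply_all() {
    set_pref sys-m-firewall-lan    memory 32
    set_pref sys-m-firewall-browse memory 32
    set_pref sys-m-firewall-nas    memory 48
    set_pref sys-m-firewall-wan    memory 64
    set_pref sys-m-firewall-wan    kernelopts '--nat-table-size 10000'
}

# Report the NAT table size a kernelopts string will yield, e.g. to check a
# qube before raising memory: nat_table_size "$(qvm-prefs sys-m-firewall-wan kernelopts)"
echo "WAN NAT table size: $(nat_table_size '--nat-table-size 10000')"   # 10000
echo "default NAT table size: $(nat_table_size '')"                     # 5000

apply_all
```

When grown beyond the defaults, the NAT table is the thing to size against memory: a larger table lets more concurrent flows through a torrent- or VPN-heavy path, which is why the WAN qube in the post pairs the 10000-entry table with 64 MB while the LAN and browsing qubes stay at the defaults.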