PFsense, MDS Mitigation, General Tuning Tips

Hi,

Tell me different ways I can make my install even better than it is.

My Network topology is pretty simple (all wired connections are Cat-6):
ISP Modem (bridged) > pfSense (DHCP; OpenVPN; DNS over TLS; pfBlockerNG) > Router (Static IP; AP mode) as AP/Switch > Devices wired and wireless (mix of Static and Dynamic IPs)

My install is running great, I have no problems, but I am pretty certain there’s something I overlooked. Could I better optimize the /swap /var /log etc?
As it stands I don’t think I am even keeping any logs of much. I am pretty sure I set it all to RAM, as I was concerned about overwriting to the SSD initially.

My specific question(s) about the MDS mitigations: As a person using pfSense in a home environment, do I have as much need to be concerned re: the MDS stuff? If so, how much performance impact do the mitigations have in this sort of role?

On the plus side, I finally got my head around making pfBlockerNG play well with the DNS resolver, and what I did to not make them work well. The resulting ad-block gore is always amazing.

My understanding is that if you don’t have multiple users accessing the firewall who can execute arbitrary code, or you’re not using code from outside the package manager / web UI, then enabling that will only introduce a 10-15% performance hit with no benefit. The same goes for the kernel PTI option, but I don’t think the performance hit is as high.

Basically, the options to enable mitigations for Spectre and Meltdown are there if you want to use them, but a firewall appliance isn’t really vulnerable to them and they introduce a performance hit, which is why they are disabled by default.
