Netgate Discussion Forum
    Reroot exposes SSH, Telnet, Web UI to WAN

    General pfSense Questions
    29 Posts 7 Posters 3.5k Views
    • stephenw10 (Netgate Administrator)

      Yes, that's a nice catch. It should definitely be documented.

      Did you try both 2.6 and 22.01 or just noted they are closely equivalent?

      • User1337

        @stephenw10 Just 2.6.0.

        • jimp (Rebel Alliance Developer, Netgate)

          Given the description of how TOE works I would have expected it to always bypass pf and not just at reroot. I'll try to work a warning against using that into the docs but I'm not sure where it might fit that users would see it. The most likely place would seem to be https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#chelsio-cxgbe-4-cards

          In the future, if you believe you have discovered a security vulnerability, please report it privately as described on https://www.netgate.com/security and not on a public forum post. That way we can investigate it and work on a fix before it is widely known to the public.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • jimp (Rebel Alliance Developer, Netgate)

            Also I wonder how this works then:

            https://redmine.pfsense.org/issues/9091

            Maybe it's different on the T4 vs T5 cards? Or maybe you need that module loaded so TOE works as expected.

            • User1337

              @jimp Yes, I also load t4_tom as part of the script mentioned above. As for why those services become exposed after reroot, I'm not sure, perhaps something to do with the startup sequence and that 600ms exception. The real issue is there's no mention of TOE bypassing pf in Chelsio's FreeBSD manual. However obvious it is to most, it's quite the gotcha for someone like me and unfortunately resulted in creating this thread. A lot of things are poorly or not documented at all.

              • jimp (Rebel Alliance Developer, Netgate)

                Yeah that is definitely unexpected, and also very inconsistent.

                Were you seeing any actual measurable performance gains from TOE for traffic passing through the firewall?

                Usually for connection-based offloading like that (e.g. TSO, LRO) it primarily benefits when acting as an endpoint and can degrade performance when acting as a router.

                I'm still trying to figure out how best to warn about this in the docs because I'm wondering if there is any time we should even recommend enabling that, not just warning against it.

                • User1337

                  @jimp fetch http://ping.online.net/1000Mo.dat ~1.12s, but after enabling TOE on cxl0 the download speed is severely kneecapped for the firewall itself, from my PC the speed is as expected. Reroot made no difference in regards to speed.

                  • Gertjan

                    @User1337 said in Reroot exposes SSH, Telnet, Web UI to WAN:

                    .... on cxl0 the download speed is severely kneecapped for the firewall itself

                    Totally normal.
                    A firewall is optimized for packet handling.
                    Downloading a file from the firewall command line makes packets enter into user land, to be stored on some drive afterwards, and that takes extra time.

                    You just discovered why 'speed tests should be done on LAN devices, not the firewall itself'.

                    @User1337 said in Reroot exposes SSH, Telnet, Web UI to WAN:

                    from my PC the speed is as expected.

                    Point proven.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit: and where are the logs??

                    • jimp (Rebel Alliance Developer, Netgate)

                      @User1337 said in Reroot exposes SSH, Telnet, Web UI to WAN:

                      @jimp fetch http://ping.online.net/1000Mo.dat ~1.12s, but after enabling TOE on cxl0 the download speed is severely kneecapped for the firewall itself, from my PC the speed is as expected. Reroot made no difference in regards to speed.

                      That's just one part of it. Is it better/worse with or without TOE in each of those cases?

                      Just one single stream downloading a large file isn't a great test, but not everyone has a setup capable of testing things in multiple ways (different numbers of traffic streams, packet sizes, etc.)

                      • jimp (Rebel Alliance Developer, Netgate)

                        I went ahead and added a warning in the docs:

                        https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#chelsio-tcp-offload-engine-toe

                        I can always refine it from there but I'd say for now it doesn't look like something anyone should be running in a firewall role. That kind of offloading is meant for initiating/terminating connections on the device in question, not for passing through traffic.

                        Someone might want to do that if they're doing something like using pfSense as a GUI for HAProxy or Squid internally (not on an edge).

                        • User1337
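                        As an added example, not code from this thread, from Netgate or from the docs page linked above: a small POSIX shell audit that parses ifconfig capability flags and reports interfaces with TOE4/TOE6 enabled, which is the condition the docs warning covers (connections handled by the offload engine are not filtered by pf). The ifconfig text embedded below is constructed to match the FreeBSD output shape; the option hex values and MAC addresses are made up, and on a live system you would pass "$(ifconfig)" instead. The function names toe_enabled_ifaces and audit_toe are my own.

```shell
#!/bin/sh
# Added example (not from the thread): flag interfaces that have the Chelsio
# TCP offload engine enabled, because pf does not see TOE-handled connections.

# Print the names of interfaces whose ifconfig options list contains TOE4 or TOE6.
# $1 is the full text of `ifconfig` output.
toe_enabled_ifaces() {
    printf '%s\n' "$1" | awk '
        # Interface header lines look like "cxl0: flags=8843<...>"; remember the name.
        /^[a-z0-9_.]+: flags=/ { iface = $1; sub(/:$/, "", iface) }
        # The options line carries the enabled capabilities inside <...>.
        /options=/ && /<[^>]*TOE[46]/ { print iface }
    '
}

# Wrapper for use in a post-boot or post-reroot check: returns 1 (and warns on
# stderr) when any interface has TOE enabled, 0 otherwise.
audit_toe() {
    found=$(toe_enabled_ifaces "$1")
    if [ -n "$found" ]; then
        printf 'WARNING: TOE enabled on %s; pf does not filter TOE-handled connections\n' \
            "$(printf '%s' "$found" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of FreeBSD ifconfig output (not captured from a real box).
SAMPLE='cxl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6,TOE4,TOE6>
	ether 00:07:43:aa:bb:cc
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
	ether 00:11:22:33:44:55'

# Stand-alone run against the constructed sample; swap in "$(ifconfig)" on a real system.
audit_toe "$SAMPLE" || true
```

                        The awk filter matches only TOE4/TOE6, so TSO4/TSO6 (which the thread notes are also connection-based offloads) are not reported; the wrapper's non-zero return is meant for a cron or boot-time hook that should fail loudly when offload is found on an edge interface.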

                          @jimp I gave up, the download speed was around 2Mbps with TOE enabled.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.