8x igb Intel(R) I211 / checksums - enable or disable / suricata

4o4rh

@stephenw10 I understand if using suricata with inline, it is necessary to have the checksums off. But I am using suricata with a lagg interface so it only supports legacy anyway.

The other package I am using are pfblockerng.

Given that, would it not be better to enable the checksums, so obtain the performance advantages?

Interestingly, when i check igb0 is not disabling the checksums, but all the others are.

igb0:options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>

igb1:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
igb2:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
igb3:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
igb4:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
igb5:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
igb6:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
igb7:options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

4o4rh

Does the dev.igb.0.eee_control setting need to be in loader.conf.local or can it be in the tunables?

Dobby_

@gwaitsi said in 8x igb Intel(R) I211 / checksums - enable or disable / suricata:

Does the dev.igb.0.eee_control setting need to be in loader.conf.local or can it be in the tune ables?

Both may be working fine, but surviving an upgrade will perhaps only the lines inside of the #/boot/load.conf.local

So if you want to be sure that the tunings will be
there after an upgrade.

4o4rh

@Dobby_ as best as I can tell, "hw.em.eee_setting" in freebsd is listed as defaulted to 1 for disabled. so we shouldn't need to touch it

stephenw10

Yes, I expect it to be disabled by default.

igb0 wouldn't get that setting (or any other) if it's not assigned.

Try enabling checksum offloading and see. Generally igb is well supported so it should work there.

Steve

4o4rh

@stephenw10 what I don't understand is; why am i having different options on the igb interfaces if the settings are global?

I have h/w checksums enabled, TSO disabled, LRO disabled and net.inet.tcp.tso = 0

looking at the below options 2,4,5,6,7 have the correct settings but 0,1,3 do not.

ifconfig igb0
options=4e523bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP> 

ifconfig igb1 
options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>

ifconfig igb2
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb3
options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>

ifconfig igb4
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb5
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb6
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb7 
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

stephenw10

pfSense applies settings to the NICs when it sets them up at boot with ifconfig. If they are not assigned they never get settings applied to them.
If you have set global driver variables via loader values those will be applied to all NICs using that driver.
If you have set sysctls for the driver those will be applied to the specific NIC they are set for.

Steve

4o4rh

@stephenw10 I mean my config is;

Advanced Networking
Hardware Checksum Offloading - unchecked
Disable hardware TCP segmentation offload - checked
Disable hardware large receive offload - checked

System Tunables
Enable TCP Segmentation Offload (1) - 0

Loader Config Local
net.inet.tcp.tso=0

igb0 - pppoe ** why tso6/tso4 + rxcsum/txcsum
igb1 - cable modem ** why rxcsum/txcsum + ipv6
igb2 - not connected
igb3 - 100M end point ** why rxcsum/txcsum + ipv6
igb4 - lagg0
igb5 - lagg0
igb6 - uplink switch
igb7 - not connected

4o4rh

@stephenw10 so i added the below to config.xml;

<shellcmd>ifconfig igb0 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb1 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb3 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso</shellcmd>

I got the below after boot, noting that igb1 is still showing the txc/rscsums.
If i run the command again for igb1 manually, it seems to work.

needs to be run with a delay or a test if the interface is up maybe?
** I tell a lie. It takes it momentarily, but then reverts back to the full settings

ifconfig igb7
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb6
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb5
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb4
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb3
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb2
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb1
options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>

ifconfig igb0
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

stephenw10

By unchecking the box in Sys > Adv > Networking you are enabling checksum offloading globally. So whenever an interface is configured it will be set as enabled. Probably igb1 linked/unlinked after that shellcmd ran so it was enabled again.

4o4rh

@stephenw10 so actually, the command should be then;
<shellcmd>ifconfig igb0 -tso4 -tso6 -lro -vlanhwtso</shellcmd>
as it is only tso and lro that we need to turn off right

but in any case, the system is doing it's own thing.

If i enter the below, some turn rxc/txc on and some off, but if i run the command from the shell it works.

<shellcmd>ifconfig igb0 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb1 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb2 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb3 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb4 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb5 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb6 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb7 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>

stephenw10

Since you don't have igb0 assigned dircetly it doesn't make any difference there. The ppp traffic using it cannot be off-loaded. Part of the reason PPPoE is always slower.

You can use the afterfilterchnageshellcmd type to apply settings when an interface is relinked if you need to.
You probably don't need to do any of that though.

4o4rh

@stephenw10 i thought you meant

<system>
<afterfilterchangeshellcmd></afterfilterchangeshellcmd>
</system>

took down my system ;-)

I can't find any document on setting that value

stephenw10

It will run the command everytime the filter is reloaded.

It may have created a loop if running that command triggers the filter to reload.

4o4rh

@stephenw10 i mean i edited the config.xml which crashed the machine. I didn't realize there was a shellcmd package to install

stephenw10

Ah, yes, much safer to use the package!

4o4rh

@stephenw10 except it only allows one afterfiltercmd.

p.s. very weird. after adding the command for igb0 in the afterfilter all igb interfaces now have the desired settings

4o4rh

@stephenw10 i thought this was fixed, but it seems the suricata package was not updated properly.
once i reinstalled the suricata package, the problem of different settings per igb is back.

using the aftersfilterchangeshellcmd does work, for the specific interface but you can only do one.

stephenw10

Use a script in the shellcmd that runs on whatever interfaces you need.