8x igb Intel(R) I211 / checksums - enable or disable / suricata

stephenw10

pfSense applies settings to the NICs when it sets them up at boot with ifconfig. If they are not assigned they never get settings applied to them.
If you have set global driver variables via loader values those will be applied to all NICs using that driver.
If you have set sysctls for the driver those will be applied to the specific NIC they are set for.

Steve

4o4rh

@stephenw10 I mean my config is;

Advanced Networking
Hardware Checksum Offloading - unchecked
Disable hardware TCP segmentation offload - checked
Disable hardware large receive offload - checked

System Tunables
Enable TCP Segmentation Offload (1) - 0

Loader Config Local
net.inet.tcp.tso=0

igb0 - pppoe ** why tso6/tso4 + rxcsum/txcsum
igb1 - cable modem ** why rxcsum/txcsum + ipv6
igb2 - not connected
igb3 - 100M end point ** why rxcsum/txcsum + ipv6
igb4 - lagg0
igb5 - lagg0
igb6 - uplink switch
igb7 - not connected

4o4rh

@stephenw10 so i added the below to config.xml;

<shellcmd>ifconfig igb0 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb1 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb3 -txcsum -rxcsum -tso4 -tso6 -lro -txcsum6 -rxcsum6 -vlanhwtso</shellcmd>

I got the below after boot, noting that igb1 is still showing the txc/rscsums.
If i run the command again for igb1 manually, it seems to work.

needs to be run with a delay or a test if the interface is up maybe?
** I tell a lie. It takes it momentarily, but then reverts back to the full settings

ifconfig igb7
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb6
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb5
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb4
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb3
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb2
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

ifconfig igb1
options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,NOMAP>

ifconfig igb0
options=48120b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,NOMAP>

stephenw10

By unchecking the box in Sys > Adv > Networking you are enabling checksum offloading globally. So whenever an interface is configured it will be set as enabled. Probably igb1 linked/unlinked after that shellcmd ran so it was enabled again.

4o4rh

@stephenw10 so actually, the command should be then;
<shellcmd>ifconfig igb0 -tso4 -tso6 -lro -vlanhwtso</shellcmd>
as it is only tso and lro that we need to turn off right

but in any case, the system is doing it's own thing.

If i enter the below, some turn rxc/txc on and some off, but if i run the command from the shell it works.

<shellcmd>ifconfig igb0 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb1 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb2 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb3 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb4 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb5 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb6 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>
<shellcmd>ifconfig igb7 rxcsum txcsum -tso4 -tso6 -lro rxcsum6 txcsum6 -vlanhwtso</shellcmd>

stephenw10

Since you don't have igb0 assigned dircetly it doesn't make any difference there. The ppp traffic using it cannot be off-loaded. Part of the reason PPPoE is always slower.

You can use the afterfilterchnageshellcmd type to apply settings when an interface is relinked if you need to.
You probably don't need to do any of that though.

4o4rh

@stephenw10 i thought you meant

<system>
<afterfilterchangeshellcmd></afterfilterchangeshellcmd>
</system>

took down my system ;-)

I can't find any document on setting that value

stephenw10

It will run the command everytime the filter is reloaded.

It may have created a loop if running that command triggers the filter to reload.

4o4rh

@stephenw10 i mean i edited the config.xml which crashed the machine. I didn't realize there was a shellcmd package to install

stephenw10

Ah, yes, much safer to use the package!

4o4rh

@stephenw10 except it only allows one afterfiltercmd.

p.s. very weird. after adding the command for igb0 in the afterfilter all igb interfaces now have the desired settings

4o4rh

@stephenw10 i thought this was fixed, but it seems the suricata package was not updated properly.
once i reinstalled the suricata package, the problem of different settings per igb is back.

using the aftersfilterchangeshellcmd does work, for the specific interface but you can only do one.

stephenw10

Use a script in the shellcmd that runs on whatever interfaces you need.