Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

SG-2100 Network Interfaces Question

General pfSense Questions

4

15

968

Log in to reply

J

JonathanLee
last edited by JonathanLee

Hello fellow Netgate community members,

Can you please help?

Does anyone know the default recommended settings here for the SG2100??
Make sure to upvote
1 Reply Last reply
Reply Quote 0
S

stephenw10 Netgate Administrator
last edited by

Checksum offloading is enabled by default and should work on mvneta.
J 1 Reply Last reply
Reply Quote 1
J

JonathanLee @stephenw10
last edited by

@stephenw10 Thank you,

Is this the recommended now for SG-2100MAX
Make sure to upvote
M 1 Reply Last reply
Reply Quote 0
M

mcury @JonathanLee
last edited by

@JonathanLee If using suricata, it is recommended that you disable LRO and hardware checksum offloading.
https://docs.suricata.io/en/suricata-7.0.2/performance/packet-capture.html#offloading
https://forum.netgate.com/topic/184858/suricata-blocking-ips-on-passlist-legacy-mode-blocking-both/75
J 1 Reply Last reply
Reply Quote 1
J

JonathanLee @mcury
last edited by JonathanLee

@mcury Thanks for the reply,

I do not use Suircata only Snort and Squid. I just always wondered what is recommended here for years.
Make sure to upvote
M 1 Reply Last reply
Reply Quote 0
M

mcury @JonathanLee
last edited by mcury

@JonathanLee said in SG-2100 Network Interfaces Question:

@mcury I do not use Suircata only Snort and Squid

I don't think that there is a difference between Snort and Suricata when it comes to LRO/hardware checksum offload..

bmeeks speaking about this

more info: https://forum.netgate.com/topic/166908/snort-4-1-4_3-snort-inline-mode-crashes-wan-interfaces/5
J 1 Reply Last reply
Reply Quote 0
J

JonathanLee @mcury
last edited by

@mcury My issues is the 2100 is an ARM so it can't run inline mode and will not load *.SO rules.

So is this a different on the 2100 @stephenw10 @bmeeks

I have always wondered about this for years

@stephenw10 said in SG-2100 Network Interfaces Question:

Checksum offloading is enabled by default and should work on mvneta.
Make sure to upvote
M 1 Reply Last reply
Reply Quote 0
M

mcury @JonathanLee
last edited by mcury

@JonathanLee said in SG-2100 Network Interfaces Question:

Checksum offloading is enabled by default and should work on mvneta.

According to bmeeks, not when you are running Snort and/or Suricata. Legacy mode or not.
J 1 Reply Last reply
Reply Quote 1
J

JonathanLee @mcury
last edited by

@mcury Thank you
Make sure to upvote
1 Reply Last reply
Reply Quote 1
S

stephenw10 Netgate Administrator
last edited by

Yeah I would disable it with Snort. Though I'm not aware of issues with it in mvneta specifically. It really doesn't help much so disabling it won't hurt.
J 1 Reply Last reply
Reply Quote 1
J

JonathanLee @stephenw10
last edited by

@stephenw10 Than you for the reply
Make sure to upvote
1 Reply Last reply
Reply Quote 0
B

bmeeks
last edited by

The IDS/IPS packages prefer checkum offloading be disabled. And in many (or even most) cases you could expand that to "require" it be disabled. You are usually better off disabling all the hardware-assisted features such as LRO, checksum offloading, etc., when using either of the IDS/IPS packages.
J 1 Reply Last reply
Reply Quote 3
J

JonathanLee @bmeeks
last edited by

@bmeeks thanks for the reply
Make sure to upvote
1 Reply Last reply
Reply Quote 0
J

JonathanLee
last edited by

Happy new year everyone
Make sure to upvote
M 1 Reply Last reply
Reply Quote 0
M

mcury @JonathanLee
last edited by

@JonathanLee said in SG-2100 Network Interfaces Question:

Happy new year everyone

Happy new year to everyone !! =)

Going to meet my friend now, Mr. Jack Daniels.. Nice guy.. hehe
1 Reply Last reply
Reply Quote 1

1 / 1