SG-2100 Network Interfaces Question

JonathanLee

Hello fellow Netgate community members,

Can you please help?

Does anyone know the default recommended settings here for the SG2100??

stephenw10

Checksum offloading is enabled by default and should work on mvneta.

JonathanLee

@stephenw10 Thank you,

Is this the recommended now for SG-2100MAX

mcury

@JonathanLee If using suricata, it is recommended that you disable LRO and hardware checksum offloading.
https://docs.suricata.io/en/suricata-7.0.2/performance/packet-capture.html#offloading
https://forum.netgate.com/topic/184858/suricata-blocking-ips-on-passlist-legacy-mode-blocking-both/75

JonathanLee

@mcury Thanks for the reply,

I do not use Suircata only Snort and Squid. I just always wondered what is recommended here for years.

mcury

@JonathanLee said in SG-2100 Network Interfaces Question:

@mcury I do not use Suircata only Snort and Squid

I don't think that there is a difference between Snort and Suricata when it comes to LRO/hardware checksum offload..

bmeeks speaking about this

more info: https://forum.netgate.com/topic/166908/snort-4-1-4_3-snort-inline-mode-crashes-wan-interfaces/5

JonathanLee

@mcury My issues is the 2100 is an ARM so it can't run inline mode and will not load *.SO rules.

So is this a different on the 2100 @stephenw10 @bmeeks

I have always wondered about this for years

@stephenw10 said in SG-2100 Network Interfaces Question:

Checksum offloading is enabled by default and should work on mvneta.

mcury

@JonathanLee said in SG-2100 Network Interfaces Question:

Checksum offloading is enabled by default and should work on mvneta.

According to bmeeks, not when you are running Snort and/or Suricata. Legacy mode or not.

JonathanLee

@mcury Thank you

stephenw10

Yeah I would disable it with Snort. Though I'm not aware of issues with it in mvneta specifically. It really doesn't help much so disabling it won't hurt.

JonathanLee

@stephenw10 Than you for the reply

bmeeks

The IDS/IPS packages prefer checkum offloading be disabled. And in many (or even most) cases you could expand that to "require" it be disabled. You are usually better off disabling all the hardware-assisted features such as LRO, checksum offloading, etc., when using either of the IDS/IPS packages.

JonathanLee

@bmeeks thanks for the reply

JonathanLee

Happy new year everyone

mcury

@JonathanLee said in SG-2100 Network Interfaces Question:

Happy new year everyone

Happy new year to everyone !! =)

Going to meet my friend now, Mr. Jack Daniels.. Nice guy.. hehe