Disable hardware checksum offload
-
Hello. I have been running pfsense 2.7.2 for a few months now with very few issues (I am a newbie at this). A couple of days ago I needed to set up a 2nd LAN.
I have an HP PC with 1 Ethernet port, plus I added an Intel 540 card with 4 ports.
Setting up pfsense and making it work was fairly easy. BUT once I enabled the 2nd LAN (Opt1), I had trouble accessing the internet: I could ping outside, but there was no website I was able to access. Reading and watching videos, I was able to make it work. The solution was to "Disable hardware checksum offload" in System / Advanced settings / Networking.
Question: with the 1st LAN (Opt0) all worked just fine, no problems at all, but once the second LAN (Opt1) was enabled, I had the issue with the internet access. Anyway, WHY was it now necessary to disable the hardware checksum on the card that has been working OK for months? Just because I enabled the 2nd port, the issue arose.
I just want to know the "why" in a card with 4 ports, all sharing the same circuitry.
A good explanation is welcome, please. Thanks -
I assume the onboard NIC is used for the WAN?
The hardware checksum off-loading should work fine on an X540 NIC. It probably has nothing to do with that setting. Making that change requires a reboot, and that likely restored the connectivity.
Do you have more than one gateway defined?
If so make sure the default IPv4 gateway is set to WAN specifically rather than auto in System > Routing > Gateways.
Steve
-
@stephenw10
Yes, the onboard NIC is the WAN. Thanks for your reply. Yeah, it did require a reboot after disabling the hardware checksum.
Also, the WAN is selected as the default gateway. BUT, my question still needs some clarification though....
Why wasn't it needed to disable the hardware checksum when I was using just one of the first ports of the Intel NIC??? If I may, on a different curiosity: why are there 2 automatically created rules in Firewall / NAT / Outbound? I included a screenshot.
Thank you for your attention
-
There should be no reason that checksum offloading works any differently between ports on the same NIC.
I would speculate that the reboot required to apply that change is what actually corrected whatever was blocking traffic.
The two auto outbound NAT rules are: one for IPsec traffic that requires a static port 500 source, and one for everything else.
A lot of IPsec clients these days don't require that static port, but many older clients still do. -
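Since the thread turns on whether checksum offload is really enabled on each port of the X540, the check a practitioner would want is to read the per-interface capability flags rather than trust the GUI setting. The script below is an added example, not code from the thread or from pfSense: it parses FreeBSD-style `ifconfig` output and reports, per interface, whether both `RXCSUM` and `TXCSUM` are advertised. The sample output is constructed for the example (interface names `ix0`/`ix1`, flag values and addresses are invented); the assumption is that on a real pfSense box you would pass `"$(ifconfig)"` instead, and that X540 ports show up under the `ix` driver.

```shell
#!/bin/sh
# Constructed sample of FreeBSD-style `ifconfig` output for two ports of a
# multi-port NIC. Names, flag words and addresses are invented for this example;
# on a real box substitute the output of `ifconfig` (see usage at the bottom).
SAMPLE_IFCONFIG='ix0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO>
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
ix1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e538ba<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,TSO4,TSO6,LRO,VLAN_HWTSO>
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255'

# csum_offload_state IFACE [IFCONFIG_TEXT]
# Prints "on" when the interface advertises both RXCSUM and TXCSUM, "off" when
# it advertises neither, "partial" when only one is set, "unknown" when the
# interface (or its options line) is not found in the text.
csum_offload_state() {
    iface="$1"
    text="${2:-$SAMPLE_IFCONFIG}"
    # Walk the text: remember the current interface from "name:" header lines,
    # then pull the flag list out of the matching "options=<hex><FLAGS>" line.
    flags=$(printf '%s\n' "$text" | awk -v want="$iface" '
        /^[A-Za-z0-9_.]+:/ { cur = $1; sub(/:$/, "", cur) }
        cur == want && $1 ~ /^options=/ {
            s = $1
            sub(/^options=[0-9a-f]*</, "", s)
            sub(/>$/, "", s)
            print s
            exit
        }')
    [ -n "$flags" ] || { echo unknown; return 0; }
    # Match whole flag words by wrapping the list in commas.
    case ",$flags," in *,RXCSUM,*) rx=1 ;; *) rx=0 ;; esac
    case ",$flags," in *,TXCSUM,*) tx=1 ;; *) tx=0 ;; esac
    if [ "$rx" = 1 ] && [ "$tx" = 1 ]; then
        echo on
    elif [ "$rx" = 0 ] && [ "$tx" = 0 ]; then
        echo off
    else
        echo partial
    fi
}

# list_csum_states [IFCONFIG_TEXT]
# Prints "IFACE STATE" for every interface in the text, so all ports of one
# card can be compared side by side.
list_csum_states() {
    text="${1:-$SAMPLE_IFCONFIG}"
    printf '%s\n' "$text" |
        awk '/^[A-Za-z0-9_.]+:/ { n = $1; sub(/:$/, "", n); print n }' |
        while read -r n; do
            printf '%s %s\n' "$n" "$(csum_offload_state "$n" "$text")"
        done
}

# Stand-alone run against the constructed sample. On pfSense, run instead:
#   list_csum_states "$(ifconfig)"
list_csum_states
```

On the constructed sample, `ix0` reports `on` and `ix1` reports `off`, which is exactly the kind of per-port difference Steve says should not occur on one NIC; if a real box shows it, the offload setting was not applied uniformly and the state is worth recording before and after the reboot.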
@stephenw10
Just to clarify....
You don't think that disabling the hardware checksum fixed the issue I was having (not able to access any website, but only able to ping the Internet), but that just rebooting the firewall would have fixed my issue...? On another note: I followed the steps given in this forum about how to set up a 2nd LAN. One of the steps was to create a firewall rule setting the DNS for the 2nd LAN port, but it also stated that if I am using DNS over TLS, to create another rule.
My question is: is it necessary to have both rules?
I do use DoT; my conundrum is, if DoT takes care of DNS services, why are both rules necessary?
Thanks very much for your feedback, so helpful to me in understanding how these things work.... Much appreciated -
Yes, it seems very unlikely that checksum off-loading would work on one port but not on another on the same NIC. It's just possible that whatever it's connected to is actually sending back packets.
The rules required on a second LAN could be widely variable!
But, yes, if you're specifically passing DNS from clients then you would also need to pass DoT if they are using that. But that would only be for clients using DoT directly. Not if pfSense is using DoT to reach upstream servers. -
@stephenw10
Well, DoT is set up in the firewall, and all the clients (PCs in the internal network) are set up to use the firewall as the DNS server, and the firewall is set up, of course, to use a couple of public DNS servers.
So in this case would it only be needed to have just one rule set up with DoT in order for the clients to have DNS services?...
Best regards -
Probably not, because the clients themselves would be using regular DNS to reach Unbound in pfSense. The DoT connection is between pfSense and the upstream servers.
So you shouldn't need any special firewall rules on a LAN side interface.
-
@stephenw10
Yes, thanks that makes sense.
I'm glad to have this conversation with you. I like to understand how things work and why. I appreciate your time very much.
Have a good night.... -
@jriofrio
Just to corroborate your statement about (in my case) not needing to disable the hardware checksum with the Intel X540. You are correct: I enabled it back and rebooted the firewall, tested the connection of OPT1 (2nd LAN), and all works well, no problems accessing websites.
Also, I deleted the DoT rule for the 2nd LAN. All good.. I'm pleased with the results.
PS: couldn't sleep, so I decided to do the changes now that no one is using the internet....