Chelsio T520 not working as WAN interface

mikenemat · Oct 10, 2018, 10:24 PM

Replaced the T520 with an Intel X520-DA2. Worked perfectly the first time. Chelsio = garbage.

stephenw10 · Oct 11, 2018, 1:04 PM

It's certainly very unusual to be using a 10G card of any type for PPPoE. Do you really have a >1Gbps connection using that?

You could well be the only person using it in which case any bugs that might exist for that combination simply may not have been discovered, until now.

The next step here would be to test it with FreeBSD 11.2 and if it fails there report it upstream.

Steve

mikenemat · Oct 11, 2018, 3:05 PM

@stephenw10

Yep. I really am :) Bell Canada's new 1.5gbps FTTH service works over PPPoE. Apparently this is very common in Japan as well. Their supplied equipment links a SFP GPON module at 2.5gbps. However, their supplied equipment is junk and aside from many other issues, the only way to reach 1.5gbps is to use the wired 1gbps LAN interface and the wireless interface simultaneously, since it is not a 10G appliance. This is not ideal.

So in order to move past this, I'm using a ubiquiti ES-16-XG to link the SFP GPON module. The ES-16-XG is one of the rare pieces of hardware to support linking a SFP module at 2.5gbps. I've configured it to strip the VLAN tag (35), and pass it to pfsense over a proper 10G link. At that point, I'm able to establish a PPPoE session and utilize the full 1.5gbps over a 10G LAN interface.

Forgive my frustration - this issue has been a nightmare to troubleshoot and my appetite for taking down my internet connection for hours at a time (which I use for business as well) is dwindling. I'm going to resell the Chelsio card to someone who hopefully has a more conventional use case. The Intel X520-DA2 has been working flawlessly for over 24 hours now. I think I prefer the Intel card anyways, much less firmware-driven magic going on.

login-to-view

stephenw10 · Oct 11, 2018, 5:58 PM

I understand. Interesting use case.

Steve

posto587 · Feb 7, 2019, 3:16 PM

We are seeing a similar issue but not related with pppoe.

Hardware:
supermicro h2sdi-4c-ln4f
chelsio T520-SO-CF

WAN on the chelsio seems to work ok in our case via DAC on 10G.
If we dial in via ipsec the ipsec connection is established but partly blocked.
So we can ping the pfsense lan interface and other devices on the LAN but not reach the webinterfaces etc.

Switching the WAN from the chelsio to the onboard intel RJ45 solves the problem.

pfsense 2.4.4p2

Same issue on two identical hardware setups.

After pfctl -d access was possible but ipsec allow any rule was present.

stephenw10 · Feb 8, 2019, 1:19 AM

Hmm, if you're coming over IPSec then it's not a TCP off-loading issue. Perhaps an MTU issue though. Try setting enabling mss clamping on IPSec.

Steve

posto587 · Feb 8, 2019, 8:05 AM

@stephenw10 said in Chelsio T520 not working as WAN interface:

Perhaps an MTU issue though. Try setting enabling mss clamping on IPSec.
Steve

We are not onsite today but I will check MTU settings.
The strange thing is, that disabling pf resolved the issue with blocking access. This shouldn't change MTU settings?
Are you guessing it is MTU related because ping works and probably bigger packets are blocked/dropped?

edit: MTU on cxl (chelsio 10G) and ix (intel 1G) are on 1500 but enc0 is on 1536.

stephenw10 · Feb 8, 2019, 2:51 PM

Yes large packets would be my first thought. Disabling pf wouldn't affect that though.
However it does disable pf-scrub. Perhaps you have packet fragments that are not being assembled correctly. Maybe the Chelsio card is doing something with them, it has all sorts of offloading hardware that we don't use.

You can disable pfscrub separately in System > Advanced > Firewall & NAT.

Steve

ssjucrono · Sep 17, 2019, 8:57 PM

Hello I am having a very similar issue! I have a chelsio t404-bt and I am using Centurylink. Which WAN tags vlan201 and pppoe. This setup worked fine with 2 intel nics. Now with the chelsio card I get an WAN IP and I can traceroute from pfsense out but I have no internet on my devices.

Any solution to this?

stephenw10 · Sep 17, 2019, 10:27 PM

Do you have other connectivity from pfSense itself? Can it check for updates or install packages for example?

If so it's a different issue. Probably no NAT.

Steve

ssjucrono · Sep 17, 2019, 10:33 PM

@stephenw10 no I cannot get a list of packages either on pfsense

stephenw10 · Sep 17, 2019, 10:40 PM

Ok so you can ping out though?

Try pinging out with large packets:
ping -s 1000 -c 3 1.1.1.1

Try different sized packets to see if you really are seeing an MTU issue.

Steve