PfSense not properly implementing igb vf driver. VLAN tags being stripped
-
I am currently running pfsense 2.3.3 as a KVM guest on Ubuntu 16.04. I'm assigning VF NICs to the VM using SR-IOV with the intel igb driver.
Everything works fine if I do not use VLANs. Untagged packets pass through just fine. However, it seems that the FreeBSD igb vf driver is stripping vlan tags prematurely. So if I set up a vlan, nothing on that vlan works, but untagged packets continue to pass normally. If I run tcpdump on pfsense, and ping a host on the same vlan, I see the outgoing ARP requests, but nothing else. That other host sees the ARP requests and responds, but pfsense never gets them. So there is some bug that is causing pfsense to not see vlan tagged incoming packets.
To clarify, I am not setting any vlan tagging in my KVM configuration, and anti-spoofing is disabled on the Linux side. This same configuration works with a vyos guest VM.
This bug occurred with the ixgbe driver as well and was fixed. This bug with the igb driver was confirmed on the FreeBSD 10.3 mailing list: https://lists.freebsd.org/pipermail/freebsd-bugs/2016-May/067788.html
Does anyone know how to fix this? Or a way to get it patched in pfsense? It looks like there may be an upstream patch: https://reviews.freebsd.org/D4788
https://reviews.freebsd.org/D4186 is the patch to fix the bug on ixgbe.
Thanks.
-
The ixgbe patch you refer to is in pfSense 2.3.3: https://github.com/pfsense/FreeBSD-src/commit/15873ac96fcc4e81a25d35e735a1fbae9d727360
There doesn't appear to be a patch for igb.
-
Bah, based on the history of that bug and what it took to get it resolved (FreeBSD not working on AWS instances), I have a feeling no one will be committing resources to getting it fixed on the igb driver anytime soon…
Would perhaps simply installing the latest official Intel FreeBSD driver work? https://downloadcenter.intel.com/download/15815/Intel-Network-Adapter-Driver-for-82575-6-and-82580-based-Gigabit-Network-Connections-under-FreeBSD-
-
This change was suggested as a possible fix: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209581#c4
Does anyone have any insight into if it would actually work? If so, I could try setting up a build environment and compiling the driver, but I don't want to waste the time figuring out how to do that if it likely won't work.
-
Hi "ingenium",
Looks like I'm having a similar issue with pfsense 2.4.3 and an Intel i350 NIC.
=> https://forum.pfsense.org/index.php?topic=147766.0
Have you managed to fix the issue finally?
Thanks,
Dieter
-
No I never got it working.
-
Hi Ingenium, I know it might be a bit late for an answer, but I think one solution for your VLAN on VF problem might be to bind a VLAN on a VF on the host.
You can use "ip link set PF vf X vlan Y" on the host to bind a VLAN on the VF. Replace PF with your PF-interface name, X is the VF interface and Y is the VLAN. You would end up having a VF for each additional VLAN.
The VLAN header is stripped/inserted by the VF and the interface can be used just like a standard interface in pfSense. No need to configure VLAN in pfSense.
Check out https://doc.dpdk.org/dts/test_plans/vf_vlan_test_plan.html for reference.
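
An added example, not part of any post in this thread: a host-side check that reads `ip link show` output and prints the "ip link set PF vf X vlan Y" command for every VF whose bound VLAN differs from the intended plan. The PF name `enp3s0f0`, the VF-to-VLAN plan and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ip link show dev <PF>` output (not captured from a real host).
SAMPLE_IP_LINK='4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:53:01 brd ff:ff:ff:ff:ff:ff
    vf 0 MAC 00:00:5e:00:53:10, vlan 10, spoof checking on, link-state auto
    vf 1 MAC 00:00:5e:00:53:11, vlan 20, spoof checking off, link-state auto
    vf 2 MAC 00:00:5e:00:53:12, spoof checking on, link-state auto'

# vf_vlan_map: read `ip link show` output on stdin and print "VF VLAN" per VF.
# VLAN is "none" when the host has no VLAN bound to that VF, in which case
# tag handling is left to the guest driver.
vf_vlan_map() {
    awk '$1 == "vf" {
        vlan = "none"
        for (i = 2; i < NF; i++)
            if ($i == "vlan") { vlan = $(i + 1); sub(/,$/, "", vlan) }
        print $2, vlan
    }'
}

# check_vf_vlans PF "VF:VLAN ...": read `ip link show` output on stdin and
# print the command needed for each VF that does not match the wanted plan.
check_vf_vlans() {
    pf=$1
    wanted=$2
    actual=$(vf_vlan_map)
    for pair in $wanted; do
        vf=${pair%%:*}
        vlan=${pair##*:}
        have=$(printf '%s\n' "$actual" | awk -v vf="$vf" '$1 == vf { print $2 }')
        [ "$have" = "$vlan" ] || echo "ip link set $pf vf $vf vlan $vlan"
    done
}

# Run against the constructed sample; on a real host, pipe in
# `ip link show dev enp3s0f0` instead.
printf '%s\n' "$SAMPLE_IP_LINK" | check_vf_vlans enp3s0f0 "0:10 1:20 2:30"
```

The script only prints the commands; applying them requires root on the KVM host.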