Disable hardware-level VLAN filtering on igb network card
-
Hi,
try to switch from legacy mode to inline mode and see the following warning:
NOTICE: When using Inline IPS Mode with VLAN interfaces, hardware-level VLAN filtering should be disabled with most network cards. Follow the steps in the Netgate documentation here to disable hardware VLAN filtering.Can not find a point with hardware-level VLAN filtering in the documentation, does it mean "Flow Control"?
https://docs.netgate.com/pfsense/en/latest/hardware/tune.html#flow-control -
@slu
it refers to vlanhwtag, vlanhwcsum , vlanhwfilter , vlanhwtso on the network card
example:
ifconfig igb0 -vlanhwtag -vlanhwcsum -vlanhwfilter -vlanhwtso -
@kiokoman said in Disable hardware-level VLAN filtering on igb network card:
-vlanhwtag -vlanhwcsum -vlanhwfilter -vlanhwtso
There is nothing in the Netgate docs with this keywords.
Where do I have to disable that?pfSense Gold subscription
-
@slu
it's all written here
https://forum.netgate.com/topic/138613/configuring-pfsense-netmap-for-suricata-inline-ips-mode-on-em-igb-interfaces -
@kiokoman
thank you for the link.Look like there are many options to disable in my case on the parent interface:
options=500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>If I remove this options, for example "VLAN_HWTAGGING" vlan still work and it is tagged in software?
-
@slu said in Disable hardware-level VLAN filtering on igb network card:
the instruction only say to remove VLAN_HWCSUM and VLAN_HWTSO ,remove only that if you are using vlans -
@kiokoman said in Disable hardware-level VLAN filtering on igb network card:
the instruction only say to remove VLAN_HWCSUM and VLAN_HWTSO
Can not finde to remove "VLAN_HWCSUM" in the instruction, but maybe this goes also with VLAN_HWTSO away.
In pfSense 2.5.0 it is possible to disable VLAN_HWTSO over the GUI:
https://redmine.pfsense.org/issues/10836pfSense Gold subscription
-
@slu
install the package "Shellcmd"
and put the command inside
ifconfig igb0 -vlanhwcsum -vlanhwtsoor/and igb1/2/3
-
@kiokoman said in Disable hardware-level VLAN filtering on igb network card:
install the package "Shellcmd"
To save this change during reboot better to edit with viconfig:
https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html -
@slu
your choice, I prefer not to tamper with an essential file but you can do that for sure -
@slu said in Disable hardware-level VLAN filtering on igb network card:
@kiokoman said in Disable hardware-level VLAN filtering on igb network card:
the instruction only say to remove VLAN_HWCSUM and VLAN_HWTSO
Can not finde to remove "VLAN_HWCSUM" in the instruction, but maybe this goes also with VLAN_HWTSO away.
In pfSense 2.5.0 it is possible to disable VLAN_HWTSO over the GUI:
https://redmine.pfsense.org/issues/10836Disabling the hardware VLAN tagging is a chipset specific thing on NICs. And there are (or were) some outstanding FreeBSD bugs in this area where some NICs (one or more of the Intel ones, for example) would ignore this flag. So even if you issue the instruction via the shell, it would not actually take effect due to a driver bug at the FreeBSD level. Some of those may have been fixed, though. There are some NICs that require an down/up sequence with
ifconfigin order to turn off the tagging. You can search the FreeBSD bug reporting database here to see what's outstanding with regards to the VLAN hardware tags.Unfortunately there is a lot of "fine print" with regards to how the
netmapkernel device interacts with other parts of the FreeBSD networking stack. VLANs and all the hardware tagging things are one example. This "fine print" impacts how well the Inline IPS Mode works with both Suricat and Snort because that mode uses the kernelnetmapdevice. -
@bmeeks said in Disable hardware-level VLAN filtering on igb network card:
Disabling the hardware VLAN tagging is a chipset specific thing on NICs. And there are (or were) some outstanding FreeBSD bugs in this area where some NICs (one or more of the Intel ones, for example) would ignore this flag.
What is not 100% clear to me, disable this in hardware will use software for this?
With other words, my network interface do not stop working with vlans?Unfortunately there is a lot of "fine print" with regards to how the
netmapkernel device interacts with other parts of the FreeBSD networking stack. VLANs and all the hardware tagging things are one example. This "fine print" impacts how well the Inline IPS Mode works with both Suricat and Snort because that mode uses the kernelnetmapdevice.Yes it is, i learned lot of things in the last days... :)
-
@slu said in Disable hardware-level VLAN filtering on igb network card:
@bmeeks said in Disable hardware-level VLAN filtering on igb network card:
Disabling the hardware VLAN tagging is a chipset specific thing on NICs. And there are (or were) some outstanding FreeBSD bugs in this area where some NICs (one or more of the Intel ones, for example) would ignore this flag.
What is not 100% clear to me, disable this in hardware will use software for this?
With other words, my network interface do not stop working with vlans?Unfortunately there is a lot of "fine print" with regards to how the
netmapkernel device interacts with other parts of the FreeBSD networking stack. VLANs and all the hardware tagging things are one example. This "fine print" impacts how well the Inline IPS Mode works with both Suricat and Snort because that mode uses the kernelnetmapdevice.Yes it is, i learned lot of things in the last days... :)
Disabling the hardware VLAN stuff won't impact your networking. Once it's turned off it will be the same as if you were using a NIC card that does not support that feature.
However, I'm pretty sure that when you make that change via the CLI it will bounce the interface as the NIC driver requires a "down/up" sequence to make the swap. So in that sense your network traffic on that interface will be temporarily disrupted.
-
@slu you can also try this patch:
https://redmine.pfsense.org/issues/10836
