Disable hardware-level VLAN filtering on igb network card

slu

@kiokoman said in Disable hardware-level VLAN filtering on igb network card:

-vlanhwtag -vlanhwcsum -vlanhwfilter -vlanhwtso

There is nothing in the Netgate docs with this keywords.
Where do I have to disable that?

kiokoman

@slu
it's all written here
https://forum.netgate.com/topic/138613/configuring-pfsense-netmap-for-suricata-inline-ips-mode-on-em-igb-interfaces

slu

@kiokoman
thank you for the link.

Look like there are many options to disable in my case on the parent interface:

options=500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>

If I remove this options, for example "VLAN_HWTAGGING" vlan still work and it is tagged in software?

kiokoman

@slu said in Disable hardware-level VLAN filtering on igb network card:
the instruction only say to remove VLAN_HWCSUM and VLAN_HWTSO ,remove only that if you are using vlans

slu

@kiokoman said in Disable hardware-level VLAN filtering on igb network card:

the instruction only say to remove VLAN_HWCSUM and VLAN_HWTSO

Can not finde to remove "VLAN_HWCSUM" in the instruction, but maybe this goes also with VLAN_HWTSO away.

In pfSense 2.5.0 it is possible to disable VLAN_HWTSO over the GUI:
https://redmine.pfsense.org/issues/10836

kiokoman

@slu
install the package "Shellcmd"
and put the command inside
ifconfig igb0 -vlanhwcsum -vlanhwtso

or/and igb1/2/3

slu

@kiokoman said in Disable hardware-level VLAN filtering on igb network card:

install the package "Shellcmd"

To save this change during reboot better to edit with viconfig:
https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html

kiokoman

@slu
your choice, I prefer not to tamper with an essential file but you can do that for sure

bmeeks

@slu said in Disable hardware-level VLAN filtering on igb network card:

@kiokoman said in Disable hardware-level VLAN filtering on igb network card:

the instruction only say to remove VLAN_HWCSUM and VLAN_HWTSO

Can not finde to remove "VLAN_HWCSUM" in the instruction, but maybe this goes also with VLAN_HWTSO away.

In pfSense 2.5.0 it is possible to disable VLAN_HWTSO over the GUI:
https://redmine.pfsense.org/issues/10836

Disabling the hardware VLAN tagging is a chipset specific thing on NICs. And there are (or were) some outstanding FreeBSD bugs in this area where some NICs (one or more of the Intel ones, for example) would ignore this flag. So even if you issue the instruction via the shell, it would not actually take effect due to a driver bug at the FreeBSD level. Some of those may have been fixed, though. There are some NICs that require an down/up sequence with ifconfig in order to turn off the tagging. You can search the FreeBSD bug reporting database here to see what's outstanding with regards to the VLAN hardware tags.

Unfortunately there is a lot of "fine print" with regards to how the netmap kernel device interacts with other parts of the FreeBSD networking stack. VLANs and all the hardware tagging things are one example. This "fine print" impacts how well the Inline IPS Mode works with both Suricat and Snort because that mode uses the kernel netmap device.

slu

@bmeeks said in Disable hardware-level VLAN filtering on igb network card:

Disabling the hardware VLAN tagging is a chipset specific thing on NICs. And there are (or were) some outstanding FreeBSD bugs in this area where some NICs (one or more of the Intel ones, for example) would ignore this flag.

What is not 100% clear to me, disable this in hardware will use software for this?
With other words, my network interface do not stop working with vlans?

Unfortunately there is a lot of "fine print" with regards to how the netmap kernel device interacts with other parts of the FreeBSD networking stack. VLANs and all the hardware tagging things are one example. This "fine print" impacts how well the Inline IPS Mode works with both Suricat and Snort because that mode uses the kernel netmap device.

Yes it is, i learned lot of things in the last days... :)

bmeeks

@slu said in Disable hardware-level VLAN filtering on igb network card:

@bmeeks said in Disable hardware-level VLAN filtering on igb network card:

Disabling the hardware VLAN tagging is a chipset specific thing on NICs. And there are (or were) some outstanding FreeBSD bugs in this area where some NICs (one or more of the Intel ones, for example) would ignore this flag.

What is not 100% clear to me, disable this in hardware will use software for this?
With other words, my network interface do not stop working with vlans?

Unfortunately there is a lot of "fine print" with regards to how the netmap kernel device interacts with other parts of the FreeBSD networking stack. VLANs and all the hardware tagging things are one example. This "fine print" impacts how well the Inline IPS Mode works with both Suricat and Snort because that mode uses the kernel netmap device.

Yes it is, i learned lot of things in the last days... :)

Disabling the hardware VLAN stuff won't impact your networking. Once it's turned off it will be the same as if you were using a NIC card that does not support that feature.

However, I'm pretty sure that when you make that change via the CLI it will bounce the interface as the NIC driver requires a "down/up" sequence to make the swap. So in that sense your network traffic on that interface will be temporarily disrupted.

viktor_g

@slu you can also try this patch:
https://redmine.pfsense.org/issues/10836