Intel NIC I-226V

Antibiotic

Hello please give me a tip:
In general, for this NIC should be enable Hardware Checksum Offloading, Hardware TCP Segmentation Offloading, Hardware Large Receive Offloading?
Second question in case of using traffic shaping, what can be enable or cannot for better result?

Antibiotic

Guys and girls, any reply? regarding your experience, I don't ask by academic education grade.

bmeeks

For a router/firewall, it is generally better to leave all of these options disabled. This is especially true if you run one of the IDS/IPS packages as hardware offloading options can adversely impact how an IDS/IPS sees network packets.

Antibiotic

@bmeeks I have tried disable all but without Hardware Checksum Offloading my ISP speed is dropping noticeably ( 1Gb up/1Gb down)

Antibiotic

@bmeeks What about traffic shaping, this is options could worse/better or doesn't matter?

bmeeks

@Antibiotic said in Intel NIC I-226V:

@bmeeks I have tried disable all but without Hardware Checksum Offloading my ISP speed is dropping noticeably ( 1Gb up/1Gb down)

With modern CPUs, that option should result in no degradation of throughput whether enabled or disabled. Quantify what you mean by "dropping noticeably".

Antibiotic

@bmeeks Speed is jumping ( Intel Alder Lake N100) but could, due to traffic shaping working. The Fast.com one speed Waveform another speed. But have a router in AP mode connecting to switch and without Hardware Checksum Offloading on pfSense box speed is going down about 1.5

Antibiotic

@Antibiotic BTW tried Snort in inline mode and AP router speed dropped down till 80/100Mb insteed of my 1Gb.

bmeeks

@Antibiotic said in Intel NIC I-226V:

@Antibiotic BTW tried Snort in inline mode and AP router speed dropped down till 80/100Mb insteed of my 1Gb.

If that CPU can't do better than 80/100 MB with Snort inline, then something else is seriously wrong with your configuration. At worst I would expect speeds to drop to about 50% of normal with Snort, and even less of a drop with Suricata (since it is multithreaded).

Seems that particular NIC may have issues. Here is a thread I found on Reditt: https://www.reddit.com/r/intel/comments/123kjuc/anyone_else_still_having_issues_with_i226v/. And another one from a different forum: https://www.overclock.net/threads/design-flaw-on-the-intel-ethernet-1226-v-2-5-gbe-controller.1805716/. And one more: https://forums.tomshardware.com/threads/i226-v-issues-hardware-or-software-related.3801887/.

Antibiotic

@bmeeks Thank to you my friend, will take a look. But this drop going on router in AP mode not home network like a PC over cable connection.

bmeeks

@Antibiotic said in Intel NIC I-226V:

@bmeeks Thank to you my friend, will take a look. But this drop going on router in AP mode not home network like a PC over cable connection.

You're making no sense here. Are you talking about speed issues over a wireless connection or a wired connection? Wireless is 1000% different from a wired connection. You can almost never get 1 Gig/sec speeds on wireless unless you stand like 5 feet from the AP, there is zero interference from any other device in the vicinity, and of course you have a 6E capable AP.

Antibiotic

@bmeeks I mean in complex wired and wireless, agree that with wireless could be a different cause of dropping. But anyway, with Hardware Checksum Offloading ON and snort deinstalled wireless speed almost as my ISP/ 1Gb on wireless router in AP mode ( But wireless router is power Asus RT-AX86U Pro)

bmeeks

@Antibiotic said in Intel NIC I-226V:

@bmeeks I mean in complex wired and wireless, agree that with wireless could be a different cause of dropping. But anyway, with Hardware Checksum Offloading ON and snort deinstalled wireless speed almost as my ISP/ 1Gb on wireless router in AP mode ( But wireless router is power Asus RT-AX86U Pro)

So, how is the Asus box connected to the Internet? Does its WAN port plug into the exact same port as you are connecting the pfSense WAN connection to? Is there perhaps a switch that both are plugging in to for connection to your ISP?

I am going to assume that English is not your native language because the way you are structuring your sentences and using words is quite confusing to me, especially with you seeming to switch back and forth talking one minute about wired and the next about wireless. I don't believe I am understanding your problem fully.

Antibiotic

@bmeeks Yep English not my native))) Connection going in this way: ISP cable to WAN of pfSense box than switch TL-SG108E to LAN of pfSense box. The rest home network connected over this switch as well AP router.

Antibiotic

@bmeeks The main question was is this NIC model support all these 3 options
(if any on forum have these cards and can confirmed) and possible to keep them during traffic shaping?

bmeeks

@Antibiotic said in Intel NIC I-226V:

@bmeeks Yep English not my native))) Connection going in this way: ISP cable to WAN of pfSense box than switch TL-SG108E to LAN of pfSense box. The rest home network connected over this switch as well AP router.

Okay, so all traffic (both wired and wireless) takes the same path through pfSense.

Now let's turn to what your problem is. Is your complaint that you are not seeing full ISP speed through pfSense ever, or only when you enable Snort (does the speed drop).

Where are your measuring speed? Be aware that you should not put a speedtest client on pfSense itself as servicing that application takes CPU cycles away from routing packets and will adversely impact the speedtest measurement. You should only test "through" pfSense by utilizing a speed test client on a machine in your LAN testing to a destination on the Internet. The traffic will pass through pfSense in that scenario but will not be "sourced/created" by pfSense and thus won't bog down routing by stealing CPU cycles.

bmeeks

@Antibiotic said in Intel NIC I-226V:

@bmeeks The main question was is this NIC model support all these 3 options
(if any on forum have these cards and can confirmed) and possible to keep them during traffic shaping?

I don't know. That is something you will have to research for the specific NIC model and firmware revision you have. There are multiple variations of that card and driver available now from Intel.

For symmetrical connections (where upload and download speeds are the same), traffic shaping is not as big of a deal as it is on asymmetrical connections where upload is much slower than download. Why do you want to use traffic shaping?

Antibiotic

@bmeeks Traffic shaping for my experience in pfSense , one more question can you tell me FreeBSD command to check specific NIC model and firmware revision in terminal?

Antibiotic

@bmeeks This one got from command:
igc0@pci0:1:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x 125c subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'Ethernet Controller I226-V'
class = network
subclass = ethernet

Can you please tell me, where can check by this info NIC support options?

bmeeks

@Antibiotic said in Intel NIC I-226V:

@bmeeks This one got from command:
igc0@pci0:1:0:0: class=0x020000 rev=0x04 hdr=0x00 vendor=0x8086 device=0x 125c subvendor=0x8086 subdevice=0x0000
vendor = 'Intel Corporation'
device = 'Ethernet Controller I226-V'
class = network
subclass = ethernet

Can you please tell me, where can check by this info NIC support options?

Here is where the driver for that hardware family was introduced into FreeBSD and thus pfSense (both the i225 and i226 are the same NIC family): https://cgit.freebsd.org/src/commit/?id=d7388d33b4dd. If you look through the git diff you can find the man page showing the supported tunables.