Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Jim Thompson

> On Mar 4, 2015, at 5:48 PM, Bryan D.  wrote:
> 
> On 2015-Mar-04, at 2:08 PM, Jim Thompson  wrote:
>> 
>> You’re aware that I work for Netgate, right?
> 
> Well ... yes, but that item was in response to the posting by 
> comp...@hotrodpc.com.
> 
> More importantly, when I see "Jim Thompson" I immediately think "ah, 
> expert-level response follows" -- and you always seem to come from the 
> understanding that many of us don't "breathe 'n eat networking."  I sincerely 
> appreciate (and learn from) such list/forum/blog/etc. postings.

Interestingly, when people inside the company see email from “Jim Thompson” the 
reaction is often, “oh no...”

> OTOH, I admit that I've sort o' lumped Netgate with pfSense, assuming little 
> separation ... which, I'm guessing is not the right way to think of things.  
> As a low-priority item, it'd be nice to see a statement about this 
> relationship (which may already exist, but I was unable to coax it out of Mr. 
> Google -- maybe I just don't know the "magic phrase”).

It’s been covered to death on the forum.

Jim

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] [Bulk] Re: default firewall rules

2015-03-04 Thread PiBa
Don't forget to move host-overrides / domain-overrides, and set the 
'Harden Glue' on dnsresolver/advanced settings.


Sean wrote on 5-3-2015 at 3:49:


LOL. That simple eh?
Thanks.

On Mar 4, 2015 8:27 PM, "Randy Bush" wrote:

> Pardon the hijack but if I was using dnsmasq and upgraded to 2.2 and wanted
> to use unbound instead what's the best way to switch? (Note: already did
> the upgrade to 2.2).

services / dns forwarder / disable
services / dns resolver / enable




Re: [pfSense] default firewall rules

2015-03-04 Thread Sean
LOL. That simple eh?
Thanks.
On Mar 4, 2015 8:27 PM, "Randy Bush"  wrote:

> > Pardon the hijack but if I was using dnsmasq and upgraded to 2.2 and wanted
> > to use unbound instead what's the best way to switch?  (Note: already did
> > the upgrade to 2.2).
>
> services / dns forwarder / disable
> services / dns resolver / enable
>

Re: [pfSense] default firewall rules

2015-03-04 Thread Randy Bush
> Pardon the hijack but if I was using dnsmasq and upgraded to 2.2 and wanted
> to use unbound instead what's the best way to switch?  (Note: already did
> the upgrade to 2.2).

services / dns forwarder / disable
services / dns resolver / disable


Re: [pfSense] default firewall rules

2015-03-04 Thread Randy Bush
> Pardon the hijack but if I was using dnsmasq and upgraded to 2.2 and wanted
> to use unbound instead what's the best way to switch?  (Note: already did
> the upgrade to 2.2).

services / dns forwarder / disable
services / dns resolver / enable


Re: [pfSense] default firewall rules

2015-03-04 Thread Sean
Pardon the hijack but if I was using dnsmasq and upgraded to 2.2 and wanted
to use unbound instead what's the best way to switch?  (Note: already did
the upgrade to 2.2).


On Sat, Feb 28, 2015 at 11:37 AM, Brian Candler  wrote:

> On 28/02/2015 15:16, Randy Bush wrote:
>
>> if i upgraded, can i cause it to switch to unbound?
>>
> Yes: pfSense 2.2 comes with unbound *instead of* bind.
>
> pfSense 2.1.x can have unbound installed as a package.
>
>

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Bryan D.
On 2015-Mar-04, at 2:08 PM, Jim Thompson  wrote:
> 
>> On Mar 4, 2015, at 2:02 PM, Bryan D.  wrote:
>> 
>> On 2015-Mar-04, at 6:20 AM, compdoc  wrote:
>> 
>>> For me, what happens after enabling or disabling those settings are
>>> immediately apparent.
>> 
>> I guess my approach w.r.t. a mailing list has always been that I'd like to 
>> help others avoid spending time learning something I can help with.  As such 
>> (paraphrasing) "try it and you'll see" isn't a response I'd give.  Of 
>> course, in absence of finding the answer in the documentation or via Mr. 
>> Google, we can always set up a test system and investigate (given the 
>> ominous warnings, I wouldn't have done so on a production system) ... but 
>> then why have the list?
> 
> You’re aware that I work for Netgate, right?

Well ... yes, but that item was in response to the posting by 
comp...@hotrodpc.com.

More importantly, when I see "Jim Thompson" I immediately think "ah, 
expert-level response follows" -- and you always seem to come from the 
understanding that many of us don't "breathe 'n eat networking."  I sincerely 
appreciate (and learn from) such list/forum/blog/etc. postings.

OTOH, I admit that I've sort o' lumped Netgate with pfSense, assuming little 
separation ... which, I'm guessing is not the right way to think of things.  As 
a low-priority item, it'd be nice to see a statement about this relationship 
(which may already exist, but I was unable to coax it out of Mr. Google -- 
maybe I just don't know the "magic phrase").

> 
>> On 2015-Mar-04, at 7:17 AM, Jim Thompson  wrote:
>> 
>> So your effort can be of maximum benefit, I've submitted a slightly 
>> edited/formatted version of this to be included in the WiKi's applicable 
>> pfSense documentation page.
> 
> I’m sure the pfSense guys will enjoy that.

... and, hopefully, others.



Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Jim Thompson

> On Mar 4, 2015, at 2:02 PM, Bryan D.  wrote:
> 
> On 2015-Mar-04, at 6:20 AM, compdoc  wrote:
> 
>> For me, what happens after enabling or disabling those settings are
>> immediately apparent.
> 
> I guess my approach w.r.t. a mailing list has always been that I'd like to 
> help others avoid spending time learning something I can help with.  As such 
> (paraphrasing) "try it and you'll see" isn't a response I'd give.  Of course, 
> in absence of finding the answer in the documentation or via Mr. Google, we 
> can always set up a test system and investigate (given the ominous warnings, 
> I wouldn't have done so on a production system) ... but then why have the 
> list?

You’re aware that I work for Netgate, right?

> On 2015-Mar-04, at 7:17 AM, Jim Thompson  wrote:
> 
>> Answering any question post-sale is “support”.
> 
> Ah, so I should have asked _before_ ordering the NICs?  $;-)

There are many of you, and few of us.

>>> Does anyone know the answer to my questions about the various offloading 
>>> settings that should be used with these cards?
>> 
>> LRO works by aggregating [...]
>> 
>> In case it’s not clear by now, these settings are all *disabled* by default 
>> in pfSense.
> 
> Thank you for an answer that nicely goes "above and beyond" my expected "(we) 
> use these settings" response.
> 
> So your effort can be of maximum benefit, I've submitted a slightly 
> edited/formatted version of this to be included in the WiKi's applicable 
> pfSense documentation page.

I’m sure the pfSense guys will enjoy that.

Jim



Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Jens Tautenhahn
On 04.03.2015 at 16:17, Jim Thompson wrote:
> LRO works by aggregating multiple incoming packets from a single
> stream into a larger buffer before they are passed higher up the
> networking stack, thus reducing the number of packets that have to be
> processed.
> 
> LRO should not be used on machines acting as routers, (and it is
> quite likely that you’re using pfSense as a router or, equivalently,
> a router), as it breaks the end-to-end principle and can
> significantly impact performance.
> 
> TSO is similar, but for sending.  It works by queuing up large
> buffers and letting the network interface card (NIC) split them into
> separate packets just before transmit.
> 
> Both LRO and TSO can help if you are an endpoint, *not a router*.
> If you were using pfSense as an appliance (say, for DNS), they would
> possibly help performance.
> 
> Now onto “hardware checksum offload”:
> 
> First, let’s briefly discuss where checksumming is used.
> 
> The Ethernet hardware calculates the Ethernet CRC32 checksum and the
> receive engine validates this checksum. If the received checksum is
> wrong pfSense won’t even see the packet, as the Ethernet hardware
> internally throws away the packet.  (There are exceptions, such as if
> the interface is in promiscuous mode.)
> 
> Higher level checksums are “traditionally” calculated by the protocol
> implementation and the completed packet is then handed over to the
> hardware.  Recent network hardware can perform the IP checksum
> calculation, also known as checksum offloading. The network driver
> won’t calculate the checksum itself but will simply hand over an
> empty (zero or garbage filled) checksum field to the hardware.
> 
> Some cards will additionally process TCP and UDP checksums, as above,
> this isn’t going to be of any value on a router.
> 
> It’s possible, if everything else is right, then IP checksum offload
> can provide a modest performance improvement, but this is unlikely to
> be more than “noticeable” at the speeds where most individuals run
> pfSense.   However, at 10Gbps (or above), these engines become quite
> useful.   Support for these is an important component of our “3.0”
> effort.
> 
> In case it’s not clear by now, these settings are all *disabled* by
> default in pfSense.

This good explanation should find a way into the wiki!

Jens

Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Bryan D.
On 2015-Mar-04, at 6:20 AM, compdoc  wrote:

> For me, what happens after enabling or disabling those settings are
> immediately apparent.

I guess my approach w.r.t. a mailing list has always been that I'd like to help 
others avoid spending time learning something I can help with.  As such 
(paraphrasing) "try it and you'll see" isn't a response I'd give.  Of course, 
in absence of finding the answer in the documentation or via Mr. Google, we can 
always set up a test system and investigate (given the ominous warnings, I 
wouldn't have done so on a production system) ... but then why have the list?


On 2015-Mar-04, at 7:17 AM, Jim Thompson  wrote:

> Answering any question post-sale is “support”.

Ah, so I should have asked _before_ ordering the NICs?  $;-)


>> Does anyone know the answer to my questions about the various offloading 
>> settings that should be used with these cards?
> 
> LRO works by aggregating [...]
> 
> In case it’s not clear by now, these settings are all *disabled* by default 
> in pfSense.

Thank you for an answer that nicely goes "above and beyond" my expected "(we) 
use these settings" response.

So your effort can be of maximum benefit, I've submitted a slightly 
edited/formatted version of this to be included in the WiKi's applicable 
pfSense documentation page.


Bryan D.
http://www.derman.com/



[pfSense] Using iperf to test throughout

2015-03-04 Thread Manojav Sridhar
Folks,

I am running pfSense 2.2 64-bit on an APU1D4 box. I have installed the iperf 
package. If I start iperf in either  I then I lose all connectivity to my VLAN. 
The router is accessible only via the serial console. From the console I am 
able to ping WAN IPs via the WAN interface but nothing on either my home or 
guest VLAN.

Rebooting the box is the only way I can get connectivity back. This happens in 
client or server mode. Any ideas what is going on? Nothing is obvious on the 
syslog. 

Manoj



Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread Jim Thompson

> On Mar 4, 2015, at 12:54 AM, Bryan D.  wrote:
> 
> Today, having received a pair of SuperMicro AOC-SG-i2 NICs from the pfSense 
> store, I asked about the applicable pfSense "offloading" settings (via the 
> pfSense contact form).
> 
> 
> Receiving an oblique (non-)response, I re-sent a query that included the 
> following text:
> ---
> [...] specifically, what should the pfSense settings be for:
> - Hardware Checksum Offloading
> - Hardware TCP Segmentation Offloading
> - Hardware Large Receive Offloading
> 
> I.E., can each of these be enabled when using AOC-SG-i2 NICs?
> 
> With my current systems, segmentation and large receive offloads are 
> disabled.  I don't remember what the default was (and it's not stated on the 
> configurator page) [...]
> 
> Understand that the configurator page has warnings about these capabilities 
> being "... broken in some hardware drivers, ..." so, even though the NICs are 
> spec'd to support these capabilities, there's still the question whether the 
> drivers work properly [...]  That's the reason for my query.
> ---
> 
> 
> To which I received the following response (an attitude that left me feeling 
> considerably less enthusiastic about trying to support the project):
> ---
> We do not provide pfSense support for these cards unless they are installed 
> in a system we sell. My suggestion is to search the forums for the tuning you 
> desire.
> 
> I know this is not the answer you desire but that is our official response.
> ---
> 
> For the record, I don't really consider these questions to be "support" ... 
> just a clarification of the specs, which should be straightforward given that 
> it's a 1-product organization (and would be best stated on the store's 
> web-page).

Answering any question post-sale is “support”.   You are using a free open 
source product. The only cost to you is to figure out how to make it work.  If 
you are unable or unwilling, then we (and others) offer paid support options.  
There is also, as whomever from Netgate explained, support options including 
the forum and this list.

> Does anyone know the answer to my questions about the various offloading 
> settings that should be used with these cards?

LRO works by aggregating multiple incoming packets from a single stream into a 
larger buffer before they are passed higher up the networking stack, thus 
reducing the number of packets that have to be processed.

LRO should not be used on machines acting as routers, (and it is quite likely 
that you’re using pfSense as a router or, equivalently, a router), as it breaks 
the end-to-end principle and can significantly impact performance.

TSO is similar, but for sending.  It works by queuing up large buffers and 
letting the network interface card (NIC) split them into separate packets just 
before transmit.

Both LRO and TSO can help if you are an endpoint, *not a router*.   If you were 
using pfSense as an appliance (say, for DNS), they would possibly help 
performance.

Now onto “hardware checksum offload”:

First, let’s briefly discuss where checksumming is used.

The Ethernet hardware calculates the Ethernet CRC32 checksum and the receive 
engine validates this checksum. If the received checksum is wrong pfSense won’t 
even see the packet, as the Ethernet hardware internally throws away the 
packet.  (There are exceptions, such as if the interface is in promiscuous 
mode.)

Higher level checksums are “traditionally” calculated by the protocol 
implementation and the completed packet is then handed over to the hardware.  
Recent network hardware can perform the IP checksum calculation, also known as 
checksum offloading. The network driver won’t calculate the checksum itself but 
will simply hand over an empty (zero or garbage filled) checksum field to the 
hardware.

Some cards will additionally process TCP and UDP checksums, as above, this 
isn’t going to be of any value on a router.

It’s possible, if everything else is right, then IP checksum offload can 
provide a modest performance improvement, but this is unlikely to be more than 
“noticeable” at the speeds where most individuals run pfSense.   However, at 
10Gbps (or above), these engines become quite useful.   Support for these is an 
important component of our “3.0” effort.

In case it’s not clear by now, these settings are all *disabled* by default in 
pfSense.

Jim
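
An added example, not part of the original post or of pfSense: the IPv4 header checksum described above, computed in software, with a classifier showing how a header looks in a capture taken before an offloading NIC has filled the field in (zero or garbage). The sample header bytes and all function names are constructed for illustration.

```python
import struct

# Constructed sample: 20-byte IPv4 header, 192.168.0.1 -> 192.168.0.199, UDP,
# with a correct header checksum (0xb861) in bytes 10-11.
SAMPLE = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")


def fold_sum16(data: bytes) -> int:
    """16-bit one's-complement sum over big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_len(packet: bytes) -> int:
    """Header length in bytes from the IHL nibble; rejects malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    return ihl


def compute_checksum(packet: bytes) -> int:
    """Value the protocol stack (or the NIC, when offloaded) puts in bytes 10-11."""
    hdr = packet[:header_len(packet)]
    return ~fold_sum16(hdr[:10] + b"\x00\x00" + hdr[12:]) & 0xFFFF


def classify(packet: bytes) -> str:
    """Label a captured header by the state of its checksum field."""
    hdr = packet[:header_len(packet)]
    stored = struct.unpack("!H", hdr[10:12])[0]
    if fold_sum16(hdr) == 0xFFFF:
        return "valid"
    if stored == 0:
        return "unfilled"   # empty field, as handed to an offloading NIC
    return "mismatch"       # garbage placeholder or real corruption


def with_checksum(packet: bytes, value: int) -> bytes:
    """Return a copy of the packet with bytes 10-11 set to `value`."""
    return packet[:10] + struct.pack("!H", value) + packet[12:]


if __name__ == "__main__":
    for label, pkt in [("on the wire", SAMPLE),
                       ("pre-offload, zero", with_checksum(SAMPLE, 0)),
                       ("pre-offload, garbage", with_checksum(SAMPLE, 0xDEAD))]:
        print(f"{label:22} {classify(pkt):9} expected=0x{compute_checksum(pkt):04x}")
```

A "mismatch" on outbound packets captured on the sending host itself, with checksum offload enabled, is expected and does not by itself indicate corruption; the same result in a capture taken on the wire does.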





Re: [pfSense] NIC Offloading Setting Questions

2015-03-04 Thread compdoc
> With my current systems, segmentation and large receive offloads are 
> disabled.  I don't remember what the default was (and it's not stated 
> on the configurator page) [...]


For me, what happens after enabling or disabling those settings are
immediately apparent.


