pfSense template

[olivierlambert]

We should add another extra "empty" template by default in XCP-ng: pfSense.

This template should contains all the settings needed to work correctly (eg no hardware eth checksum etc).

@Fohdeesha can you give me all the right settings to do?

[Fohdeesha]

This is a really good idea! The only thing that needs changing on the xen side is other-config:ethtool-tx="off" for every interface added to the VM. Is there a way we can have the template do this for interfaces added during VM creation, but also interfaces added later? (after the VM has been created).

There's a couple commands that need to be ran in the VM afterwords to install xentools, but I don't think we can handle those with a template. My info here has everything needed (some guides say to turn off checksumming in pfsense UI, or turn off other offload settings in xen, but from testing they don't do anything at best and actually harm performance at worst) https://forum.netgate.com/topic/97553/pfsense-2-3-on-xen-server/5

[Fohdeesha]

also FYI freebsd keeps saying this will be fixed so maybe one day it won't be necessary, but after seeing it supposedly fixed and then still broken in freeBSD 10, 11, and now 12, I don't have my hopes up

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=188261

[olivierlambert]

I need to check if there is a way to have a kind of "sticky" config that would disable eth-tool thing for each VIF created then. I'm not sure it exists.

You don't need to disable it for RX?

[Fohdeesha]

nope, just tx

[borzel]

Edited my wiki entry (https://github.com/xcp-ng/xcp/wiki/Guest-System-Support#pfsense) to redirect to this thread

[De-Occultist]

This script is useful to run against the VM instance ID to turn off TCP offloading https://github.com/cloudnull/XenServer-Offloading-Off

XenServer Turning Off TCP Offloading

If you are looking for a simple solution that can allow you to disable TCP checksumming on a XenServer Hypervisor this script is what you have been looking for. Here are the highlights of this script :

• Disables Hardware offloading using the ethtool
• Able to disable VIF Hardware offloading on a particular Instance
• Has Instance ID Checking to ensure action will be valid
• Able to disable PIF Hardware offloading on a particular Device
• Has the ability to disable ALL of the off loading for the entire Host Server
• Enforces a sanity check before performing actions on the entire Host Server

To have an idea of what this script truly does please have a look at my previous article which goes into detail on disabling TCP Offloading. You can get to the article here : XenServer Network Tuning

When you run the script you have to pass a variable or the script will refuse to run. The two possible variables are ALL or the Instance ID, which is commonly referred to as the "name-label".

An example of the Instance ID : $ offloadingoff.sh pfSense-vm

Edit: The above is unnecessary for the pfSense VMs as per @Fohdeesha. The script can be useful and modified accordingly in certain cases to troubleshoot other offloading issues, which is what I'm doing atm.

[Fohdeesha]

on the latest xenserver and pfsense, all of that is unnecessary (and can actually hurt performance) except for xe vif-param-set uuid=$VIFUUID other-config:ethtool-tx="off" - this is the only modification necessary

[maayant]

While on the topic, although I'm not sure if this requires a dedicated thread. Going over 7 NICs for pfSense freezes the VM (tested on latest XCP and pfSense versions).

https://redmine.pfsense.org/issues/8207 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=183337

[stormi]

Do we still need a specific pfSense template?

[olivierlambert]

nope, also you can't really configure other config in VIF in a template. This was the main reason of this issue.

[stormi]

If I understood the answer correctly, there is not need for this template anymore (unless we still want to provide one as a convenience). Closing, feel free to reopen.