Does Turning Off Ips Enable Hardware Offloading Again
Networking Tab
IPv6 Options
Allow IPv6
The Allow IPv6 option controls a set of block rules which prevent IPv6 traffic from being handled by the firewall.
Note
This option does not disable IPv6 functions or prevent it from being configured; it only controls traffic flow.
When the option is enabled, IPv6 traffic will be allowed when permitted by firewall rules and/or automatic rules, depending on the firewall configuration. This option is enabled by default on new configurations.
When the option is unchecked, all IPv6 traffic will be blocked. This behavior is similar to how IPv6 was treated before it was supported by pfSense® software. Configurations imported from or upgraded from versions older than 2.1 will have this option unchecked, so they behave consistently after upgrade.
IPv6 over IPv4 Tunneling
The Enable IPv6 over IPv4 Tunneling option enables forwarding for IP protocol 41/RFC 2893 to an IPv4 address specified in the IPv4 address of Tunnel Peer field.
When configured, this forwards all incoming protocol 41/IPv6 traffic to a host behind this firewall instead of handling it locally.
Tip
Enabling this option does not add firewall rules to permit the protocol 41 traffic. A rule must exist on the WAN interface to allow the traffic to pass through to the local receiving host.
Prefer IPv4 over IPv6
When set, this option causes the firewall itself to prefer sending traffic to IPv4 hosts instead of IPv6 hosts when a DNS query returns results for both.
In rare cases when the firewall has partially configured, but not fully routed, IPv6, this can allow the firewall to continue reaching Internet hosts over IPv4.
Note
This option controls the behavior of the firewall itself, such as when polling for updates, package installations, downloading rules, and fetching other data. It cannot influence the behavior of clients behind the firewall.
IPv6 DNS Entry
This option controls whether or not the firewall creates local DNS entries for the firewall itself with IPv6 addresses, when available.
By default (unchecked), the firewall automatically adds DNS entries for itself using its local IPv4 and IPv6 interface addresses. In some cases, such as with dynamic IPv6 addresses like tracked interfaces, the IPv6 address may disappear or change and clients may attempt to use an outdated address until their cached DNS response expires.
When the option is checked, the firewall only adds DNS entries for its IPv4 addresses.
DHCP6 DUID
This option controls the DHCPv6 Unique Identifier (DUID) used by the firewall when requesting an IPv6 address. The firewall generates a DUID automatically, but in some cases, an administrator may want to use a different DUID. For example, if the operating system was reinstalled and the firewall should use the same DUID it had in the past, or if an upstream network administrator requires a specific DUID.
Note
Most users do not need to modify this to any specific value; the default behavior is fine for nearly all environments. When in doubt, leave it alone unless directed to change it by an upstream network provider.
There are several possible DUID formats that this option can take, chosen by the drop-down menu. When a format is chosen, the GUI displays a different set of input boxes specific to the selected format. The exact format depends upon the needs of the network administrator (e.g. ISP, datacenter, etc) and they would provide the format and values.
The available DUID formats are:
- Raw DUID: DUID represented exactly as observed in a DUID file or in logs. Entered as:
  - Raw DUID: A single text area in which the DUID can be entered. This option also includes a Copy DUID button which copies the DUID from the placeholder (automatically generated by the firewall) into the text box so that the existing DUID can easily be placed into the configuration.
- DUID-LLT: DUID format with Link-Layer Address Plus Time. Entered as:
  - Time: Time (in seconds) since January 1st, 2000 UTC.
  - Link-Layer Address: The link-layer address (MAC) of an interface on the firewall in the format xx:xx:xx:xx:xx:xx.
- DUID-EN: DUID assigned by a vendor based on Enterprise Number. Entered as:
  - Enterprise Number: IANA Private Enterprise Number of the vendor.
  - Identifier: Variable length identifier in the format xx:xx:xx:xx. The length depends upon the vendor.
- DUID-LL: DUID based on only Link-Layer Address. Entered as:
  - Link-Layer Address: The link-layer address (MAC) of an interface on the firewall in the format xx:xx:xx:xx:xx:xx.
- DUID-UUID: DUID based on the host Universally Unique Identifier (UUID). Entered as:
  - DUID-UUID: The UUID for this host in the format nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn.
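How the structured fields above map onto a single byte string, as an added example that is not part of the original documentation or of pfSense itself. It follows the DUID layouts in RFC 8415 (and RFC 6355 for DUID-UUID), assumes Ethernet (hardware type 1) for every MAC, uses hypothetical function names and constructed sample values, and does not model any extra framing the firewall's own DUID file may add.

```python
import struct
import uuid

HW_ETHERNET = 1  # assumption: every link-layer address here is an Ethernet MAC

def _hex(data: bytes) -> str:
    return ":".join(f"{b:02x}" for b in data)

def _unhex(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def duid_llt(seconds_since_2000: int, mac: str) -> str:
    # type 1, hardware type, 32-bit time (wraps modulo 2^32), link-layer address
    head = struct.pack("!HHI", 1, HW_ETHERNET, seconds_since_2000 % 2**32)
    return _hex(head + _unhex(mac))

def duid_en(enterprise_number: int, identifier: str) -> str:
    # type 2, 32-bit IANA enterprise number, vendor-defined identifier
    return _hex(struct.pack("!HI", 2, enterprise_number) + _unhex(identifier))

def duid_ll(mac: str) -> str:
    # type 3, hardware type, link-layer address
    return _hex(struct.pack("!HH", 3, HW_ETHERNET) + _unhex(mac))

def duid_uuid(host_uuid: str) -> str:
    # type 4, 128-bit UUID
    return _hex(struct.pack("!H", 4) + uuid.UUID(host_uuid).bytes)

def describe(raw: str) -> dict:
    """Decode a colon-separated DUID back into the fields listed above."""
    data = _unhex(raw)
    if len(data) < 3:
        raise ValueError("DUID too short")
    dtype, body = struct.unpack("!H", data[:2])[0], data[2:]
    if dtype == 1 and len(body) > 6:
        _, seconds = struct.unpack("!HI", body[:6])
        return {"format": "DUID-LLT", "time": seconds, "link_layer": _hex(body[6:])}
    if dtype == 2 and len(body) > 4:
        number = struct.unpack("!I", body[:4])[0]
        return {"format": "DUID-EN", "enterprise": number, "identifier": _hex(body[4:])}
    if dtype == 3 and len(body) > 2:
        return {"format": "DUID-LL", "link_layer": _hex(body[2:])}
    if dtype == 4 and len(body) == 16:
        return {"format": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    return {"format": "unknown", "type": dtype}
```

Decoding a DUID seen in logs with `describe()` before entering it shows which of the formats an upstream provider is actually expecting.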
Network Interfaces
Hardware Checksum Offloading
When checked, this option disables hardware checksum offloading on the network cards. Checksum offloading is usually beneficial as it allows the checksum to be calculated (outgoing) or verified (incoming) in hardware at a much faster rate than it could be handled in software.
Note
When checksum offloading is enabled, a packet capture will see empty (all zero) or flag incorrect packet checksums. These are normal when checksum handling is happening in hardware.
Checksum offloading is broken in some hardware, particularly Realtek cards and virtualized/emulated cards such as those on Xen/KVM. Typical symptoms of broken checksum offloading include corrupted packets and poor throughput performance.
Tip
In virtualization cases such as Xen/KVM it may be necessary to disable checksum offloading on the host as well as the VM. If performance is still poor or has errors on these types of VMs, switch the type of NIC if possible.
Hardware TCP Segmentation Offloading
Checking this option will disable hardware TCP segmentation offloading (TSO, TSO4, TSO6). TSO causes the NIC to handle splitting up packets into MTU-sized chunks rather than handling that at the OS level. This can be faster for servers and appliances as it allows the OS to offload that task to dedicated hardware, but when acting as a firewall or router this behavior is highly undesirable as it actually increases the load as this task has already been performed elsewhere on the network, thus breaking the end-to-end principle by modifying packets that did not originate on this host.
Warning
This option is not desirable for routers and firewalls, but can benefit workstations and appliances. It is disabled by default, and should remain disabled unless the firewall is acting primarily or solely in an appliance/endpoint role.
Do not uncheck this option unless directed to do so by a support representative. This offloading is broken in some hardware drivers, and can negatively impact performance on affected network cards and roles.
Hardware Large Receive Offloading
Checking this option will disable hardware large receive offloading (LRO). LRO is similar to TSO, but for the incoming path rather than outgoing. It allows the NIC to receive a large number of smaller packets before passing them up to the operating system as a larger chunk. This can be faster for servers and appliances as it offloads what would normally be a processing-heavy task to the network card. When acting as a firewall or router this is highly undesirable as it delays the reception and forwarding of packets that are not destined for this host, and they will have to be split back up again on the outbound path, increasing the workload significantly and breaking the end-to-end principle.
Warning
This option is not desirable for routers and firewalls, but can benefit workstations and appliances. It is disabled by default, and should remain disabled unless the firewall is acting primarily or solely in an appliance/endpoint role.
Do not uncheck this option unless directed to do so by a support representative. This offloading is broken in some hardware drivers, and can negatively impact performance on affected network cards and roles.
hn ALTQ Support
Checking this option will enable support for ALTQ traffic shaping on hn(4) network interfaces in Hyper-V.
For ALTQ to work on hn(4) interfaces, the operating system must disable the multi-queue API, which may reduce the system's capability to handle traffic. The administrator must decide if this reduction in performance is worth the benefit of traffic shaping.
The firewall must be rebooted for this setting to take effect.
Suppress ARP messages
The firewall makes a log entry in the main system log when an IP address appears to switch to a different MAC address. This log entry notes that the device has moved addresses, and records the IP address and the old and new MAC addresses.
This event can be completely benign behavior (e.g. NIC teaming on a Microsoft server, a device being replaced) or a legitimate client problem (e.g. IP conflict), and it could show up constantly or rarely if ever. It all depends on the network environment.
The best practice is to allow these ARP messages to be printed to log since there is a chance it will report a problem worth the attention of a network administrator. However, if the network environment contains systems which generate these messages while operating normally, suppressing the errors can make the system log more useful as it will not be cluttered with unneeded log messages.
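One way to triage these entries before deciding whether to suppress them, as an added example that is not part of the original documentation. It assumes the FreeBSD-style kernel message `arp: <ip> moved from <old mac> to <new mac> on <interface>`; the log lines, addresses and the function name `classify_arp_moves` are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed message shape; adjust the pattern if the system log differs.
MOVED = re.compile(
    r"arp: (\S+) moved from ([0-9a-f:]{17}) to ([0-9a-f:]{17}) on (\S+)"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw kernel: arp: 192.0.2.10 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on igb1
Jan 10 09:00:07 fw kernel: arp: 192.0.2.10 moved from 00:11:22:33:44:66 to 00:11:22:33:44:55 on igb1
Jan 10 09:00:12 fw kernel: arp: 192.0.2.10 moved from 00:11:22:33:44:55 to 00:11:22:33:44:66 on igb1
Jan 10 11:30:00 fw kernel: arp: 192.0.2.20 moved from 02:00:00:00:00:01 to 02:00:00:00:00:02 on igb1
Jan 10 11:31:00 fw sshd[123]: unrelated log line
"""

def classify_arp_moves(log_text: str) -> dict:
    """Group 'moved' events per IP and separate one-off moves from flapping."""
    moves = defaultdict(list)
    for line in log_text.splitlines():
        match = MOVED.search(line)
        if match:
            ip, old, new, _ifname = match.groups()
            moves[ip].append((old, new))

    report = {}
    for ip, events in moves.items():
        # Flapping: the IP went back to a MAC it had already moved away from.
        # That fits teaming or an IP conflict, not a simple device replacement.
        returned = any(
            new in {old for old, _ in events[:i]}
            for i, (_, new) in enumerate(events)
        )
        report[ip] = {
            "status": "flapping" if returned else "moved",
            "events": len(events),
            "macs": sorted({mac for pair in events for mac in pair}),
        }
    return report
```

Addresses reported as `flapping` that do not belong to a known teaming or failover setup are the ones worth an administrator's attention; a single `moved` entry is what a replaced device produces.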
Reset All States
When set, if an interface IP address changes, the firewall will reset the entire state table instead of only clearing states for the old interface IP address.
This behavior is potentially disruptive, and is off by default. In single WAN environments, this is not typically any more disruptive than the WAN address changing, since clients already have to reestablish all connections.
In most cases, this behavior is not necessary, but it can help in certain situations where WAN addresses change rapidly and the normal behavior misses states for old IP addresses.
Source: https://docs.netgate.com/pfsense/en/latest/config/advanced-networking.html