The Intel network card cannot work in full-duplex mode. In half-duplex mode

[wuwzy]

The Intel network card cannot work in full-duplex mode. In half-duplex mode, there are errors in both incoming and outgoing.

Just upgraded to the latest version：
OPNsense 22.7.2-amd64
FreeBSD 13.1-RELEASE-p1
OpenSSL 1.1.1q 5 Jul 2022
----------------------------------------

There was no problem before, I will give feedback and hope to get attention. Currently in half-duplex mode, it can still be used, but there will be packet errors.

network card that can be used normally



Full-duplex can be used before, but now only half-duplex network cards can be used.



There will be packet errors


 

[wuwzy]

After I swapped the intel network card with the dell network card, the problem was solved. It seems that there are some problems with the support for intel network cards. But the specific intel network card model I have to remove it to find out.

[JeroenS]

Hello Wuwzy and other OPNsense forum members,

In our office we have been running 22.1 for over a year connected to our ISP.
The ISP has fixed the internet connection to 100Mbit Full Duplex and auto negotiation is disabled.
So we had the WAN Intel NIC set to 100Mbit Full Duplex.

After upgrading to 22.7.4 the WAN connection is lost.

I changed the configuration of the WAN interface to default, the internet connection is up again, but with packet loss. As the OPNsense box will try to auto negotiate but fails and will fall back to 100Mbit Half Duplex, while the ISP is configured to 100Mbit Full Duplex.

Clearly this is something that is broken in the upgrade between 22.1 and 22.7.1. And upgrading to 22.7.4 did not solve the issue.

The devices used in this firewall are:

igb0@pci0:1:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb1@pci0:2:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb2@pci0:3:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb3@pci0:4:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb4@pci0:5:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
igb5@pci0:6:0:0:        class=0x020000 rev=0x03 hdr=0x00 vendor=0x8086 device=0x1539 subvendor=0x8086 subdevice=0x0000
    vendor     = 'Intel Corporation'
    device     = 'I211 Gigabit Network Connection'
    class      = network
    subclass   = ethernet

These devices are onboard and cannot be swapped.

Please let me know if you need more information. Currently i do not know what more useful information to share, but please let me know.

To wuwzy, you can check the network interface type via the commandline when you ssh into the device.
pciconf -lv

[wuwzy]

My solution is to replace the network card. Obviously, what you describe is the same thing I encountered. Fortunately, I'm using an old dell tower server. I didn't have time to research the problem a little bit, it was a device that couldn't be stopped for a long time, so I just replaced the NIC and it solved it. According to experience, the network card of inter should be supported for a long time. But in the latest update, that legend was put to an end.

[JeroenS]

I have done some tests connecting an interface to an unused network switch.
When the switch and firewall are set to auto negotiation everything is fine.
As soon as you set the interface to fixed to 100 Mbit for the switch and firewall the interface stays down.
When you leave the equipment set to auto, and only advertise 10Mbit on the network switch the firewall works.
However changing the network switch to allow voor 100Mbit the interface on the firewall stays on 10Mbit.

It looks like something is not working correctly in the driver, which was not a problem in the 22.1 version.

Can somebody from the OPNsense project give more insight on the changes regarding the Intel network interfaces? Or is it something that is a problem in FreeBSD itself?

[lilsense]

Make sure it's set to auto on both ends. Auto/Full = Half as opposed to auto/auto=Full or Full/Full = Full.

[JeroenS]

Hi lilsense,

Thank you for helping.
While doing the tests I had both sides configured the same way. Otherwise one of the devices will drop packets.

The thing is when both network switch and firewall to 100Mbit Full Duplex the link does not come up. If I configure my laptop interface to 100Mbit full duplex and connect to the switch the link works. But if I connect the laptop to the interface of the firewall the link is down.

I did not have this problem with 21.1 but occurred while upgrading to 21.7. did it from home at a time no body was in the office. Afterwards I had to go to the office because internet was down.

[lilsense]

What happens when you set both to auto.

[WN1X]

You may want to check to see if that Intel card is a fake. Check the Yottamark: http://verify.yottamark.com/

[csutcliff]

https://forum.opnsense.org/index.php?topic=29916.0

It's a bug in 22.7. Revert to 22.1 for now

I think I've got some attention on this via Reddit.

[csutcliff]

Fix here:

https://www.reddit.com/r/opnsense/comments/xw4oiz/comment/ir4vchi/?utm_source=share&utm_medium=web2x&context=3

[JeroenS]

@lilsense, if both interfaces are set to auto then it works fine.

I have been out of the office for work, but i will check if they are genuine Intel cards as well as have a look at the bug.
If it is the case I will join Reddit as well to get some more attention to this problem.

Many thanks for the support so far.

[franco]

If it's the reddit issue it was already technically resolved in a test kernel, but not yet in 22.7.x


Cheers,
Franco

[JeroenS]

That is great news franco.

Do you need the test kernel to be tested on our platform? Is this something i can help with? as i assume it may take some time for the new kernel to be released?

I found the answers in the Reddit page.
https://www.reddit.com/r/opnsense/comments/xw4oiz/comment/ir4qdc8/

This week i will try the update at my firewall at home. If it works i will patch the firewall in the office. and remove the network switch, which is currently converting 100Mbit full duplex fixed to auto negotiation.

[JeroenS]

I have updated the kernel to the 22.7.5-e1000 version. Now the link is immediately up and solves the problem with the intel network cards. Thank you Franco and csutcliff for pointing in the right direction.

Looking through the diff here https://reviews.freebsd.org/D34449 it seems that something is implemented to comply with a standard, which has changed after millions of network switches and devices are not doing auto negotiation when they are set fixed to 10 or 100 Mbit, half or full duplex.

The problem with changing this is that the device on the other side must be changed as well. Often this is outside of the control of the person implementing this change.

In our case the ISP has configured a network switch to 100Mbit Full duplex and will not change there procedures as it is identical for all their customers. And this is difficult to change as it will require actual negotiation between people to reconfigure both devices at the same time to auto negotiation in order to keep the connection up with minimum downtime as possible.

I will keep an eye on the reddit threats and the freeBSD diff to see when it will be fixed in the next mainstream release.

I have suggested to the ISP that instead they set their interfaces to 100Mbit Full duplex to enable auto negotiation but only advertise 100Mbit full duplex. This is much easier for their customers as they do not have to configure their device and if the customer upgrades to 1Gbit in the future, they just advertise the 1Gbit as well.

But it is difficult to migrate to this solution, as it will require al their current customers to switch from fixed 100Mbit Full Duplex to auto negotiation. So i doubt they will implement this.