Disable hardware checksum offload via Shell

[MarieSophieSG]

Hello,
Like a good newb' I have removed all check in Interfaces Setting, including "Disable hardware checksum offload" which was working fine until I set the IDS/IPS ... and I lost access to the GUI (But I'm still connected to Internet)

Is there a way *Through the Console* (As I lost access to GUI)
- to reverse last changes to prior config
- or to specifically re-check the "Disable hardware checksum offload"
- or to specifically uncheck IDS/IPS (To regain access to GUI and check "Disable hardware CRC"
 
=> or do I have to reinstall the whole system and start over ?

[MarieSophieSG]

Silly me ...
Shell option 8, restore backup.

I've tried a few strating from the most recent (to try to keep as much changes as possible, not having to re-do them all) and found one that did indeed reestablish the access to GUI !

[Saarbremer]

Another solution is to use

Code Select Expand

ifconfig [-]rxcsum,[-]txcsum

etc.

check its manpage for more options. Or the source code of the web ui for its usage.

https://github.com/opnsense/core/blob/3cbc7927db174f51eec007739b4fcf4247a18948/src/etc/inc/interfaces.lib.inc#L548

[dunxd]

I've done exactly the same thing just now, and can't access the web GUI.  It also seems to have stopped SSH from working.  But the internet connection is still up (for now).
I had enabled Zenarmor, and didn't realise that this had the same issues with hardware offloading as Suricata.
Do I really need to attach a monitor and keyboard to my hardware (which is in my dark basement) in order to resolve this?

[meyergru]

This is the second time this topic came up today: https://forum.opnsense.org/index.php?topic=49613

Do you folks ever read any docs? See the hardware CRC section here: https://docs.opnsense.org/manual/interfaces_settings.html

To address your question: Unless you have access from the internet side or other out-of-band access, you will have to revert to the previous configuration via the console.

You can use the os-auto-recovery-community from mimugmails repository to schedule an automatic revert before making potentially unsafe changes, but now it is too late.

[dunxd]

Yeah - I read the docs (not what you linked but docs for Zenarmor and Suricata do say to disable offloading ) but did it anyway not realising the results of doing that would be so extreme :-)

Mistakes are better teachers than the manual...

[dunxd]

Here's how I tried to fix it.

Connect monitor and keyboard to device.  The console didn't come up on the screen so I hit CTRL + ALT + DEL which rebooted OPNsense and I could see the boot process and got to the login screen. After logging in I saw a lot of lines relating to errors, so I pulled all the network cables which allowed me to interact with the CLI.

I then ran ifconfig to list all interfaces, and could see all the hardware offloading was enabled on igb0, igb1 and lo0,

I then ran these commands to disable all the offloading:

Code Select Expand

sudo ifconfig igb0 -txcsum -rxcsum -txcsum6 -rxcsum6 -tso -lro -vlanhwtag -vlanhwcsum -vlanhwfilter -vlanhwtso
sudo ifconfig igb1 -txcsum -rxcsum -txcsum6 -rxcsum6 -tso -lro -vlanhwtag -vlanhwcsum -vlanhwfilter -vlanhwtso
sudo ifconfig lo0 -txcsum -rxcsum -txcsum6 -rxcsum6 -tso -lro -vlanhwtag -vlanhwcsum -vlanhwfilter -vlanhwtso
These flags are referenced on https://docs.opnsense.org/manual/interfaces_settings.html

I confirmed this had worked with another ifconfig to see the current settings of the interfaces.

Unfortunately this didn't result in me being able to access the webgui, so I fell back to the recovery steps detailed at https://docs.opnsense.org/troubleshooting/config_reset.html and restored from a backup immediately before I enabled the hardware offsetting.  Once I rebooted I was able to login to the WebGUI and all was well again. Phew. 

I double checked that all the hardware offsetting is disabled and indeed it is.

os-auto-recovery-community sounds very helpful so I will go ahead and set that up now. Thanks for the suggestion meyergru!