Solved Cannot Disable Interface's Promiscuous mode on FreeBSD 11.0 STABLE

Hi folks,

I want to disable promiscuous mode on interfaces on FreeBSD 11.0 STABLE, but it seems nothing happens after I run "ifconfig ix0 -promisc".

I've tried rebooting it again and again, but still nothing has changed.

I've tried to disable the promiscuous mode, but nothing's changed:
http://imgur.com/a/f4E8A

dmesg: http://pastebin.com/XGq4nf3g
/var/log/messages: http://pastebin.com/UBmxN2Kd

Code:
[root@phy-freebsd2 ~]# uname -a
FreeBSD phy-freebsd2 11.0-STABLE FreeBSD 11.0-STABLE #0 r308135: Mon Oct 31 19:17:52 UTC 2016     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
[root@phy-freebsd2 ~]# more /etc/rc.conf
sendmail_enable="NONE"
sshd_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
hostname="phy-freebsd2"
ifconfig_ix0="inet 192.168.14.42  netmask 255.255.255.0 -promisc up"
ifconfig_ix1="inet 192.168.200.42 netmask 255.255.255.0 -promisc up"
ifconfig_ix0_alias0="vhid 14 alias 192.168.14.40/32"
ifconfig_ix1_alias0="vhid 200 alias 192.168.200.1/32"
ifconfig_igb0="up"
ifconfig_igb1="up"
cloned_interfaces="lagg0"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 192.168.201.42/24"
defaultrouter="192.168.14.1"
pf_enable="YES"
pflog_enable="YES"
pf_rules="/etc/pf.conf"
pglog_logfile="/var/log/pflog"
pfsync_enable="YES"
pfsync_syncdev="lagg0"
gateway_enable="YES"
[root@phy-freebsd2 ~]# more /boot/loader.conf
carp_load="YES"
[root@phy-freebsd2 ~]# more /etc/sysctl.conf
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.carp.ifdown_demotion_factor=240
net.inet.carp.senderr_demotion_factor=240
net.inet.carp.demotion=0
net.inet.carp.log=1
net.inet.carp.preempt=1
net.inet.carp.allow=1
net.pfsync.carp_demotion_factor=240


Can you show me how to disable promiscuous mode completely on FreeBSD 11.0 STABLE?


Thank you in advance
 
Promiscuous mode is turned off by default. Only root has the ability to turn it on (running tcpdump(1) for example enables it).

Using ifconfig {...} -promisc simply turns promiscuous mode on or off, it doesn't disable it.
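As an added defender's check (example script, not from this thread or from the FreeBSD project): it parses `ifconfig -a` output for the PROMISC flag and `netstat -B` output for the BPF consumer (tcpdump and the like) that turned it on, so an interface in promiscuous mode with no BPF peer stands out. Both inputs below are constructed samples; on a real host replace them with `$(ifconfig -a)` and `$(netstat -B)`.

```shell
#!/bin/sh
# Constructed sample of `ifconfig -a` output (not the thread's machine).
SAMPLE_IFCONFIG='ix0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.14.42 netmask 0xffffff00 broadcast 192.168.14.255
ix1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.200.42 netmask 0xffffff00 broadcast 192.168.200.255
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384'

# Constructed sample of `netstat -B` output: one BPF peer, a tcpdump on ix0.
SAMPLE_NETSTAT_B='  Pid  Netif   Flags      Recv      Drop     Match Sblen Hblen Command
 1234    ix0 p--s---     12345         0     12345     0     0 tcpdump'

# Print the name of every interface whose flag list contains PROMISC.
# Only interface header lines start in column 1; address lines are indented.
promisc_ifaces() {
    printf '%s\n' "$1" | awk -F'[:<>]' '/^[a-z]/ && $3 ~ /(^|,)PROMISC(,|$)/ { print $1 }'
}

# Print "pid command" for every BPF peer attached to interface $1 in the
# netstat -B output given as $2 (header line skipped).
bpf_peers() {
    printf '%s\n' "$2" | awk -v ifc="$1" 'NR > 1 && $2 == ifc { print $1, $NF }'
}

# Report each promiscuous interface together with who holds a BPF descriptor on
# it. Returns 1 when any interface is promiscuous, so it can gate a cron alert.
audit_promisc() {
    ifc_out=$1; ns_out=$2; rc=0
    for ifc in $(promisc_ifaces "$ifc_out"); do
        rc=1
        peers=$(bpf_peers "$ifc" "$ns_out")
        if [ -n "$peers" ]; then
            printf '%s: PROMISC, BPF consumer(s): %s\n' "$ifc" "$(printf '%s' "$peers" | xargs)"
        else
            # Nobody is sniffing via BPF: the flag was set some other way
            # (ifconfig promisc, a bridge/lagg member, or the driver itself).
            printf '%s: PROMISC with no BPF consumer, check ifconfig/driver\n' "$ifc"
        fi
    done
    return $rc
}

audit_promisc "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT_B"
```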
 
Hi SirDice,

I have made sure that there's no tcpdump process running anywhere in the OS (FreeBSD 11.0 STABLE is installed on a physical machine). I have even rebooted it many times, but the "PROMISCUOUS" flag is still there; this flag means that promiscuous mode is still on, right?
Even running "ifconfig <my interface> -promisc" didn't turn off promiscuous mode.

How to do it right?



You can turn promiscuous mode on or off; why do you want to disable it?
I don't quite understand the definition and difference between turning off promiscuous mode and disabling promiscuous mode.
 
I have made sure that there's no tcpdump process running anywhere in the OS (FreeBSD 11.0 STABLE is installed on a physical machine). I have even rebooted it many times, but the "PROMISCUOUS" flag is still there; this flag means that promiscuous mode is still on, right?
No, it means the interface has a feature called "promiscuous".

I don't quite understand the definition and difference between turning off promiscuous mode and disabling promiscuous mode.
If something is disabled it cannot be turned on.

Again, what are you trying to accomplish?
 
If something is disabled it cannot be turned on.
Thank you, I will try to keep that in mind.


Again, what are you trying to accomplish?
In April 2016, we set up FreeBSD 9.3 on a physical server for NAT using PF.
The ix0 has a static public IP and is connected to a WAN switch; the ix1 has a static private IP and is connected to a LAN switch.
After the FreeBSD server had fully booted up, I connected ix0 to the WAN switch, but suddenly the other public servers that are also connected to the same WAN switch and also have static public IPs started experiencing bad ping latency, fluctuating between 17ms-35ms, when we ping them from the cloud.
After I powered off the FreeBSD server, the ping latency of the other public servers suddenly went back to normal, stable at 12ms constantly.

At that time, we hadn't done anything to the FreeBSD yet; actually there were no PF rules yet, and CARP was not set up yet.
So I guess maybe it was because of promiscuous mode; maybe the packets from the other public servers were forced to go through the FreeBSD first instead of directly to the ISP gateway.

So I decided to try again with the latest stable FreeBSD with promiscuous mode turned off.


No, it means the interface has a feature called "promiscuous".
I don't understand why, on the same server with another interface (which is a PCI NIC card, instead of the onboard ix0-ix1), when we do "ifconfig igb0 promisc" the PROMISCUOUS flag appears, and when we do "ifconfig igb0 -promisc" the PROMISCUOUS flag disappears.
Screen shot: http://imgur.com/a/mApDR
How can we get the same behaviour as above with the on-board interfaces (ix0 and ix1)?
 
After the FreeBSD server had fully booted up, I connected ix0 to the WAN switch, but suddenly the other public servers that are also connected to the same WAN switch and also have static public IPs started experiencing bad ping latency, fluctuating between 17ms-35ms, when we ping them from the cloud.
After I powered off the FreeBSD server, the ping latency of the other public servers suddenly went back to normal, stable at 12ms constantly.
This has nothing to do with promiscuous mode. A more likely scenario is a duplicate IP address or, when dealing with virtual servers, a duplicate MAC address.

So I guess maybe it was because of promiscuous mode; maybe the packets from the other public servers were forced to go through the FreeBSD first instead of directly to the ISP gateway.
No, this never happens, even with promiscuous mode on.

So I decided to try again with the latest stable FreeBSD with promiscuous mode turned off.
Promiscuous mode is off by default. It needs to be turned on explicitly.
 