SG-1100 NIC Offload - enable or disable?
-
Hi
Just got my SG-1100 today and what a nifty little device :-)
Unfortunately I forgot to look at the NIC hardware offload settings (Checksum, TCP segmentation and Large Send) before I imported my config (adapted with the switch settings for the 1100).
Everything is working fine with all three settings enabled (which disables all NIC hardware offload).
How are these settings intended on the 1100? - is there any additional speed to be had / CPU cycles to be saved by enabling some of the offload features (disable the setting)?
Thanks for helping out :-)
-
You can uncheck Disable hardware checksum offload as that works fine.
As for TSO and LRO, those should always be checked for firewalls, doesn't matter what the hardware is. They are only useful when acting purely as an endpoint (standalone appliance for something like a proxy server, perhaps).
-
Thanks - exactly the kind of knowledge I was looking for :-)
-
@jimp
Is that advice true for all Netgate hardware (e.g., SG-3100) or just the 1100?
-
Which part?
You don't need to disable checksum offloading on any Netgate hardware I'm aware of.
The TSO/LRO advice applies to any pfSense instance acting as a firewall, it's not specific to Netgate hardware.
-
@jimp
Thanks for the validation. I was referring to the "uncheck Disable hardware checksum offload" part. I am getting checksum errors with Suricata after a recent reboot (running on the SG-3100), so I'm still looking into it.
-
If that is an issue it would be specific to Suricata, not the hardware in general.
-
@msf2000 said in SG-1100 NIC Offload - enable or disable?:
checksum errors with Suricata
With Suricata we always
- check "Disable hardware checksum offload" (System->Advanced->Networking)
- disable ALL stream-events.rules or it will block lots of traffic on false positives
Otherwise we get the checksum errors also. https://forum.netgate.com/topic/122571/suricata-floods-the-log-with-invalid-checksum