TCP Offloading (TOE) Question

tman222 · Aug 25, 2018, 4:50 PM

Hi all,

I have a quick related to NIC tuning and configuration: I've read in several places that it makes sense to disable TCP offloading (TOE) on NIC's that are used within routers/firewalls (e.g. pfSense). Is this because in a router/firewall like pfSense each packet has to be processed by the CPU anyway, so there is really no point in off loading that work to the NIC (i.e. it just adds extra complexity or latency), or is it mainly done for speed reasons (i.e. the CPU can process packets faster than the NIC)? Or are there other reasons? Thanks in advance for your help and explanation, I really appreciate it.

stephenw10 · Aug 27, 2018, 12:34 PM

Mostly it's because the vast majority of traffic though the firewall is not connections terminated on it. It's connections between clients behind the firewall and servers on the Internet. Those offloading options only help TCP connections terminated at the firewall.

Of that small proportion of traffic the benefits of offloading are minimal and some drivers don't support it correctly so there is risk of it breaking.

Leaving the default settings works on almost every case. Very very occasionally we see something that doesn't work with TCP checksum offloading and that also has to be disabled.

Steve

tman222 · Aug 28, 2018, 12:44 AM

Thanks @stephenw10. Did you mean leave the default TOE settings that the NIC driver dictates, or leave the pfSense default offloading settings? Thanks again.

stephenw10 · Aug 28, 2018, 5:51 PM

I mean leave the pfSense default settings unless you have some really good reason to change them.

Steve