Netgate Discussion Forum

    PFSense crashes with TCP Segmentation Offload or Large Receive Offload Enabled

      willk

      Hi All,

      We have three PFSense machines. Two were purchased directly from NetGate and work fine. The last is a SuperMicro 1018D-FRN8T. It has an X10SDV-7TP8F motherboard with both Intel I210 and Intel I350 NICs.

      We found that under a UDP attack there would be a huge number of CPU interrupts, even though CPU usage remained below 30%, but the PF would stop being able to process packets quickly enough. This is exactly what LRO was designed to prevent. However, when we turn LRO on, the system crashes within a few minutes every time. This was with about 400k states, which should be no problem for the system (32 Core Xeon).

      We have 128GB of RAM in the machine, and the MBUF usage was not an issue.

      We had also changed the defaults in the system tunables to these settings with no change in behaviour:
      kern.ipc.nmbclusters 2000000
      kern.ipc.nmbjumbop 1000000
      net.inet.tcp.sendbuf_max 4194304
      net.inet.tcp.recvbuf_max 4194304

      Note that we are not testing under an attack; just switching LRO on with our regular load (about 200-250k states and under 500mb/s bandwidth) causes the system to crash.

      Any advice on getting the most out of this system with PF would be greatly appreciated, as we are at a loss as to how to improve its capabilities and mitigate UDP flood attacks with the PF.

      Thanks,
      Will

        stephenw10 Netgate Administrator

        Was it blocked UDP packets?

        Did you see some Cores pegged at 100% during that time?

        What is the crash you see with LRO enabled? We usually recommend leaving that disabled, though, for just this reason: it can be unstable.

        Steve

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.