Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Advanced Configuration Settings question

    Firewalling
    3
    4
    228
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jc1976
      last edited by jc1976

      hello everyone!

      still trying to learn all about firewalling so go easy on me. LOVE pfsense!

      going through the advanced configuration settings, towards the bottom are the options for disabling hardware checksum, TSO, and LRO handling. by default, mine are 'unchecked', meaning the nic is handling these tasks.. up until last night, i assumed this is a good thing.

      upon reading up on it (and it would make more sense if i understood it better), the documentation seems to say that 'if it's used as a firewall only, i should check these boxes to disable the hardware offloading'.

      my firewall is an old dell optiplex 790 with an i7-2600k cpu (hyperthreading disabled, because suricata doesn't seem to like it). 16GB of ram, the onboard intel nic for the LAN side, and an Intel dual port server nic for the wan side (because it's far more powerful than the onboard chip).

      it does firewalling, IPS/IDS, clamAV, pfblocker, and all that stuff ONLY. dhcp to my wired and wireless devices is handled by an asus wifi router, that doesn't do anything other than dhcp and wifi.. the pfsense box just stands between me and my cable modem for protection. Yes, overkill, but trying to learn these things.

      so, can someone explain to me what i should do? (leave enabled or disable the tso and lro hardware offloading)?

      thank you!!

      KOMK S 2 Replies Last reply Reply Quote 0
      • KOMK
        KOM @jc1976
        last edited by

        @jc1976 If it ain't broke, don't fix it. Are you getting the expected performance for your link without any weird connection problems? If so, you might want to leave it alone.

        However...

        Those are conservative settings to make sure it just works for the greatest amount of users. You could try re-enabling them all and see it if gives you any problems or gains (lower RAM /CPU use).

        J 1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @jc1976
          last edited by

          @jc1976 Since you mentioned Suricata, our notes say we should "Disable hardware checksum offload" if using Suricata or Snort. IIRC this is because otherwise Suricata (in Legacy mode) complains about checksums in the copies of packets it analyzes.

          (also for Suricata, we disable ALL stream-events.rules in it, or it will block lots of traffic on false positives)

          Only install packages for your version, or risk breaking it. If yours is older, select it in System/Update/Update Settings.
          When upgrading, let it finish. Allow 10-15 minutes, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 0
          • J
            jc1976 @KOM
            last edited by

            @kom Thanks for the reply.

            I haven't touched the settings, so as of now all hardware offloading is occurring. I have a 100x5 comcast internet connection through a motorola modem, and i get about 100-115 down, 6Mb up. however my apps that i run ARE latency sensitive.. plus it says in the documentation (as i understand it) that the hardware offloading could be detrimental to performance.

            yeah, i'm kinda splitting hairs, but..

            Thanks!!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post