Netgate Discussion Forum

Advanced Configuration Settings question

Firewalling
  • jc1976
    Jun 23, 2021, 4:52 PM (last edited by jc1976 Jun 23, 2021, 4:55 PM)

    Hello everyone!

    Still trying to learn all about firewalling, so go easy on me. LOVE pfSense!

    Going through the advanced configuration settings, towards the bottom are the options for disabling hardware checksum, TSO, and LRO handling. By default, mine are 'unchecked', meaning the NIC is handling these tasks. Up until last night, I assumed this is a good thing.

    Upon reading up on it (and it would make more sense if I understood it better), the documentation seems to say that 'if it's used as a firewall only, I should check these boxes to disable the hardware offloading'.

    My firewall is an old Dell OptiPlex 790 with an i7-2600k CPU (hyperthreading disabled, because Suricata doesn't seem to like it), 16GB of RAM, the onboard Intel NIC for the LAN side, and an Intel dual-port server NIC for the WAN side (because it's far more powerful than the onboard chip).

    It does firewalling, IPS/IDS, ClamAV, pfBlocker, and all that stuff ONLY. DHCP to my wired and wireless devices is handled by an Asus wifi router that doesn't do anything other than DHCP and wifi. The pfSense box just stands between me and my cable modem for protection. Yes, overkill, but trying to learn these things.

    So, can someone explain to me what I should do (leave enabled or disable the TSO and LRO hardware offloading)?

    Thank you!!

    • KOM @jc1976
      Jun 23, 2021, 5:48 PM

      @jc1976 If it ain't broke, don't fix it. Are you getting the expected performance for your link without any weird connection problems? If so, you might want to leave it alone.

      However...

      Those are conservative settings to make sure it just works for the greatest number of users. You could try re-enabling them all and see if it gives you any problems or gains (lower RAM/CPU use).

      • SteveITS Galactic Empire @jc1976
        Jun 23, 2021, 6:14 PM

        @jc1976 Since you mentioned Suricata, our notes say we should "Disable hardware checksum offload" if using Suricata or Snort. IIRC this is because otherwise Suricata (in Legacy mode) complains about checksums in the copies of packets it analyzes.

        (Also for Suricata, we disable ALL stream-events.rules in it, or it will block lots of traffic on false positives.)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • jc1976 @KOM
          Jun 23, 2021, 7:16 PM

          @kom Thanks for the reply.

          I haven't touched the settings, so as of now all hardware offloading is occurring. I have a 100x5 Comcast internet connection through a Motorola modem, and I get about 100-115 down, 6Mb up. However, the apps that I run ARE latency sensitive. Plus it says in the documentation (as I understand it) that the hardware offloading could be detrimental to performance.

          Yeah, I'm kinda splitting hairs, but..

          Thanks!!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.