Advanced Configuration Settings question

jc1976 · Jun 23, 2021, 4:55 PM

hello everyone!

still trying to learn all about firewalling so go easy on me. LOVE pfsense!

going through the advanced configuration settings, towards the bottom are the options for disabling hardware checksum, TSO, and LRO handling. by default, mine are 'unchecked', meaning the nic is handling these tasks.. up until last night, i assumed this is a good thing.

upon reading up on it (and it would make more sense if i understood it better), the documentation seems to say that 'if it's used as a firewall only, i should check these boxes to disable the hardware offloading'.

my firewall is an old dell optiplex 790 with an i7-2600k cpu (hyperthreading disabled, because suricata doesn't seem to like it). 16GB of ram, the onboard intel nic for the LAN side, and an Intel dual port server nic for the wan side (because it's far more powerful than the onboard chip).

it does firewalling, IPS/IDS, clamAV, pfblocker, and all that stuff ONLY. dhcp to my wired and wireless devices is handled by an asus wifi router, that doesn't do anything other than dhcp and wifi.. the pfsense box just stands between me and my cable modem for protection. Yes, overkill, but trying to learn these things.

so, can someone explain to me what i should do? (leave enabled or disable the tso and lro hardware offloading)?

thank you!!

KOM · Jun 23, 2021, 5:48 PM

@jc1976 If it ain't broke, don't fix it. Are you getting the expected performance for your link without any weird connection problems? If so, you might want to leave it alone.

However...

Those are conservative settings to make sure it just works for the greatest amount of users. You could try re-enabling them all and see it if gives you any problems or gains (lower RAM /CPU use).

SteveITS · Jun 23, 2021, 6:14 PM

@jc1976 Since you mentioned Suricata, our notes say we should "Disable hardware checksum offload" if using Suricata or Snort. IIRC this is because otherwise Suricata (in Legacy mode) complains about checksums in the copies of packets it analyzes.

(also for Suricata, we disable ALL stream-events.rules in it, or it will block lots of traffic on false positives)

jc1976 · Jun 23, 2021, 7:16 PM

@kom Thanks for the reply.

I haven't touched the settings, so as of now all hardware offloading is occurring. I have a 100x5 comcast internet connection through a motorola modem, and i get about 100-115 down, 6Mb up. however my apps that i run ARE latency sensitive.. plus it says in the documentation (as i understand it) that the hardware offloading could be detrimental to performance.

yeah, i'm kinda splitting hairs, but..

Thanks!!