Netgate Discussion Forum

New SG2440 - Disable hardware TCP segmentation offload

Problems Installing or Upgrading pfSense Software
  • P
    pfswor
    last edited by Apr 4, 2015, 8:16 PM

    Hi,

    Just received a new SG2440 from the pfSense store. I noticed that the following two options are checked (disabled):

    Disable hardware TCP segmentation offload
    Disable hardware large receive offload

    I would think the Intel NICs in the new boxes should be able to handle these… any reason I should not uncheck?

    Thanks,

    • D
      dennypage
      last edited by Apr 4, 2015, 11:31 PM

      I'm running with offloading enabled. No issues for me on the wired interfaces.

      • S
        stephenw10 Netgate Administrator
        last edited by Apr 6, 2015, 12:48 AM

        Generally speaking you should leave those disabled. They only really help in a situation where you're terminating the TCP connection, such as a server. You shouldn't be running pfSense as a server.

        Steve

        • D
          dennypage
          last edited by Apr 6, 2015, 4:47 AM

          While the default pfSense doesn't have a lot of TCP connections terminated on the system, there are some (such as OpenVPN). And there are packages that can add a lot of them (such as squid).

          As long as the hardware handles it correctly, is there a disadvantage to hardware offload?

          • D
            doktornotor Banned
            last edited by Apr 6, 2015, 7:24 AM

            @dennypage:

            While the default pfSense doesn't have a lot of TCP connections terminated on the system, there are some (such as OpenVPN).

            If you are running OpenVPN over TCP, you are already lost… offloading certainly will not improve the performance. Do what you want, the warnings below the checkboxes are self-explanatory.

            • S
              stephenw10 Netgate Administrator
              last edited by Apr 6, 2015, 8:58 AM

              @dennypage:

              As long as the hardware handles it correctly, is there a disadvantage to hardware offload?

              None that I've seen on Intel NICs, but since there's no advantage either and almost everyone is running with them disabled, you may be the one discovering some new edge case.
              On some hardware and in some VMs it can result in very poor performance.

              Steve

              • D
                doktornotor Banned
                last edited by Apr 6, 2015, 9:27 AM

                No matter what you do, kindly do NOT enable the polling "feature" – unless you like to get yourself cut off the firewall...

                • S
                  stephenw10 Netgate Administrator
                  last edited by Apr 6, 2015, 11:38 AM

                  Yeah, definitely don't enable polling!
                  As one customer put it recently 'very bad things happened'.  ;)

                  Steve

                  • J
                    jimp Rebel Alliance Developer Netgate
                    last edited by Apr 6, 2015, 2:19 PM

                    tl;dr version: Leave the boxes checked, unless you know what you're doing, and then leave them checked anyhow because you realize that it's not desirable to uncheck them in >99% of cases.

                    Long version: It's explained in detail here: https://doc.pfsense.org/index.php/Advanced_Setup#Networking

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    • D
                      dennypage
                      last edited by Apr 6, 2015, 4:13 PM

                      @jimp:

                      Leave the boxes checked, unless you know what you're doing, and then leave them checked anyhow because you realize that it's not desirable to uncheck them in >99% of cases.

                      Long version: It's explained in detail here: https://doc.pfsense.org/index.php/Advanced_Setup#Networking

                      Okay, you win.

                      • D
                        dennypage
                        last edited by Apr 6, 2015, 4:19 PM

                        @doktornotor:

                        If you are running OpenVPN over TCP, you are already lost…

                        Unfortunately I end up having to use TCP a fair bit in mobile. I've encountered a number of networks that have UDP blocked or have harsh UDP session timeouts.

                        • S
                          stephenw10 Netgate Administrator
                          last edited by Apr 6, 2015, 5:45 PM

                          You could be in the 1% then.  :)
                          The options are there in case you need them, just be aware of what you're doing before enabling it.

                          Steve

                          • J
                            jimp Rebel Alliance Developer Netgate
                            last edited by Apr 6, 2015, 5:56 PM

                            There are occasional uses for them but it's cases where pfSense is not acting as a router but as an endpoint (e.g. stand-alone appliance for DHCP, DNS, etc).

                            It's not a deficiency in the hardware or the OS, it's just that TSO and LRO are not intended for use on a firewall/router. The details are on the wiki.

                            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!
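
The thread's advice is to leave both boxes checked, i.e. TSO and LRO disabled on a firewall/router. The following is an added example, not code from any poster or from pfSense: it audits from a shell which interfaces still have those offloads active. It assumes FreeBSD-style `ifconfig` output, where active capabilities appear as `TSO4`, `TSO6` and `LRO` tokens on the `options=<...>` line; the interface names and sample output are constructed.

```shell
#!/bin/sh
# Added example. Reads FreeBSD-style `ifconfig` output on stdin and prints
# one line per interface: "<ifname> <active offloads, comma-separated | none>".
offload_report() {
    awk '
    # Interface header, e.g. "igb0: flags=8843<...> metric 0 mtu 1500"
    $1 ~ /:$/ && $2 ~ /^flags=/ { ifname = $1; sub(/:$/, "", ifname); next }

    # Capability line. Requiring "options=" as the FIRST field skips the
    # unrelated "nd6 options=..." line that IPv6-enabled interfaces carry.
    $1 ~ /^options=/ {
        caps = $1
        sub(/^[^<]*</, "", caps)   # drop "options=<hex><"
        sub(/>.*$/, "", caps)      # drop trailing ">"
        n = split(caps, tok, ",")
        found = ""
        for (i = 1; i <= n; i++) {
            # Exact token match so VLAN_HWTSO is not mistaken for TSO.
            if (tok[i] == "TSO4" || tok[i] == "TSO6" || tok[i] == "LRO")
                found = found (found == "" ? "" : ",") tok[i]
        }
        print ifname, (found == "" ? "none" : found)
    }'
}

# Constructed sample input (hex capability masks are placeholders).
sample_ifconfig() {
    cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 00:00:5e:00:53:01
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=103b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWTSO>
    ether 00:00:5e:00:53:02
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=407<RXCSUM,TXCSUM,LRO>
    ether 00:00:5e:00:53:03
EOF
}

# Demo on the constructed sample; on a live system use: ifconfig | offload_report
sample_ifconfig | offload_report
```

Any interface reported as something other than `none` has an offload active that the posts above recommend leaving disabled on a router.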

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.