> On Mar 4, 2015, at 12:54 AM, Bryan D. <pfse...@derman.com> wrote:
> Today, having received a pair of SuperMicro AOC-SG-i2 NICs from the pfSense 
> store, I asked about the applicable pfSense "offloading" settings (via the 
> pfSense contact form).
> Receiving an oblique (non-)response, I re-sent a query that included the 
> following text:
> ---
> [...] specifically, what should the pfSense settings be for:
> - Hardware Checksum Offloading
> - Hardware TCP Segmentation Offloading
> - Hardware Large Receive Offloading
> I.E., can each of these be enabled when using AOC-SG-i2 NICs?
> With my current systems, segmentation and large receive offloads are 
> disabled.  I don't remember what the default was (and it's not stated on the 
> configurator page) [...]
> Understand that the configurator page has warnings about these capabilities 
> being "... broken in some hardware drivers, ..." so, even though the NICs are 
> spec'd to support these capabilities, there's still the question whether the 
> drivers work properly [...]  That's the reason for my query.
> ---
> To which I received the following response (an attitude that left me feeling 
> considerably less enthusiastic about trying to support the project):
> ---
> We do not provide pfSense support for these cards unless they are installed 
> in a system we sell. My suggestion is to search the forums for the tuning you 
> desire.
> I know this is not the answer you desire but that is our official response.
> ---
> For the record, I don't really consider these questions to be "support" ... 
> just a clarification of the specs, which should be straightforward given that 
> it's a 1-product organization (and would be best stated on the store's 
> web-page).

Answering any question post-sale is “support”.   You are using a free open 
source product. The only cost to you is to figure out how to make it work.  If 
you are unable or unwilling, then we (and others) offer paid support options.  
There is also, as whomever from Netgate explained, support options including 
the forum and this list.

> Does anyone know the answer to my questions about the various offloading 
> settings that should be used with these cards?

LRO works by aggregating multiple incoming packets from a single stream into a 
larger buffer before they are passed higher up the networking stack, thus 
reducing the number of packets that have to be processed.

LRO should not be used on machines acting as routers, (and it is quite likely 
that you’re using pfSense as a router or, equivalently, a router), as it breaks 
the end-to-end principle and can significantly impact performance.

TSO is similar, but for sending.  It works by queuing up large buffers and 
letting the network interface card (NIC) split them into separate packets just 
before transmit.

Both LRO and TSO can help if you are an endpoint, *not a router*.   If you were 
using pfSense an an appliance (say, for DNS), they would possibly help 

Now onto “hardware checksum offload”:

First, let’s briefly discuss where checksumming is used.

The Ethernet hardware calculates the Ethernet CRC32 checksum and the receive 
engine validates this checksum. If the received checksum is wrong pfSense won’t 
even see the packet, as the Ethernet hardware internally throws away the 
packet.  (There are exceptions, such as if the interface is in promiscuous 

Higher level checksums are “traditionally” calculated by the protocol 
implementation and the completed packet is then handed over to the hardware.  
Recent network hardware can perform the IP checksum calculation, also known as 
checksum offloading. The network driver won’t calculate the checksum itself but 
will simply hand over an empty (zero or garbage filled) checksum field to the 

Some cards will additionally process TCP and UDP checksums, as above, this 
isn’t going to be of any value on a router.

It’s possible, if everything else is right, then IP checksum offload can 
provide a modest performance improvement, but this is unlikely to be more than 
“noticeable” at the speeds where most individuals run pfSense.   However, at 
10Gbps (or above),
these engines become quite useful.   Support for these is an important 
component of our “3.0” effort.

In case it’s not clear by now, these settings are all *disabled* by default in 


pfSense mailing list
Support the project with Gold! https://pfsense.org/gold

Reply via email to