Disabling Hardware Offloading
Offloading, or acceleration, is the technique of moving computing operations onto hardware or systems that have been expressly developed to do certain jobs more effectively than software running on a general-purpose CPU. In networking, hardware offloading transfers network task processing from the CPU to the network interface card (NIC). This frees up CPU cycles and removes system bottlenecks such as the Peripheral Component Interconnect (PCI) bus. Hardware offloading to current NICs may enhance throughput, efficiency, and latency, as well as enable the cost-effective implementation of several security functions.
Although hardware offloading is beneficial, not all CPUs, NICs, and features are compatible with this technology. Likewise, this feature is incompatible with netmap, the interface used by Zenarmor to collect packets from the wire. Therefore, it is always a good practice to deactivate interface hardware offloading at boot time on your Zenarmor® next-generation firewall with netmap deployment. This avoids firewall delays and also saves at least one interface down/up event. This may have survived the Zenarmor packet engine's offloading settings if the user has expressly allowed offloading.
Disabling Hardware Offloading on OPNsense
Since the Hardware Offloading feature is incompatible with netmap, make sure that the following hardware offloading features are disabled on your OPNsense node by navigating to Interfaces > Settings:
- Hardware Checksum Offloading (Both IPv4 and IPv6)
- Hardware TCP Segmentation Offload (TSO)
- Hardware Large Receive Offload (LRO)
- Hardware VLAN Tagging & Filtering
Figure 1. Disabling Hardware Offloading on OPNsense
Disabling Hardware Offloading on pfSense® software
Since the Hardware Offloading feature is incompatible with netmap, make sure that the following hardware offloading features are disabled on your pfSense® software node by navigating to System > Advanced > Networking > Network Interfaces:
- Hardware Checksum Offloading (Both IPv4 and IPv6)
- Hardware TCP Segmentation Offloading (TSO)
- Hardware Large Receive Offloading (LRO)
After saving the settings, reboot the machine.
Figure 2. Disabling Hardware Offloading on pfSense® software
If you have a Zenarmor-protected VLAN interface, you must disable hardware-level VLAN filtering on the related physical interface by running the following command (replacing igb0 with your own Ethernet interface name):
ifconfig igb0 -vlanhwfilter -vlanhwtso
Beware that this disables VLAN hardware filtering on the interface only temporarily. To disable hardware-level VLAN filtering permanently, follow these steps:
- Install the shellcmd package, which is used to manage commands on system startup via the pfSense web UI.
  Figure 3. Installing shellcmd package
- Back up the config.xml file by navigating to Diagnostics > Backup & Restore.
  Figure 4. Backup config.xml configuration file
- Connect to your pfSense CLI via ssh or console as root.
- Run the following command to edit the conf/config.xml configuration file:
  viconfig
- Add the following line above the </system> line (replacing igb0 with your own Ethernet interface name):
  <shellcmd>ifconfig igb0 -vlanhwfilter -vlanhwtso</shellcmd>
- Save the changes to the configuration.
Disabling Hardware Offloading on FreeBSD
Since the Hardware Offloading feature is incompatible with netmap, make sure that the following hardware offloading features are disabled on your FreeBSD node:
- Hardware Checksum Offloading (Both IPv4 and IPv6)
- Hardware TCP Segmentation Offload (TSO)
- Hardware Large Receive Offload (LRO)
- Hardware VLAN Tagging & Filtering
You may disable this hardware offloading temporarily by running the following command on your FreeBSD node (replacing igb0 with your own Ethernet interface name):
ifconfig igb0 -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso -vlanhwfilter
Or you may update your Ethernet card configuration in the /etc/rc.conf file to disable offloading permanently:
ifconfig_igb0="DHCP -rxcsum -rxcsum6 -txcsum -txcsum6 -lro -tso -vlanhwtso -vlanhwfilter"
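To confirm that the flags actually cleared on a FreeBSD-based node (FreeBSD, OPNsense, pfSense), the following added example, which is not part of the original page or of Zenarmor's tooling, parses the options=<...> line of ifconfig output and lists every offload capability from the command above that is still enabled. The two ifconfig outputs are constructed samples with placeholder hex bitmasks, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report offload capabilities still enabled on an interface by
# parsing the options=<...> line of `ifconfig <interface>` output.
# Only the capabilities that the page's ifconfig command turns off are checked.
OFFLOAD_FLAGS="RXCSUM TXCSUM RXCSUM_IPV6 TXCSUM_IPV6 TSO4 TSO6 LRO VLAN_HWFILTER VLAN_HWTSO"

# stdin: `ifconfig <interface>` output; stdout: enabled offload flags.
enabled_offloads() {
    # Anchor on the interface options= line; "nd6 options=" must not match.
    opts=$(sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*$/\1/p' | head -n 1)
    found=""
    for flag in $OFFLOAD_FLAGS; do
        # Compare whole comma-separated tokens so VLAN_HWCSUM is not read as TXCSUM.
        case ",$opts," in
            *",$flag,"*) found="${found:+$found }$flag" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Constructed sample: igb0 with offloading still enabled (bitmask is a placeholder).
sample_before() {
    cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e527bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:00:5e:00:53:01
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
EOF
}

# Constructed sample: the same interface after the ifconfig command from the page.
sample_after() {
    cat <<'EOF'
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=802028<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC>
    ether 00:00:5e:00:53:01
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
EOF
}

echo "before: $(sample_before | enabled_offloads)"
echo "after:  $(sample_after | enabled_offloads)"
# On a live node: ifconfig igb0 | enabled_offloads
```

An empty result means none of the checked capabilities remain enabled; running it again after a reboot shows whether the rc.conf or shellcmd entry took effect.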
Disabling Hardware Offloading on Linux Platforms
If you are using the netmap deployment mode of Zenarmor on your Linux node, make sure that the following hardware offloading features are disabled, since the Hardware Offloading feature is incompatible with netmap:
- Hardware Checksum Offloading (Both IPv4 and IPv6)
- Hardware TCP Segmentation Offload (TSO)
- Hardware Large Receive Offload (LRO)
- Hardware VLAN Tagging & Filtering
To disable hardware offloading, you need the ethtool package installed on your Linux node.
You may install ethtool on your Ubuntu/Debian system by running the following command:
sudo apt install ethtool
You may install ethtool on your CentOS/Alma Linux/Rocky Linux system by running the following command:
sudo yum -y install ethtool
Or
sudo dnf -y install ethtool
You may disable this hardware offloading temporarily by running the following command on your Linux node (replacing igb0 with your own Ethernet interface name):
ethtool -K igb0 tso off rx-checksumming off tx-checksumming off large-receive-offload off rx-vlan-filter off rx-vlan-offload off tx-vlan-offload off
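Some drivers mark a feature as [fixed], in which case ethtool cannot change it and it can stay on after the command above. The following added example, which is not part of the original page or of Zenarmor's tooling, reads `ethtool -k` output and lists the features from that command that are still on, flagging the fixed ones. Both outputs are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the features from the ethtool -K command above that
# `ethtool -k <interface>` still reports as "on" ("tso" is shown by ethtool -k
# under its long name, tcp-segmentation-offload).
WANT_OFF="tcp-segmentation-offload rx-checksumming tx-checksumming large-receive-offload rx-vlan-filter rx-vlan-offload tx-vlan-offload"

# stdin: `ethtool -k <interface>` output; stdout: one still-enabled feature
# per line, marked "(fixed)" when ethtool shows the driver will not change it.
still_on() {
    awk -v want="$WANT_OFF" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        {
            name = $1; sub(/:$/, "", name)   # "rx-checksumming:" -> "rx-checksumming"
            if ((name in watch) && $2 == "on")
                print name ($3 == "[fixed]" ? " (fixed)" : "")
        }'
}

# Constructed sample: offloads enabled (ethtool indents sub-features).
sample_on() {
    cat <<'EOF'
Features for igb0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ip-generic: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: on
rx-vlan-filter: on [fixed]
EOF
}

# Constructed sample: after the ethtool -K command; the fixed feature remains on.
sample_off() {
    cat <<'EOF'
Features for igb0:
rx-checksumming: off
tx-checksumming: off
tcp-segmentation-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: off
tx-vlan-offload: off
rx-vlan-filter: on [fixed]
EOF
}

echo "before:"; sample_on | still_on
echo "after:";  sample_off | still_on
# On a live node: ethtool -k igb0 | still_on
```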