In some cases, we recommend disabling TCP segmentation offload, also known as TCP offloading. This applies, for example, to performance issues with pfSense. But ... what is TCP offloading and why would you turn it on or off?
TL;DR: TCP offloading lets the NIC split network traffic into MTU-sized parts. This should only be done on the end-point server. A firewall should not use TCP offloading, because the servers behind it already perform TCP offloading.
What is TCP offloading?
TCP offloading makes your network interface card (NIC) split network packets into parts that are at most the MTU (Maximum Transmission Unit) size. The MTU is the maximum size in bytes of a single packet or frame that can be sent over the network. Suppose you visit a website: the content of the website is divided into packets and sent to your client machine, and none of these packets can be larger than the MTU.
For example, you can check your MTU value with the 'ip a' command in Linux (in this example the MTU is 1500 bytes).
TCP offloading or not
If you do not use TCP offloading, your OS (and thus your CPU) splits packets into parts of at most the MTU size instead of your NIC. Using TCP offloading can therefore improve your server's performance: instead of your CPU, dedicated hardware on the NIC takes care of splitting the packets.
It is best to have TCP offloading performed only on the end-point server, i.e. the server that offers the content (e.g. a website). For example, suppose you have a firewall with 10 servers behind it. It is then not advisable to enable TCP offloading on the firewall. Not only do those 10 servers already use TCP offloading themselves, but with TCP offloading enabled on your firewall, the firewall would also apply it to the traffic coming from those 10 servers. This would cause your firewall to do 10 times as much TCP offloading work as the servers behind it, and for packets that did not even originate from the firewall itself.
TCP offloading is a very useful technique, but on a firewall it has a negative impact on the performance of the firewall and thus of your network as a whole. It is therefore advisable to use TCP offloading only on the end-point servers. It is usually enabled by default in your OS, so you should normally only need to disable it on your firewalls (pfSense, Sophos UTM, etc.).
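As an added example (not part of the original article), the following POSIX shell audit parses the output of 'ethtool -k' and 'ip -o link show' to report whether TSO/GSO is still enabled on a Linux firewall interface, along with its MTU, and prints the ethtool command that would turn segmentation offload off. The interface name eth0 and both command outputs are constructed samples embedded so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a Linux firewall NIC for TCP segmentation offload that
# should be disabled, and report its MTU. Parses `ethtool -k` and
# `ip -o link show` output. The samples below are constructed; in production,
# feed the script the real output of those commands instead.

# Constructed sample of `ethtool -k eth0` (abridged; sub-features are indented).
SAMPLE_ETHTOOL_K='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
	tx-tcp6-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Constructed sample of `ip -o link show eth0` (one line per interface).
SAMPLE_IP_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# offload_state FEATURE: print on/off for a top-level feature in ethtool -k output (stdin).
# Indented sub-feature lines never match because $1 is the feature name with its colon.
offload_state() {
    awk -v f="$1" '$1 == f ":" { print $2; exit }'
}

# mtu_of: print the MTU value from `ip -o link show` output on stdin.
mtu_of() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# audit_iface NAME ETHTOOL_OUTPUT IP_OUTPUT: print "NAME tso=.. gso=.. mtu=.. OK|FIX".
# On a firewall both TSO and GSO should be off: segmentation belongs on the end-point servers.
audit_iface() {
    tso=$(printf '%s\n' "$2" | offload_state tcp-segmentation-offload)
    gso=$(printf '%s\n' "$2" | offload_state generic-segmentation-offload)
    mtu=$(printf '%s\n' "$3" | mtu_of)
    verdict=OK
    [ "$tso" = off ] && [ "$gso" = off ] || verdict=FIX
    printf '%s tso=%s gso=%s mtu=%s %s\n' "$1" "$tso" "$gso" "$mtu" "$verdict"
}

# fix_cmd NAME: the ethtool command that disables TSO and GSO (printed, not executed).
fix_cmd() {
    printf 'ethtool -K %s tso off gso off\n' "$1"
}

audit_iface eth0 "$SAMPLE_ETHTOOL_K" "$SAMPLE_IP_LINK"   # prints "eth0 tso=on gso=on mtu=1500 FIX"
fix_cmd eth0
```

The ethtool commands apply to Linux-based firewalls; pfSense is FreeBSD-based, where the equivalent setting is the "Disable hardware TCP Segmentation Offloading" checkbox under System > Advanced > Networking.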
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.