diff --git a/vm/common.nix b/vm/common.nix
index 8ba94f4..33ddda1 100644
--- a/vm/common.nix
+++ b/vm/common.nix
@@ -2,6 +2,7 @@
   environment.defaultPackages = [
     pkgs.inetutils
     pkgs.tcpdump
+    pkgs.iperf
   ];
 
   networking = {
@@ -30,5 +31,21 @@
     initialHashedPassword = lib.mkForce null;
   };
 
+  systemd = {
+    timers."tx-onload" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnStartupSec = 30;
+    };
+    services."tx-onload" = {
+      script = ''
+        ${lib.getExe' pkgs.busybox "ip"} l |\
+          grep '^[0-9]' |\
+          sed 's/^[0-9]*: \(.*\)\(@.*\)\?: .*$/\1/' |\
+          xargs --replace=%I ${lib.getExe pkgs.ethtool} -K %I tx off tx-checksumming off
+
+      '';
+    };
+  };
+
   system.stateVersion = "25.05";
 }
diff --git a/vm/vm.nix b/vm/vm.nix
index 3ca87a9..6aa4915 100644
--- a/vm/vm.nix
+++ b/vm/vm.nix
@@ -1,4 +1,5 @@
 {
+  pkgs,
   lib,
   ...
 }:
@@ -50,6 +51,7 @@ let
               "10-eth0" = {
                 name = "eth0";
                 address = [ "10.0.${toString sw}.${toString (vni - 999)}/16" ];
+                linkConfig.Promiscuous = true;
               };
             };
           };
@@ -82,6 +84,7 @@ let
                   name = "eth0";
                   address = [ "10.0.0.${toString (sw + 1)}/24" ];
                   networkConfig.VXLAN = map (vtep_vxlan_name sw) vnis;
+                  linkConfig.Promiscuous = true;
                 };
               }
               // listToAttrs (
@@ -91,6 +94,7 @@ let
                     name = "10-${vtep_name sw vni}";
                     value = {
                       name = vtep_name sw vni;
+                      linkConfig.Promiscuous = true;
                       networkConfig = {
                         Bridge = vtep_br_name sw vni;
 
@@ -106,6 +110,7 @@ let
                     name = "10-${vtep_br_name sw vni}";
                     value = {
                       name = vtep_br_name sw vni;
+                      linkConfig.Promiscuous = true;
                       networkConfig = {
                         LinkLocalAddressing = false;
                         LLDP = false;
@@ -119,6 +124,7 @@ let
                     name = "10-${vtep_vxlan_name sw vni}";
                     value = {
                       name = vtep_vxlan_name sw vni;
+                      linkConfig.Promiscuous = true;
                       networkConfig = {
                         Bridge = vtep_br_name sw vni;
 
@@ -195,6 +201,9 @@ in
     enable = true;
     settings.PermitRootLogin = "yes";
   };
+  environment.defaultPackages = [
+    pkgs.pwru
+  ];
 
   containers =
     {
@@ -231,6 +240,7 @@ in
             name = "10-${name}";
             value = {
               inherit name;
+              linkConfig.Promiscuous = true;
               networkConfig = {
                 LinkLocalAddressing = false;
                 LLDP = false;
@@ -247,6 +257,7 @@ in
                 name = "10-${vtep_name sw vni}";
                 value = {
                   name = vtep_name sw vni;
+                  linkConfig.Promiscuous = true;
                   networkConfig = {
                     LinkLocalAddressing = false;
                     LLDP = false;