diff --git a/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml b/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml
index c299537b..f23f129d 100644
--- a/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml
+++ b/ansible/roles/traffic-engine/files/helm/templates/deployment-proxy.yaml
@@ -169,6 +169,34 @@ spec:
 - "bash"
 - "-ec"
 - |
+ mount -o remount,rw /sys
+ # disable rpfilter
+ sysctl -w net.ipv4.conf.all.rp_filter=0
+ sysctl -w net.ipv4.conf.default.rp_filter=0
+
+ # fs
+ sysctl -w fs.file-max=1048576
+ sysctl -w net.core.somaxconn=131072
+
+ # tcp options about TIME_WAIT
+ sysctl -w net.ipv4.tcp_fin_timeout=10
+ sysctl -w net.ipv4.tcp_tw_reuse=1
+ sysctl -w net.ipv4.tcp_max_tw_buckets=4096
+ sysctl -w net.ipv4.tcp_max_syn_backlog=131072
+
+ # bbr
+ sysctl -w net.ipv4.tcp_congestion_control=bbr
+
+ # tcp feature
+ sysctl -w net.ipv4.tcp_ecn=0
+ sysctl -w net.ipv4.tcp_sack=1
+ sysctl -w net.ipv4.tcp_timestamps=1
+
+ # disable tcp windows scaling for kernel bugs
+ sysctl -w net.ipv4.tcp_window_scaling=0
+
+
+
 {{ template "traffic-engine.init" . }}
 ip tuntap add dev tap0 mode tap multi_queue
 /usr/sbin/ip link set tap0 address fe:65:b7:03:50:bd
@@ -233,7 +261,6 @@ spec:
 /usr/sbin/ip -6 rule add iif tap_c tab 102
 /usr/sbin/ip -6 rule add iif tap_s tab 102
- mount -o remount,rw /sys
 securityContext:
 privileged: true
 env:
diff --git a/ansible/roles/tuned/files/tuned.conf b/ansible/roles/tuned/files/tuned.conf
index f7eb92e6..c2234454 100644
--- a/ansible/roles/tuned/files/tuned.conf
+++ b/ansible/roles/tuned/files/tuned.conf
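Review bot: In the first deployment-proxy.yaml hunk, the new `sysctl -w` lines run under `bash -ec` in a `privileged: true` container, so any single failed write aborts the script before `traffic-engine.init` and the tap setup. `net.ipv4.tcp_congestion_control=bbr` is the likely one, since it fails on a node whose kernel does not provide bbr; either guard it, `sysctl -w net.ipv4.tcp_congestion_control=bbr || echo "bbr unavailable, keeping default" >&2`, or state the node prerequisite in a comment. `fs.file-max` is a host-wide value rather than a per-network-namespace one, and this commit already sets it in tuned.conf, so I would drop it here instead of letting the pod rewrite node state. The `# disable rpfilter` comment should say why source validation is turned off; whether the net.* writes land in the pod's namespace or the host's depends on hostNetwork, which is outside this hunk, as is the rest of the script.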
@@ -43,6 +43,41 @@ assert2=${f:assertion:isolated_cores contains online CPU(s):${isolated_cores_exp
 /sys/devices/virtual/workqueue/*/cpumask = ${not_isolated_cpumask}
 /sys/devices/system/machinecheck/machinecheck*/ignore_ce = 1
+[sysctl]
+# read/write buffer
+net.core.rmem_default = 256960
+net.core.rmem_max = 33554432
+net.core.wmem_default = 256960
+net.core.wmem_max = 33554432
+
+# disable rpfilter
+net.ipv4.conf.all.rp_filter=0
+net.ipv4.conf.default.rp_filter=0
+
+# fs
+fs.file-max=1048576
+net.core.netdev_max_backlog=1000000
+net.core.somaxconn=131072
+
+# tcp options about TIME_WAIT
+net.ipv4.tcp_fin_timeout=10
+net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_max_tw_buckets=4096
+net.ipv4.tcp_max_orphans=131072
+net.ipv4.tcp_max_syn_backlog=131072
+
+# bbr
+net.ipv4.tcp_congestion_control=bbr
+
+# tcp feature
+net.ipv4.tcp_ecn=0
+net.ipv4.tcp_sack=1
+net.ipv4.tcp_timestamps=1
+
+# disable tcp windows scaling for kernel bugs
+net.ipv4.tcp_window_scaling=0
+
+
 [systemd]
 cpu_affinity=${not_isolated_cores_expanded}
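Review bot: `net.ipv4.conf.all.rp_filter=0` and `net.ipv4.conf.default.rp_filter=0` in the new `[sysctl]` section turn off reverse-path source validation node-wide, and the comment only restates the setting. If the reason is asymmetric routing on the data-plane interfaces, loose mode (`rp_filter=2`) or a per-interface setting would keep source validation on the other interfaces. The kernel applies the higher of `all` and the per-interface value, so interfaces that already carry 1 are presumably not changed by these two lines. `net.ipv4.tcp_window_scaling=0` caps the TCP window at 64 KiB, which largely cancels the 32 MiB `rmem_max`/`wmem_max` above for TCP; the comment should name the bug, e.g. `# window scaling off: workaround for <kernel bug reference>, revisit after kernel upgrade`.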