apandi
just joined
Topic Author
Posts: 5
Joined: Sun Apr 24, 2022 9:17 pm

Question about ingress VLAN translation

Tue Feb 27, 2024 10:01 pm

I have a couple of VLANs in a network comprising CRS326 and MT router. I have set up VLANs and inter-VLAN routing with firewall rules on the router, all working as expected.

However, I would like to route some inter-VLAN connections directly in the switch to avoid a sizeable amount of traffic going to the router and back again. It seems this should be possible with simple switch rules (before e.g. even trying HW L3 offloading).

In my setup on the switch I have an access port for VLAN_10 (ether_1) and a trunk port (ether_2) that includes VLAN_20 (among others). I would like to apply VLAN routing in the switch to HTTP connections originating from VLAN_10 to a host in VLAN_20. (I understand this would require two switch rules, from ether_1 to ether_2, and back again.)

I tried VLAN translation on the switch with:
/interface ethernet switch rule
add switch=sw1 ports=ether_1 vlan_id=10 src-address=192.168.20.17/24 dst-address=192.168.30.17/24 protocol=tcp dst-port=80 new-dst-ports=ether_2 new-vlan-id=20
add switch=sw1 ports=ether_2 vlan_id=20 src-address=192.168.30.17/24 dst-address=192.168.20.17/24 protocol=tcp new-dst-ports=ether_1 new-vlan-id=10
But once the rules are enabled they stop connections getting through between the VLANs (that previously did via the router).

I’d appreciate any pointers and suggestions.

Thanks
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Question about ingress VLAN translation

Tue Feb 27, 2024 10:29 pm

You have a CRS3 switch; it should be set up basically the same as your router, following viewtopic.php?t=143620 for the router and similar on the switch.
For the switch, read this thread and take note of the AP/switch config AND THE CORRECTIONS.

viewtopic.php?t=204967
 
apandi
just joined
Topic Author
Posts: 5
Joined: Sun Apr 24, 2022 9:17 pm

Re: Question about ingress VLAN translation

Wed Feb 28, 2024 12:26 am

Thanks, I had indeed followed the tutorials to set up my VLANs. It is all working. However, I would like to apply a simple, local optimization for inter-VLAN routing on the switch via an ACL filter rule, as outlined in my question above, similar to this example: https://help.mikrotik.com/docs/display/ ... ranslation

It appears, with some diagnosing with Torch, in my case the switch is not applying VLAN translation in the first rule:
switch=sw1 ports=ether_1 vlan_id=10 src-address=192.168.20.17/24 dst-address=192.168.30.17/24 protocol=tcp dst-port=80 new-dst-ports=ether_2 new-vlan-id=20
ether_1 is an access port with pvid=10. I tried the rule without the vlan_id/header params, but to no avail. Is there a limitation on switch rule VLAN translation that it can't be applied between access and trunk ports?
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Question about ingress VLAN translation

Wed Feb 28, 2024 2:59 am

Well, if you're not going to use the proper VLAN filtering method for CRS3xx switches, you will need to get help from someone that understands doing it whatever way you have decided to use.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Question about ingress VLAN translation

Wed Feb 28, 2024 3:32 pm

I would like to apply simple, local optimization for inter-VLAN routing on the switch via ACL filter rule ...

I may be wrong, but IMO you can't do it. Normal hosts work like this:
  1. if destination IP address is in the same IP subnet (same subnet address with same network mask), then they expect to communicate directly.
    They look for destination's MAC address (using ARP who has protocol) and then send ethernet frame with IP packet with DST-MAC set to destination's MAC. Destination then only picks up ethernet frames with their own MAC address in DST-MAC address (and broadcast MAC addresses, but this is pretty irrelevant in this case), the rest of ethernet frames are silently ignored.
  2. if destination IP address is in a different IP subnet, then they will use gateways. So the sender determines which gateway to use (IP routing table) and searches for the router's MAC address. Then they send out an ethernet frame with the IP packet (dst-address set to final destination) and with DST-MAC address set to the router's MAC address. The router then picks up such a frame, decapsulates the IP packet, does the routing decision and does a similar procedure for the egress interface (e.g. uses the destination's MAC address as DST-MAC and sets its own MAC address as SRC-MAC).

And L3HW routing does all of this in ASIC, but:
  1. clients still have to be aware that L3HW-offloaded device is their gateway
  2. ASIC has to be aware that it's routing so that it can perform appropriate DST-MAC and SRC-MAC replacements

If you want to do it transparently by a switch, then ACLs won't do necessary MAC address replacements. So what happens: packet, sent out by source device in certain subnet and sent with router's MAC address set as DST-MAC, will be "pushed over" into another L2 network (which may even be correct for destination IP address), but it will be otherwise identical ethernet frame. However DST-MAC address doesn't exist in that L2 network (if router does one subnet per interface) and nobody will pick up the frame. If router with same MAC address exists in destination L2 network (because router uses same MAC address for all VLANs on same physical interface), then frame will be picked up by router (so it's still pegging router), but router may decide to drop it because ingress interface will be wrong.

So if you want to use your CRS as wirespeed router between some of your VLANs, you'll have to set it as gateway on those VLANs (and provide route towards main router for routing towards other destinations) ... and follow normal L3HW setup.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Question about ingress VLAN translation

Wed Feb 28, 2024 3:43 pm

I thought the whole idea of routers and smart switches is that the router is only involved when access to the internet is required or cross vlan traffic ( firewall rules ).

Any traffic on the same vlan behind the switch doesn't go to the router, and stay within the wirespeed of the switch regardless of which ports are being used on the switch for that vlan.
This would hold true for cascaded switches as well.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Question about ingress VLAN translation

Wed Feb 28, 2024 3:52 pm

I thought the whole idea of routers and smart switches is that the router is only involved when access to the internet is required or cross vlan traffic ( firewall rules ).
Yes, but @OP wants to use ACLs to route between

src-address=192.168.20.17/24
and
dst-address=192.168.30.17/24

These are distinctly in different IP subnets, hence devices expect to use router(s). L3HW offloaded routers can route at wirespeed, hence they remove one reason (there are plenty of other reasons) to keep devices which talk to each other a lot in the same subnet. But they have to be configured properly.
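The forwarding logic mkx describes in the two posts above (a host delivers directly only when the destination is in its own subnet and otherwise addresses the frame to the router's MAC; an ACL retag moves that frame into another VLAN without touching the MACs; a real router or L3HW ASIC rewrites both MACs) as a small simulation. This is an added example, not code from the thread or from MikroTik; the hosts, MAC addresses, router addresses and the ACL and router models are constructed for illustration.

```python
"""Simulate why a switch ACL VLAN translation cannot stand in for a router.

Constructed topology (not from the thread): two VLANs, one router that may use
either a single MAC on all VLAN interfaces or one MAC per VLAN, and three hosts.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Optional


@dataclass
class Host:
    name: str
    mac: str
    iface: str     # address with mask, e.g. "192.168.20.17/24"
    gateway: str   # router IP in this host's subnet
    vlan: int


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    dst_ip: str


# Constructed router addresses per VLAN and two MAC layouts (assumptions)
ROUTER_IPS = {10: "192.168.20.1", 20: "192.168.30.1"}
SHARED_MAC = {10: "02:00:00:00:00:01", 20: "02:00:00:00:00:01"}   # same MAC on every VLAN
PER_VLAN_MAC = {10: "02:00:00:00:00:0a", 20: "02:00:00:00:00:14"}  # distinct MAC per VLAN

# Constructed hosts: A and C share VLAN 10 / 192.168.20.0/24, B sits in VLAN 20
HOSTS = [
    Host("A", "02:00:00:00:10:17", "192.168.20.17/24", "192.168.20.1", 10),
    Host("B", "02:00:00:00:20:17", "192.168.30.17/24", "192.168.30.1", 20),
    Host("C", "02:00:00:00:10:18", "192.168.20.18/24", "192.168.20.1", 10),
]


def next_hop_ip(host: Host, dst_ip: str) -> str:
    """Host forwarding decision: same subnet -> send direct, else -> send to gateway."""
    if ip_address(dst_ip) in ip_interface(host.iface).network:
        return dst_ip
    return host.gateway


def resolve_mac(vlan: int, ip: str, hosts: list[Host], router_macs: dict) -> Optional[str]:
    """ARP-style lookup confined to one VLAN (one broadcast domain)."""
    if ip == ROUTER_IPS.get(vlan):
        return router_macs[vlan]
    for h in hosts:
        if h.vlan == vlan and str(ip_interface(h.iface).ip) == ip:
            return h.mac
    return None


def build_frame(src: Host, dst_ip: str, hosts: list[Host], router_macs: dict) -> Frame:
    """Frame as the source host actually emits it (step 1 or step 2 in mkx's post)."""
    nh = next_hop_ip(src, dst_ip)
    mac = resolve_mac(src.vlan, nh, hosts, router_macs)
    if mac is None:
        raise LookupError(f"no ARP reply for {nh} in VLAN {src.vlan}")
    return Frame(src.mac, mac, src.vlan, str(ip_interface(src.iface).ip), dst_ip)


def acl_vlan_translate(frame: Frame, new_vlan: int) -> Frame:
    """Model of a switch rule with new-vlan-id: only the tag changes, MACs/IPs stay."""
    return Frame(frame.src_mac, frame.dst_mac, new_vlan, frame.src_ip, frame.dst_ip)


def route(frame: Frame, hosts: list[Host], router_macs: dict) -> Frame:
    """What a router or L3HW ASIC does: pick egress VLAN by dst IP, rewrite both MACs."""
    for h in hosts:
        if str(ip_interface(h.iface).ip) == frame.dst_ip:
            return Frame(router_macs[h.vlan], h.mac, h.vlan, frame.src_ip, frame.dst_ip)
    raise LookupError(f"no route to {frame.dst_ip}")


def receiver(frame: Frame, hosts: list[Host], router_macs: dict) -> Optional[str]:
    """Who picks the frame up in its VLAN: a host whose MAC matches, the router, or nobody."""
    if router_macs.get(frame.vlan) == frame.dst_mac:
        return "router"
    for h in hosts:
        if h.vlan == frame.vlan and h.mac == frame.dst_mac:
            return h.name
    return None


def demo(router_macs: dict) -> dict:
    """Host A talks to C (same subnet) and to B (other subnet) under one router MAC layout."""
    a = HOSTS[0]
    same = build_frame(a, "192.168.20.18", HOSTS, router_macs)
    cross = build_frame(a, "192.168.30.17", HOSTS, router_macs)
    pushed = acl_vlan_translate(cross, 20)          # the OP's ACL: retag into VLAN 20
    routed = route(cross, HOSTS, router_macs)       # proper routing of the same frame
    return {
        "same_subnet_dst_mac": same.dst_mac,
        "cross_subnet_dst_mac": cross.dst_mac,
        "acl_pushed_receiver": receiver(pushed, HOSTS, router_macs),
        "routed_receiver": receiver(routed, HOSTS, router_macs),
    }


if __name__ == "__main__":
    print("router with one MAC on all VLANs:", demo(SHARED_MAC))
    print("router with a MAC per VLAN:     ", demo(PER_VLAN_MAC))
```

With a shared router MAC the retagged frame is still claimed by the router (from the wrong VLAN), and with per-VLAN router MACs nobody in VLAN 20 claims it at all; only the rewritten frame reaches host B, which is the MAC replacement an L3HW setup performs and a plain ACL does not.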
 
apandi
just joined
Topic Author
Posts: 5
Joined: Sun Apr 24, 2022 9:17 pm

Re: Question about ingress VLAN translation

Sun Mar 03, 2024 9:03 pm

Thank you, exactly the detail I was missing. I was hoping simple switch rules might do without going into L3HW setup for the reasons you outlined.

This was inspired by a terse note on Mikrotik's documentation https://help.mikrotik.com/docs/display/ ... ranslation. I wonder what type of setup they had in mind, where such VLAN-translation rules would work.

As a possible workaround, I tried routing via VLAN interfaces on the switch (using them as gateway overrides for select DHCP clients) with the ACLs. But, as you noted, it looks like CRS indeed decides to drop "pushed over" packets in this case.

It seems L3HW setup is the only route here. I will try to localize the CRS gateway to its clients and pass over other traffic to the router (incl. the same VLAN), to make this transparent to the router and leave its setup unchanged. It appears this should be possible with mangle rules, but I hope that does not interfere with L3HW offloading.
 
mkx
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: Question about ingress VLAN translation

Mon Mar 04, 2024 8:22 am

This was inspired by a terse note on Mikrotik's documentation https://help.mikrotik.com/docs/display/ ... ranslation. I wonder what type of setup they had in mind, where such VLAN-translation rules would work.

The short section you're linking also contains a warning that this kind of "routing" only works nicely for a pair of devices connected to a pair of ports. And keep in mind that there are L3 protocols other than IP ... this kind of setup is also useful in an IP network, but both devices have to be set as members of the same IP subnet (so they expect to communicate directly). I too am at a loss as to what kind of setup expects a certain pair of devices to communicate directly but puts them in different L2 broadcast domains.
