Currently, with L3HW enabled on my CRS309-1G-8S+, it seems that Mangle rules are not applied to traffic. Is there a way to make mangle rules work selectively, or would I have to disable L3HW altogether?
The goal of my mangle rules is that I route my LAN traffic to the internet through an L7 firewall as the default route, which THEN goes to the NAT firewall, but if the L7 firewall fails, I have a backup route (distance 10) to just leave out the L7 firewall and route directly to the NAT firewall. Port forwardings from the internet come in through the NAT firewall, and therefore the return path of the packets should always go through the NAT firewall directly and not through the L7 firewall. The config below worked on an RB5009, which of course does not have L3HW offloading.
I have three default routes on my CRS309-1G-8S+ like this:
The first one is the real default route where 99.9% of traffic should go out.
The second one is a backup route if the gateway of the first route isn't available (hence distance=10).
The third route should ALWAYS route packets via 10.200.25.1 if the packet has "public-service-return-path" set as its routing mark. This is because on 10.200.25.1 there are port forwardings from the internet to the internal network, and the return path should not go over 192.168.31.52 from the first route but always over 10.200.25.1.
Additionally, I have these mangle rules of course, to mark the routing:
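The routes and mangle rules the post describes, written out as an added RouterOS 7 example (this is not the poster's own config, which is not shown in the thread). The gateway addresses 192.168.31.52 (L7 firewall) and 10.200.25.1 (NAT firewall) and the routing mark name come from the post; the assumption that the backup route also points at 10.200.25.1, the interface placeholder, the connection-mark name and the choice to classify return traffic by connection mark are mine.

```routeros
# Added example, not the original poster's configuration.
# RouterOS 7 uses named routing tables instead of bare routing marks.
/routing/table add name=public-service-return-path fib

# 1) Normal default route via the L7 firewall (distance 1 is the default).
/ip/route add dst-address=0.0.0.0/0 gateway=192.168.31.52 check-gateway=ping distance=1 \
    comment="default via L7 firewall"

# 2) Backup default route straight to the NAT firewall when the L7 box is down.
#    Assumption: the NAT firewall is 10.200.25.1, the same host that does the port forwards.
/ip/route add dst-address=0.0.0.0/0 gateway=10.200.25.1 distance=10 \
    comment="backup default, bypass L7 firewall"

# 3) Return path for port-forwarded connections: only consulted for packets
#    carrying the routing mark, regardless of the two routes above.
/ip/route add dst-address=0.0.0.0/0 gateway=10.200.25.1 routing-table=public-service-return-path \
    comment="return path for inbound port forwards"

# Mangle: remember which connections entered from the NAT firewall, then
# mark the routing of their reply packets so they leave the same way.
# <iface-to-nat-fw> is a placeholder for the interface/VLAN facing 10.200.25.1.
/ip/firewall/mangle add chain=prerouting connection-state=new in-interface=<iface-to-nat-fw> \
    action=mark-connection new-connection-mark=from-nat-fw passthrough=yes \
    comment="connection entered via NAT firewall"
/ip/firewall/mangle add chain=prerouting connection-mark=from-nat-fw in-interface=!<iface-to-nat-fw> \
    action=mark-routing new-routing-mark=public-service-return-path passthrough=no \
    comment="replies to such connections use the return-path table"
```

The second mangle rule deliberately excludes packets arriving from the NAT firewall itself, so only the LAN-side reply direction is steered into the return-path table. As the thread goes on to explain, none of this takes effect for traffic that the switch handles entirely in hardware, so it only applies on ports where L3HW offloading is disabled.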
Users must choose either HW-accelerated routing or firewall.
And as mangle rules are part of the firewall, I interpret it as mangle and L3HW offloading being mutually exclusive.
Can't help you more though, and it's only my interpretation.
Correct. If you choose L3 HW Offloading on a port, none of that traffic will hit the CPU, and therefore none of it will hit the filter/nat/mangle/raw tables. If you want traffic from a port to be manipulated, disable offloading on that port. Enable fasttrack rules with hwoffload=yes to match already classified traffic and take advantage of some acceleration.
Thanks, makes absolute sense. Is there a way to direct certain traffic through the CPU, or the other way round, to only offload traffic between certain networks or interfaces? Basically any traffic that goes to the internet doesn't really need to be offloaded, because of limited internet speed. L3HW I basically only need for routing between LAN networks to reach 10G wire speed there...
Little followup to this topic.
Until now, just not offloading anything that exits ether1 worked for me. But since my main firewall lives there, where I also have some DMZ networks with servers in place, I today hit the CPU limit of my switch @ 200 Mbit/s throughput.
I'd now like to dig into the quoted sentence a bit more. Does that mean that I can have HW offloading disabled on ether1, but using fasttrack rules and hwoffload=yes, I can still have already classified traffic accelerated?
Another solution would be to have a separate wire from the switch to the firewall, where I route my DMZ networks and where I’d have L3HW enabled. But that would make routing more complicated overall.
Edit: I have this rule in place (and it sees tons of hits while my file transfer is running @ 200 MBit/s):
Update: I was on 7.11.2, which had a bug where fasttrack wouldn't work properly anymore with L3 HW.
Updated to 7.12.1 and now fasttrack is working and CPU load has dropped significantly.
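The per-port split discussed above (keep L3HW on for LAN-to-LAN routing, send the firewall-facing port through the CPU, and let fasttrack hand already-classified connections back to the switch chip), as an added RouterOS 7 example rather than the poster's actual rule. It assumes ether1 faces the firewall as in the post and that the parameter is spelled hw-offload as in the RouterOS fasttrack documentation; the exact rule the poster has in place is not shown in the thread.

```routeros
# Added example, not the original poster's configuration.
# Global L3HW stays enabled so routing between LAN networks runs at wire speed.
/interface/ethernet/switch set 0 l3-hw-offloading=yes

# Per-port exception: traffic entering/leaving the firewall uplink must hit the CPU,
# otherwise filter/nat/mangle/raw never see it.
/interface/ethernet/switch/port set ether1 l3-hw-offloading=no

# Fasttrack with hw-offload: once a connection is established (i.e. it has already
# passed the filter and mangle rules on the CPU), remaining packets of that
# connection can be accelerated by the switch chip. Place this rule before the
# generic accept for established/related so it matches first.
/ip/firewall/filter add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related comment="fasttrack + hw offload"
/ip/firewall/filter add chain=forward action=accept \
    connection-state=established,related comment="accept established/related"

# Inspect whether connections are actually being offloaded:
#   /ip/firewall/connection print where fasttrack=yes
#   /interface/ethernet/switch/port print
```

Connections that should keep hitting the CPU for every packet (anything a mangle rule must see after the first packet) have to be excluded from the fasttrack rule, for example with a connection-mark match, because once a connection is fasttracked its packets skip the mangle chains.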
I don't know how many filter rules you have on that firewall, but that's probably why your CPU is higher. I know I can get about 800 Mbps on the CRS300s I've tested without any firewall rules (maybe one or two), so you could try testing to see which rule (or set of rules) is causing the CPU load.
Or better yet, get something like a hAP AC/AX 2/3 to act as your firewall and NAT router and have the switch simply switch. Any of those hAPs has plenty of CPU horsepower to handle 1Gbps or so with simple firewall and NAT rules.