I am trying to implement CGNAT on our CCR2216 BNG. Users are connecting using DHCP and currently getting public IP addresses. I changed them to CGNAT addresses and they have no internet while L3 HW Offloading is enabled, but when L3 HW Offloading is disabled they have internet but CPU usage spikes to 80%.
This is the configuration I have:
I have these firewall rules:
/ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; FastTrack for CGNAT users
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="FastTrack"
/ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; CGNAT for FTTH Users
chain=srcnat action=src-nat to-addresses=196.61.x.0/24 src-address-list=cgnat-ftth out-interface=qsfp28-1-1
(address list cgnat-ftth contains prefix 100.64.0.0/16)
can you please provide an export of your configuration? Remove passwords and exploitable parameters.
Please also provide ROS version + current version of RouterBOARD firmware.
If I understood the configuration correctly, as I wrote, L3HW offloading is not disabled on the ports.
/interface/ethernet/switch/port set "interface-name" l3-hw-offloading=no
I don’t know if L4HW offloading will work with the bonding interface, I haven’t tested that.
At the very least you will need to execute this command:
/interface/ethernet/switch/port set qsfp28-2-1 l3-hw-offloading=no
and then also on all uplink interfaces, or rather on all interfaces where you want to do L4HW offloading on the ASIC chip and not on the CPU (you can easily do it on all of them). If I remember correctly L4HW offloading has minor issues with PPPoE, but not sure about that, but I have read about it in some threads.
Hi
Just to confirm:
Should I disable HW offloading on qsfp28-2-1 (which is the FNO link attached to VLAN 3335), or should I remove qsfp28-1-1, which is the uplink port to WAN?
As a test I removed qsfp28-1-1 from HW offloading and DHCP CGNAT worked for a user I was testing with.
Second question, if you don't mind. I need to gradually move users from public IPs to CGNAT. How can I send the other traffic to FastTrack for HW offload (e.g. 160.119.x.0/22)? Is there a firewall filter rule I can create to get the public IPs to be HW offloaded while qsfp28-1-1 is disabled for HW offload?
The connection tracking table doesn’t depend solely on number of “CGNAT users” but also on activity of those users (total connection tracking table length is sum of all connections of all users).
And yes, the HW table is typically pretty short when it comes to a large number of "local" addresses … which means that some portion (a large portion in the worst case) of traffic will be routed using the CPU. The description of L3HW does explain this to a certain extent: connected subnets (the ones where the router has its own IP address with a more or less long subnet mask) will cause lots of HW table entries, one per connected active IP address. Because the HW table is typically similar to the ARP table (containing IP address with mask and next-hop MAC address) … for routed destinations it will be a single line (with the MAC address of the next hop), but for connected destinations it'll be one line per connected host (each IP address is paired with a different MAC address). Comment 1 to the table of HW capabilities is talking about a "higher netmask" being preferred by hardware, which seems a bit illogical to me since it prefers HW offloading of routing between individual hosts instead of routing between subnets …
But anyway: this message is supposed to be a warning, not an error … and it warns you that not all traffic can be HW offloaded. The switch chip (doing HW fasttrack) in the CCR2216 is pretty beefy but still supports only 4.5k fasttrack and 4k NAT connections (that's around 20 per each of your 200 CGNAT users), so you won't be able to get around it … other than by using many more CGNAT routers ("concentrators"), each serving up to, say, 100 users or some such (my simple home router, serving a single BitTorrent server, is showing around 760 active connections, and I don't consider my home setup to be excessive when it comes to activity).
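The fragment below pulls the pieces discussed in this thread (the posted srcnat and fasttrack rules, the per-port l3-hw-offloading setting from the first reply, and the staged move of subscribers from public IPs to CGNAT asked about in the follow-up) into one configuration. It is an added example by the editor, not an export from any poster. The second address list "public-ftth" is an assumption introduced here; the interface names are the thread's; the 196.61.x.0/24 and 160.119.x.0/22 values are the thread's placeholders and must be replaced before use; and the per-port l3-hw-offloading=no step follows the advice given in the reply above rather than anything verified here.

```routeros
# Added example (editor), not any poster's export. The "public-ftth" list is an
# assumption; the "x" addresses are placeholders copied from the thread.

# 1. Address lists drive the migration: a subscriber prefix is moved by removing
#    it from public-ftth and adding it to cgnat-ftth; no rule below needs editing.
/ip/firewall/address-list
add list=cgnat-ftth address=100.64.0.0/16 comment="CGNAT pool (from thread)"
add list=public-ftth address=160.119.x.0/22 comment="still on public IPs (placeholder)"

# 2. Source NAT only for subscribers in the CGNAT list, as in the posted rule.
/ip/firewall/nat
add chain=srcnat action=src-nat src-address-list=cgnat-ftth \
    out-interface=qsfp28-1-1 to-addresses=196.61.x.0/24 comment="CGNAT for FTTH Users"

# 3. One fasttrack rule covers both lists: it matches on connection state, not on
#    source address, so public-IP and CGNAT subscribers are both candidates.
#    The accept rule after it is the usual companion for the first packets of a flow.
/ip/firewall/filter
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related comment="FastTrack for CGNAT users"
add chain=forward action=accept connection-state=established,related

# 4. Per-port L3HW setting as advised in the reply above (assumption: the reply's
#    advice, not verified here). Only the port is changed, not the switch-level setting.
/interface/ethernet/switch/port
set [find name=qsfp28-1-1] l3-hw-offloading=no

# 5. Checks: the dynamic passthrough rule's counters show how much forward traffic
#    is being fasttracked; the port view confirms the per-port setting took effect.
/ip/firewall/filter/print stats where chain=forward
/interface/ethernet/switch/port/print where name=qsfp28-1-1
```

Because the fasttrack rule keys on connection state rather than on the address lists, moving a prefix between the two lists changes only whether it is source-NATed; whether a given flow is then handled by the switch chip or the CPU is governed by the port setting in step 4 and by the HW table limits described in the last reply, not by the filter rule.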