Just wondering if I can use bridge filtering functionality (or IP firewall filtering on the bridge) without disabling HW offload on the LAN interface.
Scenario:
Mangle rules created to mark packets between 2 LAN devices connected to eth2 and eth4
Bridge is configured to use IP firewall rules
Simple queue created to manage traffic marked as per mangle rule
With this scenario, there is no traffic flow between interfaces.
With the above scenario, when port4 is configured with HW offload disabled, the traffic flow starts to show in the mangle rules and in the queue.
The consequences of HW offload being disabled on one port:
a. the traffic throughput decreases by about 3 times, including on the interfaces that should not be affected. So instead of 1Gb speeds, I get 300-350 Mbps on average between other bridged LAN devices.
b. CPU usage spikes and holds at 100%
At the moment I'm using a hAP AC as my main router. Wifi is disabled as I'm using another WiFi 6 solution, so the Mikrotik acts as a pure router.
I also have a hAP AC2 and a wAP AC which I haven't tried in this scenario.
So the question is if I can have bridge filtering working somehow without a tremendous decrease in router performance (HW offload stays enabled).
The hAP AC has QCA8337 switch chip. The Switch Chip Features section of the documentation describes the capabilities of the QCA8337 switch chip too.
Mind the warning:
Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and RTL8367, 88E6393X, 88E6191X, MT7621 and MT7531 switch chips (since RouterOS v7) are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the Basic VLAN switching guide. If an improper configuration method is used, your device can cause throughput issues in your network.
Also heed the following there:
On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.
and
By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.
To use bridge filtering you have to disable hardware offload. When offloading is active the packets are processed within the switch, so they are never seen by the CPU.
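A RouterOS CLI walkthrough of the test described in the thread, added here as an illustration; it is not the poster's configuration or anything from MikroTik's documentation. Port names ether2/ether4, the packet-mark name lan-lan and the queue limit are assumed values.

```routeros
# Added example (not from the thread). Reproduces the mangle + simple queue
# setup on a bridge and shows how to check which ports still have hardware
# offload. Interface names, mark name and limits are assumed.

# 1. Let bridged traffic pass through the IP firewall; without this, mangle
#    rules never see LAN-to-LAN packets even when they reach the CPU.
/interface bridge settings set use-ip-firewall=yes

# 2. Mark packets between the two LAN ports in both directions. These matchers
#    only fire for packets that actually reach the CPU.
/ip firewall mangle
add chain=forward in-bridge-port=ether2 out-bridge-port=ether4 \
    action=mark-packet new-packet-mark=lan-lan passthrough=no comment="ether2->ether4"
add chain=forward in-bridge-port=ether4 out-bridge-port=ether2 \
    action=mark-packet new-packet-mark=lan-lan passthrough=no comment="ether4->ether2"

# 3. Simple queue acting on the mark (limit is an arbitrary assumed value).
/queue simple add name=lan-lan packet-marks=lan-lan max-limit=100M/100M

# 4. Check the offload state. A port with the H flag is switched in hardware:
#    its traffic bypasses the CPU, so the mangle counters and the queue stay at zero.
/interface bridge port print

# 5. Disabling offload on one port forces that port's traffic through the CPU.
#    The counters start moving, at the throughput and CPU cost described above.
/interface bridge port set [find interface=ether4] hw=no

# Revert once the test is done so the port is switched in hardware again.
/interface bridge port set [find interface=ether4] hw=yes
```

Use step 4 before and after step 5: the H flag disappearing from ether4 while the mangle counters begin to increment is the direct confirmation that the packets were previously handled entirely inside the switch chip.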