Configure NAT on CCR2216 and take advantage of L3 Hardware Offloading

Hi

I have a question:

What is the ideal way to configure NAT on a CCR2216 to take advantage of L3 Hardware Offloading?

A typical setup is:

/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 action=src-nat to-addresses=1.1.1.1 out-interface=WAN


In the CCR2216 I configured it the same. Please help me with the best configuration to take advantage of L3 Hardware Offloading.

https://help.mikrotik.com/docs/display/ROS/NAT

L3HW support document states that NAT (for IPv4) can get offloaded to HW only if NAT connections can be fasttracked … Meaning that you have to make sure that NAT connections are eligible to fasttrack, the rest should happen automatically. So your NAT rule seems fine, but firewall filter section has to accompany it with matching action=fast-track rule.

Hi

I found this about configuring NAT using hw-offload:

Offloading Fasttrack Connections
Firewall filter rules have hw-offload option for Fasttrack, allowing fine-tuning connection offloading. Since the hardware memory for Fasttrack connections is very limited, we can choose what type of connections to offload and, therefore, benefit from near-the-wire-speed traffic. The next example offloads only TCP connections while UDP packets are routed via the CPU and do not occupy HW memory:

/ip/firewall/filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related


This is the configuration that would apply in the CCR2216, please tell me if something else is missing

It seems fine. As I don’t have CRS2216, I can’t test if the above indeed does the trick.

I have a CCR2116 here with 7.14.3 and whenever I use action=src-nat or netmap, traffic comes to a halt… It worked fine with masquerade only. I’m wondering what I’m doing wrong or if it’s normal? Disabling L3HW and everything works fine with action=src-nat and netmap.

To do HW accelerated NAT you must configure Fasttrack HW Offloading. This is similar to plain L3 Hardware Offloading but has some differences.

Sorry for the resurrection.
I have solved it by adding a SWITCH RULE where I set the class (for example) 192.168.0.0/24 (that needs to be NATted) to “redirect to CPU”.
It works flawlessly. It is NATted correctly and with the above rule (fasttrack hardware=yes) it is hardware offloaded correctly.

Without the rule “redirect to cpu” the traffic was immediately routed, not natted and stopped as it was not natted and it could go out to the internet.
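
An added example, not from any poster in this thread or from MikroTik: a small Python check that reads an exported configuration and reports whether the NAT rules are accompanied by the Fasttrack rules discussed above, and which protocols the first matching Fasttrack rule sends to hardware. The function names are hypothetical, the sample is constructed from the rules quoted in the thread, and two assumptions are made: a missing hw-offload key counts as not offloaded, and the first matching Fasttrack rule decides.

```python
import re, shlex

# Constructed sample: the rules quoted in this thread, laid out like an export.
SAMPLE = """\
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/24 action=src-nat to-addresses=1.1.1.1 out-interface=WAN
/ip/firewall/filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
"""

def parse(export):
    """Map each menu path to the list of key=value dicts from its 'add' lines."""
    menus, menu = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", export).splitlines():  # join continuations
        line = line.strip()
        if line.startswith("/"):
            menu = " ".join(line.strip("/").replace("/", " ").split())
        elif line.startswith("add ") and menu:
            rule = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            if rule.get("disabled") != "yes":
                menus.setdefault(menu, []).append(rule)
    return menus

def hw_offloaded(export, protocol):
    """True if the first fasttrack rule matching `protocol` has hw-offload=yes.
    Assumption: an absent hw-offload key is treated as 'not offloaded'."""
    for r in parse(export).get("ip firewall filter", []):
        if (r.get("chain") == "forward" and r.get("action") == "fasttrack-connection"
                and r.get("protocol", protocol) == protocol):
            return r.get("hw-offload") == "yes"
    return False

def audit(export):
    """Return findings that keep NAT connections off the Fasttrack/HW path."""
    cfg = parse(export)
    fwd = [r for r in cfg.get("ip firewall filter", []) if r.get("chain") == "forward"]
    ft = [i for i, r in enumerate(fwd) if r.get("action") == "fasttrack-connection"]
    out = []
    if cfg.get("ip firewall nat") and not ft:
        out.append("NAT rules present but no fasttrack-connection rule in forward")
    elif ft and not any(fwd[i].get("hw-offload") == "yes" for i in ft):
        out.append("fasttrack rules present but none sets hw-offload=yes")
    if ft and not any(r.get("action") == "accept" and "established" in r.get("connection-state", "")
                      for r in fwd[ft[-1] + 1:]):
        out.append("no accept established,related rule after the fasttrack rules")
    return out
```

The check only covers the firewall side; it does not look at switch rules such as the redirect-to-CPU workaround described in the last post.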