Hi all,
I’m looking into the L3HW and FW offload features on this switch and it does seem to be working for a while and then stops routing traffic on the WAN link.
The set up is quite basic. A PC connected to P21, which is L2 to a Firewall on P23, the firewall routes the packet back in a different VLAN on P23 and then it is routed to the Internet via SRC-NAT on P24.
Local LAN traffic seems to be unaffected, and it is quite possible that I’ve done something wrong in the config.
Any ideas please?
PC (P21) → trunked to FW on Vl100 (P23) → FW allows it and routes to CRS326 Vl99 (P23) → CRS326 source NAT’s and routes via the gateway address.
I know it looks messy … I’m trying to prove the performance whilst also supporting another project as being solely L2.
/interface bridge
add admin-mac=18:FD:74:4A:0A:12 auto-mac=no comment=defconf name=bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus23 ] name="To Fortinet"
set [ find default-name=sfp-sfpplus21 ] name="Tools PC"
set [ find default-name=sfp-sfpplus24 ] name=WAN
/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99
add interface=bridge1 name=vlan100 vlan-id=100
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 24 l3-hw-offloading=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge1 comment="Switch to Firewall Trunks" interface="To Fortinet"
add bridge=bridge1 comment="OAM Connectivity" ingress-filtering=no interface="Tools PC" \
pvid=100
add bridge=bridge1 interface=WAN
add bridge=bridge1 interface=vlan99 pvid=99
/interface bridge vlan
add bridge=bridge1 tagged="To Fortinet" untagged="Tools PC" vlan-ids=100
add bridge=bridge1 tagged="To Fortinet,bridge1" vlan-ids=99
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.99.1/30 interface=vlan99 network=192.168.99.0
add address=192.168.1.1/24 interface=WAN network=192.168.1.0
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=src-nat chain=srcnat log=yes log-prefix=!SRC-NAT to-addresses=192.168.1.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-table=main \
suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=192.168.100.0/24 gateway=\
192.168.99.2 pref-src="" routing-table=main suppress-hw-offload=no
/system clock
set time-zone-name=Europe/London
/system routerboard settings
set boot-os=router-os