You helped me a few years back during a device selection and design process. Well, priorities quickly changed three years back and the planned solution was never implemented.
Now, things have changed again and I am wondering if my CRS326-24G-2S+RM (still unused in the package) would be powerful enough to serve as a L3 switch with an uplink to a provider router (ISP bandwidth is between 300 and 1000 Mbit; not yet determined).
It would also need to serve
3 x WAP ac with approx. 8 clients
3 x PCs (simultaneously used)
2 x NAS
1 x Printer
There would be 3 x VLANs (LAN, Guest WiFi, Office) on the switch. Mainly no inter-VLAN communication intended, although the L3 switch would be set up to route in between the VLANs if required.
It’s a good switch, why not? You can turn on hardware offloading for inter-VLAN routing, but put a router in front, like an RB5009, as a start to handle your upstream traffic going to the internet.
Well, you can’t have your cake and eat it too. There’s no hardware-accelerated NAT on the 326 compared to the 317; your 326 is a switch with limited routing capability. Rule of thumb in the MT world: if it’s a router, don’t make it a switch; if it’s a switch, don’t make it a router.
No, it can’t. Basically the ISP router is a simple Fritzbox (FB).
The thought was to have the CRS326 connected to the FB and have the inter-VLAN routing and the routing in direction to the internet done by the CRS326. Firewalling is not a question for the CRS326 since the FB will do that for me. NATting is also not a requirement for the CRS326.
If you have a FB as a gateway firewall router, you may be able to use the CRS326 without any additional routers.
You will need to add static routes in the FB so it knows that you have additional IP address ranges inside your LAN.
And it should then NAT traffic from these additional IP ranges ok.
I am not sure if you can do port forwards from the FB to these additional IP address ranges inbound.
That exactly was the plan. The proof-of-concept configuration as outlined below is working accordingly. I can’t give any statements yet about throughput to the FB or between the various vlans. This will take me a couple of days since I need to get the required test machines.
I shall be most grateful if the forum gurus could have a quick look at the configuration and let me know if I missed something important. Notes:
ether23 is the temp uplink to the Fritzbox and will be replaced with one of the SFP+ interfaces
ether24 is the last resort access to the switch and will be removed at a later stage
ether7,8,9 will be used as trunk ports to the 3 x WAP ac’s; not yet connected
Issues:
if I put the access ports ether1-6 as “untagged” under Bridge → Vlans like this: /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 untagged=ether1 vlan-ids=10
then DHCP stops working and no IP addresses are handed out to the clients. Not sure why this is…
I need to figure out a way to restrict access to the switch from the mgmt vlan only without losing the L3HW offloading functionality.
Working L3 switch config:
[admin@MikroTik] > export terse
# 2025-04-02 09:22:13 by RouterOS 7.18.2
# software id = QM25-I49S
#
# model = CRS326-24G-2S+
# serial number = xxxxxxxxxxxx
/interface bridge add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet set [ find default-name=ether10 ] disabled=yes
/interface ethernet set [ find default-name=ether11 ] disabled=yes
/interface ethernet set [ find default-name=ether12 ] disabled=yes
/interface ethernet set [ find default-name=ether13 ] disabled=yes
/interface ethernet set [ find default-name=ether14 ] disabled=yes
/interface ethernet set [ find default-name=ether15 ] disabled=yes
/interface ethernet set [ find default-name=ether16 ] disabled=yes
/interface ethernet set [ find default-name=ether17 ] disabled=yes
/interface ethernet set [ find default-name=ether18 ] disabled=yes
/interface ethernet set [ find default-name=ether19 ] disabled=yes
/interface ethernet set [ find default-name=ether20 ] disabled=yes
/interface ethernet set [ find default-name=ether21 ] disabled=yes
/interface ethernet set [ find default-name=ether22 ] disabled=yes
/interface vlan add comment=internal interface=bridge1 name=vlan10 vlan-id=10
/interface vlan add comment=guest-wifi interface=bridge1 name=vlan20 vlan-id=20
/interface vlan add comment=work interface=bridge1 name=vlan30 vlan-id=30
/interface vlan add comment=mgmt interface=bridge1 name=vlan99 vlan-id=99
/interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool add name=dhcp_pool10 ranges=192.168.10.11-192.168.10.99
/ip pool add name=dhcp_pool20 ranges=192.168.20.11-192.168.20.99
/ip pool add name=dhcp_pool30 ranges=192.168.30.11-192.168.30.20
/ip dhcp-server add address-pool=dhcp_pool10 interface=vlan10 name=dhcp10
/ip dhcp-server add address-pool=dhcp_pool20 interface=vlan20 name=dhcp20
/ip dhcp-server add address-pool=dhcp_pool30 interface=vlan30 name=dhcp30
/port set 0 name=serial0
/interface bridge port add bridge=bridge1 interface=ether1 pvid=10
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10
/interface bridge port add bridge=bridge1 interface=ether5 pvid=10
/interface bridge port add bridge=bridge1 interface=ether6 pvid=10
/interface bridge port add bridge=bridge1 interface=ether7
/interface bridge port add bridge=bridge1 interface=ether8
/interface bridge port add bridge=bridge1 interface=ether9
/interface bridge port add bridge=bridge1 interface=ether4 pvid=30
/interface bridge port add bridge=bridge1 interface=ether23
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=20
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=30
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=99
/interface ethernet switch set 0 l3-hw-offloading=yes
/ip address add address=192.168.88.1/24 interface=ether24 network=192.168.88.0
/ip address add address=192.168.1.2/24 interface=ether23 network=192.168.1.0
/ip address add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
/ip address add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns set servers=192.168.1.1
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no
/system clock set time-zone-name=Europe/Berlin
/system note set show-at-login=no
[admin@MikroTik] >
Credits:
Configuration is based on some tutorials dedicated to CRS3XX by Wilmer Almazan (https://www.youtube.com/@TheNetworkTrip) dealing with L3HW offloading
I think in very recent versions, a pvid=10 sets the untagged vlan to 10, and you don’t need or want anything else.
You can’t add an ip address to ether23 when it is part of the bridge.
(In this case with no other vlan membership you would add the address to the bridge)
All ports with the default vlan (vlan 1), e.g. ether23,7,8,9, will all be on the same vlan and allow untagged traffic in and out. (This may or may not be what you want.) There are the frame-types=admit-only-vlan-tagged and frame-types=admit-only-untagged-and-priority-tagged options.
If you want eth23 sort of isolated you can remove ether23 from the bridge, and it should still be hardware offloaded.
(You can’t then put vlans on ether23 and have them hardware offloaded)
Alternatively you could create another vlan and make ether23 an untagged member of that vlan, and assign addresses to the vlan.
The FB is unlikely to know (or care) that ether23 is on another VLAN.
Traffic for managing the Switch will hit the CPU, and you should be able to use a normal router firewall input rule set to block and allow them.
You could maybe use switch rules for basic hardware prefiltering if you think someone is going to hit it very hard.
I think you can use a single
/interface bridge vlan add bridge=bridge1 tagged=bridge1,ether7,ether8,ether9 vlan-ids=10,20,30,99
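As an added example (not part of the thread or the OP’s export), this is one way to write the “normal router firewall input rule set” suggested above so that management of the switch itself is reachable from vlan99 only, while the DHCP servers on vlan10/20/30 (which run on the CPU) keep working. Interface names follow the posted export; the interface list name MGMT is an assumption. Input-chain rules only act on packets addressed to the switch’s own IPs, so they do not touch the hardware-offloaded inter-VLAN and uplink forwarding.

```routeros
# Management sources: only the mgmt VLAN (vlan99 from the posted config).
/interface list add name=MGMT comment="assumed list name: hosts allowed to manage the switch"
/interface list member add list=MGMT interface=vlan99

/ip firewall filter
# Replies to connections the switch itself opened (DNS lookups, NTP, updates).
add chain=input action=accept connection-state=established,related,untracked comment="return traffic to the switch CPU"
add chain=input action=drop connection-state=invalid comment="drop broken state"
# DHCP runs on the CPU, so client requests from every VLAN must reach the input chain.
add chain=input action=accept protocol=udp dst-port=67 comment="DHCP requests from vlan10/20/30"
# Ping to the VLAN gateway addresses is useful for troubleshooting from any VLAN.
add chain=input action=accept protocol=icmp comment="ping"
# Winbox/SSH/WebFig/API only from the mgmt VLAN.
add chain=input action=accept in-interface-list=MGMT comment="management from mgmt VLAN only"
# Keep the last-resort port from the OP's notes reachable until it is removed.
add chain=input action=accept in-interface=ether24 comment="last-resort access port (remove together with ether24)"
# Everything else aimed at the switch itself, including from the FB uplink, is dropped.
add chain=input action=drop comment="drop all other traffic to the switch"
```

Apply it from a session on vlan99 or ether24 (or in Safe Mode) so a typo in the list membership cannot lock you out.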
You can’t add an ip address to ether23 when it is part of the bridge.
(In this case with no other vlan membership you would add the address to the bridge)
ether23 removed from the bridge. I’ll test the different behaviour when I am doing the speed/throughput test.
All ports with the default vlan (vlan 1), e.g. ether23,7,8,9, will all be on the same vlan and allow untagged traffic in and out. (This may or may not be what you want.) There are the frame-types=admit-only-vlan-tagged and frame-types=admit-only-untagged-and-priority-tagged options.
All ports updated, which also fixed my DHCP issue.