Firewall rules with L3 HW offload

Hello,

I have two CRS317-1G-16S+ and I’ve got them connected via L3 links (on each interface I’ve got an IP address). I’m routing the traffic from one side to the other with L3 HW Offload but I ran into an issue when trying to set firewall rules: forward rules seem to be ignored. If I disable L3 HW Offload, the firewall rules are taken into account. Anyone got any idea why?

Thank you!

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading


Feature: IPv4 Firewall
Support: FW
Comments: Users must choose either HW-accelerated routing or firewall. Firewall rules get processed by the CPU. Fasttrack connections get offloaded to HW.
Release: 7.1

Feature: IPv4 NAT
Support: FW
Comments: NAT rules applied to the offloaded Fasttrack connections get processed by HW too.
Release: 7.1

So unfortunately you will have to choose if you want firewalling OR L3HW offloading - you can't have both with Mikrotik.

There are, however, switch filter rules I think you can apply, but they are limited to max 128 rules or so.

But you can do both. You just have to make sure fasttrack is active and in use. And don’t forget that fasttrack isn’t available for IPv6.

I’m only using IPv4. What am I missing then? Fasttrack is configured but no packets seem to hit that rule.

Oh, I think I get it. I’d have to actually disable L3 HW offloading and use IP firewall rules in order to Fasttrack, which in turn will use HW offloading? Did I get that right? Also, since some stuff is done in the CPU, is it worth it? Will it be slower/faster than simple L3 HW offload - I know I’m getting the ability to filter via the firewall, I’m just referring to performance right now.

I'm not 100% into Mikrotik lingo yet, but when speaking about fastpath/fasttrack and firewall (iptables/nftables), that's more about not having to evaluate as many rules as you normally need to.

For example, having allow established/related as the first rule is a "fastpath" setting - but the packets will still route through your mgmt CPU, which depending on device will be a bit under 1Gbps in performance, compared to L3HW offloading which can do Tbps in forwarding.

With a proper firewall filter setup, the vast majority of packets will be fasttracked. Only packets not belonging to established connections will hit other firewall rules (so mostly new, some invalid). There's a bit of a mystery about how exactly fasttrack works; my feeling (based on a few loose remarks by MT staffers) is that when everything is done in software, the connection tracking machinery is run for every packet, but subsequent processing is either bypassed (e.g. filter rules) or simplified (e.g. NAT) for fasttracked packets. This allows increasing the firewalling capacity of a device by a factor of around 3-5. When fasttracked traffic gets offloaded to HW, the connection tracking machinery is bypassed as well, so none of the processing of those packets is actually done by the CPU (but perhaps a slightly smaller share of packets gets fasttracked, because the resulting switch rules have to be very precise not to pass wrong packets via fasttrack).

So, if we return to the beginning of this post: with a properly configured firewall, the vast majority of packets will be handled entirely by the switch chip and thus at wire speed. Only a minority of packets will be handled by the (slow) CPU. The only thing to keep in mind are the limits of offload capacity (number of connections, or number of destination subnets in the case of HW offloaded routing); if the limits are reached, then part of the traffic gets handled by the CPU.
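As an added illustration of the "fasttrack first, then filter" layout described above (this is example configuration, not from the thread or from MikroTik docs): the two routed ports are assumed to be sfp-sfpplus1 and sfp-sfpplus2, the allowed new traffic is assumed to be HTTPS from side A to side B, and the hw-offload=yes parameter on the fasttrack rule is stated from my knowledge of RouterOS 7, so verify it exists on your release.

```routeros
# 1. L3 HW offloading on the switch chip and on the routed ports only
#    (assumption: sfp-sfpplus1 / sfp-sfpplus2 are the L3 links)
/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find where name~"^sfp-sfpplus[12]$"] l3-hw-offloading=yes

# 2. Forward chain. Order matters: the fasttrack rule must be hit first so
#    established/related packets never reach the rules below it; with
#    hw-offload=yes those connections become candidates for the switch chip.
/ip/firewall/filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="fasttrack established/related (HW candidate)"
add chain=forward action=accept connection-state=established,related \
    comment="accept what is not (yet) fasttracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# 3. Only new connections get this far, so this is where policy lives.
#    (assumption: A->B HTTPS is the only permitted new traffic)
add chain=forward action=accept connection-state=new \
    in-interface=sfp-sfpplus1 out-interface=sfp-sfpplus2 \
    protocol=tcp dst-port=443 comment="allow new HTTPS A->B"
add chain=forward action=drop comment="default drop (CPU sees only new/invalid)"

# 4. Checks: packet counters on the filter rules show whether the fasttrack
#    rule is actually the one being hit; the connection list shows which
#    flows are fasttracked; the switch entry confirms offloading is on.
/ip/firewall/filter print stats
/ip/firewall/connection print
/interface/ethernet/switch print
```

If the fasttrack rule's counters stay at zero while the accept rule below it climbs, the connections are being tracked but not fasttracked, which is the symptom described earlier in the thread.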

CRS317-1G-16S+ supports 1024 switch ACL rules.

The number of ACL rules varies by model.

https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features