hardware routing and firewall

Before I go deploy this NP16 w/ RC1, wanted to double check something. This switch chip supports hardware routing but does NOT support fast-track or NAT in hardware. (per https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-CRS300:SwitchDX3000andDX2000Series)

So, if I do a firewall on “INPUT”, I just want to verify that this won’t touch anything being forwarded at all. I have zero “FORWARD” rules, and I’m assuming (and wanting to verify) that since I don’t pull forwarded packets into the CPU, they will remain in the hardware path.

Is my assumption good?

The firewall affects only the packets processed by the CPU.

If the forwarding/routing is performed by the hardware, packets do not enter the CPU at all, and therefore do not trigger the firewall (even if you have FORWARD rules).

In addition, you can fine-tune L3 HW offloading by disabling HW routing for specific routes (suppress-hw-offload=yes at /ip/route/) or ports (l3-hw-offloading=no at /in/eth/sw/port/). For example, you have IoT devices connected to some ports. Those IoT devices do not produce much traffic and, therefore, do not benefit from hardware routing. And you want to limit their network access via the firewall. So you disable l3-hw-offloading on those ports, making packets from/to those ports go through CPU/Firewall while keeping hardware routing on other ports.
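The per-port and per-route selection described above, as an added RouterOS v7 configuration example (not part of the original post). Assumes a CRS3xx with L3 HW offloading already enabled on the switch chip, IoT devices on ether7 and ether8, a management subnet 192.168.88.0/24 and an upstream gateway 10.0.0.1; all names and addresses are placeholders.

```routeros
# Added example, not from the forum post. Interface names, subnets and the
# gateway address below are assumptions; replace them with your own.

# 1. Take only the IoT-facing ports out of the hardware routing path.
#    Packets entering or leaving these ports now go through the CPU, so the
#    firewall sees them; every other port keeps hardware routing.
/interface/ethernet/switch/port
set [find name=ether7] l3-hw-offloading=no
set [find name=ether8] l3-hw-offloading=no

# 2. Group the CPU-routed ports so the rules do not need per-port copies.
/interface/list
add name=iot
/interface/list/member
add list=iot interface=ether7
add list=iot interface=ether8

# 3. FORWARD rules only ever match CPU-routed traffic. These restrict what
#    the IoT ports may reach while hardware-routed ports remain untouched.
/ip/firewall/filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to flows the IoT devices were allowed to open"
add chain=forward in-interface-list=iot dst-address=192.168.88.0/24 \
    action=drop comment="IoT may not reach the management subnet"
add chain=forward out-interface-list=iot connection-state=new \
    action=drop comment="nothing may open new connections into IoT"

# 4. Alternative knob from the reply: force one destination through the CPU
#    (and thus the firewall) for every port, regardless of the port setting.
/ip/route
add dst-address=10.0.99.0/24 gateway=10.0.0.1 suppress-hw-offload=yes \
    comment="inspected in software on every port"

# 5. Checks: the port list shows which ports still offload, the route list
#    flags hardware-offloaded routes (H), and rule counters should increase
#    only for traffic on the CPU path.
/interface/ethernet/switch/port/print
/ip/route/print
/ip/firewall/filter/print stats
```

If a counter on a FORWARD rule stays at zero while IoT traffic is clearly flowing, the matching port is most likely still hardware-offloaded.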