While I believe other devices will obviously eventually get basic L3 hardware offload (which is not all that interesting and unique since there's plenty of L3 switches out there) - most of them feature super weak sauce MIPS CPUs. However, a few switches (in particular the CRS317 and CRS309 with dual-core ARMs, and a few others with single-core ones) feature beefier CPUs which I believe will perform quite well with L3 offload in FW mode and fasttrack enabled, making them wire-speed stateful firewalls. Which is kinda insane if you think about it.
I mean I don't think I've ever seen such a thing in the wild. Performance of this monstrosity is yet to be benchmarked, but I believe it really does have potential to become something like a 160 Gbps stateful L4 firewall. Which is incredibly impressive like holy crap…
I wouldn't be so critical regarding ARM vs. MIPS CPU in terms of packet processing. Comparing CPUs relative to HW (ASIC) performance is similar to comparing a 10,000 RPM HDD vs. a 7,500 RPM HDD relative to an SSD. Yes, the 10K RPM HDD is faster. However, the benefit is negligible in comparison with the SSD. Same here. The ARM CPU on the CRS317 or CRS309 is faster than the MIPS CPU on the CRS312 or CRS326q. But it is not even remotely as fast as HW in terms of packet processing.
Nonetheless, you are right that the CRS317 or CRS309 is a better choice (than the CRS312/326) for a hardware-accelerated stateful firewall, but for a different reason: the CRS317 and CRS309 have twice as much hardware memory. The CRS317/CRS309 can offload up to 4.5K connections to the hardware (4K in the case of NAT) while the CRS312/CRS326q - only 2.25K. Add here the ability to move connections back and forth between CPU and HW based on the actual data rate, and the CRS317 can keep up with up to 10K L4 connections where the CRS312 would give up at 4K.
I agree that HW-accelerated security devices at a low price point are a huge gap in the market. One feature that would really push the adoption of this is a stateful failover feature between two CRS switches, so that it doesn't have to be a customized script + VRRP.
RouterOS v7 supports connection tracking syncing between two Mikrotik routers (or CRS switches). Here is more info: VRRP sync-connection-tracking setup
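The VRRP connection-tracking sync mentioned above, as an added configuration example that is not from the original post or from MikroTik's documentation. It assumes two RouterOS v7 devices sharing a LAN on ether2, VRID 10, and addresses from the 192.0.2.0/24 documentation range; the sync-connection-tracking parameter is the one the post refers to, everything else (names, VRID, priorities, addresses) is illustrative.

```routeros
# Added example (not from the original post): a two-router VRRP pair with
# connection-tracking sync. Interface names, VRID, priorities and the
# 192.0.2.0/24 addresses are assumed for illustration only.

# --- Router A (preferred master: higher priority) ---
/ip/address
add address=192.0.2.2/24 interface=ether2 comment="A: physical LAN address"
/interface/vrrp
add name=vrrp-lan interface=ether2 vrid=10 priority=200 \
    sync-connection-tracking=yes
/ip/address
add address=192.0.2.1/32 interface=vrrp-lan comment="shared gateway VIP"

# --- Router B (backup: same VRID and VIP, lower priority) ---
/ip/address
add address=192.0.2.3/24 interface=ether2 comment="B: physical LAN address"
/interface/vrrp
add name=vrrp-lan interface=ether2 vrid=10 priority=100 \
    sync-connection-tracking=yes
/ip/address
add address=192.0.2.1/32 interface=vrrp-lan comment="shared gateway VIP"

# Check: while A is master and carrying traffic, the same tracked flows
# should be listed on B, so a failover does not reset established sessions.
/ip/firewall/connection/print
```

Both routers need matching firewall and NAT rules; the sync only replicates the conntrack table, not the rule set, so a flow that is synced to a backup with different rules will still be mishandled after failover.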
Hello
Should that be linked with the issue of single TCP connection speed?
Also, on the 1072 and 1036 in plain fasttrack with no filter rule, a single download reaches about 200 Mbps,
while with combined connections I can go over 1.5 gig…
Hi,
No, sorry, I don't agree. It's important to have HW offloading on routers as well. Even some cheap TP-Links have HW offloading for NAT & routing. Big routers from well-known vendors upwards of $50k are also doing the forwarding, queuing, ACLs, etc. in hardware. That saves resources and energy. So using the switch chip's functionality for as much offloading as possible is a very good idea even on smaller routers.
To my knowledge, making that happen = writing code for offloading is a very hard task, so that will probably not happen overnight.
Actually, I have bought an Archer C7 which has NAT and forwarding offloading, for 45 EUR. So the price is not everything here.
What I wanted to say: regardless of price range and device type (switch vs. router), HW offloading is an important and exciting feature.
It makes small form factor and low power consumption combined with high performance possible.
Those would make an even stronger argument for purchasing a Mikrotik.
I think Mikrotik devices are already great, but more HW offloading makes them even significantly better.
So you're saying that the Archer C7 can do wire-speed routing between any of its gigabit interfaces? Well, it can't, it only routes between the WAN port and the LAN port group (which includes wireless interfaces). If it can do that at wire speed, it doesn't mean it is actually offloading routing and NAT to hardware; it can do it using the CPU. And guess what? The hAP ac3 can do it as well (wire-speed routing between the WAN port and the LAN port group). The difference is that with the hAP ac3 you can actually use all interfaces (5x RJ45 and 2x wireless) independently and route between them. Only in this case will the CPU prove too weak to perform routing between all interfaces simultaneously at wire speed.
To the actual question by @capy2008: the switch chip used in the hAP ac3 is a basic one which doesn't offer any L3 functionality. So it's not possible to HW-offload those tasks. The cheapest Mikrotik device with potential for L3 HW offload is the RB5009; its switch chip supports some L3 functionality (much less than those in CRS3xx devices). MT did not (yet) commit to implementing it though.
[edit] Found this page … if the information is correct, then the Archer C7 features the AR8327 switch chip (same as used in the venerable RB951G) for driving the ethernet ports. It seems to be statically configured so that one switch chip ↔ CPU interconnect is used for WAN traffic and the other interconnect for LAN traffic. Anyway, the AR8327 can definitely not do any kind of L3 functions.
No, I did not say anything about the performance of a C7. To be honest I could not have cared less, as I have only used that as an AP, bridged and with OpenWrt installed. (HW NAT support was not even available for this device in the open source modules; it worked only with the stock firmware.)
Still, HW NAT and netfilter flow offloading is available for a few chipsets used in home routers, but this is a Mikrotik forum.
Yes, I know the hAP ac3 is performing nicely, I installed one 2 days ago. I happen to have a CRS309 and will hopefully receive a new RB5009 this week. So my point is exactly: HW offload is something very interesting for me and probably for a bunch of other users as well. It doesn't matter if that's just HW support for bridge VLAN filtering or even offloading for L4 flows. The more offloading, the better, because that's efficient!
… an Archer C7 which has NAT and forwarding offloading …
And that was the statement I was debunking. Because HW offload doesn't work even with the stock firmware due to the lack of the needed hardware … even though it might have had better performance figures due to highly optimized code as compared to xWRT.
I agree that HW offload is nice, but there's only so much that can be offloaded. Generally, the more expensive the chip, the more functionality it's got. But also the higher the device cost … and that's what was being discussed before you (unjustifiably) brought the Archer C7 into the discussion.
A feature can be offloaded to hardware only if the hardware (switch chip) supports the feature. Switch chips that provide a broad L3 feature set (routing, connection tracking, NAT) are not cheap. I wouldn’t expect a three-digit-priced switch chip in a two-digit-priced router.
The RB5009 is an example of a device with a three-digit price and with a switch that (in the current state) has almost the same functionality as a cheap 10 USD switch. Even though this router has the switch capability for some if not all L3HW features, nothing is implemented… several months after the release… still not able to break the 1 gig barrier when having the basic functions enabled.