L3 Hardware Routing and Router Setup

I am trying to understand if it would make sense to use a CRS as L3 switch such that my router / firewall does not need to be VLAN aware.

I would set up, let's say, 4 VLANs with a DHCP server managed by the CRS.

There is one WAN port that goes to the firewall / switch that would be an access port.

This means all inter-VLAN routing, including to the WAN gateway, would be handled by the CRS, including the routing to the WAN.

Is this possible without CPU involvement? It should route 10G.

Yes, it is possible. You would set up the CRS with as many VLANs as necessary for the LAN side, set IP addresses on the corresponding VLAN interfaces, set up L3HW offloading … and configure all devices to use the CRS' IP addresses as their default gateway (e.g. make appropriate changes to the DHCP server settings).

Then you'd add another VLAN on the CRS, with the port connecting the firewall/router set as an access port of that VLAN. Set up IP addresses on the CRS and the router from the same (can be small, a /30 would do) IP subnet. Set up the CRS to use the router as its default gateway. This way the CRS would wirespeed-route towards the firewall/router as well.

On the router, in addition to the "LAN" IP address from the same (/30) subnet as the CRS, you will have to add static routes towards your other LAN subnets via the CRS' /30 IP address. Then make sure that NAT on the firewall/router covers all the LAN subnets, and the firewall rules as well.

As to running a firewall on the CRS: I'd try to avoid doing it. Some CRS models can offload fasttrack traffic to the switch chip, some can not. And even if they support offload, the CPU will still have to process a few packets of each connection. Depending on the device model and the average "longevity" of connections this can pose a significant burden on the switch's CPU. OTOH without a firewall you can only affect traffic between different VLANs by using routing rules / ACLs. So whether you have to run a firewall on the CRS or not really depends on what kind of inter-VLAN traffic control you absolutely need.
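As an added example, not a configuration posted by anyone in this thread, here is what the setup described in the answer above looks like in the RouterOS CLI on a CRS: LAN VLANs with IP addresses on the VLAN interfaces, DHCP handing out the CRS as gateway, a /30 transit VLAN towards the firewall/router, a default route over it, and L3 HW offloading enabled. Port names, VLAN IDs and all addresses are constructed; the switch name `switch1` and the optional ACL step at the end are assumptions to check against the L3 Hardware Offloading documentation and your own model.

```routeros
# Added example: CRS as L3 switch in front of a VLAN-unaware firewall/router.
# All port names, VLAN IDs and addresses are constructed for illustration.

# --- 1. One bridge holding every port; LAN VLANs 10/20/30/40, transit VLAN 99 ---
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1 pvid=10
add bridge=bridge interface=sfp-sfpplus2 pvid=20
add bridge=bridge interface=sfp-sfpplus3 pvid=30
add bridge=bridge interface=sfp-sfpplus4 pvid=40
# access port towards the firewall/router (it only ever sees untagged frames)
add bridge=bridge interface=sfp-sfpplus16 pvid=99
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=sfp-sfpplus1
add bridge=bridge vlan-ids=20 tagged=bridge untagged=sfp-sfpplus2
add bridge=bridge vlan-ids=30 tagged=bridge untagged=sfp-sfpplus3
add bridge=bridge vlan-ids=40 tagged=bridge untagged=sfp-sfpplus4
add bridge=bridge vlan-ids=99 tagged=bridge untagged=sfp-sfpplus16

# --- 2. Routed VLAN interfaces; the CRS address is every LAN's default gateway ---
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge
add name=vlan20 vlan-id=20 interface=bridge
add name=vlan30 vlan-id=30 interface=bridge
add name=vlan40 vlan-id=40 interface=bridge
add name=vlan99 vlan-id=99 interface=bridge
/ip address
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.30.1/24 interface=vlan30
add address=10.0.40.1/24 interface=vlan40
# /30 transit subnet: CRS is .1, firewall/router is .2
add address=192.168.255.1/30 interface=vlan99

# --- 3. DHCP on the CRS (shown for VLAN 10; repeat per LAN VLAN) ---
/ip pool
add name=pool10 ranges=10.0.10.100-10.0.10.199
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1

# --- 4. Default route: everything not in a local subnet goes to the router ---
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.255.2

# --- 5. L3 HW offloading on the switch chip and on all its ports ---
/interface ethernet switch
set [find] l3-hw-offloading=yes
/interface ethernet switch port
set [find] l3-hw-offloading=yes

# --- 6. Enable VLAN filtering last, after the bridge VLAN table is complete ---
/interface bridge
set bridge vlan-filtering=yes

# --- 7. Optional (assumption, verify on your model): keep VLAN 40 away from the
#        other LAN subnets with switch-chip ACLs instead of a CPU firewall.
#        Its path to the /30 and the internet is untouched. Dropping is done by
#        giving the rule an empty destination port list.
/interface ethernet switch rule
add switch=switch1 ports=sfp-sfpplus4 dst-address=10.0.10.0/24 new-dst-ports="" comment="vlan40 isolated"
add switch=switch1 ports=sfp-sfpplus4 dst-address=10.0.20.0/24 new-dst-ports="" comment="vlan40 isolated"
add switch=switch1 ports=sfp-sfpplus4 dst-address=10.0.30.0/24 new-dst-ports="" comment="vlan40 isolated"
```

On the firewall/router side this pairs with a LAN address of 192.168.255.2/30, static routes for 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 and 10.0.40.0/24 via 192.168.255.1, outbound NAT that covers those four subnets rather than only the /30, and firewall rules written against the LAN subnets rather than against the transit interface alone. Step 7 only matters if some VLANs must not talk to each other; without it the CRS routes freely between all of them at wirespeed.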

Thanks a lot for the explanation, so if I need to restrict routing between VLANs, wire speed could be impacted.

I got a CRS317 and a CRS326-24S.

Just wondering how it runs in practice?

At the moment I have all VLANs managed, including firewall, DHCP and inter-VLAN routing settings, on an OPNsense.

Would there be an advantage switching the setup over?

I have a set of VLANs that should be completely separated from the others and should just be able to reach the internet.

Or is using the two switches in an MLAG setup a more beneficial improvement?

The CRS317 is an absolute beast for L3 HW offloading; it would do offloaded firewall as well. The CRS326-24S is a very decent device as well, but not a beast.

You may want to read about L3 HW offload and its limitations (device dependent): https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading

I’d definitely consider doing L3 HW offload routing. One benefit is wirespeed (i.e. 10Gbps) routing … you’d need a serious device to do it in software. What does the OPNsense device offer in this department?

I am using an AMD Ryzen 5 5600G with a Chelsio T520-CR on a MSI MAG B550 TOMAHAWK in a SuperMicro CSE-846 case.

This setup allows me to do 10G inter-VLAN routing.

Will check the documentation and prepare my setup for this. I already did some L3 experimentation before:

http://forum.mikrotik.com/t/l3hw-on-a-switch/165735/13