L3HW + Firewall + CRS317

umbramalison · December 22, 2021, 2:52pm

Hi,

I know there have been many similar threads. I think I have read them all, along with the documentation.

I’m trying to achieve something slightly different in that I would like the CRS317 to only handle intervlan routing, with a upstream to untangle (NAT). So no NAT on the CRS317.

in the config below I have disabled my firewall rules.

but in my testing, this is what I discover:

Firewall disabled and L3HW offloading disabled. iperf: 345Mbits/sec. As expected
Firewall enabled and L3HW offloading disabled - everything works. The rules seem to be correct. iperf: 187Mbits/sec. I can access DMZ OK, but can’t access private networks from DMZ - great.
Firewall disabled and L3HW offloading enabled - everything works (but not vlan restrictions). iperf: 939Mbits/sec
Firewall enabled and L3HW offloading enabled - iperf: 939Mbits/sec, but vlan restrictions are not enabled. Seeing some strange network things not sure if related.

testing:
iperf3 server in DMZ
iperf3 client in PRIVATE
1gbit copper to netgear gs108tv2
1gbit copper to CRS328
10gbit DAC to CRS317
10gbit DAC to QEMU/KVM hypervisor
virtIO to DMZ tagged guest

enabling/disabling firewall.
i’m doing this by changing the enablement of each rule until there are no rules not toggled.

enabling/disabling l3hw
/interface/ethernet/switch set 0 l3-hw-offloading=yes||no
/interface/ethernet/switch/port set [find] l3-hw-offloading=yes||no

I’m thinking that l3hw supports bonding, and support firewall rules. but maybe not both at the same time?

config:

[admin@SW0] > export 
# dec/22/2021 13:23:08 by RouterOS 7.1.1
# software id = xxxx-xxxx
#
# model = CRS317-1G-16S+
# serial number = xxxxxxxxxxxx
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=MGMT
set [ find default-name=sfp-sfpplus1 ] comment=SW1
set [ find default-name=sfp-sfpplus2 ] comment=SW1
set [ find default-name=sfp-sfpplus5 ] comment=SW2
set [ find default-name=sfp-sfpplus6 ] comment=SW2
set [ find default-name=sfp-sfpplus9 ] comment=SW3
set [ find default-name=sfp-sfpplus10 ] comment=SW3
set [ find default-name=sfp-sfpplus13 ] comment=XEON
set [ find default-name=sfp-sfpplus14 ] comment=XEON
set [ find default-name=sfp-sfpplus16 ] auto-negotiation=no comment=WAN
/interface vlan
add disabled=yes interface=bridge name=VL1-NOLAN vlan-id=1
add interface=bridge name=VL10-PRIVATE vlan-id=10
add interface=bridge name=VL20-GUEST vlan-id=20
add interface=bridge name=VL50-DMZ vlan-id=50
add interface=bridge name=VL60-CCTV vlan-id=60
add interface=bridge name=VL100-MGMT vlan-id=100
add interface=bridge name=VL150-O1 vlan-id=150
add interface=bridge name=VL151-O2 vlan-id=151
/interface bonding
add mode=802.3ad name=SW1 slaves=sfp-sfpplus1,sfp-sfpplus2
add mode=802.3ad name=SW2 slaves=sfp-sfpplus5,sfp-sfpplus6
add mode=802.3ad name=SW3 slaves=sfp-sfpplus9,sfp-sfpplus10
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=MGMT
add name=TRUNK
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing table
add fib name=""
/interface bridge port
add bridge=bridge ingress-filtering=no interface=TRUNK
add bridge=bridge ingress-filtering=no interface=MGMT pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=10
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=20
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=50
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=60
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=100
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=150
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=151
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=MGMT
add comment=GATEWAY interface=sfp-sfpplus16 list=WAN
add interface=SW2 list=TRUNK
add interface=SW3 list=TRUNK
add comment=XEON interface=sfp-sfpplus13 list=TRUNK
add comment=XEON interface=sfp-sfpplus14 list=TRUNK
add interface=SW1 list=TRUNK
/ip address
add address=10.10.10.1/24 interface=VL10-PRIVATE network=10.10.10.0
add address=10.10.20.1/24 interface=VL20-GUEST network=10.10.20.0
add address=10.10.50.1/24 interface=VL50-DMZ network=10.10.50.0
add address=10.10.60.1/24 interface=VL60-CCTV network=10.10.60.0
add address=10.10.100.1/24 interface=VL100-MGMT network=10.10.100.0
add address=10.10.151.1/24 interface=VL151-O2 network=10.10.151.0
add address=192.168.1.1/24 interface=VL150-O1 network=192.168.1.0
add address=10.10.1.1/24 interface=bridge network=10.10.1.0
/ip dhcp-client
add interface=sfp-sfpplus16
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=Est&Related connection-state=established,related disabled=yes
add action=accept chain=forward disabled=yes in-interface=VL10-PRIVATE out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=VL10-PRIVATE out-interface=VL50-DMZ
add action=accept chain=forward disabled=yes in-interface=VL10-PRIVATE out-interface=VL60-CCTV
add action=accept chain=forward disabled=yes in-interface=VL10-PRIVATE out-interface=VL100-MGMT
add action=accept chain=forward disabled=yes in-interface=VL10-PRIVATE out-interface=VL150-O1
add action=accept chain=forward disabled=yes in-interface=VL20-GUEST out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=VL50-DMZ out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=VL100-MGMT out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=VL100-MGMT out-interface=VL10-PRIVATE
add action=accept chain=forward disabled=yes in-interface=VL100-MGMT out-interface=VL50-DMZ
add action=accept chain=forward disabled=yes in-interface=VL100-MGMT out-interface=VL60-CCTV
add action=accept chain=forward disabled=yes in-interface=VL150-O1 out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=VL151-O2 out-interface-list=WAN
add action=reject chain=forward disabled=yes reject-with=icmp-network-unreachable
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=SW0
/system logging
add disabled=yes topics=caps,debug
add disabled=yes topics=wireless,debug
/system routerboard settings
set boot-os=router-os

tdw · December 22, 2021, 3:51pm

From https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Inter-VLANRoutingwithUpstreamPortBehindFirewall/NAT it appears you should have the switch l3-hw-offloading=yes, but set l3-hw-offloading=no for any switch ports you wish to have firewall rules applied to - the initial packet for a connection gets handled by the CPU but any subsequent packets using fasttrack are handled by the hardware offloading.

umbramalison · December 22, 2021, 4:00pm

Yes. I think I even knew that, just didn’t think it through implementation-ally.
Thank you tdw - i’m sure this is exactly my issue. thanks

umbramalison · December 22, 2021, 4:20pm

my iperf3 client in PRIVATE is getting 220Mbits/sec to server in DMZ.
Seems like my established traffic isn’t being fast-tracked?

/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=MGMT
set [ find default-name=sfp-sfpplus1 ] comment=SW1
set [ find default-name=sfp-sfpplus2 ] comment=SW1
set [ find default-name=sfp-sfpplus5 ] comment=SW2
set [ find default-name=sfp-sfpplus6 ] comment=SW2
set [ find default-name=sfp-sfpplus9 ] comment=SW3
set [ find default-name=sfp-sfpplus10 ] comment=SW3
set [ find default-name=sfp-sfpplus13 ] comment=XEON
set [ find default-name=sfp-sfpplus14 ] comment=XEON
set [ find default-name=sfp-sfpplus16 ] auto-negotiation=no comment=WAN
/interface vlan
add disabled=yes interface=bridge name=VL1-NOLAN vlan-id=1
add interface=bridge name=VL10-PRIVATE vlan-id=10
add interface=bridge name=VL20-GUEST vlan-id=20
add interface=bridge name=VL50-DMZ vlan-id=50
add interface=bridge name=VL60-CCTV vlan-id=60
add interface=bridge name=VL100-MGMT vlan-id=100
add interface=bridge name=VL150-O1 vlan-id=150
add interface=bridge name=VL151-O2 vlan-id=151
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 0 l3-hw-offloading=no
set 1 l3-hw-offloading=no
set 2 l3-hw-offloading=no
set 3 l3-hw-offloading=no
set 4 l3-hw-offloading=no
set 5 l3-hw-offloading=no
set 6 l3-hw-offloading=no
set 7 l3-hw-offloading=no
set 8 l3-hw-offloading=no
set 9 l3-hw-offloading=no
set 10 l3-hw-offloading=no
set 11 l3-hw-offloading=no
set 12 l3-hw-offloading=no
set 13 l3-hw-offloading=no
set 14 l3-hw-offloading=no
set 15 l3-hw-offloading=no
set 16 l3-hw-offloading=no
/interface list
add name=MGMT
add name=TRUNK
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/routing table
add fib name=""
/interface bridge port
add bridge=bridge ingress-filtering=no interface=TRUNK
add bridge=bridge ingress-filtering=no interface=MGMT pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=10
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=20
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=50
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=60
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=100
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=150
add bridge=bridge tagged=bridge,SW1,SW2,SW3,sfp-sfpplus13,sfp-sfpplus14 vlan-ids=151
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=ether1 list=MGMT
add comment=GATEWAY interface=sfp-sfpplus16 list=WAN
add interface=SW2 list=TRUNK
add interface=SW3 list=TRUNK
add comment=XEON interface=sfp-sfpplus13 list=TRUNK
add comment=XEON interface=sfp-sfpplus14 list=TRUNK
add interface=SW1 list=TRUNK
/ip address
add address=10.10.10.1/24 interface=VL10-PRIVATE network=10.10.10.0
add address=10.10.20.1/24 interface=VL20-GUEST network=10.10.20.0
add address=10.10.50.1/24 interface=VL50-DMZ network=10.10.50.0
add address=10.10.60.1/24 interface=VL60-CCTV network=10.10.60.0
add address=10.10.100.1/24 interface=VL100-MGMT network=10.10.100.0
add address=10.10.151.1/24 interface=VL151-O2 network=10.10.151.0
add address=192.168.1.1/24 interface=VL150-O1 network=192.168.1.0
add address=10.10.1.1/24 interface=bridge network=10.10.1.0
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=Est&Related connection-state=established,related
add action=accept chain=forward in-interface=VL10-PRIVATE out-interface-list=WAN
add action=accept chain=forward in-interface=VL10-PRIVATE out-interface=VL50-DMZ
add action=accept chain=forward in-interface=VL10-PRIVATE out-interface=VL60-CCTV
add action=accept chain=forward in-interface=VL10-PRIVATE out-interface=VL100-MGMT
add action=accept chain=forward in-interface=VL10-PRIVATE out-interface=VL150-O1
add action=accept chain=forward in-interface=VL20-GUEST out-interface-list=WAN
add action=accept chain=forward in-interface=VL50-DMZ out-interface-list=WAN
add action=accept chain=forward in-interface=VL100-MGMT out-interface-list=WAN
add action=accept chain=forward in-interface=VL100-MGMT out-interface=VL10-PRIVATE
add action=accept chain=forward in-interface=VL100-MGMT out-interface=VL50-DMZ
add action=accept chain=forward in-interface=VL100-MGMT out-interface=VL60-CCTV
add action=accept chain=forward in-interface=VL150-O1 out-interface-list=WAN
add action=accept chain=forward in-interface=VL151-O2 out-interface-list=WAN
add action=reject chain=forward reject-with=icmp-network-unreachable

umbramalison · December 22, 2021, 8:46pm

Will fasttrack give me l3hw performance for all est/related traffic?

how can i verfiy if fastrack is working correctly? seem’s like it is not configured correctly yet as my through put has not improved.

any pointers?

umbramalison · December 22, 2021, 9:31pm

I think my issue is here: http://forum.mikrotik.com/t/crs317-l3hw-firewall-question/150635/18

@raimondsp believes as of october that it is an unimplemented feature, which now has priority boost.

i’m going to try 7.2rc1 - no idea if it will help.

umbramalison · February 4, 2022, 4:07pm

Exciting times, 7.2rc3 - “bridge - added fast-path and inter-VLAN routing FastTrack support when vlan-filtering is enabled;”