On the CCR2116 with firewall-compatible L3HW offload, should L3HW offloading be enabled on the LAN port?

Hello, I am configuring a CCR2116 with firewall-compatible layer 3 hardware offloading (via FastTrack rules). I have L3 hardware offloading disabled on the WAN port, but enabled on the switch, on the CPU, and enabled on all other ports including the LAN ports. I am using a bridge, and the LAN port is a member of the bridge. There are also a few VLANs split off the bridge interface.

Is that the right way to set this up? Or should L3 hardware offloading be disabled on the LAN port? Checking and unchecking the L3 offload box on the LAN port does not seem to have any impact.

It depends on whether you need the Firewall for inter-VLAN routing or not.

  • For full hardware Inter-VLAN routing, leave l3hw enabled for LAN ports. All packets between VLANs will get processed by the hardware in this case.
  • For firewall-compatible Inter-VLAN routing, disable l3hw for LAN ports too.

In any case, initial packets to/from the WAN port will enter the CPU/Firewall since l3hw is disabled on the WAN port.
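
The two options from the reply above, written out as RouterOS commands. This is an added example, not part of the original posts; the names `switch1`, `sfp-sfpplus1` (WAN) and `ether1`/`ether2` (LAN bridge members) are assumptions, so substitute the names from your own device.

```routeros
# Assumed names (not from the thread): switch1, WAN = sfp-sfpplus1,
# LAN bridge members = ether1 and ether2.

# Common to both variants: offloading enabled on the switch chip, disabled
# on the WAN port so initial packets to/from WAN reach the CPU firewall.
/interface ethernet switch set switch1 l3-hw-offloading=yes
/interface ethernet switch port set sfp-sfpplus1 l3-hw-offloading=no

# FastTrack rule that allows established connections to be offloaded to
# hardware, followed by the usual accept for the same connection states.
/ip firewall filter add chain=forward action=fasttrack-connection \
    connection-state=established,related hw-offload=yes
/ip firewall filter add chain=forward action=accept \
    connection-state=established,related

# Variant A: full hardware inter-VLAN routing.
# Traffic between VLANs is routed by the switch chip, so forward-chain
# filter rules are not applied to it.
/interface ethernet switch port set ether1 l3-hw-offloading=yes
/interface ethernet switch port set ether2 l3-hw-offloading=yes

# Variant B: firewall-compatible inter-VLAN routing.
# Initial packets between VLANs go to the CPU and are evaluated by the
# firewall before FastTrack can offload the connection.
/interface ethernet switch port set ether1 l3-hw-offloading=no
/interface ethernet switch port set ether2 l3-hw-offloading=no

# Review the resulting per-port settings.
/interface ethernet switch port print
```

Apply only one of Variant A or Variant B; choose B if any filter rule is meant to restrict traffic between VLANs.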

Thanks for that clarification - makes total sense to me now.

And what does enabling L3 Hw Offloading on the switch1 cpu do?