PBR for CGNAT + L3HW offload

ricardowz · October 23, 2025, 1:18pm

On this (simplified) topology, I want to redirect traffic just from PPPoE CLIENT with CGNAT address 100.64.0.1 to CGNAT SERVER, but traffic from PPPoE CLIENT with public address flowing directly to internet, keeping L3HW offload working on ROUTER 1.

I thought it would be possible using PBR, but how? Is It possible?

The way I made, creating a routing table, I need to redirect traffic to CPU and loose the L3HW offload.

/routing table
add disabled=no fib name=routing-table-cgnat

/routing rule
add action=lookup disabled=no src-address=100.64.0.0/22 table=routing-table-cgnat

akakua · October 23, 2025, 1:42pm

Switch rule if src. address 100.64.0.0/22 action redirect to port some sfp+ port

ricardowz · October 23, 2025, 2:46pm

/interface ethernet switch rule
add dst-address=0.0.0.0/0.0.0.0 mac-protocol=ip new-dst-ports=\
    sfp-sfpplus8-cgnat ports=sfp-sfpplus2-router2 src-address=100.65.0.0/255.255.0.0 switch=switch1


/interface ethernet switch rule
add mac-protocol=ip new-dst-ports=sfp-sfpplus8-cgnat ports=sfp-sfpplus2-router2 src-address=100.65.0.0/255.255.0.0 switch=switch1

Thanks for your reply.

I tried both rules above, applied on the ROUTER 1, but none worked. Are they right or I did something wrong on the rules?

lurker888 · October 23, 2025, 3:02pm

Currently PBR (and VRFs) are not available for L3HW. Apparently the hw would have support for it, but it’s currently not implemented. (There are several hurdles, so when and how much will be implemented is unclear.)

The simplest solution would be to avoid routing the PPPoE termination to CGNAT traffic, instead keeping them connected by a separate vlan. (Or if routing is s must, you may also attempt offloaded vxlan.)