Possible Bug: UDP Stream (1-way transmission) cannot be L3HW(NAT)-offloaded.

Environment

CRS354-48G-4S+2Q+RM with RouterOS v7.13.5 (current stable) with the below configuration (result from /export compact):

/interface bridge
add admin-mac=DC:2C:6E:7E:50:AA auto-mac=no name=bridge pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=bridge name=vlan-LAN vlan-id=20
add interface=bridge name=vlan-MGMT vlan-id=10
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 9 l3-hw-offloading=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool-LAN ranges=192.168.254.1-192.168.254.253
add name=pool-MGMT ranges=192.168.255.1-192.168.255.253
/ip dhcp-server
add address-pool=pool-LAN interface=vlan-LAN name=dhcp-LAN
add address-pool=pool-MGMT interface=vlan-MGMT name=dhcp-MGMT
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=10
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=ether11 pvid=10
add bridge=bridge interface=ether12 pvid=10
add bridge=bridge interface=ether13 pvid=10
add bridge=bridge interface=ether14 pvid=10
add bridge=bridge interface=ether15 pvid=10
add bridge=bridge interface=ether16 pvid=10
add bridge=bridge interface=ether17 pvid=10
add bridge=bridge interface=ether18 pvid=10
add bridge=bridge interface=ether19 pvid=10
add bridge=bridge interface=ether20 pvid=10
add bridge=bridge interface=ether21 pvid=10
add bridge=bridge interface=ether22 pvid=10
add bridge=bridge interface=ether23 pvid=10
add bridge=bridge interface=ether24 pvid=10
add bridge=bridge interface=ether25 pvid=20
add bridge=bridge interface=ether26 pvid=20
add bridge=bridge interface=ether27 pvid=20
add bridge=bridge interface=ether28 pvid=20
add bridge=bridge interface=ether29 pvid=20
add bridge=bridge interface=ether30 pvid=20
add bridge=bridge interface=ether31 pvid=20
add bridge=bridge interface=ether32 pvid=20
add bridge=bridge interface=ether33 pvid=20
add bridge=bridge interface=ether34 pvid=20
add bridge=bridge interface=ether35 pvid=20
add bridge=bridge interface=ether36 pvid=20
add bridge=bridge interface=ether37 pvid=20
add bridge=bridge interface=ether38 pvid=20
add bridge=bridge interface=ether39 pvid=20
add bridge=bridge interface=ether40 pvid=20
add bridge=bridge interface=ether41 pvid=20
add bridge=bridge interface=ether42 pvid=20
add bridge=bridge interface=ether43 pvid=20
add bridge=bridge interface=ether44 pvid=20
add bridge=bridge interface=ether45 pvid=20
add bridge=bridge interface=ether46 pvid=20
add bridge=bridge interface=ether47 pvid=20
add bridge=bridge interface=ether48 pvid=20
add bridge=bridge interface=qsfpplus1-1 pvid=20
add bridge=bridge interface=qsfpplus1-2 pvid=20
add bridge=bridge interface=qsfpplus1-3 pvid=20
add bridge=bridge interface=qsfpplus1-4 pvid=20
add bridge=bridge interface=qsfpplus2-1 pvid=20
add bridge=bridge interface=qsfpplus2-2 pvid=20
add bridge=bridge interface=qsfpplus2-3 pvid=20
add bridge=bridge interface=qsfpplus2-4 pvid=20
add bridge=bridge interface=sfp-sfpplus2 pvid=20
add bridge=bridge interface=sfp-sfpplus3 pvid=20
add bridge=bridge interface=sfp-sfpplus4 pvid=20
/ip firewall connection tracking
set udp-timeout=20s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
/ip address
add address=192.168.88.1/24 interface=ether49 network=192.168.88.0
add address=[CENSORED] interface=sfp-sfpplus1 network=[CENSORED]
add address=192.168.254.254/24 interface=vlan-LAN network=192.168.254.0
add address=192.168.255.254/24 interface=vlan-MGMT network=192.168.255.0
/ip dhcp-relay
add dhcp-server=192.168.254.10 disabled=no interface=vlan-LAN name=dhcp-MAAS
/ip dhcp-server lease
add address=192.168.255.1 mac-address=D0:50:99:E2:C4:7D
add address=192.168.255.2 mac-address=FF:FF:FF:00:00:02
add address=192.168.255.3 mac-address=FF:FF:FF:00:00:03
add address=192.168.255.4 mac-address=0C:C4:7A:67:7C:9E
add address=192.168.255.5 mac-address=18:FB:7B:AA:93:AB
add address=192.168.255.6 mac-address=3C:EC:EF:07:3E:C3
add address=192.168.255.7 mac-address=3C:EC:EF:07:3F:D6
add address=192.168.255.8 mac-address=FF:FF:FF:00:00:08
add address=192.168.255.9 mac-address=FF:FF:FF:00:00:09
add address=192.168.255.10 mac-address=00:25:90:80:57:59
add address=192.168.255.11 mac-address=00:25:90:5B:AB:63
add address=192.168.255.12 mac-address=18:66:DA:70:78:67
add address=192.168.255.13 mac-address=D0:94:66:00:EB:D1
add address=192.168.255.14 mac-address=D0:94:66:97:BD:9F
add address=192.168.255.15 mac-address=D0:94:66:96:33:5A
add address=192.168.255.16 mac-address=4C:D9:8F:53:4B:BB
add address=192.168.255.17 mac-address=4C:D9:8F:53:62:DB
add address=192.168.255.18 mac-address=FF:FF:FF:00:00:12
add address=192.168.254.1 mac-address=D0:50:99:D1:5B:30
add address=192.168.254.2 mac-address=FF:FF:FF:00:01:02
add address=192.168.254.3 mac-address=FF:FF:FF:00:01:03
add address=192.168.254.4 mac-address=0C:C4:7A:A3:1C:B8
add address=192.168.254.5 mac-address=18:66:DA:F7:19:F4
add address=192.168.254.6 mac-address=0C:42:A1:54:7B:EE
add address=192.168.254.7 mac-address=0C:42:A1:54:71:12
add address=192.168.254.8 mac-address=FF:FF:FF:00:01:08
add address=192.168.254.9 mac-address=FF:FF:FF:00:01:09
add address=192.168.254.10 mac-address=00:25:90:80:3C:9E
add address=192.168.254.11 mac-address=00:25:90:5B:AA:D0
add address=192.168.254.12 mac-address=18:66:DA:70:78:63
add address=192.168.254.13 mac-address=D0:94:66:00:EB:CD
add address=192.168.254.14 mac-address=D0:94:66:97:BD:A5
add address=192.168.254.15 mac-address=D0:94:66:96:33:60
add address=192.168.254.16 mac-address=4C:D9:8F:53:4B:C1
add address=192.168.254.17 mac-address=4C:D9:8F:53:62:E1
add address=192.168.254.18 mac-address=FF:FF:FF:00:01:12
add address=192.168.254.101 mac-address=1C:1B:0D:0D:CB:8E
add address=192.168.254.102 mac-address=1C:1B:0D:0D:CB:78
add address=192.168.254.103 mac-address=1C:1B:0D:0D:CB:7C
add address=192.168.254.104 mac-address=1C:1B:0D:0D:CB:8C
/ip dhcp-server network
add address=192.168.254.0/24 dns-server=192.168.254.10,[CENSORED],[CENSORED] gateway=192.168.254.254
add address=192.168.255.0/24 dns-server=192.168.255.10,[CENSORED],[CENSORED] gateway=192.168.255.254
/ip dns
set servers=192.168.255.10,[CENSORED],[CENSORED]
/ip firewall filter
add action=fasttrack-connection chain=forward connection-nat-state=srcnat,dstnat hw-offload=yes protocol=udp
add action=accept chain=forward connection-nat-state=srcnat,dstnat protocol=udp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
add action=dst-nat chain=dstnat dst-port=0-49151 in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.10
add action=dst-nat chain=dstnat dst-port=0-49151 in-interface=sfp-sfpplus1 protocol=udp to-addresses=192.168.254.10
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.1 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.2 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.3 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.4 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.5 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.6 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.7 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.8 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.9 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.10 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.11 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.12 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.13 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.14 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.15 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.16 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.17 \
	to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.18 \
	to-ports=22
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=sfp-sfpplus1 type=external
add interface=vlan-LAN type=internal
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[CENSORED] routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=[CENSORED] 
set www-ssl certificate=https disabled=no port=[CENSORED] 
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=[CENSORED]
/system identity
set name=[CENSORED]
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key

The above environment works well in offloading TCP 1-way/2-way transmissions via NAT. The result has been confirmed with /ip/firewall/connection/print, /interface/ethernet/switch/l3hw-settings/advanced/monitor and /tool/profile.

How to Test

  1. Add these rules.
add action=fasttrack-connection chain=forward connection-nat-state=srcnat,dstnat hw-offload=yes protocol=udp
add action=accept chain=forward connection-nat-state=srcnat,dstnat protocol=udp
# Without the above two lines, UDP stream connection will not be marked as "F" for FastTrack. But still, no H/W offload.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
  2. Do a Netperf/Neper/etc. test for UDP_STREAM, between a host within NAT and another outside.

  3. On the connection tracking, the UDP stream connections will never be marked as “H” for H/W-offloaded - they are left in “Cs”/“Cd” for the SRCNAT/DSTNAT cases, or “CFs”/“CFd” if you add the above rules. Also, they will never be marked as UDP stream anyway, since they stay at the default UDP timeout (default: 10s). The timeout will remain the same as the initial constant value while communicating.

In contrast to #3, UDP_RR (Request-Response) connections are actually offloaded - marked as “SACFsH”/“SACFdH” (“S”: seen-reply, “A”: assured, “C”: confirmed). The timeout for these decreases from 00:01:00 but is reset to it from time to time, so they do not expire. I have verified both UDP_STREAM and UDP_RR results with /interface/ethernet/switch/l3hw-settings/advanced/monitor and /tool/profile.

Possible Cause

http://forum.mikrotik.com/t/rdp-connection-dying/151731/1 UDP Stream cannot be properly detected, so even the connection tracking itself for UDP stream is not working.

The above result is slightly different from http://forum.mikrotik.com/t/rdp-connection-dying/151731/1: the timeout in my environment does not expire even for a UDP stream (though it is never marked as a UDP stream; it remains a generic(?) UDP connection whose timeout is the default one, 10s by default) but rather stays at a constant value, the same as the initial one.

In the above link:

To get the tracking into the UDP assured state needs 3 packets, the initial one from the client, a return packet from the server, and then a 3rd packet from either the server or client. If it doesn’t get the 2nd or 3rd packets before each udp timeout interval (10S, 20S) the connection will disappear, and the server will not be able to send any more udp packets to the client. (each udp packet restarts the udp timeout)
If all 3 packets happen, the udp stream timeout is enabled. (3 min or as configured)

I think it would not meet the requirement for offloading some/many UDP-based streaming applications/benchmarks.
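
The three-packet rule quoted above, as a small Python model added here (not RouterOS code and not part of the original post). The timeout values come from the quote; `track`, `Conn` and the two sample flows are hypothetical names and constructed inputs.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 10          # seconds: generic/unreplied UDP, the default cited in the post
UDP_STREAM_TIMEOUT = 180  # seconds: "3 min or as configured", per the quote


@dataclass
class Conn:
    seen_reply: bool = False
    assured: bool = False
    expires_at: float = 0.0

    def flags(self) -> str:
        # Same letters as the connection table: S seen-reply, A assured, C confirmed.
        return ("S" if self.seen_reply else "") + ("A" if self.assured else "") + "C"


def track(packets, udp_timeout=UDP_TIMEOUT, stream_timeout=UDP_STREAM_TIMEOUT):
    """packets: list of (time_s, direction), direction is 'orig' or 'reply'.
    Returns the tracked entry after the last packet, or None if none exists."""
    conn = None
    for t, direction in packets:
        if conn is not None and t >= conn.expires_at:
            conn = None                  # entry timed out before this packet
        if conn is None:
            if direction != "orig":
                continue                 # reply with no entry left to match
            conn = Conn()
        if conn.seen_reply:
            conn.assured = True          # third step: a packet after the reply
        if direction == "reply":
            conn.seen_reply = True       # second step: return packet
        # Every packet restarts the timer; assured entries get the stream timeout.
        conn.expires_at = t + (stream_timeout if conn.assured else udp_timeout)
    return conn


def one_way_stream(n=20, gap=0.5):
    """Constructed UDP_STREAM-like flow: sender only, no return traffic."""
    return [(i * gap, "orig") for i in range(n)]


def request_response(n=20, gap=0.5):
    """Constructed UDP_RR-like flow: strictly alternating request and reply."""
    return [(i * gap, "orig" if i % 2 == 0 else "reply") for i in range(n)]
```

Under this model the one-way flow ends with flags `C` and the 10s timer, while the request-response flow ends with `SAC` and the stream timer, matching the flag difference reported in the connection table above.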