Problems with L3HW

Good morning everyone, I have to enable l3hw, I’ve tried everything…

Why can’t I ping 192.168.1.1?
The address 192.168.1.1 is the IP of the internet modem.

I want to activate L3HW between my VLANs and INTERNET…
Without L3HW the internet speed test reaches 300 Mb/s; I have a 2.5 Gb/s fiber line.

Could some kind person help me? Thank you very much.

this is my setup

# 2023-12-19 16:27:48 by RouterOS 7.13
# software id = 6VRZ-I0KH
#
# model = CRS317-1G-16S+

# Layer 2: a single VLAN-filtering bridge holding the WAN-facing port (VLAN 50)
# and the LAN-facing port (VLAN 100).
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus6 ] name=sfp-sfpplus6-WAN
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-LAN
# Routed VLAN interfaces on the bridge; the IP addresses below are bound to them.
/interface vlan
add interface=bridge1 name=vlan50 vlan-id=50
add interface=bridge1 name=vlan100 vlan-id=100
# L3 hardware offloading is enabled for the whole switch chip; no per-port
# exception is configured in this export.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus6-WAN pvid=50
add bridge=bridge1 interface=sfp-sfpplus12-LAN pvid=100
# NOTE(review): both physical ports carry a pvid and are also listed as *tagged*
# members of that same VLAN, so untagged frames are accepted on ingress but
# frames leave tagged. If the modem expects untagged frames this could explain
# the failed ping to 192.168.1.1 - confirm against the attached devices.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus6-WAN vlan-ids=50
add bridge=bridge1 tagged=bridge1,sfp-sfpplus12-LAN vlan-ids=100

/ip address
add address=192.168.234.1/24 interface=vlan100 network=192.168.234.0
add address=192.168.1.34/24 interface=vlan50 network=192.168.1.0
# Neighbor discovery is enabled on every non-dynamic interface, which includes
# the WAN-facing vlan50. NOTE(review): consider limiting it to LAN interfaces so
# the device does not announce itself towards the modem side.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Source NAT for everything leaving through vlan50. This export contains no
# /ip firewall filter section, so nothing shown here restricts access to the
# router itself or forwarding from the vlan50 side.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan50
# Default route via 192.168.1.1 (the modem, per the post); hardware offload of
# this route is not suppressed.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main suppress-hw-offload=no

Hi, full hardware routing (a.k.a. L3 switching) does not work in this case since there is NAT in between. Disable l3-hw-offloading on the “internet” port(-s) to initially redirect the traffic to the CPU/Firewall, then offload FastTrack connections (which also support hardware NAT).

Here is an example:
Inter-VLAN Routing with Upstream Port Behind Firewall/NAT

I also tried this configuration, but it still doesn’t work!

# 2023-12-22 16:04:50 by RouterOS 7.13
#
# model = CRS317-1G-16S+
# Second attempt: same bridge and VLAN layout, but the physical ports are now
# untagged (access) members of their VLANs.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus6 ] name=sfp-sfpplus6-wan
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-lan
/interface vlan
add interface=bridge1 name=vlan50 vlan-id=50
add interface=bridge1 name=vlan100 vlan-id=100
# L3 hardware offloading is still enabled switch-wide with no per-port
# exception, i.e. the WAN-facing port is not excluded as the reply above advises.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus6-wan pvid=50
add bridge=bridge1 interface=sfp-sfpplus12-lan pvid=100
# Only the bridge (CPU side) is tagged; each physical port is untagged in the
# VLAN that matches its pvid.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=sfp-sfpplus6-wan vlan-ids=50
add bridge=bridge1 tagged=bridge1 untagged=sfp-sfpplus12-lan vlan-ids=100

# LAN side: DHCP server on vlan100 handing out 192.168.234.2-254.
/ip pool
add name=dhcp_pool0 ranges=192.168.234.2-192.168.234.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan100 name=dhcp1
/ip address
add address=192.168.234.1/24 interface=vlan100 network=192.168.234.0
# WAN side: the address on vlan50 is now obtained by DHCP instead of being static.
/ip dhcp-client
add interface=vlan50
/ip dhcp-server network
add address=192.168.234.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.234.1
# Neighbor discovery on every non-dynamic interface, including the WAN-facing
# vlan50. NOTE(review): consider limiting it to LAN interfaces.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Source NAT out of vlan50. No /ip firewall filter rules appear in this export,
# so nothing shown here filters input to the router or forwarded traffic.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan50

Thanks raimondsp,

Do you mean I have to add these two instructions?


# FastTrack (with hardware offload requested) for established/related forwarded
# connections, followed by a plain accept for the same connection states.
# Both rules only accept: on their own they do not block anything, and
# FastTracked connections skip further firewall processing, so any restriction
# has to match before a connection reaches the established state.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related

Today I tried to install the router with VLANs, and I have a very strange problem: the internet works only intermittently! What could it be? Could it be a router problem, given that I followed the online guide?


Kindly, could you help me?

All Vlans have an IP address


# 2024-01-08 13:34:13 by RouterOS 7.13
# model = CRS317-1G-16S+
# One VLAN-filtering bridge for all inter-VLAN routing.
/interface bridge
add name=bridge-Inter-VLAN vlan-filtering=yes
# Port 12 is the VLAN trunk (flow control set to auto); port 5 is renamed as
# the WAN port.
/interface ethernet
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus-12-VLAN \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus5 ] name=sfp-sfpplus5-WAN
# One routed VLAN interface per network segment, all on the same bridge.
# No /ip address section is part of this export, so the addressing of these
# interfaces cannot be seen from here.
/interface vlan
add interface=bridge-Inter-VLAN name=VLAN-ATA vlan-id=130
add interface=bridge-Inter-VLAN name=VLAN-AULA-MAGNA vlan-id=140
add interface=bridge-Inter-VLAN name=VLAN-AULA09 vlan-id=120
add interface=bridge-Inter-VLAN name=VLAN-AULA10 vlan-id=110
add interface=bridge-Inter-VLAN name=VLAN-AULA11 vlan-id=100
add interface=bridge-Inter-VLAN name=VLAN-CLASSI vlan-id=30
add interface=bridge-Inter-VLAN name=VLAN-DIRIGENZA vlan-id=150
add interface=bridge-Inter-VLAN name=VLAN-ELETTRO vlan-id=70
add interface=bridge-Inter-VLAN name=VLAN-INFO vlan-id=50
add interface=bridge-Inter-VLAN name=VLAN-INFO2 vlan-id=90
add interface=bridge-Inter-VLAN name=VLAN-LAB-EL-SISTEMI vlan-id=80
add interface=bridge-Inter-VLAN name=VLAN-MGNT vlan-id=5
add interface=bridge-Inter-VLAN name=VLAN-PALESTRA vlan-id=190
add interface=bridge-Inter-VLAN name=VLAN-SALA-INSEGNANTI vlan-id=180
add interface=bridge-Inter-VLAN name=VLAN-SEGRETERIA vlan-id=170
add interface=bridge-Inter-VLAN name=VLAN-SERVER vlan-id=10
add interface=bridge-Inter-VLAN name=VLAN-SISTEMI vlan-id=40
add interface=bridge-Inter-VLAN name=VLAN-SMART vlan-id=240
add interface=bridge-Inter-VLAN name=VLAN-STAMPANTI vlan-id=20
add interface=bridge-Inter-VLAN name=VLAN-TECNICI vlan-id=160
add interface=bridge-Inter-VLAN name=VLAN-TPSEE vlan-id=60
add interface=bridge-Inter-VLAN name=WIFI-DOCENTI vlan-id=220
add interface=bridge-Inter-VLAN name=WIFI-STUDENTI vlan-id=230

# L3 hardware offloading is enabled on the switch chip and then turned off on
# switch-port indexes 0-10 and 13-16; indexes 11 and 12 are not listed here.
# The mapping from index to physical port is not visible in this export.
# NOTE(review): confirm that the internet-facing port (sfp-sfpplus5-WAN) is
# among the ports set to "no", as the reply earlier in the thread advises, so
# its traffic is first handled by the CPU/firewall.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 0 l3-hw-offloading=no
set 1 l3-hw-offloading=no
set 2 l3-hw-offloading=no
set 3 l3-hw-offloading=no
set 4 l3-hw-offloading=no
set 5 l3-hw-offloading=no
set 6 l3-hw-offloading=no
set 7 l3-hw-offloading=no
set 8 l3-hw-offloading=no
set 9 l3-hw-offloading=no
set 10 l3-hw-offloading=no
set 13 l3-hw-offloading=no
set 14 l3-hw-offloading=no
set 15 l3-hw-offloading=no
set 16 l3-hw-offloading=no

# Only sfp-sfpplus-12-VLAN is added to the bridge; sfp-sfpplus5-WAN is not a
# bridge member in this export.
/interface bridge port
add bridge=bridge-Inter-VLAN interface=sfp-sfpplus-12-VLAN
# Every VLAN is carried tagged on the bridge itself (CPU side) and on the
# single trunk port.
/interface bridge vlan
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=130
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=140
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=120
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=110
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=100
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=30
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=150
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=70
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=50
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=90
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=80
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=5
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=190
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=180
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=170
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=10
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=40
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=240
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=20
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=160
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=60
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=220
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus-12-VLAN \
    vlan-ids=230

# Default route via 213.144.71.214 with hardware offload not suppressed.
# NOTE(review): the reply earlier in the thread says full hardware routing does
# not work where NAT sits in the path - check whether this route should be
# handled by the CPU instead.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=213.144.71.214 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
   
 # FastTrack with hardware offload for established/related forwarded
 # connections, then a plain accept for the same states.
 # These are the only filter rules in this export and both are accept rules:
 # as posted, nothing drops new connections to the router (input) or through it
 # (forward), while the default route points at a public gateway.
 # NOTE(review): confirm the real device has input/forward drop rules.
 /ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related

# Source NAT for traffic leaving through the physical WAN port, which in this
# export is a stand-alone interface (not a bridge member).
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus5-WAN

Could my problem be that I enabled L3HW on the switch and the ports from the GUI, and not with these commands?

# Enables L3 hardware offloading on the switch chip and then, via [find], on
# every switch port. NOTE(review): "every port" includes the internet-facing
# one, which the reply earlier in the thread says should have offloading
# disabled so its traffic reaches the CPU/firewall first.
/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=yes


Do I have to insert the Wan port into the bridge?


Thanks

Any offload (either L2 or L3) only works between ports of the same bridge … and in most cases it has to be the only bridge defined on the device. So if you want L3HW offload performed on the WAN interface, the WAN port has to be a member of the bridge. As you want to isolate WAN from the local subnets, you have to use VLANs (if the ISP provides WAN untagged, make the WAN port an access port of a VLAN with an otherwise unused ID).

Do you think the loss of internet connection is caused by that?

in the mikrotik guide the WAN is not in the bridge!

https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Inter-VLANRoutingwithUpstreamPortBehindFirewall/NAT

There are many ways to deal with WAN; the most straightforward way is to use the WAN port as a stand-alone interface. But that way L3HW does not work for WAN traffic. I’m just saying.

Do you think this could be the reason it loses the connection?

Should I still use Fasttrack?

Hard to tell, the last config you posted doesn’t make much sense, I strongly believe it’s not what you actually have (part with bridge ports and bridge vlan is included twice, only single IP address is shown so device can’t route anything, etc.).

You are right!!! Tomorrow I will export the complete configuration

Hi, this is my latest configuration, Do you think I made some mistakes?

Thanks


# 2024-01-10 20:41:15 by RouterOS 7.13
# model = CRS317-1G-16S+
# Layer 2: one VLAN-filtering bridge that now contains both the LAN trunk and
# the WAN port.
/interface bridge
add name=bridge-Inter-VLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus5 ] name=sfp-sfpplus5-WAN
set [ find default-name=sfp-sfpplus12 ] name=sfp-sfpplus12-LAN
# Routed VLAN interfaces; VLAN-INTERNET (35) is the uplink VLAN.
/interface vlan
add interface=bridge-Inter-VLAN name=VLAN-ATA vlan-id=130
add interface=bridge-Inter-VLAN name=VLAN-AULA-MAGNA vlan-id=140
add interface=bridge-Inter-VLAN name=VLAN-AULA09 vlan-id=120
add interface=bridge-Inter-VLAN name=VLAN-AULA10 vlan-id=110
add interface=bridge-Inter-VLAN name=VLAN-AULA11 vlan-id=100
add interface=bridge-Inter-VLAN name=VLAN-INTERNET vlan-id=35
add interface=bridge-Inter-VLAN name=VLAN-TEST vlan-id=33
# L3 hardware offloading on for the switch, off for switch-port index 4.
# Presumably index 4 is sfp-sfpplus5-WAN - the index-to-port mapping is not
# shown in this export; verify on the device.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 4 l3-hw-offloading=no
/interface bridge port
add bridge=bridge-Inter-VLAN interface=sfp-sfpplus12-LAN pvid=33
add bridge=bridge-Inter-VLAN interface=sfp-sfpplus5-WAN pvid=35
# VLAN 35 is untagged on the WAN port; VLANs 33 and 100-140 are tagged on the
# LAN trunk. NOTE(review): sfp-sfpplus12-LAN has pvid=33 but is a tagged member
# of VLAN 33, so untagged frames are accepted into VLAN 33 while VLAN 33 frames
# leave tagged - confirm this asymmetry is intended.
/interface bridge vlan
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus12-LAN \
    vlan-ids=33
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN untagged=\
    sfp-sfpplus5-WAN vlan-ids=35
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus12-LAN \
    vlan-ids=100
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus12-LAN \
    vlan-ids=110
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus12-LAN \
    vlan-ids=120
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus12-LAN \
    vlan-ids=130
add bridge=bridge-Inter-VLAN tagged=bridge-Inter-VLAN,sfp-sfpplus12-LAN \
    vlan-ids=140
# Gateway address (.1) for each internal VLAN, plus 192.168.1.10 on the uplink
# VLAN towards the modem network.
/ip address
add address=192.168.234.1/24 interface=VLAN-TEST network=192.168.234.0
add address=192.168.100.1/24 interface=VLAN-AULA11 network=192.168.100.0
add address=192.168.110.1/24 interface=VLAN-AULA10 network=192.168.110.0
add address=192.168.120.1/24 interface=VLAN-AULA09 network=192.168.120.0
add address=192.168.130.1/24 interface=VLAN-ATA network=192.168.130.0
add address=192.168.140.1/24 interface=VLAN-AULA-MAGNA network=192.168.140.0
add address=192.168.1.10/24 interface=VLAN-INTERNET network=192.168.1.0
# DHCP requests from each classroom/office VLAN are relayed to 192.168.10.250.
# NOTE(review): no interface or specific route for 192.168.10.0/24 appears in
# this export, so the path to that server (and whether it crosses the uplink
# or the L2TP tunnel) cannot be determined from here - verify.
/ip dhcp-relay
add dhcp-server=192.168.10.250 disabled=no interface=VLAN-ATA name=ATA
add dhcp-server=192.168.10.250 disabled=no interface=VLAN-AULA09 name=\
    "AULA 9"
add dhcp-server=192.168.10.250 disabled=no interface=VLAN-AULA10 name=\
    "AULA 10"
add dhcp-server=192.168.10.250 disabled=no interface=VLAN-AULA11 name=\
    "AULA 11"
add dhcp-server=192.168.10.250 disabled=no interface=VLAN-AULA-MAGNA name=\
    "AULA MAGNA"
# Forward chain: FastTrack (hardware offload requested) and accept for
# established/related connections only. There is no forward drop rule, so new
# connections between VLANs and from the uplink side are not blocked by the
# rules shown here.
# NOTE(review): with l3-hw-offloading=yes on the switch, traffic routed between
# VLANs in hardware is not expected to traverse this chain at all, so a filter
# rule alone may not separate e.g. VLAN 110 from VLAN 120 - verify against the
# L3 Hardware Offloading documentation linked in the thread.
#
# Input chain: accept everything arriving over l2tp-out-SEDE, accept UDP/1701
# on the uplink VLAN, drop invalid, then drop everything else.
# NOTE(review): there is no accept for established,related on the input chain,
# so replies to connections the router itself opens reach the final drop unless
# they arrive via l2tp-out-SEDE or on UDP/1701 - confirm this is intended.
# NOTE(review): the UDP/1701 accept has no src-address restriction; consider
# limiting it to the tunnel peer. The l2tp-out-SEDE interface definition is not
# part of this export - confirm the tunnel is protected with IPsec.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input in-interface=l2tp-out-SEDE
add action=accept chain=input dst-port=1701 in-interface=VLAN-INTERNET \
    protocol=udp
add action=drop chain=input connection-state=invalid
add action=drop chain=input
# Source NAT for traffic leaving via the uplink VLAN and via the L2TP tunnel.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VLAN-INTERNET
add action=masquerade chain=srcnat out-interface=l2tp-out-SEDE
# Two static routes, both with hardware offload suppressed: 192.168.2.0/24 via
# 10.77.77.1 (presumably the far end of the L2TP tunnel - verify) and the
# default route via the modem at 192.168.1.1.
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=10.77.77.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=yes \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=yes \
    target-scope=10
# RADIUS server used for the hotspot service. No shared secret appears in this
# export; keep secrets out of any configuration posted publicly.
/radius
add address=192.168.10.250 service=hotspot
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os

I have 3 questions

  1. Is the L3HW configuration optimal?
  2. How do I stop VLAN 110 from communicating with VLAN 120?
  3. Can I enable Hotspot on VLAN-ATA? Is it set up the usual way, or do I need to do something with the switch ACL rules?

thanks a lot to everyone