Community discussions

MikroTik App
 
User avatar
lapsio
Long time Member
Long time Member
Topic Author
Posts: 501
Joined: Wed Feb 24, 2016 5:19 pm

L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Sep 25, 2020 5:48 pm

While I believe other devices will obviously eventually get basic L3 hardware offload (which is not all that interesting and unique since there's plenty of L3 switches out there) - most of them feature super weak sauce MIPS CPUs. However few switches (in particular CRS317 and CRS309 with dual core ARMs and few others with single core ones) feature beefier CPUs which I believe will perform quite well with L3 offload in FW mode and fasttrack enabled. Making them wire-speed stateful firewalls. Which is kinda insane if you think about it.

I mean I don't think I've ever seen such thing in the wild. Performance of this monstrosity is yet to be benchmarked but I believe it really does have potential to become something like 160 gbps stateful L4 firewall. Which is incredibly impressive like holy crap...
MTCNA, MTCRE, MTCINE
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 110
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 1:30 pm

I wouldn't be so critical regarding ARM vs. MIPS CPU in terms of packet processing. Comparing CPUs relatively to HW (ASIC) performance is similar to comparing 10,000 RPM HDD vs. 7,500 RMP HDD relatively to SSD. Yes, 10K RPM HDD is faster. However, the benefit is negligible in comparison with SSD. Same here. The ARM CPU on CRS317 or CRS309 is faster than MIPS CPU on CRS312 or CRS326q. But it is not even remotely as fast as HW in terms of packet processing.

Nonetheless, you are right that CRS317 or CRS309 is a better choice (than CRS312/326) for hardware-accelerated stateful firewall, but for a different reason: CRS317 and CRS309 have twice larger hardware memory. CRS317/CRS309 can offload up to 4.5K connections to the hardware (4K in case of NAT) while CRS312/CRS326q - only 2.25K. Add here an ability to move connections back and forth between CPU and HW based on the actual data rate, and CRS317 can keep up with up to 10K L4 connections where CRS312 would give up on 4K.
 
mbovenka
Member Candidate
Member Candidate
Posts: 243
Joined: Mon Oct 14, 2019 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 2:14 pm

Nonetheless, you are right that CRS317 or CRS309 is a better choice (than CRS312/326) for hardware-accelerated stateful firewall, but for a different reason: CRS317 and CRS309 have twice larger hardware memory. CRS317/CRS309 can offload up to 4.5K connections to the hardware (4K in case of NAT) while CRS312/CRS326q - only 2.25K. Add here an ability to move connections back and forth between CPU and HW based on the actual data rate, and CRS317 can keep up with up to 10K L4 connections where CRS312 would give up on 4K.

I'd love for the CRS305 to get L3 offload, but that's probably not going to happen, is it? (What with the 98DX3236 being an 'L2+' ASIC)
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 110
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 4:08 pm

Investigation of 98DX3236 switch ship's L3 capabilities is on the roadmap. Please do not misread: it is investigation not development.
 
User avatar
IPANetEngineer
Trainer
Trainer
Posts: 1469
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA
Contact:

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 4:36 pm

I agree that HW accelerated security devices at a low price point is a *huge* gap in the market. One feature that would really push the adoption of this is a stateful failover feature between two CRS switches so that it doesn't have to be a customized script + vrrp.
Global - MikroTik Support & Consulting - English | Español | Serbian | Danish +1 855-645-7684
https://iparchitechs.com/ecosystem/mikr ... consulting mikrotiksupport@iparchitechs.com
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 110
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Oct 05, 2020 1:42 pm

I agree that HW accelerated security devices at a low price point is a *huge* gap in the market. One feature that would really push the adoption of this is a stateful failover feature between two CRS switches so that it doesn't have to be a customized script + vrrp.
RouterOS v7 supports connection tracking syncing between two Mikrotik routers (or CRS switches). Here is more info:
VRRP sync-connection-tracking setup
 
mbovenka
Member Candidate
Member Candidate
Posts: 243
Joined: Mon Oct 14, 2019 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Oct 05, 2020 4:19 pm

Investigation of 98DX3236 switch ship's L3 capabilities is on the roadmap. Please do not misread: it is investigation not development.

Interesting nonetheless. I await with bated breath ;-)
 
User avatar
Maggiore81
Member
Member
Posts: 399
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy
Contact:

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Wed Feb 24, 2021 5:48 pm

Hello
that should be linked with the issue of single tcp connection speed?
Also on 1072 and 1036 in plain fasttrack with no filter rule, a single download reach about 200mbps,
when combined connections, I can go over 1.5gig...
Dott. Elia Spadoni
---
Network Administrator
MTCNA, MTCRE, MTCTCE, MTCINE, MTCWE, MTCSE
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com
 
User avatar
raimondsp
MikroTik Support
MikroTik Support
Posts: 110
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Wed May 19, 2021 2:07 pm

v7.1beta6 introduced L3 Hardware Offloading for ALL CRS3xx devices.

https://help.mikrotik.com/docs/display/ ... Offloading

Who is online

Users browsing this forum: dragmar and 9 guests