lapsio
Long time Member
Topic Author
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Sep 25, 2020 5:48 pm

While I believe other devices will obviously eventually get basic L3 hardware offload (which is not all that interesting and unique since there's plenty of L3 switches out there) - most of them feature super weak sauce MIPS CPUs. However, a few switches (in particular CRS317 and CRS309 with dual-core ARMs and a few others with single-core ones) feature beefier CPUs which I believe will perform quite well with L3 offload in FW mode and fasttrack enabled. Making them wire-speed stateful firewalls. Which is kinda insane if you think about it.

I mean I don't think I've ever seen such a thing in the wild. Performance of this monstrosity is yet to be benchmarked but I believe it really does have potential to become something like a 160 Gbps stateful L4 firewall. Which is incredibly impressive like holy crap...
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 1:30 pm

I wouldn't be so critical regarding ARM vs. MIPS CPU in terms of packet processing. Comparing CPUs relative to HW (ASIC) performance is similar to comparing a 10,000 RPM HDD vs. a 7,500 RPM HDD relative to an SSD. Yes, the 10K RPM HDD is faster. However, the benefit is negligible in comparison with the SSD. Same here. The ARM CPU on CRS317 or CRS309 is faster than the MIPS CPU on CRS312 or CRS326q. But it is not even remotely as fast as HW in terms of packet processing.

Nonetheless, you are right that CRS317 or CRS309 is a better choice (than CRS312/326) for hardware-accelerated stateful firewall, but for a different reason: CRS317 and CRS309 have twice larger hardware memory. CRS317/CRS309 can offload up to 4.5K connections to the hardware (4K in case of NAT) while CRS312/CRS326q - only 2.25K. Add here an ability to move connections back and forth between CPU and HW based on the actual data rate, and CRS317 can keep up with up to 10K L4 connections where CRS312 would give up on 4K.
 
mbovenka
Member
Posts: 337
Joined: Mon Oct 14, 2019 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 2:14 pm

> Nonetheless, you are right that CRS317 or CRS309 is a better choice (than CRS312/326) for hardware-accelerated stateful firewall, but for a different reason: CRS317 and CRS309 have twice larger hardware memory. CRS317/CRS309 can offload up to 4.5K connections to the hardware (4K in case of NAT) while CRS312/CRS326q - only 2.25K. Add here an ability to move connections back and forth between CPU and HW based on the actual data rate, and CRS317 can keep up with up to 10K L4 connections where CRS312 would give up on 4K.

I'd love for the CRS305 to get L3 offload, but that's probably not going to happen, is it? (What with the 98DX3236 being an 'L2+' ASIC)
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 4:08 pm

Investigation of the 98DX3236 switch chip's L3 capabilities is on the roadmap. Please do not misread: it is investigation, not development.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Fri Oct 02, 2020 4:36 pm

I agree that HW accelerated security devices at a low price point is a *huge* gap in the market. One feature that would really push the adoption of this is a stateful failover feature between two CRS switches so that it doesn't have to be a customized script + vrrp.
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Oct 05, 2020 1:42 pm

> I agree that HW accelerated security devices at a low price point is a *huge* gap in the market. One feature that would really push the adoption of this is a stateful failover feature between two CRS switches so that it doesn't have to be a customized script + vrrp.

RouterOS v7 supports connection tracking syncing between two Mikrotik routers (or CRS switches). Here is more info:
VRRP sync-connection-tracking setup
 
mbovenka
Member
Posts: 337
Joined: Mon Oct 14, 2019 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Oct 05, 2020 4:19 pm

> Investigation of the 98DX3236 switch chip's L3 capabilities is on the roadmap. Please do not misread: it is investigation, not development.

Interesting nonetheless. I await with bated breath ;-)
 
Maggiore81
Trainer
Posts: 558
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Wed Feb 24, 2021 5:48 pm

Hello,
should that be linked with the issue of single TCP connection speed?
Also on 1072 and 1036 in plain fasttrack with no filter rule, a single download reaches about 200 Mbps;
with combined connections, I can go over 1.5 gig...
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Wed May 19, 2021 2:07 pm

v7.1beta6 introduced L3 Hardware Offloading for ALL CRS3xx devices.

https://help.mikrotik.com/docs/display/ ... Offloading
 
capy2008
just joined
Posts: 3
Joined: Sun Jun 21, 2020 8:14 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Sun Nov 28, 2021 5:14 pm

For hap ac3 l3 offload?
 
Maggiore81
Trainer
Posts: 558
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Sun Nov 28, 2021 5:16 pm

What is the sense of the question?
They are switches... yours is a router.
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Nov 29, 2021 12:37 pm

Hi,
no, sorry, I don't agree. It's important to have HW offloading on routers as well. Even some cheap TP Links have HW offloading for NAT & routing. Big routers from well known vendors upwards 50k $ are also doing the forwarding, queuing, ACLs, etc. in hardware. That saves resources and energy. So using the switch chip's functionality for as much offloading as possible is a very good idea even on smaller routers.
To my knowledge, making that happen = writing code for offloading is a very hard task, so that will probably not happen overnight.

Regards
Woland
 
Maggiore81
Trainer
Posts: 558
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Nov 29, 2021 3:38 pm

> Big routers from well known vendors upwards 50k $ are also doing the forwarding, queuing, ACLs, etc. in hardware

You already answered your question.
What is the average price of a router from Mikrotik?
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Nov 29, 2021 4:50 pm

Actually, I have bought an Archer C7 which has NAT and forwarding offloading, for 45EUR. So the price is not everything here.
What I wanted to say: regardless of price range and device type (switch vs. router), HW offloading is an important and exciting feature.
It makes small form factor and low power consumption combined with high performance possible.
Those would make an even stronger argument for purchasing a Mikrotik.

I think Mikrotik devices are already great, but more HW offloading makes them even significantly better.

Cheers
Woland
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Mon Nov 29, 2021 9:41 pm

> Actually, I have bought an Archer C7 which has NAT and forwarding offloading, for 45EUR.

So you're saying that Archer C7 can do wirespeed routing between any of its gigabit interfaces? Well, it can't, it only routes between WAN port and LAN port group (which includes wireless interfaces). If it can do it at wire speed, it doesn't mean it is actually HW offloading routing and NAT to hardware, it can do it using CPU. And guess what? hAP ac3 can do it as well (wirespeed routing between WAN port and LAN port group). The difference is that with hAP ac3 you can actually use all interfaces (5x RJ45 and 2x wireless) independently and route between them. Only in this case the CPU will prove too weak to perform routing between all interfaces simultaneously at wire speed.

To the actual question by @capy2008: the switch chip used in hAP ac3 is a basic one which doesn't offer any L3 functionality. So it's not possible to HW offload those tasks. The cheapest MikroTik device with potential for L3 HW offload is RB5009; its switch chip supports some L3 functionality (much less than those in CRS3xx devices). MT did not (yet) commit to implementing it though.

[edit] Found this page ... if the information is correct, then Archer C7 features the AR8327 switch chip (same as used in the venerable RB951G) for driving ethernet ports. Seems to be statically configured so that one switch chip <-> CPU interconnect is used for WAN traffic and the other interconnect for LAN traffic. Anyway, AR8327 can definitely not do any kind of L3 functions.
 
woland
Member Candidate
Posts: 258
Joined: Mon Aug 16, 2021 4:49 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Tue Nov 30, 2021 12:36 am

No, I did not say anything about the performance of a C7. To be honest I could have never cared less, as I have only used that as an AP, bridged and with Openwrt installed. (HW NAT support was not even available for this device in the open source modules, it worked only with the stock firmware.)
Still HW NAT and netfilter flow offloading is available for a few chipsets used in home routers, but this is a Mikrotik forum.

Yes, I know HAP AC3 is performing nicely, I have installed one 2 days ago. I happen to have a CRS309 and will hopefully receive a new RB5009 this week. So my point is exactly: HW offload is something very interesting for me and probably for a bunch of other users as well. It doesn't matter if that's just HW support for bridge vlan filtering or even offloading for L4 flows. The more offloading, the better, because that's efficient!

https://www.mind.be/openwrtsummit18/201 ... ading.html
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Tue Nov 30, 2021 7:58 am

> No, I did not say anything about the performance of a C7.

No, but you said it had L3 HW offload:
> ... an Archer C7 which has NAT and forwarding offloading ...
And that was the statement I was debunking. Because HW offload doesn't work even with stock firmware due to lack of needed hardware ... even though it might have had better performance figures due to highly optimized code as compared to xWRT.

I agree that HW offload is nice but there's only so much that can be offloaded. Generally the more expensive chip, the more functionality it's got. But also the higher device cost ... and that's what's been discussed before you (unjustifiably) brought Archer c7 into discussion.
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Thu Dec 02, 2021 12:55 pm

A feature can be offloaded to hardware only if the hardware (switch chip) supports the feature. Switch chips that provide a broad L3 feature set (routing, connection tracking, NAT) are not cheap. I wouldn't expect a three-digit-priced switch chip in a two-digit-priced router.

Meanwhile, a brand new MikroTik CCR2116-12G-4S+ supports L3HW in both full routing and FW mode.
 
jookraw
Member Candidate
Posts: 142
Joined: Mon Aug 19, 2019 3:06 pm

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Thu Dec 02, 2021 1:51 pm

The RB5009 is an example of a device with a three-digit price and with a switch that (in the current state) has almost the same functionality as a 10 USD cheap switch. Even though this router has the switch capability for some if not all l3hw features, nothing is implemented... several months after the release... still not able to break the 1gig barrier when having the basic functions enabled
 
nz_monkey
Forum Guru
Posts: 2095
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: L3 hardware offload in FW mode - will there be any other devices than CRS317 supporting this mode?

Thu Dec 02, 2021 2:06 pm

> Meanwhile, a brand new MikroTik CCR2116-12G-4S+ supports L3HW in both full routing and FW mode.

MPLS push/pop in hardware would be pretty nice.
