However when I follow the L3HW User Manual that was recently updated the switch appears to be routing in cpu 100% of the time, even though the connection is fast tracked. I suspect I am missing something.
Anyone else get l3hw working with firewall on 7.1 beta6 ?
Also I made a similar attempt on a CRS 328 and could not get any scenario of l3hw offload to work. Everything stayed in cpu.
I can see from connection tracking, (connection #5, the actual connection is fast tracked) and the fast track rule increments on data transfered/packet count, but im only getting 150mbps at 100% cpu utilization. If I set the ports back to hw accelerated = yes, within 2-3seconds speeds go up to linerate and cpu down to 2%
Edit: working with ports 7 and 8 here for my testing:
Code: Select all
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan16 vlan-id=16
add interface=bridge name=vlan96 vlan-id=96
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 6 l3-hw-offloading=no
set 7 l3-hw-offloading=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=201
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7 pvid=11
add bridge=bridge comment=defconf interface=sfp-sfpplus8 pvid=16
add bridge=bridge comment=defconf interface=sfp-sfpplus9
add bridge=bridge comment=defconf interface=sfp-sfpplus10
add bridge=bridge comment=defconf interface=sfp-sfpplus11
add bridge=bridge comment=defconf interface=sfp-sfpplus12
add bridge=bridge comment=defconf interface=sfp-sfpplus13
add bridge=bridge comment=defconf interface=sfp-sfpplus14
add bridge=bridge comment=defconf interface=sfp-sfpplus15
add bridge=bridge comment=defconf interface=sfp-sfpplus16
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=90
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,bridge,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=96
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=201
add bridge=bridge tagged=bridge,sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 untagged=sfp-sfpplus7 vlan-ids=11
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=12
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=13
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=14
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=15
add bridge=bridge tagged=bridge,sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 untagged=sfp-sfpplus8 vlan-ids=16
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=25
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=91
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=98
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=99
add bridge=bridge tagged=sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13 vlan-ids=202
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=222
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=236
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=237
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=238
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=239
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=93
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=3
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=203
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=18
/ip address
add address=192.168.88.11/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.17.96.11/24 interface=vlan96 network=172.17.96.0
add address=172.17.16.2/24 interface=vlan16 network=172.17.16.0
add address=172.17.11.2/24 interface=vlan11 network=172.17.11.0
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
> /ip/firewall/connection/print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
# PRO SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PA REPL-P ORIG-BYTES REPL-BYTES
0 SACF tcp 172.17.16.23:49198 172.17.11.23:5201 established 23h52m53s 0bps 0bps 9 8 617 428
1 SAC tcp 172.16.201.134:49777 172.17.96.11:8291 established 23h59m59s 7.5kbps 279.3kbps 18 792 21 042 1 161 429 43 538 839
2 SAC tcp 172.16.201.134:64443 172.17.96.11:22 established 23h59m59s 2.6kbps 21.9kbps 459 689 26 473 131 176
3 SAC udp 172.16.16.12:57500 172.17.96.11:161 2m39s 0bps 0bps 227 227 34 197 78 513
4 SACF tcp 172.17.16.23:49312 172.17.11.23:5201 established 23h59m48s 0bps 0bps 9 8 617 428
5 SACF tcp 172.17.16.23:49314 172.17.11.23:5201 established 5m 142.7Mbps 4.2Mbps 126 960 93 826 190 435 701 5 792 076