aglabs
just joined
Topic Author
Posts: 22
Joined: Mon Dec 28, 2020 1:05 am

CRS317 l3hw + firewall question

Sat Jul 24, 2021 7:42 pm

I finally got some time to play with l3hw offloading on my CRS317 today. When I enable offload on every switch port (straight offload no firewall) everything works as expected, traffic is routed line rate on two 10gbit ports.

However when I follow the L3HW User Manual that was recently updated the switch appears to be routing in cpu 100% of the time, even though the connection is fast tracked. I suspect I am missing something.

Anyone else get l3hw working with firewall on 7.1 beta6 ?

Also I made a similar attempt on a CRS 328 and could not get any scenario of l3hw offload to work. Everything stayed in cpu.

I can see from connection tracking (connection #5, the actual connection is fast tracked) and the fast track rule increments on data transferred/packet count, but I'm only getting 150mbps at 100% cpu utilization. If I set the ports back to hw accelerated = yes, within 2-3 seconds speeds go up to linerate and cpu down to 2%

Edit: working with ports 7 and 8 here for my testing:
/interface vlan
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan16 vlan-id=16
add interface=bridge name=vlan96 vlan-id=96
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 6 l3-hw-offloading=no
set 7 l3-hw-offloading=no



/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=201
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge comment=defconf interface=sfp-sfpplus5
add bridge=bridge comment=defconf interface=sfp-sfpplus6
add bridge=bridge comment=defconf interface=sfp-sfpplus7 pvid=11
add bridge=bridge comment=defconf interface=sfp-sfpplus8 pvid=16
add bridge=bridge comment=defconf interface=sfp-sfpplus9
add bridge=bridge comment=defconf interface=sfp-sfpplus10
add bridge=bridge comment=defconf interface=sfp-sfpplus11
add bridge=bridge comment=defconf interface=sfp-sfpplus12
add bridge=bridge comment=defconf interface=sfp-sfpplus13
add bridge=bridge comment=defconf interface=sfp-sfpplus14
add bridge=bridge comment=defconf interface=sfp-sfpplus15
add bridge=bridge comment=defconf interface=sfp-sfpplus16



/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=90
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,bridge,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=96
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=201
add bridge=bridge tagged=bridge,sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 untagged=sfp-sfpplus7 vlan-ids=11
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=12
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=13
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 vlan-ids=14
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=15
add bridge=bridge tagged=bridge,sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 untagged=sfp-sfpplus8 vlan-ids=16
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=25
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=91
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=98
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=99
add bridge=bridge tagged=sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13 vlan-ids=202
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=222
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=236
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=237
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=238
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=239
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=93
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=3
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=203
add bridge=bridge tagged=sfp-sfpplus16,sfp-sfpplus15,sfp-sfpplus14,sfp-sfpplus13,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6 vlan-ids=18




/ip address
add address=192.168.88.11/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.17.96.11/24 interface=vlan96 network=172.17.96.0
add address=172.17.16.2/24 interface=vlan16 network=172.17.16.0
add address=172.17.11.2/24 interface=vlan11 network=172.17.11.0



/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related






 > /ip/firewall/connection/print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
  #        PRO  SRC-ADDRESS           DST-ADDRESS        TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE  ORIG-PA  REPL-P   ORIG-BYTES  REPL-BYTES
  0  SACF  tcp  172.17.16.23:49198    172.17.11.23:5201  established  23h52m53s  0bps       0bps             9       8          617         428
  1  SAC   tcp  172.16.201.134:49777  172.17.96.11:8291  established  23h59m59s  7.5kbps    279.3kbps   18 792  21 042    1 161 429  43 538 839
  2  SAC   tcp  172.16.201.134:64443  172.17.96.11:22    established  23h59m59s  2.6kbps    21.9kbps       459     689       26 473     131 176
  3  SAC   udp  172.16.16.12:57500    172.17.96.11:161                2m39s      0bps       0bps           227     227       34 197      78 513
  4  SACF  tcp  172.17.16.23:49312    172.17.11.23:5201  established  23h59m48s  0bps       0bps             9       8          617         428
  5  SACF  tcp  172.17.16.23:49314    172.17.11.23:5201  established  5m         142.7Mbps  4.2Mbps    126 960  93 826  190 435 701   5 792 076
 
mkx
Forum Guru
Posts: 7110
Joined: Thu Mar 03, 2016 10:23 pm

Re: CRS317 l3hw + firewall question

Sat Jul 24, 2021 8:57 pm

If I set the ports back to hw accelerated = yes, within 2-3seconds speeds go up to linerate and cpu down to 2%

So where exactly is the problem? HW offload of fasttracked connections also requires l3-hw-offloading=yes.
BR,
Metod
 
aglabs
just joined
Topic Author
Posts: 22
Joined: Mon Dec 28, 2020 1:05 am

Re: CRS317 l3hw + firewall question

Sat Jul 24, 2021 11:12 pm

If I set l3-hw-offloading=yes on every port, traffic never hits firewall evaluation.

According to the documentation, l3-hw-offloading is supposed to be set to no on individual ports you wish to take through firewall evaluation, fasttrack is supposed to return the flow back to hardware, non-fasttrack is on cpu, as how I understood the guide:
To make all packets go through the CPU first, and offload only the Fasttrack connections, disable l3hw on all ports but keep it enabled on the switch chip itself:

/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set [find] l3-hw-offloading=no
 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question

Mon Aug 02, 2021 8:57 am

CRS328 does not support FastTrack offloading (L3HWDeviceSupport).

As for CRS317, I believe that you have encountered an issue that prevents FastTrack offloading. The issue has already been fixed and is waiting for the 7.1beta7 release. Here is a quote from the upcoming changelog:
- L3HW: Fixed an issue when, in some cases, Inter-VLAN routing still could go via the CPU
- L3HW: Fixed a rare issue that could prevent Fasttrack HW offloading
 
aglabs
just joined
Topic Author
Posts: 22
Joined: Mon Dec 28, 2020 1:05 am

Re: CRS317 l3hw + firewall question

Tue Aug 31, 2021 7:42 pm

I've tested 7.1rc1 and 7.1rc2.

Neither of them addresses the behavior on the CRS317. Are these fixes still on the roadmap?
 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question

Wed Sep 01, 2021 2:59 pm

All L3HW fixes are present in rc1+. At the moment of writing, there are no known issues regarding L3HW in terms of inter-VLAN routing or FastTrack offloading.

We will try to reproduce your case. Please verify if our assumptions are correct:
  1. You want to set up firewall-controlled inter-VLAN routing between VLAN ID 11 and 16.
  2. The device with IP 172.17.11.23 (VID 11) is connected to CRS317's port sfp-sfpplus7 (either directly or via a switch).
  3. The device with IP 172.17.16.23 (VID 16) is connected to CRS317's port sfp-sfpplus8 (either directly or via a switch).
  4. Both devices are sending/receiving untagged traffic.
  5. Everything is fine when the Full hardware routing is enabled (l3-hw-offloading=yes on both the switch and ports).
  6. In the Firewall-compatible mode (l3-hw-offloading=yes on the switch but no on the respective ports), the connections get FastTracked, but not hw-offloaded.
 
aglabs
just joined
Topic Author
Posts: 22
Joined: Mon Dec 28, 2020 1:05 am

Re: CRS317 l3hw + firewall question

Thu Sep 02, 2021 5:34 pm

Sorry for the delay, I wanted to be sure of the answers to your questions before wasting time :)
1. You want to set up firewall-controlled inter-VLAN routing between VLAN ID 11 and 16.
Yes

2. The device with IP 172.17.11.23 (VID 11) is connected to CRS317's port sfp-sfpplus7 (either directly or via a switch).
Yes, it's connected directly. Endpoint can ping the switch l3 address on both vlan11 and vlan16 as well as the endpoint on vlan16.

3. The device with IP 172.17.16.23 (VID 16) is connected to CRS317's port sfp-sfpplus8 (either directly or via a switch).
Yes, it's connected directly. Same thing as above.

4. Both devices are sending/receiving untagged traffic.
Correct. It's interesting you mention untagged traffic, which made me test both untagged and tagged. Without firewall offloading, linerate routing is still achieved when using tagged interfaces and always works, firewall offloading (l3-hw-offloading=no on port and yes on switch) With pure untagged interfaces non firewall offloading scenario sometimes doesn't work. I have not found a cause; I end up having to set l3-hw-offloading=no and back to yes, wait a minute or two, and it starts working (I get stuck at 140mbps 100% cpu on the switch).

5. Everything is fine when the Full hardware routing is enabled (l3-hw-offloading=yes on both the switch and ports).
Aside from the previous statement, yes, when l3-hw-offloading = yes on both switch and ports things just work as expected, aside from untagged scenario sometimes does not work.

6. In the Firewall-compatible mode (l3-hw-offloading=yes on the switch but no on the respective ports), the connections get FastTracked, but not hw-offloaded.
Yes, I verified in each test in the connections list that the connection is showing fasttracked. The fasttrack rule increments on packets and bytes, but the dynamic passthrough rule never comes off 0 on its counters.


All my answers are derived from testing 7.1rc2
 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question

Fri Sep 03, 2021 10:07 am

Thank you for the answers! We will try to reproduce your issue.

When changing hardware routing settings, the existing connections might be unaffected. For example, if you have an active FastTrack connection while enabling l3-hw-offloading=yes on the respective ports, the traffic may continue through the CPU/Firewall. You can force the offloading by flushing the ARP table:
/ip/arp/remove [find]
 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question

Mon Sep 06, 2021 5:17 pm

@aglabs

Can you do us a favor and try moving the ports outside of the bridge?
/interface/bridge/port disable [find where interface=sfp-sfpplus7 or interface=sfp-sfpplus8]
/interface/vlan/ disable vlan11,vlan16
/ip/address/set [find interface=vlan11] interface=sfp-sfpplus7
/ip/address/set [find interface=vlan16] interface=sfp-sfpplus8
Perform the test and check if connections get offloaded (H flag in the connection list).

To restore the previous settings:
/interface/bridge/port enable [find where interface=sfp-sfpplus7 or interface=sfp-sfpplus8]
/interface/vlan/ enable vlan11,vlan16
/ip/address/set [find interface=sfp-sfpplus7] interface=vlan11
/ip/address/set [find interface=sfp-sfpplus8] interface=vlan16
 
aglabs
just joined
Topic Author
Posts: 22
Joined: Mon Dec 28, 2020 1:05 am

Re: CRS317 l3hw + firewall question

Tue Sep 07, 2021 7:12 pm

@raimondsp

In this test I am still using ports 7 and 8

I applied the configuration as mentioned, once config was applied firewall scenario now properly offloads with switch hw offload yes and port hw offload no, passthrough rule now actually reports traffic stats:
[admin@HARDIN-DS-L-01] > /ip/firewall/connection/print
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; H - HW-OFFLOAD
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES
#       PRO  SRC-ADDRESS           DST-ADDRESS        TCP-STATE    TIMEOUT    ORIG-RATE   REPL-RAT  ORIG-PACKE  REPL-PA      ORIG-BYTES
0 SAC   tcp  172.16.201.190:38468  172.17.96.11:22    established  23h59m59s  6.2kbps     7.2kbps          205      193          16 061
1 SAC   tcp  172.16.201.190:58286  172.17.96.11:8291  established  23h59m59s  3.6kbps     40.2kbps       2 474    1 532         235 947
2 SACFH tcp  172.17.11.23:57304    172.17.16.23:5201  established  23h59m43s  1674.7Mbps  7.6Mbps   13 478 371  215 939  20 460 075 959
3 SACF  tcp  172.17.11.23:57302    172.17.16.23:5201  established  23h59m43s  0bps        0bps               9        8             739

Switch ports (truncated):
[admin@HARDIN-DS-L-01] > /interface/ethernet/switch/port/print
Columns: NAME, SWITCH, L3-HW-OFFLOADING, STORM-RATE
 # NAME           SWITCH   L3-HW-OFFLOADING  STORM-RATE
 0 sfp-sfpplus1   switch1  yes                      100
 1 sfp-sfpplus2   switch1  yes                      100
 2 sfp-sfpplus3   switch1  yes                      100
 3 sfp-sfpplus4   switch1  yes                      100
 4 sfp-sfpplus5   switch1  no                       100
 5 sfp-sfpplus6   switch1  no                       100
 6 sfp-sfpplus7   switch1  no                       100
 7 sfp-sfpplus8   switch1  no                       100
switch:
[admin@HARDIN-DS-L-01] > /interface/ethernet/switch/print
Columns: NAME, TYPE, L3-HW-OFFLOADING
# NAME     TYPE              L3-HW-OFFLOADING
0 switch1  Marvell-98DX8216  yes   

edit, add iperf results:
root@HARDIN-KV-L-01:~# iperf3 -c 172.17.16.23
Connecting to host 172.17.16.23, port 5201
[  5] local 172.17.11.23 port 57432 connected to 172.17.16.23 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.09 GBytes  9.33 Gbits/sec   71   1.39 MBytes       
[  5]   1.00-2.00   sec  1.10 GBytes  9.42 Gbits/sec   13   1.39 MBytes       
[  5]   2.00-3.00   sec  1.10 GBytes  9.42 Gbits/sec    2   1.39 MBytes       
[  5]   3.00-4.00   sec  1.10 GBytes  9.41 Gbits/sec    4   1.39 MBytes       
[  5]   4.00-5.00   sec  1.09 GBytes  9.38 Gbits/sec    2   1.39 MBytes       
[  5]   5.00-6.00   sec  1.09 GBytes  9.40 Gbits/sec  514   1.14 MBytes       
[  5]   6.00-7.00   sec  1.10 GBytes  9.42 Gbits/sec    0   1.31 MBytes       
[  5]   7.00-8.00   sec  1.10 GBytes  9.42 Gbits/sec    0   1.37 MBytes       
[  5]   8.00-9.00   sec  1.09 GBytes  9.38 Gbits/sec    0   1.39 MBytes       
[  5]   9.00-10.00  sec  1.09 GBytes  9.41 Gbits/sec    0   1.40 MBytes       
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  10.9 GBytes  9.40 Gbits/sec  606             sender
[  5]   0.00-10.00  sec  10.9 GBytes  9.40 Gbits/sec                  receiver

 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question  [SOLVED]

Wed Sep 08, 2021 9:05 am

Thank you for the feedback!

We have reproduced your issue in the lab. It turns out that this is not a bug but rather an unimplemented (yet) feature. Currently, RouterOS cannot perform VLAN filtering on the L3 fast path. Therefore, all packets that are routed through a bridge with vlan-filtering=yes get sent via the slow path. Since those packets never go through the fast path, they do not get hw-offloaded. There is confusion due to connections having the "F - FASTTRACK" flag. Although the related packets are a subject for FastTrack, those are redirected via the slow path due to VLAN filtering. This applies not only to CRS3xx but all devices, including RouterOS v6.

We are investigating possible solutions. Meanwhile, if possible, keep those ports outside of the bridge.

P.S. The above information applies to Layer 3 only (Inter-VLAN routing). Layer 2 fast path and HW offloading work as intended.
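
As an added illustration (not part of any post in this thread, and not MikroTik code), the Python sketch below reads `/ip/firewall/connection/print` output and separates connections carrying both F and H from those that are FastTracked but still forwarded by the CPU, the symptom explained above. The rows are trimmed copies of the listings posted earlier in the thread; the function names and the 50 Mbps threshold are assumptions.

```python
import re

# Rows copied from the two listings in this thread (packet/byte columns trimmed).
BEFORE = """\
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK
  #        PRO  SRC-ADDRESS           DST-ADDRESS        TCP-STATE    TIMEOUT    ORIG-RATE  REPL-RATE
  3  SAC   udp  172.16.16.12:57500    172.17.96.11:161                2m39s      0bps       0bps
  4  SACF  tcp  172.17.16.23:49312    172.17.11.23:5201  established  23h59m48s  0bps       0bps
  5  SACF  tcp  172.17.16.23:49314    172.17.11.23:5201  established  5m         142.7Mbps  4.2Mbps
"""
AFTER = """\
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED; F - FASTTRACK; H - HW-OFFLOAD
0 SAC   tcp  172.16.201.190:38468  172.17.96.11:22    established  23h59m59s  6.2kbps     7.2kbps
2 SACFH tcp  172.17.11.23:57304    172.17.16.23:5201  established  23h59m43s  1674.7Mbps  7.6Mbps
3 SACF  tcp  172.17.11.23:57302    172.17.16.23:5201  established  23h59m43s  0bps        0bps
"""

# index, optional upper-case flags, lower-case protocol, source, destination
ROW = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?([a-z][a-z0-9-]*)\s+(\S+)\s+(\S+)")
RATE = re.compile(r"(\d+(?:\.\d+)?)([kMG]?)bps")
UNIT = {"": 1, "k": 1e3, "M": 1e6, "G": 1e9}


def parse_connections(text):
    """Parse connection rows; legend, header and prompt lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, flags, proto, src, dst = m.groups()
        rates = [float(v) * UNIT[u] for v, u in RATE.findall(line)]
        conns.append({
            "id": int(idx), "flags": flags or "", "proto": proto,
            "src": src, "dst": dst,
            "bps": max(rates, default=0.0),  # busier of the two directions
        })
    return conns


def forwarding_path(conn):
    """Classify a connection by its F (FastTrack) and H (HW-offload) flags."""
    flags = conn["flags"]
    if "F" in flags and "H" in flags:
        return "hw-offloaded"
    if "F" in flags:
        return "fasttrack-not-offloaded"
    return "cpu-firewall"


def stuck_on_cpu(text, min_bps=50e6):
    """FastTracked flows without H that carry real load (threshold is an assumption)."""
    return [c for c in parse_connections(text)
            if forwarding_path(c) == "fasttrack-not-offloaded" and c["bps"] >= min_bps]


if __name__ == "__main__":
    for label, sample in (("bridged, vlan-filtering", BEFORE), ("ports outside bridge", AFTER)):
        hits = stuck_on_cpu(sample)
        print(label, "->", [(c["id"], c["src"], c["dst"]) for c in hits] or "none")
```

Idle FastTrack entries at 0bps are not reported, since both listings in the thread contain such rows regardless of whether offloading works.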
 
aglabs
just joined
Topic Author
Posts: 22
Joined: Mon Dec 28, 2020 1:05 am

Re: CRS317 l3hw + firewall question

Thu Sep 09, 2021 6:18 am

Thanks for the update. I'll keep watching/hoping for if/when this is possible with bridging in the picture. I appreciate your effort hunting down an answer!
 
mazza
just joined
Posts: 13
Joined: Wed Feb 21, 2018 10:28 am

Re: CRS317 l3hw + firewall question

Sat Oct 02, 2021 7:46 pm

... Currently, RouterOS cannot perform VLAN filtering on the L3 fast path. ...
Does this mean that RouterOS never, not at any device, performs any fasttracking, if all IPs of a device are on an `/interface/vlan` where the `interface` of the vlan is a `/interface/bridge`?

e.g.:
/interface bridge
add name=bridge vlan-filtering=yes
 
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
 
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=20

/interface vlan
add interface=bridge name=br-vlan10 vlan-id=10
add interface=bridge name=br-vlan20 vlan-id=20
 
/ip address
add address=192.168.10.1/24 interface=br-vlan10
add address=192.168.20.1/24 interface=br-vlan20
In such a configuration the traffic routed from 192.168.10.0/24 to 192.168.20.0/24 would never be fast tracked. Even if the connection has the Flag "F - FASTTRACK" under `/ip/firewall/connection/print`.
Do I understand that correctly?
 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question

Mon Oct 04, 2021 8:52 am

... Currently, RouterOS cannot perform VLAN filtering on the L3 fast path. ...
Does this mean that RouterOS never, not at any device, performs any fasttracking, if all IPs of a device are on an `/interface/vlan` where the `interface` of the vlan is a `/interface/bridge`?

e.g.:
/interface bridge
add name=bridge vlan-filtering=yes
 
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
 
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=20

/interface vlan
add interface=bridge name=br-vlan10 vlan-id=10
add interface=bridge name=br-vlan20 vlan-id=20
 
/ip address
add address=192.168.10.1/24 interface=br-vlan10
add address=192.168.20.1/24 interface=br-vlan20
In such a configuration the traffic routed from 192.168.10.0/24 to 192.168.20.0/24 would never be fast tracked. Even if the connection has the Flag "F - FASTTRACK" under `/ip/firewall/connection/print`.
Do I understand that correctly?
Yes, you are correct. The good news is that this feature received a priority boost, and it is already in development.
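
An added example, not from any poster or from MikroTik: a Python audit of a RouterOS text export that lists the IP addresses sitting on a bridge with vlan-filtering=yes, or on a VLAN interface on top of one, which per the answer above are routed via the slow path and therefore never hw-offloaded. The sample export is constructed from the configuration in the question plus one address on a standalone port; the function names are assumptions.

```python
import re
import shlex

# Constructed sample: the configuration from the question above, plus one
# address on a port that is not a bridge member.
EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus2 vlan-ids=20
/interface vlan
add interface=bridge name=br-vlan10 vlan-id=10
add interface=bridge name=br-vlan20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=br-vlan10
add address=192.168.20.1/24 interface=br-vlan20
add address=10.0.0.1/30 interface=sfp-sfpplus3
"""


def parse_export(text):
    """Return {menu: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            # accept both "/interface bridge" and "/interface/bridge" styles
            current = " ".join(line.strip("/").replace("/", " ").split())
            menus.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus


def slow_path_gateways(text):
    """(interface, address) pairs routed through a VLAN-filtering bridge."""
    menus = parse_export(text)
    filtering = {b.get("name") for b in menus.get("interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    vlan_ifs = {v.get("name") for v in menus.get("interface vlan", [])
                if v.get("interface") in filtering}
    routed = filtering | vlan_ifs
    return sorted((a["interface"], a["address"])
                  for a in menus.get("ip address", [])
                  if a.get("interface") in routed)


if __name__ == "__main__":
    for iface, addr in slow_path_gateways(EXPORT):
        print(f"{addr} on {iface}: routed via VLAN-filtering bridge (slow path)")
```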
 
onnoossendrijver
Member
Posts: 457
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: CRS317 l3hw + firewall question

Mon Oct 04, 2021 12:23 pm

Very nice!!
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
gtj0
just joined
Posts: 15
Joined: Wed Sep 23, 2020 8:08 pm

Re: CRS317 l3hw + firewall question

Tue Oct 05, 2021 8:27 pm

+1
I've been holding off on setting this up on my 317 because of this issue.
 
mazza
just joined
Posts: 13
Joined: Wed Feb 21, 2018 10:28 am

Re: CRS317 l3hw + firewall question

Wed Oct 06, 2021 2:27 pm

@raimondsp, thank you very much for your quick answer. That explains quite some setups that did not perform as expected.

The good news is that this feature received a priority boost, and it is already in development.
That's great! This should give many inter VLAN routers a good performance boost.
 
umbramalison
just joined
Posts: 7
Joined: Wed Dec 22, 2021 2:03 am

Re: CRS317 l3hw + firewall question

Wed Dec 22, 2021 11:19 pm

@raimondsp - did this make it into 7.1.1 or earlier? If not, would you happen to know if it would be imminent? (I appreciate beyond imminent is a black hole).

I'm on 7.1.1, but this sounds like my issue.

I'm getting Fast-tracked connections for my est&related traffic, but not seeing any HW offloading.

I have trunked vlans on a CRS317, and I'm trying to manage some intervlan restrictions like @aglabs.
 
raimondsp
MikroTik Support
Posts: 144
Joined: Mon Apr 27, 2020 10:14 am

Re: CRS317 l3hw + firewall question

Thu Dec 23, 2021 7:51 am

Unfortunately, FastTracking of VLAN-filtered bridged traffic is not finished yet, and I cannot tell the exact completion date or version number. The development is almost completed, though. However, a long testing phase is pending since this feature affects all MikroTik routers. The good news is that the HW offloading part is already done, so as soon as FastTrack is ready, you will be able to offload it to your CRS317 hardware.
 
umbramalison
just joined
Posts: 7
Joined: Wed Dec 22, 2021 2:03 am

Re: CRS317 l3hw + firewall question

Thu Dec 23, 2021 8:40 pm

Thank you. Will keep a keen eye out for this. Happy holidays
