 
syadnom
Forum Veteran
Topic Author
Posts: 794
Joined: Thu Jan 27, 2011 7:29 am

hardware routing and firewall

Wed Aug 25, 2021 7:49 pm

Before I go deploy this NP16 w/ RC1, wanted to double check something. This switch chip supports hardware routing but does NOT support fast-track or NAT in hardware. (per https://help.mikrotik.com/docs/display/ ... 2000Series)

So, if I do a firewall on "INPUT", I just want to verify that this won't touch anything being forwarded at all. I have zero "FORWARD" rules, and I'm assuming (and wanting to verify) that since I don't pull forwarded packets into the CPU, they will remain in the hardware path.

Is my assumption good?
 
raimondsp
MikroTik Support
Posts: 267
Joined: Mon Apr 27, 2020 10:14 am

Re: hardware routing and firewall

Fri Aug 27, 2021 2:05 pm

The firewall affects only the packets processed by the CPU.

If the forwarding/routing is performed by the hardware, packets do not enter the CPU at all, and therefore do not trigger the firewall (even if you have FORWARD rules).

In addition, you can fine-tune L3 HW offloading by disabling HW routing for specific routes (suppress-hw-offload=yes at /ip/route/) or ports (l3-hw-offloading=no at /in/eth/sw/port/). For example, you have IoT devices connected to some ports. Those IoT devices do not produce much traffic and, therefore, do not benefit from hardware routing. And you want to limit their network access via the firewall. So you disable l3-hw-offloading on those ports, making packets from/to those ports go through CPU/Firewall while keeping hardware routing on other ports.
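
The behaviour described in the reply above, turned into a configuration check (an added example, not part of the original posts and not MikroTik tooling): it classifies each forward-chain filter rule by whether hardware-routed traffic can reach it. The interface names, addresses and sample commands are constructed, and the parser assumes one full-path command per line with ports hardware-routed unless explicitly set to l3-hw-offloading=no; bridge and VLAN interfaces are not resolved to ports.

```python
import shlex

# Constructed sample: one full-path RouterOS command per line (not a real export).
SAMPLE_CONFIG = """\
/interface/ethernet/switch set 0 l3-hw-offloading=yes
/interface/ethernet/switch/port set ether5 l3-hw-offloading=no
/ip/firewall/filter add chain=input action=drop in-interface=ether1
/ip/firewall/filter add chain=forward action=drop in-interface=ether5 dst-address=10.0.0.0/8
/ip/firewall/filter add chain=forward action=drop in-interface=ether2 dst-address=10.0.0.0/8
/ip/firewall/filter add chain=forward action=drop dst-address=192.168.88.0/24
"""

def parse(line):
    """Split '/menu/path verb [item] key=value ...' into its parts."""
    path, verb, *rest = shlex.split(line)
    item = next((t for t in rest if "=" not in t), None)
    params = dict(t.split("=", 1) for t in rest if "=" in t)
    return path, verb, item, params

def audit(config):
    """Return (command, verdict) for each forward-chain filter rule."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("/")]
    cmds = [(l, *parse(l)) for l in lines]
    # Assumption: HW routing is active only if the switch has l3-hw-offloading=yes.
    hw_on = any(path == "/interface/ethernet/switch" and kv.get("l3-hw-offloading") == "yes"
                for _, path, _, _, kv in cmds)
    # Ports explicitly taken out of HW routing; their packets go through the CPU.
    cpu_ports = {item for _, path, _, item, kv in cmds
                 if path == "/interface/ethernet/switch/port"
                 and kv.get("l3-hw-offloading") == "no"}
    findings = []
    for line, path, verb, _, kv in cmds:
        if path != "/ip/firewall/filter" or verb != "add" or kv.get("chain") != "forward":
            continue
        ifaces = [kv[k] for k in ("in-interface", "out-interface") if k in kv]
        if not hw_on or any(i in cpu_ports for i in ifaces):
            verdict = "enforced"   # matching packets pass through the CPU
        elif ifaces:
            verdict = "bypassed"   # named ports are hardware-routed
        else:
            verdict = "cpu-only"   # sees only traffic that reaches the CPU
        findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_CONFIG):
        print(f"{verdict:9} {line}")
```

A "bypassed" or "cpu-only" verdict on a rule that is meant to restrict access is the case to review: either move the affected ports or routes out of hardware routing, or accept that the rule does not filter hardware-routed traffic.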
