Community discussions

 
MarHazK
just joined
Topic Author
Posts: 22
Joined: Wed Mar 29, 2017 8:31 pm

Traffic Forwarding

Sat Jan 26, 2019 7:27 pm

Assume that my PC (10.30.11.50/24) is connected to the MikroTik at bridge-lan1 (10.30.11.1/24), but there's another bridge that my PC is unable to connect to, known as bridge-lan2 (192.168.0.1/24), where only servers are able to connect to that internal network (bridge-lan2) via a hub.

So I have these 2 servers (Server-A 192.168.0.2/24 & Server-B 192.168.0.3/24) connected to the internal network (bridge-lan2).

So, I want to create new IP addresses 10.30.11.2/24 & 10.30.11.3/24 under bridge-lan1. The purpose of these: I want my external 10.30.11.2/24 traffic forwarded to internal 192.168.0.2/24, and my external 10.30.11.3/24 traffic forwarded to internal 192.168.0.3/24.

Is that possible? If so, any basic steps to do so? Thank you.
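Read literally (a router-owned 10.30.11.2 that stands in for 192.168.0.2, and 10.30.11.3 for 192.168.0.3), the request above is a one-to-one destination NAT on the router rather than plain routing between the two bridges. The RouterOS configuration below is an added example, not part of the original post and not a MikroTik document; it assumes the names and addresses the post gives (bridge-lan1 10.30.11.1/24, bridge-lan2 192.168.0.1/24, Server-A 192.168.0.2, Server-B 192.168.0.3), that the servers use 192.168.0.1 as their default gateway, and that no real host in LAN1 uses 10.30.11.2 or 10.30.11.3.

```routeros
# Added example (not from the thread). One-to-one dst-nat from "front"
# addresses on bridge-lan1 to the servers on bridge-lan2.
# Assumed: bridge-lan1 10.30.11.1/24, bridge-lan2 192.168.0.1/24,
#          servers 192.168.0.2 / 192.168.0.3 with gateway 192.168.0.1.

# 1. The front addresses live on the router itself, on bridge-lan1, so the
#    router answers ARP for them on the PC side. They are aliases, not hosts.
/ip address
add address=10.30.11.2/24 interface=bridge-lan1 comment="front address for Server-A"
add address=10.30.11.3/24 interface=bridge-lan1 comment="front address for Server-B"

# 2. Destination NAT: a LAN1 packet to 10.30.11.2 is rewritten to 192.168.0.2
#    (and .3 to .3). Connection tracking reverses the translation on replies,
#    so the PC only ever sees the 10.30.11.x address.
/ip firewall nat
add chain=dstnat in-interface=bridge-lan1 dst-address=10.30.11.2 \
    action=dst-nat to-addresses=192.168.0.2 comment="LAN1 -> Server-A"
add chain=dstnat in-interface=bridge-lan1 dst-address=10.30.11.3 \
    action=dst-nat to-addresses=192.168.0.3 comment="LAN1 -> Server-B"

# 3. Filter. dst-nat runs before the forward chain, so these rules match the
#    translated (192.168.0.x) destination. connection-nat-state=dstnat limits
#    the accept to flows that went through the NAT rules above; a LAN1 host
#    that learns the real 192.168.0.2 address still hits the drop rule.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to accepted connections"
add chain=forward in-interface=bridge-lan1 out-interface=bridge-lan2 \
    dst-address=192.168.0.2 connection-nat-state=dstnat action=accept \
    comment="translated LAN1 -> Server-A"
add chain=forward in-interface=bridge-lan1 out-interface=bridge-lan2 \
    dst-address=192.168.0.3 connection-nat-state=dstnat action=accept \
    comment="translated LAN1 -> Server-B"
add chain=forward in-interface=bridge-lan1 out-interface=bridge-lan2 \
    action=drop comment="no other LAN1 -> LAN2 traffic"
add chain=forward in-interface=bridge-lan2 out-interface=bridge-lan1 \
    connection-state=new action=drop comment="servers cannot open connections to LAN1"
```

After a test connection from the PC to 10.30.11.2, the packet counters in /ip firewall nat print stats and /ip firewall filter print stats show whether the dst-nat rule and the matching accept rule were hit; if the server segment is reachable without the front address, the drop counter stays at zero and the accept rule is too broad. The servers' replies return to the router only because their default gateway is 192.168.0.1; with a different gateway the NAT is not reversed and the connection does not complete.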
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic Forwarding

Sat Jan 26, 2019 7:40 pm

Well, your explanation is a bit fuzzy. A diagram would have helped.
Also helpful at a certain point to post your config:
/export hide-sensitive file=mylatestconfig

However, you want to know if the MT router can route traffic internally between VLANs.
The answer is YES, you just need the appropriate firewall filter forward rules.

You didn't mention which MT router you have, but I have a similar situation.
You only need one bridge, by the way.
Create a Bridge LAN 10.30.11.1 for normal PC traffic
Create a VLAN68 192.168.0.1 for segregated servers

in firewall forward rules
allow LAN to WAN
allow VLAN to WAN
allow LANIP(.2) to VLANIP(.2) in-interface=bridge
allow LANIP(.3) to VLANIP(.3) in-interface=bridge
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
MarHazK
just joined
Topic Author
Posts: 22
Joined: Wed Mar 29, 2017 8:31 pm

Re: Traffic Forwarding

Sun Jan 27, 2019 5:21 am

Well, your explanation is a bit fuzzy. A diagram would have helped.
Also helpful at a certain point to post your config:
/export hide-sensitive file=mylatestconfig

However, you want to know if the MT router can route traffic internally between VLANs.
The answer is YES, you just need the appropriate firewall filter forward rules.

You didn't mention which MT router you have, but I have a similar situation.
You only need one bridge, by the way.
Create a Bridge LAN 10.30.11.1 for normal PC traffic
Create a VLAN68 192.168.0.1 for segregated servers

in firewall forward rules
allow LAN to WAN
allow VLAN to WAN
allow LANIP(.2) to VLANIP(.2) in-interface=bridge
allow LANIP(.3) to VLANIP(.3) in-interface=bridge

Thanks. Actually, it's similar to what you picture/understand. I'm using an RB2011UiAS-RM. ether1 is WAN, ether2-ether5 is LAN1, which is ported to bridge-lan1, and ether8-ether10 is LAN2, which is ported to bridge-lan2, btw. Both bridge-lan1 & bridge-lan2 are unable to communicate with each other; only specific servers are able to.

Anyway, the only thing is one more step: how to do this in the "/ip firewall" command?
allow LANIP(.2) to VLANIP(.2) in-interface=bridge
allow LANIP(.3) to VLANIP(.3) in-interface=bridge
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic Forwarding

Sun Jan 27, 2019 4:07 pm

Well Mark,
You have many choices, but typically people here recommend one bridge as that supports HW offloading for many devices (not sure if yours).
So you can have:
a. LAN1 bridge
b. LAN2, no bridge, just a separate LAN

Preferred option
a. LAN1 bridge
b. VLAN10 on same bridge (for servers)

The least favourable option is
a. bridge for lan1
b. bridge for lan2
+++++++++++++++++++++++++++++++++++
Now for the internal traffic rules which you are looking for...

So the basic premise is:
forward chain accept,
Define destination address(es): subnet or IP or destination address list etc.
Define in-interface (where the traffic is coming from, i.e. the bridge, a VLAN, or a LAN not on a bridge)
Define source address(es): subnet or IP or source address list etc.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
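The premise anav lays out (forward-chain accept rules keyed on source address, destination address and in-interface, with everything else between the two segments dropped), written out as an added example for the interfaces named in this thread. It is not anav's or the OP's configuration. It assumes bridge-lan1 (10.30.11.0/24) and bridge-lan2 (192.168.0.0/24) are both routed by the same RB2011, that 10.30.11.2 and 10.30.11.3 are real hosts on LAN1 (anav's reading of the question, where "LANIP(.2)" talks to "VLANIP(.2)"), and that ether1 is the WAN interface.

```routeros
# Added example, not from the thread. Forward-chain policy between the two
# bridges: explicit host-to-host accepts, default drop in both directions.
# Assumed: bridge-lan1 10.30.11.0/24, bridge-lan2 192.168.0.0/24, WAN on ether1.

/ip firewall filter
# Replies to already-accepted connections come first, so the drops at the
# end do not break return traffic in either direction.
add chain=forward connection-state=established,related action=accept \
    comment="established/related"
add chain=forward connection-state=invalid action=drop comment="invalid"

# The pair rules. Matching src-address together with in-interface pins the
# source to the PC segment: a server on bridge-lan2 that spoofs 10.30.11.2
# still arrives on bridge-lan2 and does not match.
add chain=forward in-interface=bridge-lan1 out-interface=bridge-lan2 \
    src-address=10.30.11.2 dst-address=192.168.0.2 action=accept \
    comment="LANIP .2 -> VLANIP .2"
add chain=forward in-interface=bridge-lan1 out-interface=bridge-lan2 \
    src-address=10.30.11.3 dst-address=192.168.0.3 action=accept \
    comment="LANIP .3 -> VLANIP .3"

# Internet access for both segments (ether1 assumed to be WAN).
add chain=forward in-interface=bridge-lan1 out-interface=ether1 action=accept \
    comment="LAN to WAN"
add chain=forward in-interface=bridge-lan2 out-interface=ether1 action=accept \
    comment="servers to WAN"

# Everything else between the two segments is dropped and logged, so a
# misconfigured host shows up in the log instead of silently working.
add chain=forward in-interface=bridge-lan1 out-interface=bridge-lan2 \
    action=drop log=yes log-prefix="lan1->lan2 drop" comment="default deny LAN1->LAN2"
add chain=forward in-interface=bridge-lan2 out-interface=bridge-lan1 \
    action=drop log=yes log-prefix="lan2->lan1 drop" comment="default deny LAN2->LAN1"

# Verification after a ping from 10.30.11.2 to 192.168.0.2:
#   /ip firewall filter print stats     -> counter on the ".2 -> .2" rule increases
#   /log print where topics~"firewall"  -> lists the dropped attempts, if any
```

Rules are evaluated top to bottom, so on a router that already has a forward-chain drop (the default configuration's "drop all from WAN not DSTNATed" rule, for instance) these must sit above it; /ip firewall filter move is the tool for that. Because the two pair rules leave connection-state unspecified they accept the first packet of a new connection only from the LAN1 side, and the server side can answer but cannot initiate, which is the asymmetry the OP described.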
 
mkx
Forum Guru
Posts: 3214
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic Forwarding

Sun Jan 27, 2019 6:52 pm

Preferred option
a. LAN1 bridge
b. VLAN10 on same bridge (for servers)

The least favourable option is
a. bridge for lan1
b. bridge for lan2
@anav, keep in mind that the vast majority of RB devices lose HW offload when vlan-filtering gets enabled on the bridge. On the RB2011, with its twin switch chips, the version with two bridges might perform better if one keeps ports of different switch chips on different bridges.

@MarHazK... post your complete setup (paste output of /export hide-sensitive) and we can check if there's something weird in it.

Out of curiosity, post output of /interface bridge port print as well, I wonder if HW offload is currently working or not.
BR,
Metod
 
User avatar
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Traffic Forwarding

Sun Jan 27, 2019 11:14 pm

I believe (no proof yet) the ability to hardware offload, with one bridge, will be coming to more models via a firmware upgrade in the future. So, it is good to understand it and learn it. Just FYI. However, as others have stated, performance is degraded today for all but the CR3x series.
 
User avatar
CZFan
Forum Guru
Posts: 1437
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Traffic Forwarding

Sun Jan 27, 2019 11:59 pm

IIRC, I tested this on my 2011 a while back, with a single bridge, HW offload was active / enabled
MTCNA, MTCTCE, MTCRE & MTCINE
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic Forwarding

Mon Jan 28, 2019 3:37 am

Hi mkx, my RB450Gx4 has the Atheros 8327 chip and I have selected HW offloading, but I don't think it's actually implemented (no H by the ether port interfaces).
I seem to recall there were certain settings that would ensure HW offloading was not utilized, but I cannot find this guidance documentation.
Was it perhaps having RP filter set to loose (or am I getting confused with fast forward... sigh)?

(Also the same chip on the cAP ac, but again no HW offloading seems to be taking place???)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3214
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic Forwarding

Mon Jan 28, 2019 8:47 am

IIRC, I tested this on my 2011 a while back, with a single bridge, HW offload was active / enabled

It was probably a pre-6.41 version of ROS.

It is still possible to configure VLANs on the switch chip (using /interface ethernet switch vlan) and it's obviously fully HW-offloaded. One just must not enable vlan-filtering on the bridge (the bridge in this case acts as a dumb switch; VLAN interfaces configured in /interface vlan work as desired anyway).

Anyway, the OP wants to have two separate LANs with some routing between them, and he wants to dedicate more than a single ethernet port to each of the LANs (hence the use of two bridges). I still think that having two bridges would allow HW offload if neither bridge had member ports from two switch chips. I.e. one bridge should only have member ports from the ether1-ether5 range and the other one member ports from the ether6-ether10 range.
BR,
Metod
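The two-bridge layout mkx describes, as an added example that is not part of his post or of the OP's configuration: each bridge takes member ports from one switch chip only, vlan-filtering stays off on both, and the bridge-port listing is used to confirm whether offload is actually in effect rather than merely requested. It assumes the port roles the OP gave (ether1 WAN, ether2-ether5 on bridge-lan1, ether8-ether10 on bridge-lan2) and the ether1-5 / ether6-10 split between the RB2011's two switch chips that mkx states above; the per-bridge addresses are the ones from the opening post.

```routeros
# Added example (not from the thread): two bridges on an RB2011, each confined
# to a single switch chip so that hw=yes can stay effective.
# Assumed port roles: ether1 WAN, ether2-5 LAN1 (switch1), ether8-10 LAN2 (switch2).

# Confirm which switch chip each port belongs to before building the bridges;
# the SWITCH column of this listing is what the layout below must respect.
/interface ethernet switch port print

/interface bridge
add name=bridge-lan1 vlan-filtering=no comment="PC segment, switch1 ports only"
add name=bridge-lan2 vlan-filtering=no comment="server segment, switch2 ports only"

/interface bridge port
add bridge=bridge-lan1 interface=ether2 hw=yes
add bridge=bridge-lan1 interface=ether3 hw=yes
add bridge=bridge-lan1 interface=ether4 hw=yes
add bridge=bridge-lan1 interface=ether5 hw=yes
add bridge=bridge-lan2 interface=ether8 hw=yes
add bridge=bridge-lan2 interface=ether9 hw=yes
add bridge=bridge-lan2 interface=ether10 hw=yes

/ip address
add address=10.30.11.1/24 interface=bridge-lan1
add address=192.168.0.1/24 interface=bridge-lan2

# Check: hw=yes is only a request. A port that is really offloaded shows the
# H flag in this listing; a bridge mixing ports of both chips, or one with
# vlan-filtering=yes, loses the flag on this hardware.
/interface bridge port print
```

The H flag answers the question mkx raises about whether offload is "currently working or not": with it present, frames between two ports of the same bridge never reach the CPU, and only traffic that crosses from bridge-lan1 to bridge-lan2 (or to ether1) is routed and filtered in software, which is exactly the traffic the forward-chain rules in this thread are written for.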
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic Forwarding

Mon Jan 28, 2019 2:38 pm

So have I been setting up VLANs wrong all this time? Or is HW offloading not really worth it compared to the flexibility of the 'new' VLAN configurations???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3214
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic Forwarding

Mon Jan 28, 2019 2:53 pm

So have I been setting up VLANs wrong all this time? Or is HW offloading not really worth it compared to the flexibility of the 'new' VLAN configurations???

It's not wrong. I believe that bridge vlan-filtering is the way forward and that MikroTik will improve HW offloading. It is, after all, the way to unify this part of ROS as well... up to now the way to configure VLANs was largely dependent on the underlying hardware.

However, there are a few drawbacks of this new unified approach as currently implemented: the big one is the loss of HW offload, which many times means a drop in "switching" performance. Either due to a weak RB CPU (this is the case with older devices, such as the RB951G) or due to a slow interconnect between the switch chip and the RB CPU (this is the case with most modern devices, such as the RB962UiGS aka hAP ac) or both (think CRS125).

Whether performance in HW offload scenarios vs. SW only is worth the trouble is up to everybody to decide. I've done my part of testing on the RB951G and RBD52G and have decided that the RB951G will currently remain on the old-school setup while the RBD52G will get the new-school config. (In addition to that, there are a few bugs in the RBD52G's switch chip which make the device almost unusable with the HW-offload setup, but it's quite OK to use the SW-only approach.)

YMMV.


Again: HW offload works just fine if VLANs are not used at all, which is the case for most SOHO users. It works just fine even if the bridge is used as a dumb switch without vlan-filtering enabled (i.e. VLANs are configured on the switch chip); in this case bridge ports show HW offload active.
BR,
Metod
 
anav
Forum Guru
Posts: 3130
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic Forwarding

Mon Jan 28, 2019 3:40 pm

Haha, okay, I guess I will have to live with vlan filtering and no hw offload unless MT improves the HW offload accessibility, I am up to my eyeballs in vlans LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3214
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic Forwarding

Mon Jan 28, 2019 4:35 pm

... I am up to my eyeballs in vlans

This is hard not to notice :lol:
BR,
Metod
 
User avatar
CZFan
Forum Guru
Posts: 1437
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Traffic Forwarding

Mon Jan 28, 2019 10:29 pm

I suspect there is no difference between switch chip VLAN config and bridge VLAN config (I have not tested it though).

My reason for thinking this is:

When you have 2 ports in the same VLAN in bridge VLAN config, you will have HW offload active and full port-based (switched) speed between these ports; the same goes for switch VLAN config.

In bridge VLAN config, when you have 2 ports in different VLANs, then it needs to route (not switch) between these VLANs (ports), which will go via the CPU, hence performance will be limited based on CPU speed. I suspect the same goes even for switch VLAN config.
MTCNA, MTCTCE, MTCRE & MTCINE
 
mkx
Forum Guru
Posts: 3214
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic Forwarding

Mon Jan 28, 2019 10:46 pm

HW offload comes into play when there is more than one ether port carrying the same VLAN and devices in the same VLAN connected to different ports communicate with each other. Which is quite usual with switches (i.e. CRS125).

If HW offload is active, that traffic flows from one ethernet port through the switch chip to another ethernet port.
If HW offload is not active, traffic flows from one ethernet port, through the switch chip, via the switch-CPU interconnect, through the CPU, via the switch-CPU interconnect (again), through the switch chip to another ethernet port.

The above is not a routing case, it's pure intra-VLAN switching.

And no, on most RouterBOARD devices, when configuring bridge vlan-filtering, HW offload is not active. I've tested it, I'm running it. So the above is not my thinking, it's a fact.
BR,
Metod
 
User avatar
CZFan
Forum Guru
Posts: 1437
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Traffic Forwarding

Mon Jan 28, 2019 11:43 pm

Intra-VLAN is 2 hosts communicating on the same VLAN (layer 2).
Inter-VLAN is 2 hosts communicating on different VLANs (layer 3).

Apologies, I just recalled sindy's post re vlan-filtering disabling HW offload, hence you need to use switch VLAN config in this case.

The point I was trying to make is that, irrespective of whether you use switching or bridge config for VLANs, between different VLANs it is routing and will always go via the CPU, so you will always be limited by the CPU.
MTCNA, MTCTCE, MTCRE & MTCINE
 
mkx
Forum Guru
Posts: 3214
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic Forwarding

Tue Jan 29, 2019 1:27 pm

You're correct that from a functionality point of view both approaches are the same: VLANs work either switched or routed. From a performance point of view they are not (especially the switching part), and we have to keep that in mind when the next newcomer passes by complaining that his VLAN-configured switch doesn't perform wire-speed switching.
For a router-on-a-stick type of application one doesn't actually have to use a bridge (one can use VLAN interfaces directly on top of a single physical trunk interface), so the dilemma is void.
BR,
Metod
