Hello,
I am using a CRS109 that faces the internet as a switch, running RouterOS. It took me a little bit to figure out that I needed to remove the hardware offloading to force packets through the CPU to firewall properly... as the switch chip bypasses any firewalling opportunities. Yes, the input chain will firewall, as the packet has to travel to the CPU, but I would like to also protect machines behind this switch that are using the forward chain.
To whomever drew the packet flow maps, thank you for pointing that out!
I can firewall using IP -> Firewall -> Filter Rules, but can also firewall using Bridge -> Filters.
Has anyone run CPU performance checks against which method is more efficient? The CRS109 is able to keep up with a CPU @ 40-60% when maximum packets are flowing from the internet (100 Mbs service).
Thank you for any feedback.
Christian