azzurro
Frequent Visitor
Topic Author
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

[7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Wed May 11, 2022 12:42 pm

Hi

Currently, with L3HW enabled on my CRS309-1G-8S+, it seems that mangle rules are not applied to traffic. Is there a way to make mangle rules work selectively, or would I have to disable L3HW altogether?

The goal of my mangle rules is that I route my LAN traffic to the internet through an L7 firewall as the default route, which THEN goes to the NAT firewall; but if the L7 firewall fails, I have a backup route (distance 10) that leaves out the L7 firewall and routes directly to the NAT firewall. Port forwardings from the internet come in through the NAT firewall, and therefore the return path of the packets should always go through the NAT firewall directly and not through the L7 firewall. The config below worked on an RB5009, which of course does not have L3HW offloading.

I have three default routes on my CRS309-1G-8S+ like this:
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.31.52 pref-src=192.168.31.49 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=10.200.25.1 pref-src=192.168.25.252 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.200.25.1 pref-src=192.168.25.252 routing-table=\
    public-service-return-path scope=30 suppress-hw-offload=no target-scope=10
- The first one is the real default route where 99.9% of traffic should go out.
- The second one is a backup route if the gateway of the first route isn't available (hence distance=10)
- The third route should ALWAYS route packets via 10.200.25.1, if the packet has "public-service-return-path" set as routing mark. This is because on 10.200.25.1 there are port forwardings from the internet to the internal network and the return path should not go over 192.168.31.52 from the first route but always over 10.200.25.1.

Additionally, I have these mangle rules of course, to mark the routing:
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new dst-address-list=\
    PUBLISHED-SERVERS in-interface=ether1 log=yes log-prefix=mark new-connection-mark=out-fgt passthrough=yes \
    src-address-list=!LAN-NETWORKS
add action=mark-routing chain=prerouting connection-mark=out-fgt connection-state=established,related dst-address-list=\
    !LAN-NETWORKS in-interface=bridge log=yes log-prefix=route new-routing-mark=public-service-return-path passthrough=yes \
    src-address-list=PUBLISHED-SERVERS
These are my address lists, where PUBLISHED-SERVERS contains the IPs which I have port forwardings for on 10.200.25.1.
add address=192.168.0.0/16 list=LAN-NETWORKS
add address=172.16.0.0/12 list=LAN-NETWORKS
add address=10.0.0.0/8 list=LAN-NETWORKS
add address=192.168.25.11 disabled=yes list=PUBLISHED-SERVERS
add address=192.168.25.6 list=PUBLISHED-SERVERS
add address=192.168.31.70 list=PUBLISHED-SERVERS
add address=192.168.31.21 list=PUBLISHED-SERVERS
General topology:
Servers and Clients (LAN-NETWORKS) <-> 192.168.25.252 (CRS309) 10.200.25.2 <-> [10.200.25.1 (NAT Firewall)] OR [192.168.31.52 (L7 Transparent Firewall)] <-> Internet Modem

Thanks for any advice
 
azzurro

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Wed May 11, 2022 5:36 pm

Has anyone got an idea? Or am I completely on the wrong track and mangle should work with L3HW enabled? I am not even sure about that.

thanks!
 
kraal
Member Candidate
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Wed May 11, 2022 5:41 pm

From what I read on https://help.mikrotik.com/docs/display/ ... Offloading

Users must choose either HW-accelerated routing or firewall.

And as mangle rules are part of firewall I interpret it as mangle and L3HW offloading being mutually exclusive.
Can't help you more though and it's only my interpretation.
 
sirbryan
Member Candidate
Posts: 298
Joined: Fri May 29, 2020 6:40 pm
Location: Utah

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Wed May 11, 2022 6:51 pm

> From what I read on https://help.mikrotik.com/docs/display/ ... Offloading
>
> Users must choose either HW-accelerated routing or firewall.
>
> And as mangle rules are part of firewall I interpret it as mangle and L3HW offloading being mutually exclusive.
> Can't help you more though and it's only my interpretation.
Correct. If you choose L3 HW Offloading on a port, none of that traffic will hit the CPU, and therefore none of it will hit the filter/nat/mangle/raw tables. If you want traffic from a port to be manipulated, disable offloading on that port. Enable fasttrack rules with hwoffload=yes to match already classified traffic and take advantage of some acceleration.
 
azzurro

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Thu May 12, 2022 2:39 am

Thanks, makes absolute sense. Is there a way to direct certain traffic through the CPU, or the other way round, to only offload traffic between certain networks or interfaces? Basically any traffic that goes to the internet doesn't really need to be offloaded, because of limited internet speed. L3HW I basically only need for routing between LAN networks to reach 10G wire speed there...
 
sirbryan

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading  [SOLVED]

Fri May 13, 2022 8:39 pm

> Is there a way to direct certain traffic through the CPU or the other way round to only offload traffic between certain networks or interfaces? basically any traffic that goes to the internet, doesn't really need to be offloaded, because of limited internet speed. L3HW I basically only need for routing between LAN networks to reach 10G wire speed there...

See https://help.mikrotik.com/docs/display/ ... Offloading.

  • Enable hardware offloading on the switch (Interface/Ethernet/Switch)
  • Disable offloading on the Internet-facing port(s) (Interface/Ethernet/Switch/Port)
  • Enable offloading on LAN-facing ports (Interface/Ethernet/Switch/Port)

You can also disable hardware offloading on a per-route basis.
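The per-port layout from the steps above, plus the fasttrack hint from the earlier reply, written out as RouterOS 7 CLI. This is an added example, not the poster's or MikroTik's own config; it assumes ether1 is the Internet/firewall-facing port and the sfp-sfpplus ports are the LAN side, and it limits fasttrack to unmarked connections so that the routing-mark design from the first post keeps working.

```routeros
# Added example (not from the thread). Port names are assumptions:
# ether1 = Internet/firewall-facing, sfp-sfpplus* = LAN-facing.

# 1. Enable L3 hardware offloading on the switch chip itself.
/interface/ethernet/switch set 0 l3-hw-offloading=yes

# 2. Disable it on the Internet-facing port. Traffic entering or leaving
#    ether1 is then routed by the CPU and passes through filter/nat/mangle,
#    where the connection and routing marks are applied.
/interface/ethernet/switch/port set ether1 l3-hw-offloading=no

# 3. Keep offloading on the LAN-facing ports so LAN<->LAN routing stays
#    at wire speed and never touches the CPU.
/interface/ethernet/switch/port set [find name~"^sfp-sfpplus"] l3-hw-offloading=yes

# Per-route alternative: keep only the Internet-bound paths on the CPU by
# suppressing offload on every default route (the thread's three routes
# all carry suppress-hw-offload=no; this flips them), while the more
# specific LAN routes remain offloaded.
/ip/route set [find dst-address=0.0.0.0/0] suppress-hw-offload=yes

# Fasttrack already-classified traffic, but ONLY connections without a
# connection mark. Fasttracked packets skip mangle, so a blanket rule
# would stop the mark-routing rule from steering the marked return
# traffic (out-fgt) over 10.200.25.1. Place this at the top of forward.
/ip/firewall/filter add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=no-mark \
    comment="HW-assisted fasttrack for unmarked established traffic"
/ip/firewall/filter add chain=forward action=accept \
    connection-state=established,related connection-mark=no-mark \
    comment="accept what fasttrack did not catch"

# Quick check: which ports are offloaded, and which routes are not.
/interface/ethernet/switch/port print where l3-hw-offloading=no
/ip/route print where suppress-hw-offload=yes
```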
 
azzurro

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Fri May 13, 2022 10:45 pm

> See https://help.mikrotik.com/docs/display/ ... Offloading.
>
>   • Enable hardware offloading on the switch (Interface/Ethernet/Switch)
>   • Disable offloading on the Internet-facing port(s) (Interface/Ethernet/Switch/Port)
>   • Enable offloading on LAN-facing ports (Interface/Ethernet/Switch/Port)
>
> You can also disable hardware offloading on a per-route basis.
Thanks! Quite obvious but still it didn't come to my mind. Works perfectly!
 
azzurro

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Sun Dec 10, 2023 3:03 am

> If you want traffic from a port to be manipulated, disable offloading on that port. Enable fasttrack rules with hwoffload=yes to match already classified traffic and take advantage of some acceleration.
Little followup to this topic.
Until now, just not offloading anything that exits ether1 worked for me. But since my main firewall lives there, where I also have some DMZ networks with servers in place, I today hit the CPU limit of my switch @ 200 Mbit/s throughput.
I'd now like to dig into the quoted sentence a bit more. Does that mean that I can have HW offloading disabled on ether1, but using fasttrack rules and hwoffload=yes, I can still have already classified traffic accelerated?

Another solution would be to have a separate wire from the switch to the firewall, where I route my DMZ networks and where I'd have L3HW enabled. But that would make routing more complicated overall.

edit: I have this rule in place (and it sees tons of hits, while my file transfer is running @ 200 MBit/s):
chain=forward action=fasttrack-connection hw-offload=yes dst-address=192.168.31.0/24 out-interface=ether1
but unfortunately, CPU usage is still @ 95% and speed didn't increase compared to when I had the rule disabled

Thanks!
 
azzurro

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Mon Dec 11, 2023 12:07 am

update: I was on 7.11.2, which had a bug where fasttrack wouldn't work properly anymore with L3 HW.
Updated to 7.12.1, and now fasttrack is working and CPU load has dropped significantly.
 
sirbryan

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading

Mon Dec 11, 2023 4:29 pm

I don't know how many filter rules you have on that firewall, but that's probably why your CPU is higher. I know I can get about 800Mbps on the CRS300's I've tested without any firewall rules (maybe one or two), so you could try testing to see which rule (or set of rules) is causing the CPU load.

Or better yet, get something like a hAP AC/AX 2/3 to act as your firewall and NAT router and have the switch simply switch. Any of those hAPs has plenty of CPU horsepower to handle 1Gbps or so with simple firewall and NAT rules.
