First time poster and a network novice here. I will do my best. I hope I am posting in the right section.
I have a Hex S router that I have updated to 7.3.1 and L3 hardware offload should be available according to this https://help.mikrotik.com/docs/display/ ... p+Features
If I can get hardware offload running I don't have a need to change my equipment. This is all running in my home as a lab so it's very basic.
However, when I try to enable L3 offload, I get this:Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions. The switch does not support other ether-type 0x88a8 or 0x9100 (only 0x8100 is supported) and no tag-stacking. Using these features will disable HW offload.
Code: Select all
/interface/ethernet/switch set 0 l3-hw-offloading=yes
failure: L3 HW Offload not supported
Below is my config.
Code: Select all
# jul/15/2022 12:16:29 by RouterOS 7.3.1
# software id = 6EGA-GY7S
#
# model = RB760iGS
# serial number = A36A0BF2D178
/interface bridge
add admin-mac=C4:AD:34:E4:DB:3F auto-mac=no comment=defconf frame-types=\
admit-only-vlan-tagged ingress-filtering=no name=bridge vlan-filtering=\
yes
/interface vlan
add interface=bridge name=vlan1-mgmt vlan-id=1
add interface=bridge name=vlan2-HomeVLAN vlan-id=2
add interface=bridge name=vlan10-ServerVLAN vlan-id=10
add interface=bridge name=vlan20-OfficeVLAN vlan-id=20
add interface=bridge name=vlan30-LabVLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-mgmt ranges=10.0.0.10-10.0.0.50
add name=pool-HomeVLAN ranges=192.168.1.10-192.168.1.254
add name=pool-ServerVLAN ranges=192.168.0.10-192.168.0.254
add name=pool-OfficeVLAN ranges=192.168.2.10-192.168.2.254
add name=pool-LabVLAN ranges=172.132.1.10-172.132.1.254
/ip dhcp-server
add address-pool=pool-HomeVLAN interface=vlan2-HomeVLAN lease-time=1m name=\
dhcp-HomeVLAN
add address-pool=pool-ServerVLAN interface=vlan10-ServerVLAN lease-time=1m \
name=dhcp-ServerVLAN
add address-pool=pool-OfficeVLAN interface=vlan20-OfficeVLAN lease-time=1m \
name=dhcp-OfficeVLAN
add address-pool=pool-LabVLAN interface=vlan30-LabVLAN lease-time=1m name=\
dhcp-LabVLAN
add address-pool=pool-mgmt interface=vlan1-mgmt lease-time=1m name=dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment="Ubiquity US-8-150" frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
ether2 pvid=2
add bridge=bridge comment="Mirror port af WAN til loft" frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
ether3 pvid=10
add bridge=bridge comment="CRS 112 PoE Switch " frame-types=\
admit-only-vlan-tagged ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 pvid=\
2
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=vlan1-mgmt,bridge,ether4,ether2 untagged=ether5 \
vlan-ids=1
add bridge=bridge tagged=bridge,vlan2-HomeVLAN,ether4 untagged=ether5,ether3 \
vlan-ids=2
add bridge=bridge tagged=bridge,vlan10-ServerVLAN,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,vlan20-OfficeVLAN,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,vlan30-LabVLAN,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=MGMT interface=vlan1-mgmt list=LAN
add comment=HomeVLAN interface=vlan2-HomeVLAN list=LAN
add comment=ServerVLAN interface=vlan10-ServerVLAN list=LAN
add comment=OfficeVLAN interface=vlan20-OfficeVLAN list=LAN
add comment=LabVLAN interface=vlan30-LabVLAN list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.0.1/24 comment=mgmtVLAN interface=vlan1-mgmt network=\
10.0.0.0
add address=192.168.1.1/24 comment=HomeVLAN interface=vlan2-HomeVLAN network=\
192.168.1.0
add address=192.168.0.1/24 comment=ServerVLAN interface=vlan10-ServerVLAN \
network=192.168.0.0
add address=192.168.2.1/24 comment=OfficeVLAN interface=vlan20-OfficeVLAN \
network=192.168.2.0
add address=172.132.1.1/24 comment=LabVLAN interface=vlan30-LabVLAN network=\
172.132.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.3 client-id=1:74:83:c2:7d:f4:13 comment=\
"Unifi switch US-8-150" mac-address=74:83:C2:7D:F4:13 server=\
dhcp-HomeVLAN
add address=192.168.1.4 client-id=1:18:e8:29:e6:87:c6 comment=\
"Unifi UAP AC PRO" mac-address=18:E8:29:E6:87:C6 server=dhcp-HomeVLAN
add address=10.0.0.10 client-id=1:8:55:31:e:cf:e6 comment="CRS112 POE" \
mac-address=08:55:31:0E:CF:E6 server=dhcp-mgmt
add address=192.168.1.187 client-id=1:dc:a6:32:18:a1:4a comment=\
"LibreElec KODI sovev\E6relse, RPI 4" mac-address=DC:A6:32:18:A1:4A \
server=dhcp-HomeVLAN
add address=192.168.0.12 client-id=1:52:54:0:81:70:35 comment=\
"Ubuntu VM Unifi controller" mac-address=52:54:00:81:70:35 server=\
dhcp-ServerVLAN
/ip dhcp-server network
add address=10.0.0.0/24 comment=mgmtVLAN dns-server=192.168.1.1 gateway=\
10.0.0.1 netmask=24
add address=172.132.1.0/24 comment=LabVLAN dns-server=192.168.1.1 gateway=\
172.132.1.1 netmask=24
add address=192.168.0.0/24 comment=ServerVLAN dns-server=192.168.1.1 gateway=\
192.168.0.1 netmask=24
add address=192.168.1.0/24 comment=HomeVLAN dns-server=\
208.67.222.222,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=OfficeVLAN dns-server=192.168.1.1 gateway=\
192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.20.30.1-172.20.30.50 list=LOCAL
add address=192.168.0.0/24 list=LOCAL
add address=192.168.1.0/24 list=LOCAL
add address=192.168.100.0/24 list=LOCAL
add address=172.132.1.0/24 list=LOCAL
add address=192.168.2.0/24 list=LOCAL
add address=10.0.0.0/8 list=LOCAL
add address=172.132.1.0/24 list=Servers-LAB
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes log-prefix="DROPPED INPUT INVALID:"
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
log-prefix="ICMP INPUT: " protocol=icmp
add action=accept chain=forward comment="defconf: accept ICMP" \
in-interface-list=LAN log=yes log-prefix="ICMP FORWARD: " \
out-interface-list=LAN protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward in-interface-list=LAN log=yes log-prefix=\
ACCEPT: out-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix="DROPPED NOT FROM LAN: "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix="DROPPED FORWARD INVALID: "
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=\
"DROPPED NOT DSTNAT: "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Copenhagen
/system script
add dont-require-permissions=no name=wol-workstation owner=HathorADM policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"tool wol interface=vlan2-HomeVLAN mac=70:85:C2:D0:E5:94"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN