Community discussions

MikroTik App
  4. RouterOS
  5. Beginner Basics

Hardware offload in 7.3.1 on Hex S

Post Reply
 
Hathor
just joined
Topic Author
Posts: 7
Joined: Mon May 18, 2020 9:58 pm

Hardware offload in 7.3.1 on Hex S

Fri Jul 15, 2022 1:19 pm

Hi.

First time poster and a network novice here. I will do my best. I hope I am posting in the right section.

I have a Hex S router that I have updated to 7.3.1 and L3 hardware offload should be available according to this https://help.mikrotik.com/docs/display/ ... p+Features

If I can get hardware offload running I don't have a need to change my equipment. This is all running in my home as a lab so it's very basic.
Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions. The switch does not support other ether-type 0x88a8 or 0x9100 (only 0x8100 is supported) and no tag-stacking. Using these features will disable HW offload.
However, when I try to enable L3 offload, I get this:
Code: Select all
/interface/ethernet/switch set 0 l3-hw-offloading=yes
failure: L3 HW Offload not supported
Can anyone tell me why I am unable to use L3 hardware offload?

Below is my config.
Code: Select all
# jul/15/2022 12:16:29 by RouterOS 7.3.1
# software id = 6EGA-GY7S
#
# model = RB760iGS
# serial number = A36A0BF2D178
/interface bridge
add admin-mac=C4:AD:34:E4:DB:3F auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged ingress-filtering=no name=bridge vlan-filtering=\
    yes
/interface vlan
add interface=bridge name=vlan1-mgmt vlan-id=1
add interface=bridge name=vlan2-HomeVLAN vlan-id=2
add interface=bridge name=vlan10-ServerVLAN vlan-id=10
add interface=bridge name=vlan20-OfficeVLAN vlan-id=20
add interface=bridge name=vlan30-LabVLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-mgmt ranges=10.0.0.10-10.0.0.50
add name=pool-HomeVLAN ranges=192.168.1.10-192.168.1.254
add name=pool-ServerVLAN ranges=192.168.0.10-192.168.0.254
add name=pool-OfficeVLAN ranges=192.168.2.10-192.168.2.254
add name=pool-LabVLAN ranges=172.132.1.10-172.132.1.254
/ip dhcp-server
add address-pool=pool-HomeVLAN interface=vlan2-HomeVLAN lease-time=1m name=\
    dhcp-HomeVLAN
add address-pool=pool-ServerVLAN interface=vlan10-ServerVLAN lease-time=1m \
    name=dhcp-ServerVLAN
add address-pool=pool-OfficeVLAN interface=vlan20-OfficeVLAN lease-time=1m \
    name=dhcp-OfficeVLAN
add address-pool=pool-LabVLAN interface=vlan30-LabVLAN lease-time=1m name=\
    dhcp-LabVLAN
add address-pool=pool-mgmt interface=vlan1-mgmt lease-time=1m name=dhcp-mgmt
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment="Ubiquity US-8-150" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether2 pvid=2
add bridge=bridge comment="Mirror port af WAN til loft" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=no interface=\
    ether3 pvid=10
add bridge=bridge comment="CRS 112 PoE Switch " frame-types=\
    admit-only-vlan-tagged ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 pvid=\
    2
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=vlan1-mgmt,bridge,ether4,ether2 untagged=ether5 \
    vlan-ids=1
add bridge=bridge tagged=bridge,vlan2-HomeVLAN,ether4 untagged=ether5,ether3 \
    vlan-ids=2
add bridge=bridge tagged=bridge,vlan10-ServerVLAN,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,vlan20-OfficeVLAN,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,vlan30-LabVLAN,ether4 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=MGMT interface=vlan1-mgmt list=LAN
add comment=HomeVLAN interface=vlan2-HomeVLAN list=LAN
add comment=ServerVLAN interface=vlan10-ServerVLAN list=LAN
add comment=OfficeVLAN interface=vlan20-OfficeVLAN list=LAN
add comment=LabVLAN interface=vlan30-LabVLAN list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=10.0.0.1/24 comment=mgmtVLAN interface=vlan1-mgmt network=\
    10.0.0.0
add address=192.168.1.1/24 comment=HomeVLAN interface=vlan2-HomeVLAN network=\
    192.168.1.0
add address=192.168.0.1/24 comment=ServerVLAN interface=vlan10-ServerVLAN \
    network=192.168.0.0
add address=192.168.2.1/24 comment=OfficeVLAN interface=vlan20-OfficeVLAN \
    network=192.168.2.0
add address=172.132.1.1/24 comment=LabVLAN interface=vlan30-LabVLAN network=\
    172.132.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.3 client-id=1:74:83:c2:7d:f4:13 comment=\
    "Unifi switch US-8-150" mac-address=74:83:C2:7D:F4:13 server=\
    dhcp-HomeVLAN
add address=192.168.1.4 client-id=1:18:e8:29:e6:87:c6 comment=\
    "Unifi UAP AC PRO" mac-address=18:E8:29:E6:87:C6 server=dhcp-HomeVLAN
add address=10.0.0.10 client-id=1:8:55:31:e:cf:e6 comment="CRS112 POE" \
    mac-address=08:55:31:0E:CF:E6 server=dhcp-mgmt
add address=192.168.1.187 client-id=1:dc:a6:32:18:a1:4a comment=\
    "LibreElec KODI sovev\E6relse, RPI 4" mac-address=DC:A6:32:18:A1:4A \
    server=dhcp-HomeVLAN
add address=192.168.0.12 client-id=1:52:54:0:81:70:35 comment=\
    "Ubuntu VM Unifi controller" mac-address=52:54:00:81:70:35 server=\
    dhcp-ServerVLAN
/ip dhcp-server network
add address=10.0.0.0/24 comment=mgmtVLAN dns-server=192.168.1.1 gateway=\
    10.0.0.1 netmask=24
add address=172.132.1.0/24 comment=LabVLAN dns-server=192.168.1.1 gateway=\
    172.132.1.1 netmask=24
add address=192.168.0.0/24 comment=ServerVLAN dns-server=192.168.1.1 gateway=\
    192.168.0.1 netmask=24
add address=192.168.1.0/24 comment=HomeVLAN dns-server=\
    208.67.222.222,8.8.8.8,8.8.4.4 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 comment=OfficeVLAN dns-server=192.168.1.1 gateway=\
    192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,208.67.222.222,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=172.20.30.1-172.20.30.50 list=LOCAL
add address=192.168.0.0/24 list=LOCAL
add address=192.168.1.0/24 list=LOCAL
add address=192.168.100.0/24 list=LOCAL
add address=172.132.1.0/24 list=LOCAL
add address=192.168.2.0/24 list=LOCAL
add address=10.0.0.0/8 list=LOCAL
add address=172.132.1.0/24 list=Servers-LAB
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROPPED INPUT INVALID:"
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    log-prefix="ICMP INPUT: " protocol=icmp
add action=accept chain=forward comment="defconf: accept ICMP" \
    in-interface-list=LAN log=yes log-prefix="ICMP FORWARD: " \
    out-interface-list=LAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward in-interface-list=LAN log=yes log-prefix=\
    ACCEPT: out-interface-list=LAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="DROPPED NOT FROM LAN: "
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="DROPPED FORWARD INVALID: "
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROPPED NOT DSTNAT: "
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Copenhagen
/system script
add dont-require-permissions=no name=wol-workstation owner=HathorADM policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=vlan2-HomeVLAN mac=70:85:C2:D0:E5:94"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Top
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Hardware offload in 7.3.1 on Hex S

Fri Jul 15, 2022 2:07 pm

No, the page you linked to and quoted says Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions - this only provides layer 2 / ethernet hardware offloading on a VLAN-aware bridge (previous RouterOS on these models only supported hardware offloading on a non-VLAN-aware bridge).

See https://help.mikrotik.com/docs/display/ ... iceSupport for the devices which support layer 3 / IP hardware offloading.
Top
 
Hathor
just joined
Topic Author
Posts: 7
Joined: Mon May 18, 2020 9:58 pm

Re: Hardware offload in 7.3.1 on Hex S

Fri Jul 15, 2022 4:15 pm

No, the page you linked to and quoted says Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions - this only provides layer 2 / ethernet hardware offloading on a VLAN-aware bridge (previous RouterOS on these models only supported hardware offloading on a non-VLAN-aware bridge).

See https://help.mikrotik.com/docs/display/ ... iceSupport for the devices which support layer 3 / IP hardware offloading.
Thank you very much for clearing that up.

What router would be the smallest (cheapest) but still with hardware offload and support for ROS 7? As I see it RB3011 would be the best option then (because the 2nd generation switch/router is too complex for me with the ingress and egress settings in /interface/switch).

The RB3011 is not on the list that you linked but it seems to be only switches on that list.
Top
 
tdw
Forum Guru
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Hardware offload in 7.3.1 on Hex S

Fri Jul 15, 2022 6:31 pm

What is your use case, do you really need layer 3 hardware offload?

CRS devices have low performance CPUs as they were intended as wire-speed layer 2 switches with minor use of the layer 3 services provided by the CPU. With RouterOS 7 some CRS3xx/CRS5xx devices can now use the switch chip layer 3 hardware offloading to make up for lack of CPU performance. Devices such as RB4011 & RB5009 can handle >1Gbps routing & NAT in software.
Top
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Hardware offload in 7.3.1 on Hex S

Fri Jul 15, 2022 8:28 pm

Here you can see the devices that support L3 Hardware Offload
https://help.mikrotik.com/docs/display/ ... iceSupport
Top
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:
Contact chechito

Re: Hardware offload in 7.3.1 on Hex S

Fri Jul 15, 2022 10:10 pm

No, the page you linked to and quoted says Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions - this only provides layer 2 / ethernet hardware offloading on a VLAN-aware bridge (previous RouterOS on these models only supported hardware offloading on a non-VLAN-aware bridge).

See https://help.mikrotik.com/docs/display/ ... iceSupport for the devices which support layer 3 / IP hardware offloading.
Thank you very much for clearing that up.

What router would be the smallest (cheapest) but still with hardware offload and support for ROS 7? As I see it RB3011 would be the best option then (because the 2nd generation switch/router is too complex for me with the ingress and egress settings in /interface/switch).

Layer 3 Hardware Offload is not a "cheap" feature, only available in top models, by integrating a Switch ASIC into a powerful router, currently the only router with Layer 3 HW offload is CCR2116-12G-4S+ and the flag-ship ccr2216-1g-12xs-2xq

be aware Layer 3 HW offload is a very new feature and is still under improvement

Layer 3 HW offload has many specific aspects to take into account
Be aware of L3 limitations on each device
Be aware some devices do not support some L3 HW offload features like fast-track an NAT accelerated by HW
Be aware of limitations of fast-track an NAT accelerated by HW
Some switches support L3 HW offload, in most models is featured toward operation of Layer 3 Switching but not to replace a Router
Some switches support fast-track an NAT accelerated by HW but you will need fine tune the configuration to steer the traffic you prefer to offload in HW and the remaining traffic will be processed by the CPU, switches have very small CPU so you will easily encounter limitations
Top
 
ferrets
just joined
Posts: 16
Joined: Thu Oct 01, 2015 7:39 pm

Re: Hardware offload in 7.3.1 on Hex S

Wed Jan 11, 2023 4:16 pm

Sorry for digging up an old topic, but I found an interesting video on youtube: https://www.youtube.com/watch?v=bllvDWEKgNA
This guy had installed OpenWRT on Mikrotik RB750Gr3 (Hex, which is the same cpu/switch of Hex S), and according his speedtest (6:03 and 08:18), OpenWRT can run up to around 950Mbit/s ( WAN to LAN, NAT enabled, dhcp, no pppoe tunnel ) with 99% cpu idle, which, means that L3 hardward off-loading is definitely possible on these devices!
But the problem is..... will mikrotik add support for this?
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Hardware offload in 7.3.1 on Hex S

Wed Jan 11, 2023 4:29 pm

But the problem is..... will mikrotik add support for this?
Is it a problem if MikroTik supplies support?
Or would it be a problem if no support is supplied?

Please be honest...is your question serious?
Top
 
User avatar
Znevna
Forum Guru
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Hardware offload in 7.3.1 on Hex S

Wed Jan 11, 2023 5:12 pm

[...]OpenWRT can run up to around 950Mbit/s ( WAN to LAN, NAT enabled, dhcp, no pppoe tunnel ) with 99% cpu idle, which, means that L3 hardward off-loading is definitely possible on these devices!
But the problem is..... will mikrotik add support for this?
It does PPPoE and even IPv6 just fine too. viewtopic.php?p=959710#p959710
Top
 
ferrets
just joined
Posts: 16
Joined: Thu Oct 01, 2015 7:39 pm

Re: Hardware offload in 7.3.1 on Hex S

Mon Jan 16, 2023 12:07 pm

But the problem is..... will mikrotik add support for this?
Is it a problem if MikroTik supplies support?
Or would it be a problem if no support is supplied?

Please be honest...is your question serious?
If new feature added, I'll be very happy with that, and maybe I don't need to replace it for quite a long time.
But, considering the price of this product, spending much effort on this is quite... unprofitable.
There won't be any problem, except my disappointment.
Top
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:
Contact chechito

Re: Hardware offload in 7.3.1 on Hex S

Mon Jan 16, 2023 4:42 pm

is not the same game

CCR 2116 and 2216 hardware offload is using Marvell Switching ASIC's
CRS 3xx and 5xx Switch hardware offload is using Marvell Switching ASIC's too

Hex-S uses a MediaTek SoC (different vendor) so enabling hardware offload on that chip need a separate development
Top
 
ferrets
just joined
Posts: 16
Joined: Thu Oct 01, 2015 7:39 pm

Re: Hardware offload in 7.3.1 on Hex S

Tue Jan 17, 2023 6:07 am

What is the sense to quote whole preceding post? Any clue? Does it help in understanding post?
Yep, although openwrt is opensource, but it will take a LOT effort to port the codes to routeros.
Last edited by BartoszP on Tue Jan 17, 2023 10:29 am, edited 2 times in total.
Reason: removed excessive quotting of preceding post; be wise, quote smart. lines of quote, 1 line of post.
Top
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], GoogleOther [Bot], vingjfg and 46 guests
  4. RouterOS
  5. Beginner Basics