mrab
just joined
Topic Author
Posts: 1
Joined: Wed Mar 08, 2023 5:13 am

bridge filtering without hardware offload disabled

Sat Mar 11, 2023 9:27 pm

Hello,

Just wondering if I can use bridge filtering functionality (or IP firewall filtering on the bridge) without disabling HW offload on the LAN interface.
Scenario:
1. Mangle rules created to mark packets between 2 LAN devices connected to eth2 and eth4
Bridge is configured to use IPfirewall rules
Simple queue created to manage traffic marked as per mangle rule
with this scenario, there is no traffic flow between interfaces
2. With above scenario, port4 configured with disabled HW offload. The traffic flow starts to show in mangle rules and in the queue
The consequence of the HW offload disabled on one port:
a. The traffic throughput decreases by about 3 times, including on the interfaces that should not be affected. So instead of 1Gb speeds, I get 300-350mbps on average between other bridged LAN devices.
b. CPU usage spikes and holds at 100%.

At the moment I'm using HAP AC as my main router. Wifi is disabled as I'm using other wifi6 solution, so Mikrotik acts as a pure router.
I also have HAP AC2 and WAP AC which I haven't tried in this scenario
So the question is if I can have bridge filtering working somehow without tremendous decrease of the router performance (hw offload stays enabled)
 
un9edsda
Frequent Visitor
Posts: 76
Joined: Sun Mar 15, 2020 11:11 pm

Re: bridge filtering without hardware offload disabled

Tue Mar 14, 2023 1:17 pm

Just wondering if I can use bridge filtering functionality (or IP firewall filtering on the bridge) without disabling HW offload on the LAN interface.
...
At the moment I'm using HAP AC as my main router. Wifi is disabled as I'm using other wifi6 solution, so Mikrotik acts as a pure router.
The hAP AC has QCA8337 switch chip. The Switch Chip Features section of the documentation describes the capabilities of the QCA8337 switch chip too.

Mind the warning:
Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and RTL8367, 88E6393X, 88E6191X, MT7621 and MT7531 switch chips (since RouterOS v7) are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the Basic VLAN switching guide. If an improper configuration method is used, your device can cause throughput issues in your network.

Also heed the following there:
On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will determine which ports are access ports by using the default-vlan-id property. The default-vlan-id should only be used on access/hybrid ports to specify which VLAN the untagged ingress traffic is assigned to.
and
By default, the bridge interface is configured with protocol-mode set to rstp. For some devices, this can disable hardware offloading because specific switch chips do not support this feature. See the Bridge Hardware Offloading section with supported features.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: bridge filtering without hardware offload disabled

Tue Mar 14, 2023 8:07 pm

To use bridge filtering you have to disable hardware offload. When offloading is active the packets are processed within the switch, so are never seen by the CPU.

There is some limited hardware packet handling available using switch rules https://help.mikrotik.com/docs/display/ ... -RuleTable; if these are not suitable you could try using the hAP ac2 as it has a significantly more capable CPU than the original hAP ac.
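The two answers above describe two separate options: un9edsda's point that protocol-mode and the port configuration decide whether the QCA8337 keeps offloading, and tdw's point that bridge/IP filtering needs hw=no on the ports involved, with the switch rule table as the only in-chip alternative. The RouterOS commands below are an added example written for this thread, not configuration posted by either participant. They assume a hAP ac whose switch is named switch1, a bridge named bridge, and two constructed LAN hosts 192.168.88.10 on ether2 and 192.168.88.20 on ether4; the mangle rule, queue and switch rule are illustrative, and whether the rule table on this chip accepts the IP matchers used in step 4 must be checked against the Switch Chip Features page linked above.

```routeros
# Added example for this thread (not from any poster). Assumptions: switch1 is the
# QCA8337, the bridge is named "bridge", hosts 192.168.88.10 (ether2) and
# 192.168.88.20 (ether4) are constructed sample addresses.

# 1. Check the chip and which bridge ports are actually offloaded right now.
#    In the second listing the "H" flag marks an offloaded port; a port set to
#    hw=yes that shows no H has lost offload for another reason (protocol-mode,
#    VLAN filtering on an unsupported chip, a hw=no neighbour in the same group).
/interface ethernet switch print
/interface bridge port print

# 2. If RSTP is what removed the H flag, use a protocol mode the chip supports.
#    Only do this on a loop-free LAN, since it turns off loop protection.
/interface bridge set bridge protocol-mode=none

# 3. Software path (tdw's answer): frames must reach the CPU to be filtered, so
#    the ports carrying that traffic leave the hardware group. Everything else
#    stays hw=yes; measure the result, as the original poster saw other ports
#    slow down too once the CPU saturated.
/interface bridge port set [find interface=ether2] hw=no
/interface bridge port set [find interface=ether4] hw=no
/interface bridge settings set use-ip-firewall=yes
/ip firewall mangle add chain=forward in-bridge-port=ether2 out-bridge-port=ether4 \
    action=mark-packet new-packet-mark=lan-e2-e4 passthrough=no
/queue simple add name=lan-e2-e4 target=192.168.88.0/24 packet-marks=lan-e2-e4 \
    max-limit=100M/100M

# 4. Hardware path: a switch rule is evaluated inside the chip, so ports can keep
#    hw=yes. An empty new-dst-ports drops the matched frame, so this blocks
#    192.168.88.10 -> 192.168.88.20 on ether2 while every other flow is still
#    switched in hardware. Queueing or marking is not available this way.
/interface ethernet switch rule add switch=switch1 ports=ether2 \
    src-address=192.168.88.10/32 dst-address=192.168.88.20/32 new-dst-ports=""
```

Run step 1 before and after each change: the H flag in `/interface bridge port print` is the quickest way to confirm whether a given configuration still leaves the switch chip doing the forwarding, and `/interface ethernet switch rule print` followed by a ping between the two hosts confirms that the step 4 rule is matching.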
