Community discussions

MikroTik App
 
ccanto
just joined
Topic Author
Posts: 10
Joined: Mon Apr 22, 2019 11:36 am

Selective hardware offload in CRS3xx

Wed Sep 08, 2021 5:33 am

Hi folks,

Does anyone know if it is possible to enable both Hardware Offload forwarding and software forwarding (bridge) in a CRS3xx switch?

Here's what I'm trying to do:
Hardware offload every packets on a interface, except for some with special characteristics, say every TCP packets, just for simple testing.

For that, I tried to:
- Bridge with vlan filtering and ingress filtering enabled
- Bridge port with hardware offload enabled
- Switch rule to "Redirect to CPU" packets that match MAC protocol IP, protocol tcp
/interface bridge add ingress-filtering=yes name=bridge vlan-filtering=yes
/interface bridge port add bridge=bridge ingress-filtering=yes interface=ether13 pvid=1
/interface ethernet switch rule add mac-protocol=ip ports=ether13 protocol=tcp redirect-to-cpu=yes switch=switch1

The thing is, after I do this, tcp traffic on that interface gets black-holed.. I created a forward accept+log bridge filter rule and nothing gets there.
I also created a nat log bridge rule in order to see what gets there:
/interface bridge filter add action=accept chain=forward in-interface=ether13 log=yes
/interface bridge filter add action=accept chain=forward log=yes out-interface=ether13
/interface bridge filter add action=accept chain=input in-interface=ether13 log=yes
/interface bridge nat add action=log chain=srcnat out-interface=ether13
/interface bridge nat add action=log chain=dstnat in-interface=ether13

And I can only see traffic in the dstnat chain: Return traffic that just does not knows where to go:
dstnat: in:ether13 out:(unknown 0), src-mac 00:xx:xx:xx:xx:xx, dst-mac c4:xx:xx:xx:xx:xx, eth-proto 0800, TCP (SYN,ACK), 10.0.0.20:80->10.0.0.2:10275, len 52

If I remove the hardware offload from the bridge port, the bridge rule counters increment, logs and traffic starts to flow (via CPU).

So, maybe I'm doing something wrong with the switch rule, or maybe hardware offloading is disabling software forwarding on that interface. Does anyone knows this?

I'm running v6.47.10 (long term) on a CRS328
I apologize if this was already answered elsewhere. I searched for in the forum, but couldn't find any similar question/answer.

Thank you
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1788
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Selective hardware offload in CRS3xx

Wed Sep 08, 2021 8:27 pm

i don't think that's a good idea

if you need a software processing please add a separate router you will avoid a lot of headaches

a very common problem is buying the switch without extensively reading manuals to know what is capable the switch chip of, its limtations and most important what is not capable of

is not a exclusive situation with MikroTik, almost any vendor of entry level smart switches incurr several limitations, is at the taste of vendor what and what not to include

you can only expect with full and very versatile functions at wire speed in very expensive switches costing 10 times of MikroTik

developing switches is not an easy task, MikroTik has improved a lot in switching department in just a few years, i am confident in some years MikroTik reaching high in switching, just not today
 
ccanto
just joined
Topic Author
Posts: 10
Joined: Mon Apr 22, 2019 11:36 am

Re: Selective hardware offload in CRS3xx

Thu Sep 09, 2021 4:40 am

Hi,

Don't get me wrong, I'm using Mikrotik devices for at least 8 years and I don't expect to quit. The major thing I love about mikrotik devices is the versatility they provide and the freedom to combine settings if we so wish.. all for the reasonable cost. Not trying to compare with other vendors.

I'm also not really trying to do heavy software forwarding with the switch, I was just exploring if it would be possible to intercept or even mangle some very specific packets like broadcasts or arp requests (the things we can do with bridge filter/nat) while having the interface in hw-offloading by redirecting them to the cpu and forward them (or not) from there.

I appreciate your clarification. In that regard, aside from dhcp-snooping (that creates a dynamic switch rule and is bridge/software forwarded), since the bridge does not seem to forward any other packets as they do not reach the forward chain for a interface with hardware offload enabled, what is a good/common use of redirecting traffic to the CPU (redirect-to-cpu=yes)?
 
ccanto
just joined
Topic Author
Posts: 10
Joined: Mon Apr 22, 2019 11:36 am

Re: Selective hardware offload in CRS3xx

Mon Oct 11, 2021 3:13 am

Hello again,

Sorry for insisting, but I am still not being able to see any other use for the "redirect to cpu" unless the built-in dhcp snooping or for some "sniff-and-drop" rule.

Out of curiosity, can somebody give me a hint as how "redirect to cpu" option in the Switch Rule can be used?

Does someone knows if Mikrotik is planning in the near future to implement bridge-forwading with packets that are "redirected to cpu" ?

Thank you
Best regards

Who is online

Users browsing this forum: Ahrefs [Bot], smithjohnson250 and 37 guests