Community discussions

MikroTik App
 
pkag77
just joined
Topic Author
Posts: 3
Joined: Fri Aug 05, 2022 5:15 pm

l3hw offload and firewall filter

Fri Aug 05, 2022 5:31 pm

Hi Everyone, I'm scratching my head around this configuration for over 1 week, but couldn't find a solution yet :-(

I've got a CRS328-24P and configured it for L3 routing! The throughput was pretty low with Fast Forward enabled and was mixing the CPU as well, so I've disabled Fast Forward and enabled L3HW offloading!
EVERYTHING is working great, except I'm no longer able to block traffic across my vlans! Everything in IP Firewall Filter is getting ignored
# aug/05/2022 09:48:10 by RouterOS 7.4
# software id = CUJ0-HQ10
#
# model = CRS328-24P-4S+
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=CC:2D:E0:8F:65:B4 auto-mac=no comment=defconf fast-forward=no \
    name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] speed=10Gbps
/interface vlan
add interface=bridge name=admin vlan-id=6
add interface=bridge name=clients vlan-id=2
add interface=bridge name=guests vlan-id=5
add interface=bridge name=iot vlan-id=7
add interface=bridge name=kids vlan-id=4
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ipv6 dhcp-server option
add code=23 name=dns value=0x2804030c1317ec020c9d6d6611581309
/ipv6 pool
add name=lan prefix=xxxx:xxx:xxxx:ec01::/64 prefix-length=64
add name=clients prefix=xxxx:xxx:xxxx:ec02::/64 prefix-length=64
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether6
add bridge=bridge ingress-filtering=no interface=ether7 pvid=6
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=\
    ether9
add bridge=bridge ingress-filtering=no interface=ether10
add bridge=bridge ingress-filtering=no interface=ether11
add bridge=bridge ingress-filtering=no interface=ether12
add bridge=bridge ingress-filtering=no interface=ether13
add bridge=bridge ingress-filtering=no interface=ether14
add bridge=bridge ingress-filtering=no interface=ether15
add bridge=bridge ingress-filtering=no interface=ether16
add bridge=bridge ingress-filtering=no interface=ether17
add bridge=bridge ingress-filtering=no interface=ether18
add bridge=bridge ingress-filtering=no interface=ether19
add bridge=bridge ingress-filtering=no interface=ether20
add bridge=bridge ingress-filtering=no interface=ether21
add bridge=bridge ingress-filtering=no interface=ether22
add bridge=bridge ingress-filtering=no interface=ether23
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge ingress-filtering=no interface=\
    sfp-sfpplus2
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus3
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus4
add bridge=bridge ingress-filtering=no interface=ether24
add bridge=bridge ingress-filtering=no interface=ether2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no
/interface bridge vlan
add bridge=bridge tagged="bridge,ether2,ether4,ether6,ether8,ether9,ether10,et\
    her12,ether14,ether16,ether18,ether20,ether22,sfp-sfpplus2,sfp-sfpplus4" \
    vlan-ids=2
add bridge=bridge tagged="ether2,ether4,ether6,ether8,ether9,ether10,ether12,e\
    ther14,ether16,ether18,ether20,ether22,sfp-sfpplus2,sfp-sfpplus4,bridge" \
    vlan-ids=4
add bridge=bridge tagged="ether2,ether4,ether6,ether8,ether9,ether10,ether12,e\
    ther14,ether16,ether18,ether20,ether22,sfp-sfpplus2,sfp-sfpplus4,bridge" \
    vlan-ids=5
add bridge=bridge tagged="ether2,ether4,ether6,ether8,ether9,ether10,ether12,e\
    ther14,ether16,ether18,ether20,ether22,sfp-sfpplus2,sfp-sfpplus4,bridge" \
    untagged=ether7 vlan-ids=6
add bridge=bridge tagged="ether2,ether4,ether6,ether8,ether9,ether10,ether12,e\
    ther14,ether16,ether18,ether20,ether22,sfp-sfpplus2,sfp-sfpplus4,bridge" \
    vlan-ids=7
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.249/24 comment=defconf interface=ether2 network=\
    192.168.1.0
add address=192.168.2.249/24 interface=clients network=192.168.2.0
add address=192.168.4.249/24 interface=kids network=192.168.4.0
add address=192.168.5.249/24 interface=guests network=192.168.5.0
add address=192.168.6.249/24 interface=admin network=192.168.6.0
add address=192.168.7.249/24 interface=iot network=192.168.7.0
/ip dhcp-client
add disabled=yes interface=bridge
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.7.0/24 list=iot
add address=192.168.5.0/24 list=guests
add address=192.168.1.0/24 list=lan
add address=192.168.4.0/24 list=kids
add address=192.168.2.0/24 list=clients
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related,untracked hw-offload=yes
add action=drop chain=forward comment="Drop Forw invalid" connection-state="" \
    disabled=yes
add action=accept chain=forward
add action=drop chain=forward comment="clients to iot allow" dst-address=\
    192.168.7.0/24 src-address=192.168.2.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/ipv6 route
add disabled=no dst-address=::/0 gateway=xxxx:xxx:xxxx:ec01::1 routing-table=\
    main
add disabled=no distance=1 dst-address=xxxx:xxx:xxxx:ec01::/64 gateway=\
    clients routing-table=main scope=30 target-scope=10
/ipv6 address
add address=::2 from-pool=lan interface=bridge
add address=::1 from-pool=clients interface=clients
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-dns=no hop-limit=64 \
    interface=clients ra-delay=5s ra-interval=5s-30s
add advertise-dns=no hop-limit=64 interface=bridge ra-delay=5s ra-interval=\
    5s-30s
/system clock
set time-zone-name=America/Sao_Paulo
/system routerboard settings
set boot-os=router-os
Here is my full configuration, please help me to understand what's wrong :-)

Thanks
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: l3hw offload and firewall filter

Fri Aug 05, 2022 10:31 pm

you must use SWITCH ACL to filter traffic

https://help.mikrotik.com/docs/display/ ... Rules(ACL)

do not enable this
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
 
pkag77
just joined
Topic Author
Posts: 3
Joined: Fri Aug 05, 2022 5:15 pm

Re: l3hw offload and firewall filter

Fri Aug 05, 2022 11:23 pm

Yeah, I've looked at it, from another thread, but with switch ACLs I can filter based on port and all my vlans are on the bridge.

It looks like the choice is between performance and security here :-(
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: l3hw offload and firewall filter

Fri Aug 05, 2022 11:40 pm

you can match traffic using multiple parameters including VLAN id

the physical port is necessary because is ingress filtering
 
pkag77
just joined
Topic Author
Posts: 3
Joined: Fri Aug 05, 2022 5:15 pm

Re: l3hw offload and firewall filter

Sat Aug 06, 2022 2:05 am

I can give it a try for sure, I see I can even use src and dst subnets.
Just not sure which port should I add....all the ethernets?

Who is online

Users browsing this forum: No registered users and 59 guests