I'm almost done with my setup, but I still have one issue. Here is some information about my gear:
- RB5009 to access Internet (router)
- CRS317 to route inter-VLANs (switch/router)
- CRS328 to tag VLAN ports (switch)
I'm trying to keep 10G inter-VLAN routing while blocking some inter-VLAN traffic. For instance, I don't want devices on VLAN 110 (servers) to initiate connections to VLAN 130 (clients), but the other way around should work.
Following this guide (https://help.mikrotik.com/docs/display/ ... Offloading), I first tried switch ACL rules, but they are stateless: a rule that drops 110→130 also drops the servers' replies to client-initiated connections, so traffic ends up completely blocked between the two VLANs.
I then started playing with disabling L3 hardware offloading on a given port and using HW-offloaded fasttrack to keep near wire speed. It works well among the local VLANs (110, 120, 130, 199): I can add firewall rules while still getting 10G with iperf3 between VLANs.
But the moment hardware routing is removed from the routing table (because one of the ports no longer HW offloads), Internet traffic goes through the CPU and is capped at about 400 Mbit/s. I don't understand what the difference is in this scenario between VLAN 188 and the "local" ones from a routing perspective.
I'm using OSPF to exchange routes between the RB5009 and the CRS317, but I haven't seen anything specific about HW offloading in that context.
# 2024-04-15 17:14:51 by RouterOS 7.14.2
# software id = IZBV-VVB6
#
# model = CRS317-1G-16S+
# serial number = X
#
# Export of the inter-VLAN router (CRS317). Every routed segment is an
# /interface vlan child of bridge1. L3 HW offloading is enabled on the switch
# chip globally but disabled on two individual switch ports (see below).
/interface bridge
# The bridge itself only admits VLAN-tagged frames; access ports override this
# per port in /interface bridge port.
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface vlan
# One L3 interface per VLAN. 110/120/130/199 are the "local" segments; 188 is
# the transit VLAN towards the Internet router (192.168.188.1, see /ip route).
add interface=bridge1 name=vlan110 vlan-id=110
add interface=bridge1 name=vlan120 vlan-id=120
add interface=bridge1 name=vlan130 vlan-id=130
add interface=bridge1 name=vlan188 vlan-id=188
add interface=bridge1 name=vlan199 vlan-id=199
/interface bonding
# LACP bond over sfp-sfpplus15/16: the tagged trunk towards the access switch,
# carrying VLANs 110/120/130/199 (see /interface bridge vlan).
add lacp-rate=1sec mode=802.3ad name=bond1 slaves=sfp-sfpplus15,sfp-sfpplus16 transmit-hash-policy=layer-2-and-3
/interface ethernet switch
# Global L3 HW offloading stays on; per-port exceptions follow.
set 0 l3-hw-offloading=yes
/interface ethernet switch port
# NOTE(review): switch port indexes are presumably 0-based, which would make
# 14/15 = sfp-sfpplus15/16, i.e. the two bond1 slaves — confirm with
# `/interface ethernet switch port print`. sfp-sfpplus13 (the only port
# carrying VLAN 188) keeps L3 offloading, whereas every local VLAN egresses via
# bond1 whose slaves do not; that asymmetry is the visible difference between
# the VLAN 188 route and the local ones, and is consistent with the "H" flag
# surviving only on the 188 route. Whether a route needs every egress port
# offloaded to keep "H" should be checked against the L3 HW offloading docs.
set 14 l3-hw-offloading=no
set 15 l3-hw-offloading=no
/ip hotspot profile
# Default entry from the export; no hotspot server is configured in this file.
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=ospf-area-1
/interface bridge port
# Access ports: untagged frames are assigned the PVID of the segment they serve.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus4 pvid=110
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus9 pvid=130
# Trunk ports, tagged only: bond1 towards the access switch, sfp-sfpplus13
# towards the Internet router.
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=bond1
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=sfp-sfpplus13
/interface bridge vlan
# bridge1 is a tagged member of every VLAN so the /interface vlan children can
# route them. VLANs 110/120/130/199 are carried only on bond1 (plus their
# access ports); VLAN 188 is carried only on sfp-sfpplus13.
add bridge=bridge1 tagged=bridge1,bond1 untagged=sfp-sfpplus4 vlan-ids=110
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=120
add bridge=bridge1 tagged=bridge1,bond1 untagged=sfp-sfpplus9 vlan-ids=130
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=199
add bridge=bridge1 tagged=bridge1,sfp-sfpplus13 vlan-ids=188
/ip address
# This device is .1 on every local VLAN and .2 on transit VLAN 188, where the
# Internet router is .1.
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0
add address=192.168.130.1/24 interface=vlan130 network=192.168.130.0
add address=192.168.199.1/24 interface=vlan199 network=192.168.199.0
add address=192.168.188.2/24 interface=vlan188 network=192.168.188.0
/ip dns
# NOTE(review): allow-remote-requests=yes makes this switch a DNS forwarder for
# anything that can reach it, and there are no input-chain filter rules below,
# so every VLAN (clients included) can query it and reach the router's other
# services. Add input rules (or an address-list) if that is not intended.
set allow-remote-requests=yes servers=192.168.188.1
/ip firewall filter
# Forward chain only; rule order matters:
#  1. established/related connections are marked for fasttrack with HW offload,
#  2. remaining established/related traffic is accepted,
#  3. what is left from vlan110 to vlan130 is dropped — by the time this rule
#     is reached only NEW connections initiated by servers towards clients
#     remain, so client-initiated connections (and their replies) still work.
# NOTE(review): there is no final drop in forward and no input chain at all, so
# anything unmatched falls through to RouterOS's default (accept) — verify that
# this is the intended policy for the other VLAN pairs and for the router itself.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward in-interface=vlan110 out-interface=vlan130
/ip route
# Static default route via the Internet router on VLAN 188.
add gateway=192.168.188.1
/routing ospf interface-template
# Adjacencies only form on vlan188 (towards the RB5009); the local VLANs are
# passive, i.e. advertised but no neighbours expected on them.
add area=ospf-area-1 disabled=no interfaces=vlan188
add area=ospf-area-1 disabled=no interfaces=vlan130 passive
add area=ospf-area-1 disabled=no interfaces=vlan110 passive
add area=ospf-area-1 disabled=no interfaces=vlan120 passive
add area=ospf-area-1 disabled=no interfaces=vlan199 passive
/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
The route list does not show the "H" (hardware-offloaded) flag anywhere except on the route via the trunk port to the Internet router (VLAN 188).
Any idea why packets routed from any "local" VLAN would go through the CPU when going out to VLAN 188?
Thanks,
D.