I am building my lab with a full Mikrotik stack. Your videos have been instrumental in my training and understanding the ins and outs of the Mikrotik world. I do wish to give you a very big THANK YOU fo your help an dclear presintation of methods and configurations.
Thank you so much for your kind words! I'm glad the videos have been helpful in your Mikrotik training. Best of luck with your lab, and feel free to reach out if you need any further help! 😊
Great Tutorial!!! Do you always need a bridge created? if the CRS309 is acting as a router, Can I simply use L3HW-offload with IPs on the physical interfaces without using VLANs and without a bridge? Will L3HW-offload work that way?
@@TheNetworkTrip Thanks for the quick reply, with this setup(no bridge) I see all routes with H flag for HW-Offload but the CPU is actually very high. I guess I'll have to change the config to bridge/vlan like you showed on the video.
Hi, Nice example. Can this be enabled on a CCR2216 as a border router against the ISP? Taking into account that this router has active BPG that is published to the internet
I have a crs326. Configured hw offload with single bridge only. I see the "H" in the route list. But when I pass traffic, cpu stay very high (93%). It doesn't seem like HW offload is working. When I look at the vlan under bridge on the interface screen, I see traffic on the vlan instead of physical interface. Any suggestion?
Hello! There are some features that can disable hardware offloading, such as having more than one bridge on the device or broadcast traffic to VLANs that have access to the CPU. Make sure that only the management VLAN has access to the CPU. (In this video, I explained how to use these devices as a router; in your case, it would be a switch. You can check my video about VLANs on the CRS3XX here on my channel.)
Hello! If we want to have pure routing and hardware offloading (without NAT), we need bridge and VLAN interfaces as explained in this video. If you have WAN and LAN interfaces, you can keep the WAN interface outside the bridge, create NAT rules, and add a rule in the forward chain to FastTrack and enable L3 hardware offloading for that traffic. The initial connection will be managed by the CPU, and then the NAT entries will be copied to the switch chip.
@@TheNetworkTrip oh wow ok I didn't expect that and also possibly explains alot about my performance issues. I don't have any Firewall/Nat rules and connection tracking is disabled just pure L3 Routing from Interface A to Interface B but I'm not using any bridge, I have enabled HW offloading and attempted to offload some of the routes to hardware and they do show the H in routes and the /interface/ethernet/swich/l3hw-settings/monitor shows that HW offloading is enabled with about 5000 out of 1m routes is offloaded (i don't have CPU issues) but I feel performance is shaped somehow where once traffic reaches around 4-5Gbps It seems to struggle.
Would be great to have a step by step NAT - using Fasttrack and firewall using Fasttrack guide.. with these, it almost seems inconceivable but, might one completely eliminate CCR's for CRS devices for doing most deployments? BGP?
Just began exploring Mikrotik. Useful Vid! Heroic dose! Can you elaborate on HW offload for inter-vlan routing security? What performance penalty (CPU) on Switch ACLs vs IP firewall + Fastrack? I'm accustomed to L3 switch ACLs stateful TCP and stateless UDP. Can Mikrotik bridge / vlan int routing be full L4 stateful within the bridge / vlan interfaces. Or must go CPU? I have the packet flow documentation which I need to dive into more but the GNS3 routeros image lacks the switch chip / ACLs. Likely I need to buy switch to really demo Mikrotik L3 switching. Eyeing CRS326-24S+2Q+ vs CRS317-1G-16S+. CRS326-24S+2Q+ appears more designed toward L2 raw forwarding. CRS317-1G-16S+ appears more designed toward L3/4 given it has much more CPU.
Thanks for the feedback! I'll soon upload a video on ACLs and security in Mikrotik, covering HW offload, performance, and the difference between Switch ACLs and IP firewall + FastTrack. For L4 stateful routing, Mikrotik needs the CPU, as the switch chip handles only L2/L3.
Hi, buddy, excellent explanation, thanks for your content. I have a question. If I want to have several source interfaces, how could I manage to pass the traffic through l3-hw having multiple broadcast domains as source? For example, if I have several switches connected to different ports, how could I achieve the same, taking into account what you say that we can only have a single bridge. As an additional fact, I am using a CCR2216 and I have several broadcast domains on it, and I do not want to mix them. uplink
Hello! Vlan filtering helps to keep the broadcast domain separate. If thew VLAN 20 is mapped to ports 1,2,3 and VLAN 21 is mapped to ports 4,5,6, then, you have 2 separate broadcast domain and still have one bridge.
As always very thanksful Mr.Wilmer..! it was very informative..! But Question to ask: why you use VLAN in your LAB..? i mean why you didn't just use the physical interface and assigning IP to it without creating any VLAN..?
You mention that we can only have a single bridge, but you are using ospf here as well. You recommend using a loopback bridge in OSPF. So don't we end up with two bridges here?
Hi! Before enabling l3 hardware offloading, you must build the Vlan table and enable Vlan filtering as I explained in the video. Vlans should work without any problem.
@@AlejandroMartinezHernandez-f8u Removing the ports from the bridge will disable L3 hardware offloading in those interfaces. The ports should remain in the bridge, and manage all the IPs using vlan interfaces as I have shown in the video.
@@TheNetworkTrip I noticed the introduction of lo interface somewhere in the last couple of releases, it seems any IP configured on this interface is not offloaded. and if that is the IP your traffic hits to go through the router, CPU baby! I by default install a loopback address and advertise it passively as broadcast on ospf.
I have a question, in a scenario where you have multiple CRS310's and at the end of it a client device, assigning a /30 address on a vlan on the bridge in the last CRS310, tagging the vlan on the bridge and on the interface connected to a client mikrotik, and assigning a /31 IP address on the vlan and another on the customer mikrotik seems to break offload. Im getting 20% cpu on 65mbps. :-( am I missing something? ) all routes have the flag H in them.
Very good video, everything explained clearly, I have been using several CRS305 with Hardware Offloading for a couple of months now, they are installed in micro pops, they have a WAN interface (where there is BGP to announce our prefixes) and a LAN interface where simply with a DHCP delivers the service, but I have problems limiting the speed, I used the "rate" function in Switch>Rule and it worked well but until certain traffic, I have noticed that after 1.5Gbps it starts to cause problems, for example on the WAN port It reaches 1.5Gbps and only 1.2Gbps is coming out of the LAN port, I deactivate the rule and at that moment both interfaces start to have 1.5. Could you help me with an idea of how I could effectively limit the service? taking into account that it was done in switch>rule since, being hierarchical, it first had a rule allowing ICMP not to be affected by saturation and avoid high times and packet losses (at least in that protocol). Thank you so much.
your teaching is absolutely amazing. please don't stop creating great content like this one.
Thanks so much for the great feedback! I’m really happy you find the content helpful. I’ll keep making more-your support means a lot!
@@TheNetworkTrip I have question can we also include the WAN interface for the hardware offloading, or this is pure LAN intervlans?
I am building my lab with a full Mikrotik stack. Your videos have been instrumental in my training and understanding the ins and outs of the Mikrotik world. I do wish to give you a very big THANK YOU fo your help an dclear presintation of methods and configurations.
Thank you so much for your kind words! I'm glad the videos have been helpful in your Mikrotik training. Best of luck with your lab, and feel free to reach out if you need any further help! 😊
Do you think a video on connections of a CCR with fiber switches in a full rack be helpful to the users that enjoy your videos?
I have a fiber CCR
You are simply the best Mikrotik trainer I have seen.
Thank you so much! I really appreciate the compliment. I'm glad to hear that my training is helping you!
Thank you. Really happy to see this today. You are the best!!!!
You are so welcome!
Network trip . Did really well in ospf . He did extremely well on ospf . Respect to him on ospf as aswell as other lecture
Thank you!
You are doing a great job on these videos, thank you.
Easy pace that I can follow and your points are memorable, meaning I can use them later!
Glad you like them!
Thanks! this was exactly the fix I was looking for. CPU stays under 35% most of the time now and I learned how to VLAN better!
Great to hear!
Great Tutorial!!! Do you always need a bridge created? if the CRS309 is acting as a router, Can I simply use L3HW-offload with IPs on the physical interfaces without using VLANs and without a bridge? Will L3HW-offload work that way?
Hello!
That approach won’t offer full L3 hardware offloading. You will need to use fast track to have some of the traffic with hardware acceleration
@@TheNetworkTrip Thanks for the quick reply, with this setup(no bridge) I see all routes with H flag for HW-Offload but the CPU is actually very high. I guess I'll have to change the config to bridge/vlan like you showed on the video.
Hi, Nice example. Can this be enabled on a CCR2216 as a border router against the ISP? Taking into account that this router has active BPG that is published to the internet
Hi! That works as long as you are receiving the default route only (because of the BGP's routing table size)
Great tutorial !
Thanks Wilmer
Thank you!
Your videos are awesome. Thanks!
Glad you like them!
Really good video
Glad you enjoyed it
I have a crs326. Configured hw offload with single bridge only. I see the "H" in the route list. But when I pass traffic, cpu stay very high (93%). It doesn't seem like HW offload is working. When I look at the vlan under bridge on the interface screen, I see traffic on the vlan instead of physical interface. Any suggestion?
Hello! There are some features that can disable hardware offloading, such as having more than one bridge on the device or broadcast traffic to VLANs that have access to the CPU. Make sure that only the management VLAN has access to the CPU. (In this video, I explained how to use these devices as a router; in your case, it would be a switch. You can check my video about VLANs on the CRS3XX here on my channel.)
Ok maybe I missed something but L3HW can only work if done through bridge with vlan?
Just router port to router port it can't work?
Hello!
If we want to have pure routing and hardware offloading (without NAT), we need bridge and VLAN interfaces as explained in this video.
If you have WAN and LAN interfaces, you can keep the WAN interface outside the bridge, create NAT rules, and add a rule in the forward chain to FastTrack and enable L3 hardware offloading for that traffic. The initial connection will be managed by the CPU, and then the NAT entries will be copied to the switch chip.
@@TheNetworkTrip oh wow ok I didn't expect that and also possibly explains alot about my performance issues. I don't have any Firewall/Nat rules and connection tracking is disabled just pure L3 Routing from Interface A to Interface B but I'm not using any bridge, I have enabled HW offloading and attempted to offload some of the routes to hardware and they do show the H in routes and the /interface/ethernet/swich/l3hw-settings/monitor shows that HW offloading is enabled with about 5000 out of 1m routes is offloaded (i don't have CPU issues) but I feel performance is shaped somehow where once traffic reaches around 4-5Gbps It seems to struggle.
@@TheNetworkTrip Thanks for the key info, will play around and see if it helps me with my issues.
Very well structured and well explained video.
Thank you!
Would be great to have a step by step NAT - using Fasttrack and firewall using Fasttrack guide.. with these, it almost seems inconceivable but, might one completely eliminate CCR's for CRS devices for doing most deployments? BGP?
Hello! Thank you. A video about that is coming soon!
amazing. if im going to use my ccr2216 to bgp peer with my upstream provider, do i need follow exactly the same procedure?
Hello! If you are receiving the default route only, yes, it works!
Great content as always. Thanks!
Much appreciated!
Just began exploring Mikrotik. Useful Vid! Heroic dose!
Can you elaborate on HW offload for inter-vlan routing security? What performance penalty (CPU) on Switch ACLs vs IP firewall + Fastrack?
I'm accustomed to L3 switch ACLs stateful TCP and stateless UDP. Can Mikrotik bridge / vlan int routing be full L4 stateful within the bridge / vlan interfaces. Or must go CPU?
I have the packet flow documentation which I need to dive into more but the GNS3 routeros image lacks the switch chip / ACLs. Likely I need to buy switch to really demo Mikrotik L3 switching. Eyeing CRS326-24S+2Q+ vs CRS317-1G-16S+. CRS326-24S+2Q+ appears more designed toward L2 raw forwarding. CRS317-1G-16S+ appears more designed toward L3/4 given it has much more CPU.
Thanks for the feedback! I'll soon upload a video on ACLs and security in Mikrotik, covering HW offload, performance, and the difference between Switch ACLs and IP firewall + FastTrack. For L4 stateful routing, Mikrotik needs the CPU, as the switch chip handles only L2/L3.
Hi , I checked with version 7.16.1 on switch option the hardware offloading option not available
Hello!
What is your device model?
all of your videoes are great and easy to understand ♥♥♥
Happy to hear that!
Hi, buddy, excellent explanation, thanks for your content. I have a question. If I want to have several source interfaces, how could I manage to pass the traffic through l3-hw having multiple broadcast domains as source? For example, if I have several switches connected to different ports, how could I achieve the same, taking into account what you say that we can only have a single bridge. As an additional fact, I am using a CCR2216 and I have several broadcast domains on it, and I do not want to mix them.
uplink
Hello!
Vlan filtering helps to keep the broadcast domain separate. If thew VLAN 20 is mapped to ports 1,2,3 and VLAN 21 is mapped to ports 4,5,6, then, you have 2 separate broadcast domain and still have one bridge.
Hi and great video! Is it possible to use L3HW Offloading without OSPF? (i know, the routing must then be done manually)..
Hello!
Yes, you can use static routing
As always very thanksful Mr.Wilmer..! it was very informative..!
But Question to ask: why you use VLAN in your LAB..? i mean why you didn't just use the physical interface and assigning IP to it without creating any VLAN..?
Hello Ali!
That will force to use the CPU, if we want to take advantage of L3 hardware offloading we must use a bridge and Vlan interfaces.
Great! Is L3HW work on BGP routes?
Hello!
Yeah, it does, it will offload up to 240k entries (CCR2216).
Hi sir! Great tutorial.
Will it work if I have only one interface for both up and downstream traffic?
Correct! That works
Sir can explore more regarding mpls hardware offloading on mikrotik. I believe it only works on lates ccr 22xxx or 21xxx series
Thanks for the suggestion! I’ll create a class about it.
You mention that we can only have a single bridge, but you are using ospf here as well. You recommend using a loopback bridge in OSPF. So don't we end up with two bridges here?
Hello!
Only one bridge will be using hardware offloading. You can add a loopback interface without any problems.
Many thanks sir
It’s a pleasure
How would you add a Management VLAN as well as romon and MAC telnet to this setup?
Does this work with the rb750gr3?
Hello!
That model is not supported, just the ones shown on the video.
Hi, i enable L3 Hw Offloading but this block navigation to internet on the vlans
Hi!
Before enabling l3 hardware offloading, you must build the Vlan table and enable Vlan filtering as I explained in the video.
Vlans should work without any problem.
Thanks!@@TheNetworkTrip in my case, get out ports with my "wans" of the bridge has the solved
@@AlejandroMartinezHernandez-f8u Removing the ports from the bridge will disable L3 hardware offloading in those interfaces. The ports should remain in the bridge, and manage all the IPs using vlan interfaces as I have shown in the video.
Thanks, yes! it was my mistake. Regarding this configuration, it is recommended to use ServerOpenVPN
excellent tutorial ! thanks
Glad you enjoyed it!
Is this applicable for Mpls/Vpls with Ospf case?
Would be interesting to see how those CPU counts look like when running tcp tests. UDP is very forgiving...
It should not impact the CPU because it does not it.
@@TheNetworkTrip I noticed the introduction of lo interface somewhere in the last couple of releases, it seems any IP configured on this interface is not offloaded. and if that is the IP your traffic hits to go through the router, CPU baby! I by default install a loopback address and advertise it passively as broadcast on ospf.
@@arebacollins All traffic going to the router will hit the CPU!! The traffic going to remote hosts will be offloaded
@@TheNetworkTrip then something must be amiss. I dont seem to be getting offloaded even with all the routes set up and marked as H
I have a question, in a scenario where you have multiple CRS310's and at the end of it a client device, assigning a /30 address on a vlan on the bridge in the last CRS310, tagging the vlan on the bridge and on the interface connected to a client mikrotik, and assigning a /31 IP address on the vlan and another on the customer mikrotik seems to break offload. Im getting 20% cpu on 65mbps. :-( am I missing something? ) all routes have the flag H in them.
It is worth activating it in a CCR 2116 acting as DHCP Server + CGNAT?
Hello! If you have high traffic and don't require mangle or VRFs, using it would be a great idea.
Very good video, everything explained clearly, I have been using several CRS305 with Hardware Offloading for a couple of months now, they are installed in micro pops, they have a WAN interface (where there is BGP to announce our prefixes) and a LAN interface where simply with a DHCP delivers the service, but I have problems limiting the speed, I used the "rate" function in Switch>Rule and it worked well but until certain traffic, I have noticed that after 1.5Gbps it starts to cause problems, for example on the WAN port It reaches 1.5Gbps and only 1.2Gbps is coming out of the LAN port, I deactivate the rule and at that moment both interfaces start to have 1.5. Could you help me with an idea of how I could effectively limit the service? taking into account that it was done in switch>rule since, being hierarchical, it first had a rule allowing ICMP not to be affected by saturation and avoid high times and packet losses (at least in that protocol). Thank you so much.
Hello!
I'll create some videos about rate limiting on CRSXXX devices.
Would MPLS/VPLS work this way too?
what happen with your blog - thenetworktrip ???
Coming soon!
ccr2004 -16G-2S+ ? does it have l3hw like the 2116 ? cant see anything in the literature
Hello, no,it doesn’t. At the moment, the CCR2116 and CCR2216 are the only CCRs that support it (plus CRS 3xx and 5xx)
is it possible to hardware offload MPLS on those devices? P PE function? if so, are you planning to make video about it?
I’ll complete some additional testing with MPLS VPNs and I’ll add a video about it
@@TheNetworkTrip while you're at it, could you check if it's possible to hardware offload macsec on these chips ?
In the case of having two operators and only receiving default routes, would it work well for the BGP border?
without a public IP on this BGP border
Hello!
If all the routes are in the main table, yes. If not, only the main table will be hardware offloaded.
mano esto mismo pero en español por favor!