Environment
CRS354-48G-4S+2Q+RM with RouterOS v7.13.5 (current stable) with the below configuration (result from /export compact):
Code:
/interface bridge
add admin-mac=DC:2C:6E:7E:50:AA auto-mac=no name=bridge pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan
add interface=bridge name=vlan-LAN vlan-id=20
add interface=bridge name=vlan-MGMT vlan-id=10
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 9 l3-hw-offloading=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool-LAN ranges=192.168.254.1-192.168.254.253
add name=pool-MGMT ranges=192.168.255.1-192.168.255.253
/ip dhcp-server
add address-pool=pool-LAN interface=vlan-LAN name=dhcp-LAN
add address-pool=pool-MGMT interface=vlan-MGMT name=dhcp-MGMT
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=10
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=ether11 pvid=10
add bridge=bridge interface=ether12 pvid=10
add bridge=bridge interface=ether13 pvid=10
add bridge=bridge interface=ether14 pvid=10
add bridge=bridge interface=ether15 pvid=10
add bridge=bridge interface=ether16 pvid=10
add bridge=bridge interface=ether17 pvid=10
add bridge=bridge interface=ether18 pvid=10
add bridge=bridge interface=ether19 pvid=10
add bridge=bridge interface=ether20 pvid=10
add bridge=bridge interface=ether21 pvid=10
add bridge=bridge interface=ether22 pvid=10
add bridge=bridge interface=ether23 pvid=10
add bridge=bridge interface=ether24 pvid=10
add bridge=bridge interface=ether25 pvid=20
add bridge=bridge interface=ether26 pvid=20
add bridge=bridge interface=ether27 pvid=20
add bridge=bridge interface=ether28 pvid=20
add bridge=bridge interface=ether29 pvid=20
add bridge=bridge interface=ether30 pvid=20
add bridge=bridge interface=ether31 pvid=20
add bridge=bridge interface=ether32 pvid=20
add bridge=bridge interface=ether33 pvid=20
add bridge=bridge interface=ether34 pvid=20
add bridge=bridge interface=ether35 pvid=20
add bridge=bridge interface=ether36 pvid=20
add bridge=bridge interface=ether37 pvid=20
add bridge=bridge interface=ether38 pvid=20
add bridge=bridge interface=ether39 pvid=20
add bridge=bridge interface=ether40 pvid=20
add bridge=bridge interface=ether41 pvid=20
add bridge=bridge interface=ether42 pvid=20
add bridge=bridge interface=ether43 pvid=20
add bridge=bridge interface=ether44 pvid=20
add bridge=bridge interface=ether45 pvid=20
add bridge=bridge interface=ether46 pvid=20
add bridge=bridge interface=ether47 pvid=20
add bridge=bridge interface=ether48 pvid=20
add bridge=bridge interface=qsfpplus1-1 pvid=20
add bridge=bridge interface=qsfpplus1-2 pvid=20
add bridge=bridge interface=qsfpplus1-3 pvid=20
add bridge=bridge interface=qsfpplus1-4 pvid=20
add bridge=bridge interface=qsfpplus2-1 pvid=20
add bridge=bridge interface=qsfpplus2-2 pvid=20
add bridge=bridge interface=qsfpplus2-3 pvid=20
add bridge=bridge interface=qsfpplus2-4 pvid=20
add bridge=bridge interface=sfp-sfpplus2 pvid=20
add bridge=bridge interface=sfp-sfpplus3 pvid=20
add bridge=bridge interface=sfp-sfpplus4 pvid=20
/ip firewall connection tracking
set udp-timeout=20s
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
/ip address
add address=192.168.88.1/24 interface=ether49 network=192.168.88.0
add address=[CENSORED] interface=sfp-sfpplus1 network=[CENSORED]
add address=192.168.254.254/24 interface=vlan-LAN network=192.168.254.0
add address=192.168.255.254/24 interface=vlan-MGMT network=192.168.255.0
/ip dhcp-relay
add dhcp-server=192.168.254.10 disabled=no interface=vlan-LAN name=dhcp-MAAS
/ip dhcp-server lease
add address=192.168.255.1 mac-address=D0:50:99:E2:C4:7D
add address=192.168.255.2 mac-address=FF:FF:FF:00:00:02
add address=192.168.255.3 mac-address=FF:FF:FF:00:00:03
add address=192.168.255.4 mac-address=0C:C4:7A:67:7C:9E
add address=192.168.255.5 mac-address=18:FB:7B:AA:93:AB
add address=192.168.255.6 mac-address=3C:EC:EF:07:3E:C3
add address=192.168.255.7 mac-address=3C:EC:EF:07:3F:D6
add address=192.168.255.8 mac-address=FF:FF:FF:00:00:08
add address=192.168.255.9 mac-address=FF:FF:FF:00:00:09
add address=192.168.255.10 mac-address=00:25:90:80:57:59
add address=192.168.255.11 mac-address=00:25:90:5B:AB:63
add address=192.168.255.12 mac-address=18:66:DA:70:78:67
add address=192.168.255.13 mac-address=D0:94:66:00:EB:D1
add address=192.168.255.14 mac-address=D0:94:66:97:BD:9F
add address=192.168.255.15 mac-address=D0:94:66:96:33:5A
add address=192.168.255.16 mac-address=4C:D9:8F:53:4B:BB
add address=192.168.255.17 mac-address=4C:D9:8F:53:62:DB
add address=192.168.255.18 mac-address=FF:FF:FF:00:00:12
add address=192.168.254.1 mac-address=D0:50:99:D1:5B:30
add address=192.168.254.2 mac-address=FF:FF:FF:00:01:02
add address=192.168.254.3 mac-address=FF:FF:FF:00:01:03
add address=192.168.254.4 mac-address=0C:C4:7A:A3:1C:B8
add address=192.168.254.5 mac-address=18:66:DA:F7:19:F4
add address=192.168.254.6 mac-address=0C:42:A1:54:7B:EE
add address=192.168.254.7 mac-address=0C:42:A1:54:71:12
add address=192.168.254.8 mac-address=FF:FF:FF:00:01:08
add address=192.168.254.9 mac-address=FF:FF:FF:00:01:09
add address=192.168.254.10 mac-address=00:25:90:80:3C:9E
add address=192.168.254.11 mac-address=00:25:90:5B:AA:D0
add address=192.168.254.12 mac-address=18:66:DA:70:78:63
add address=192.168.254.13 mac-address=D0:94:66:00:EB:CD
add address=192.168.254.14 mac-address=D0:94:66:97:BD:A5
add address=192.168.254.15 mac-address=D0:94:66:96:33:60
add address=192.168.254.16 mac-address=4C:D9:8F:53:4B:C1
add address=192.168.254.17 mac-address=4C:D9:8F:53:62:E1
add address=192.168.254.18 mac-address=FF:FF:FF:00:01:12
add address=192.168.254.101 mac-address=1C:1B:0D:0D:CB:8E
add address=192.168.254.102 mac-address=1C:1B:0D:0D:CB:78
add address=192.168.254.103 mac-address=1C:1B:0D:0D:CB:7C
add address=192.168.254.104 mac-address=1C:1B:0D:0D:CB:8C
/ip dhcp-server network
add address=192.168.254.0/24 dns-server=192.168.254.10,[CENSORED],[CENSORED] gateway=192.168.254.254
add address=192.168.255.0/24 dns-server=192.168.255.10,[CENSORED],[CENSORED] gateway=192.168.255.254
/ip dns
set servers=192.168.255.10,[CENSORED],[CENSORED]
/ip firewall filter
add action=fasttrack-connection chain=forward connection-nat-state=srcnat,dstnat hw-offload=yes protocol=udp
add action=accept chain=forward connection-nat-state=srcnat,dstnat protocol=udp
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
add action=dst-nat chain=dstnat dst-port=0-49151 in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.10
add action=dst-nat chain=dstnat dst-port=0-49151 in-interface=sfp-sfpplus1 protocol=udp to-addresses=192.168.254.10
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.1 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.2 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.3 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.4 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.5 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.6 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.7 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.8 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.9 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.10 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.11 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.12 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.13 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.14 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.15 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.16 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.17 \
    to-ports=22
add action=dst-nat chain=dstnat dst-port=[CENSORED] in-interface=sfp-sfpplus1 protocol=tcp to-addresses=192.168.254.18 \
    to-ports=22
/ip nat-pmp
set enabled=yes
/ip nat-pmp interfaces
add interface=sfp-sfpplus1 type=external
add interface=vlan-LAN type=internal
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=[CENSORED] routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=[CENSORED]
set www-ssl certificate=https disabled=no port=[CENSORED]
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=[CENSORED]
/system identity
set name=[CENSORED]
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
The above environment works well in offloading TCP 1-way/2-way transmissions via NAT. The result has been confirmed with /ip/firewall/connection/print, /interface/ethernet/switch/l3hw-settings/advanced/monitor and /tool/profile.
How to Test
1. Add these rules.
Code:
add action=fasttrack-connection chain=forward connection-nat-state=srcnat,dstnat hw-offload=yes protocol=udp
add action=accept chain=forward connection-nat-state=srcnat,dstnat protocol=udp
# Without the above two lines, UDP stream connection will not be marked as "F" for FastTrack. But still, no H/W offload.
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
2. Run a Netperf/Neper/etc. test for UDP_STREAM between a host inside the NAT and another outside.
3. In connection tracking, the UDP stream connections will never be marked "H" for H/W-offloaded; they are left as "Cs"/"Cd" for the SRCNAT/DSTNAT cases, or "CFs"/"CFd" if you add the above rules. They will also never be marked as a UDP stream, since they stay at the default UDP timeout (default: 10s). The timeout remains the same as the initial constant value while communicating.
In contrast to #3, UDP_RR (Request-Response) connections are actually offloaded, marked "SACFsH"/"SACFdH" ("S": seen-reply, "A": assured, "C": confirmed). The timeout for these decreases from 00:01:00 but is reset to it from time to time, so it does not expire. I have verified both UDP_STREAM and UDP_RR results with /interface/ethernet/switch/l3hw-settings/advanced/monitor and /tool/profile.
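The check in step 3 is easy to get wrong by eye when the table has hundreds of entries, so here is an added example (not from the post, and not a RouterOS tool) that takes two snapshots of the connection table a few seconds apart and reports, per UDP flow, whether it reached the "H" (hw-offload) state or is stuck at the configured udp-timeout with no reply ever seen. The flag letters are the ones the post cites (S, A, C, F, s, d, H). The column layout "flags proto src dst timeout" and the sample lines are constructed for this example; RouterOS's own /ip/firewall/connection/print output is wider than that, so adapt parse_line to the columns you export. The udp_timeout of 20 matches the post's "set udp-timeout=20s".

```python
"""Classify RouterOS conntrack entries and flag UDP flows that never leave
the initial udp-timeout state.  Added example; column layout is assumed."""
import re
from dataclasses import dataclass

# Flag letters as printed by /ip/firewall/connection/print (from the post).
FLAGS = {
    "S": "seen-reply",
    "A": "assured",
    "C": "confirmed",
    "F": "fasttrack",
    "s": "srcnat",
    "d": "dstnat",
    "H": "hw-offload",
}


@dataclass
class Conn:
    flags: set
    proto: str
    src: str
    dst: str
    timeout: int  # seconds remaining


def parse_timeout(text: str) -> int:
    """Accept both '00:01:00' and RouterOS-style '19s' / '23h59m50s'."""
    if ":" in text:
        h, m, s = (int(part) for part in text.split(":"))
        return h * 3600 + m * 60 + s
    total = 0
    for value, unit in re.findall(r"(\d+)([hms])", text):
        total += int(value) * {"h": 3600, "m": 60, "s": 1}[unit]
    return total


def parse_line(line: str) -> Conn:
    # Constructed layout: <flags or '-'> <proto> <src> <dst> <timeout>
    flags, proto, src, dst, timeout = line.split()
    flags = "" if flags == "-" else flags
    unknown = set(flags) - set(FLAGS)
    if unknown:
        raise ValueError(f"unknown flag letters {sorted(unknown)} in {line!r}")
    return Conn(set(flags), proto, src, dst, parse_timeout(timeout))


def offload_state(conn: Conn) -> str:
    """Reduce the flag set to the three outcomes the post distinguishes."""
    if "H" in conn.flags:
        return "hw-offloaded"
    if "F" in conn.flags:
        return "fasttrack-only"
    return "conntrack-only"


def audit(snapshot_before, snapshot_after, udp_timeout: int) -> dict:
    """Compare two snapshots.  A UDP flow is 'stuck' when it is not offloaded,
    has never seen a reply, and still shows exactly udp_timeout in both
    snapshots: the timer is being refreshed but the entry never matures."""
    before = {(c.proto, c.src, c.dst): c
              for c in map(parse_line, snapshot_before)}
    report = {}
    for line in snapshot_after:
        conn = parse_line(line)
        key = (conn.proto, conn.src, conn.dst)
        prev = before.get(key)
        stuck = (
            conn.proto == "udp"
            and "H" not in conn.flags
            and "S" not in conn.flags
            and prev is not None
            and prev.timeout == conn.timeout == udp_timeout
        )
        report[key] = {"state": offload_state(conn), "stuck": stuck}
    return report


# Constructed sample snapshots: an offloaded TCP flow, a UDP_STREAM flow that
# only ever reaches "CFs", and a UDP_RR flow that reaches "SACFsH".
SNAPSHOT_T0 = [
    "SACFsH tcp 192.168.254.10:45000 203.0.113.7:443 23h59m50s",
    "CFs udp 192.168.254.10:5001 203.0.113.7:5001 20s",
    "SACFsH udp 192.168.254.10:5002 203.0.113.7:5002 58s",
]
SNAPSHOT_T1 = [
    "SACFsH tcp 192.168.254.10:45000 203.0.113.7:443 23h59m40s",
    "CFs udp 192.168.254.10:5001 203.0.113.7:5001 20s",
    "SACFsH udp 192.168.254.10:5002 203.0.113.7:5002 00:00:51",
]

if __name__ == "__main__":
    for key, info in audit(SNAPSHOT_T0, SNAPSHOT_T1, udp_timeout=20).items():
        print(key, info)
```

Taking the two snapshots a few seconds apart is what separates "refreshed but never maturing" from "decrementing and periodically reset", which is exactly the UDP_STREAM versus UDP_RR difference the post describes.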
Possible Cause
viewtopic.php?t=178364#p904758: UDP Stream cannot be properly detected, so even the connection tracking itself for UDP stream is not working.
Statistics: Posted by hurryman2212 — Thu Feb 22, 2024 12:32 pm