I would like someone to validate if what I want to do is possible: Rb2011uias-in with RouterOS 6.32, ports from ether2 to ether8 bridged together with hardware offloading. I need to do some redirections, to put one as an example: I have one server (10.7.7.4) plugged into ether5, and one client (10.7.7.26) coming from a switch via ether2.

I know that with hardware offloading those packets don't see the CPU, and so don't see the firewall, so I was looking in the "Switch > Rule" section, trying to make a rule that matches that scenario, with the action being "Redirect to CPU". I thought that with this, these packets would be processed by the CPU, and so they should be available to process from the firewall as usual. I put a passthrough rule to try to see the packets in the counters, but they don't show up. Is this scenario possible, maybe I'm missing something? I don't know how relevant it may be, but I also have a "fasttrack connection" rule for established and related connections on top of the firewall rules.

Bypassing the CPU is the essence of hardware offloading. So what you describe (using switch rules to redirect frames to the CPU port) only makes sense if such handling would affect only a small subset of all frames, i.e. This may be especially important if we talk about stateful bi-directional connections (i.e. TCP ones) which can benefit from connection tracking, as it may not be easy to force both directions through the CPU.

Regardless of whether you disable hardware offloading for one or more switch ports or whether you use /interface ethernet switch rule to redirect matching frames to the CPU: if you want the IP firewall to handle bridged frames, you have to issue

    /interface bridge settings set use-ip-firewall=yes

If you don't do that, the frames redirected using the switch rule will get to the CPU but will be processed there only by the software bridge and sent back to the switch chip without being seen by the IP firewall. This setting is a global one, so it will affect all bridges.

Imagine you have two ports of the switch chip. A frame between them can take one of the following three paths, from the shortest/fastest one down to the longest/slowest one:

directly within the switch chip - this is the "bridging with hardware offload".
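The combination discussed in this thread, written out for the addresses and ports in the question, as an added example that is not part of the original posts. The switch name switch1 and the comment strings are assumptions; check the switch name on the device before using it.

```routeros
# Added example, not from the thread. Assumptions: the switch chip that owns
# ether2 and ether5 is named switch1; the "probe" comments are arbitrary labels.

# 1. Let the IP firewall see frames handled by the software bridge.
#    This setting is global and affects every bridge on the router.
/interface bridge settings set use-ip-firewall=yes

# 2. Redirect only the client<->server subset to the CPU.
#    One rule per direction, each bound to the port where that direction enters
#    the switch chip, so connection tracking sees both halves of the flow.
/interface ethernet switch rule
add switch=switch1 ports=ether2 mac-protocol=ip \
    src-address=10.7.7.26/32 dst-address=10.7.7.4/32 redirect-to-cpu=yes
add switch=switch1 ports=ether5 mac-protocol=ip \
    src-address=10.7.7.4/32 dst-address=10.7.7.26/32 redirect-to-cpu=yes

# 3. Counting rules to confirm the frames now reach the IP firewall.
#    "add" appends at the end of the chain: move these above any rule that
#    would accept or drop this traffic first, or the counters stay at zero.
/ip firewall filter
add chain=forward action=passthrough \
    src-address=10.7.7.26 dst-address=10.7.7.4 comment="probe: client to server"
add chain=forward action=passthrough \
    src-address=10.7.7.4 dst-address=10.7.7.26 comment="probe: server to client"

# 4. Generate traffic between the two hosts, then read the counters.
#    Both directions should increment; if only one does, the other direction
#    is still being switched in hardware and bypasses the firewall.
/ip firewall filter print stats where comment~"probe"
```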