I have a CRS317 (idk the exact model number; 16x SFP+ and one 1GbE RJ45). I’ve had it running SwOS for years with my ESXi hosts connected to it. My home network is a router-on-a-stick setup and it’s been awesome for ~10 years.

But with all this pfSense Plus fees and money garbage, I’m thinking about putting the MikroTik CRS317 into RouterOS L3 mode so I can buy a Netgate box like the 1100/2100 (and get pfSense Plus with the appliance).

Wondering what people’s real-world experience is with RouterOS on the CRS317 switch? I can currently saturate 10GbE, and part of my battery backup and shutdown procedure is based on the timing of those transfers/migrations, etc., so while I don’t need to absolutely keep every bit of 10GbE, I can’t go down to something like 2.5GbE.

Thanks.

I guess if the MikroTik won’t work: Should I buy a router? Should I buy a Cisco SX550X 10GbE switch? Thx.

  • Eavus@alien.topB · 1 upvote · 10 months ago

    MikroTik does support L3 offloading to the switch chip on some switch models, assuming you are running version 7 of their OS; ideally the latest, which in my experience has most of the bugs around L3HW ironed out. The CRS317 is one of the switches that do support L3 HW offload. My experience is it handles line-rate L3 routing, but I am also using it as a very simple L3 router, no NAT etc. You have to be cautious of which models you use with which feature set.

    I would give this doc a read over to see if all of your requirements can be met: https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading. According to it, the CRS317 does support NAT in hardware, but I personally haven’t tried. I use a CCR2116 with L3 offload for any firewall rules that are more than basic as well as NAT; it works great from my experience.

    The only shortcoming I have with MikroTik L3 offload right now is IPv6 support. They do support it, but the lack of a fasttrack action for IPv6 firewall rules means you have to offload all IPv6 traffic (no stateful firewall, just switch ACLs) or offload none of it.

  • kY2iB3yH0mN8wI2h@alien.topB · 1 upvote · 10 months ago

    The hardware MikroTik has does not do L3 on-chip, so it will be CPU based, and will be horrible. I also find RouterOS really hard to use compared to things like JunOS. I’m biased here.

    Why can’t you use OPNsense if you for some reason don’t want to sit in the same boat as pfSense? I have not followed whatever happens there, as I left pfSense years ago.

    Having L3 at the access switch layer has other benefits.

    • WrongColorPaint@alien.topOPB · 1 upvote · 10 months ago

      Having L3 at the access switch layer has other benefits.

      Thx. for the response. I bit the bullet and bought a second identical machine (Lenovo Tiny M720q) to what I’m running now with pfSense. When it gets here and I get it together, I’ll run the second machine with OPNsense in parallel to the current pfSense setup. I’ll probably do something like a double NAT and use OPNsense for my ESXi and homelab stuff so I can keep pfSense running the rest of the house.

      What do you mean by other benefits? ACLs? I have pfSense (2x SFP+ LAN in LACP, 1x motherboard gigabit WAN), then a Cisco SG500X-24 in L2 mode, and from there I’ve got the MikroTik CRS317 and a bunch of Cisco SG300 switches. If I make a change I’d probably offload the DHCP server too. What else am I missing?

      Should I try to replace pfSense 1:1 with OPNsense for now, and then make changes later (or not change anything once I’m comfortable)? I’ve been using essentially the same setup for so long I don’t really know much else.

  • jasonlitka@alien.topB · 1 upvote · 10 months ago

    Just to be clear, you’re upset with pfSense so your solution is to spend money on pfSense…

    Move to OPNsense if you like, but I’m unclear what that has to do with changing the function of your switch. Why are you considering that?

    • WrongColorPaint@alien.topOPB · 1 upvote · 10 months ago

      Why are you considering that?

      Because the Netgate appliances I’d need to replace my whitebox appliance are either the 6100 or the 8200. So if I offload most of the routing into an L3 switch, and I can put DHCP somewhere else too, then all I need is a little 1100 or 2100 appliance to just do firewall.

      My current setup has all my switches in L2 mode and all firewall/routing is done in pfSense. If I break out the routing portion (and DHCP), then I don’t need nearly as much hardware for pfSense.

    • WrongColorPaint@alien.topOPB · 1 upvote · 10 months ago

      Why not just move to OPNsense?

      I’m buying some hardware that I can run in parallel. I don’t want to just switch to OPNsense; I’d like to know and understand the differences in the software before I just deploy OPNsense.

      moving to a level 3 switch.

      Moving to a layer 3 switch: Right now I am doing firewall+router on the same appliance. A layer 3 switch will let me break out the firewall/router so that the L3 switch does routing (most of it) and the Netgate appliance would do the firewall work.

      Since ~2008 all I’ve used is pfSense, so moving to OPNsense is a little unknown. I’m buying a second piece of hardware so I can try a few different setups and run something in parallel for a few months so I can make an educated decision. I don’t know much about OPN so I don’t want to comment until it’s up and running.
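The two ideas in this thread that have a concrete shape are Eavus’s description of L3 hardware offload on RouterOS 7 (switch chip routes, fasttrack with hw-offload hands established flows to the ASIC) and the OP’s plan to let the CRS317 route between VLANs while a small firewall appliance only handles the perimeter. Below is an added example of what that looks like as a RouterOS 7 configuration for a CRS317; it is not a config from anyone in the thread. Port assignments, VLAN IDs, addresses and the transit link to the firewall appliance (10.99.0.1 on the appliance side) are all assumptions. The command names follow the MikroTik L3 Hardware Offloading doc that Eavus linked; verify them against the release you are actually running.

```routeros
# Added example, not the thread's configuration. RouterOS 7.x on a CRS317.
# Assumed layout (every name/ID/address here is a placeholder):
#   ether1          -> management, VLAN 10 (untagged)
#   sfp-sfpplus1-2  -> ESXi hosts, VLAN 20 (untagged)
#   sfp-sfpplus3-4  -> lab, VLAN 30 (untagged)
#   sfp-sfpplus16   -> trunk to the pfSense/OPNsense box, VLAN 99 transit

# 1. One bridge with all ports. Leave VLAN filtering off until the VLAN
#    table exists, otherwise you can cut off your own management session.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=sfp-sfpplus1 pvid=20
add bridge=bridge interface=sfp-sfpplus2 pvid=20
add bridge=bridge interface=sfp-sfpplus3 pvid=30
add bridge=bridge interface=sfp-sfpplus4 pvid=30
add bridge=bridge interface=sfp-sfpplus16
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=10
add bridge=bridge tagged=bridge untagged=sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20
add bridge=bridge tagged=bridge untagged=sfp-sfpplus3,sfp-sfpplus4 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus16 vlan-ids=99
/interface bridge set bridge vlan-filtering=yes

# 2. Routed (L3) interfaces live on the bridge as VLAN interfaces.
/interface vlan
add name=vlan10-mgmt interface=bridge vlan-id=10
add name=vlan20-esxi interface=bridge vlan-id=20
add name=vlan30-lab interface=bridge vlan-id=30
add name=vlan99-transit interface=bridge vlan-id=99
/ip address
add address=10.10.0.1/24 interface=vlan10-mgmt
add address=10.20.0.1/24 interface=vlan20-esxi
add address=10.30.0.1/24 interface=vlan30-lab
add address=10.99.0.2/30 interface=vlan99-transit

# 3. Only the default route points at the firewall appliance; it does NAT and
#    the perimeter policy. The appliance needs static routes back to
#    10.10/10.20/10.30 via 10.99.0.2.
/ip route
add dst-address=0.0.0.0/0 gateway=10.99.0.1

# 4. DHCP served from the switch, one scope per VLAN (VLAN 20 shown).
/ip pool
add name=pool-esxi ranges=10.20.0.100-10.20.0.200
/ip dhcp-server
add name=dhcp-esxi interface=vlan20-esxi address-pool=pool-esxi
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.10.0.1

# 5. Turn on L3 hardware offload for the switch chip and for every port.
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set [find] l3-hw-offloading=yes

# 6. Inter-VLAN policy has to live here: routed VLAN-to-VLAN traffic never
#    reaches the appliance. Fasttrack with hw-offload=yes hands established
#    flows to the ASIC; the first packets of each connection still go through
#    the CPU and these rules.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=vlan30-lab out-interface=vlan10-mgmt

# 7. Verify what the hardware actually took. The H flag marks offloaded
#    routes and connections; anything without it is being forwarded by the CPU.
/interface ethernet switch print
/ip route print
/ip firewall connection print
```

Two things to check before trusting the 10GbE numbers the OP cares about: first, watch `/ip firewall connection print` during a real storage migration and confirm the flows carry the H flag, because a rule that matches on something the ASIC cannot evaluate keeps the whole connection on the CPU; second, the IPv6 limitation Eavus mentions still applies to this layout, so any IPv6 you route on the switch is either fully offloaded with no state tracking or handled entirely in software.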