this post was submitted on 29 Nov 2023

I have a CRS317 (idk the numbers, 16x sfp+ and one 1gbe rj45). I've had it running SwOS for years with my esxi hosts connected to it. My home network is a router on stick setup and it's been awesome for ~10 years.

But with all this pfsense plus fees and money garbage, I'm thinking about putting the MikroTik crs317 into routeros L3 mode so I can buy a netgate box like 1100/2100 (and get pfsense plus with the appliance).

Wondering what people's real-world experience is with routeros on the crs317 switch? I can currently saturate 10gbe and part of my battery backup and shutdown procedure is based on the timing of those transfers/migrations, etc. so while I don't need to absolutely keep every bit of 10GbE, I can't go down to something like 2.5GbE.

Thanks.

I guess if the mikrotik won't work: Should I buy a router? Should I buy a Cisco sx550x 10gbe switch? Thx.

[–] Eavus@alien.top 1 points 11 months ago

Mikrotik does support l3 offloading to the switch chip on some switch models, assuming you are running version 7 of their OS; ideally the latest, which has most of the bugs ironed out around l3hw, from my experience. CRS317 is one of those switches that do support l3 hw offload. My experience is it handles line rate l3 routing, but I am also using it as a very simple L3 router, no NAT etc. You have to be cautious of which models you use with which feature set.

I would give this doc a read over to see if all of your requirements can be met: https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading. According to it, CRS317 does support NAT in hardware, but I personally haven't tried. I use a CCR2116 with L3 offload for any firewall rules that are more than basic as well as NAT; it works great from my experience.

The only shortcoming I have with mikrotik l3 offload right now is ipv6 support: they do support it, but the lack of a fasttrack action for ipv6 firewall rules means you have to offload all ipv6 traffic (no stateful firewall, just switch ACLs) or offload none of it.