You've answered yourself. Fasttracking means bypass of all firewall rules, fasttracked packets only pass through the connection-tracking part of the firewall.

Is there a way to still mark / count this traffic or is the only way for proper bandwidth management to have fasttracking disabled?

I have a RDP server on LAN which is forwarded to WAN: add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=tcp add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-ma...

I have a RDP server on LAN which is forwarded to WAN: add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-mark=rdp-connection-mark passthrough=yes port=3389 protocol=tcp add action=mark-connection chain=prerouting comment="MARK RDP CONNECTIONS" new-connection-ma...

Sorry for necroing an old thread, but it might be useful to mention that it is possible to drop packets before dstnat by using Raw rules in prerouting chain. An example: /ip firewall raw add action=drop chain=prerouting dst-port=3389 in-interface=your_wan_interface protocol=tcp src-address-list=\ !T...

It would be nice if MikroTik would add a variable that could be used in place of src-address, dst-address, or to-addresses in NAT commands. Vyatta has this option where you can reference for example ADDRv4_eth2 to get current eth2 IP address anywhere in NAT rule and it is replaced and maintained tra...

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not y...

Hopefully my comment won't come through as rude, but to me it seems a bit irresponsible (or at least over-confident) to say "we are highly certain" without having an actual sample of the malware to analyze and confirm that it was exploiting the old vulnerability and not some new one you might not ye...

MikroTik (just like Ubiquiti and many others for that matter) are depending on the hardware (CPU/chipset) manufacturer for major upgrades. Those manufacturers are the ones who provide SDK and drivers (the latter usually in binary form only due to patents), and those drivers cannot be loaded on newer...

Cloudflared (daemon for cloudflare services including DNS over HTTPS) is open-source and written in Go language, you can find it on GitHub and port to MikroTik.

Hello, new MikroTik owner here. I'd also like to see DNS over HTTPS support. I am not sure if the forum will let me post a link but I will try anyway. This is the source code of cloudflared (daemon) which can act as DNS over HTTPS proxy. It is written in Go language, it should be straightforward to ...