Hey everyone.
Recently moved over to a MikroTik RB5009 from OPNsense and have been enjoying the learning curve! I’m a technical professional by trade but not in a networking field, so my learning in that area has been all self-taught through homelab experience and intrigue.
I have a question around firewall rules and chains. I hope someone may be able to help me out, as I couldn’t find anything conclusive in the docs. I understand the principles of the chains, and largely I’m only working with the input and forward chains. I have a number of input chain rules that permit traffic to various interface addresses that host services like DNS and NTP. I also then have a number of forward chain rules that permit my hosts in various VLANs to communicate on the relevant ports, etc. The input chain rules are all above the forward chain rules. All works seemingly perfectly.
Now, my confusion has come as I try to implement a FastTrack rule for my forward chain. Having read the documentation and example, I replicated the two rules relating to FastTrack: the first is the ‘Allow FastTrack for Established and Related connection (fasttrack)’ rule and the second is the ‘Allow Established and Related connections (accept)’ rule.
Where do these fit in the overall ruleset? Should I place these at the top of my ruleset, above the input rules? This is where I have them now, and everything seems to work; I just wanted to ensure I have not needlessly left myself at risk. Or do they go at the top of the forward rules, so that instead, at the top of the ruleset, I have all my input chain rules, then the two FastTrack rules, then the rest of my forward rules?
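The layout the question describes, as an added RouterOS example that is not part of the original post or of any MikroTik default configuration. Interface list names (LAN, WAN), the VLAN subnets and the port numbers are assumptions chosen for illustration; the chain names, actions and connection-state values are standard RouterOS filter syntax.

```routeros
# Added example, not from the original post. Interface lists, subnets and
# ports are assumptions; substitute your own.
/ip firewall filter

# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="input: allow established/related"
add chain=input action=drop connection-state=invalid \
    comment="input: drop invalid"
add chain=input action=accept protocol=udp dst-port=53 in-interface-list=LAN \
    comment="input: DNS from LAN (assumed list name)"
add chain=input action=accept protocol=udp dst-port=123 in-interface-list=LAN \
    comment="input: NTP from LAN (assumed list name)"
add chain=input action=drop comment="input: drop everything else"

# --- forward chain: packets routed through the router ---
# A packet is only matched against rules in its own chain, so the position of
# these forward rules relative to the input rules above is irrelevant. What
# matters is that the fasttrack rule is the first rule within chain=forward,
# followed by the matching accept, before any per-VLAN rules.
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="forward: fasttrack established/related"
add chain=forward action=accept connection-state=established,related \
    comment="forward: allow established/related"
add chain=forward action=drop connection-state=invalid \
    comment="forward: drop invalid"
add chain=forward action=accept src-address=10.10.20.0/24 dst-address=10.10.30.0/24 \
    protocol=tcp dst-port=443 comment="forward: VLAN20 -> VLAN30 HTTPS (assumed)"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN \
    comment="forward: LAN to internet (assumed list names)"
add chain=forward action=drop comment="forward: drop everything else"
```

Two points a practitioner would check in such a ruleset. First, the fasttrack pair only ever sees packets whose connection is already established or related; the first packet of every new connection still walks the whole forward chain, so the per-VLAN accept rules and the final drop decide whether a connection can exist at all, and fasttrack merely shortens the path for the packets that follow. Second, once a connection is fasttracked its packets bypass the remaining filter rules as well as mangle and queues, so any forward rule that is meant to act on traffic of an existing connection (logging, a targeted drop for one host, a mangle mark) must sit above the fasttrack rule or the fasttrack rule must be narrowed with a match that excludes that traffic. `/ip firewall filter print stats` makes this visible: with the ordering above, the counters on the per-VLAN rules grow only by new connections while the fasttrack rule's counter grows with the bulk of the traffic.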