Hey all, it’s been a while since I’ve worked on a MikroTik, and I noticed as I’m setting up my new CCR1009 that it has a dynamic firewall filter rule that I cannot delete. I understand the purpose of this entry, but I’m not sure how to delete it; I’d prefer to control this manually. If I can’t control it manually, how do I add items to fasttrack to make use of this policy?
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
Connections are switched to fasttrack mode by hitting an action=fasttrack-connection rule in the forward chain of /ip firewall filter. The dynamic rule you want to get rid of (which is not possible) is there because the action=fasttrack-connection rule exists and is enabled (or at least it used to be like this).
Fasttracking conflicts with IPsec policies, policy routing, and QoS handling (queueing packets).
Thanks for the reply, much appreciated. I built all of my filter rules (first pass) the way I think they need to be built, and everything seems to be working well. The dynamic policy I mentioned doesn’t show up in the filter rules below, but I went ahead and changed the rule below, “Accept Packets From LAN to WAN”, from accept to the fasttrack action, and it didn’t allow traffic to pass through the firewall at all: I could no longer ping WAN addresses, and the hit count of the dynamic policy didn’t increase. What am I missing here?
/ip firewall filter
# -- INPUT
add action=drop chain=input comment="Drop Bogon Packets From WAN" in-interface-list=WAN log=yes log-prefix=fw-inp-bogon src-address-list=Bogon
add action=drop chain=input comment="Drop Invalid Packets From All Interfaces" connection-state=invalid
add action=accept chain=input comment="Accept Established/Related Packets From All Interfaces" connection-state=established,related
add action=accept chain=input comment="Accept Packets From LAN Subnet" connection-state=new src-address=192.168.1.0/24
add action=drop chain=input comment="Drop All Packets From All Interfaces"
# -- FWD
add action=drop chain=forward comment="Drop Bogon Packets To WAN" dst-address-list=Bogon log=yes log-prefix=fw-fwd-bogon out-interface-list=WAN src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop Invalid Packets Through All Interfaces" connection-state=invalid
add action=accept chain=forward comment="Accept Established/Related Packets Through All Interfaces" connection-state=established,related
add action=accept chain=forward comment="Accept Packets From LAN to WAN" connection-state=new dst-address=0.0.0.0/0 out-interface-list=WAN src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop All Packets Through All Interfaces"
My issue was a misunderstanding of how and where to apply the fasttrack filter rule. In short, I applied it to the forward rule for new connections, when I should have created a new rule above my accept established/related packets rule; see screenshot below.
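The placement the thread arrives at, written out as a forward chain, as an added example that is not part of the original posts or of the poster's screenshot. It reuses the poster's LAN subnet (192.168.1.0/24) and WAN interface list, and adds two things the thread only mentions in passing: the fasttrack-connection action only takes effect on established/related connections and does not itself accept the packet, so it sits directly above the accept established/related rule (the order the MikroTik default configuration uses), and traffic that must not be fasttracked (IPsec policy traffic, hosts that need queueing, per the caveat in the reply above) is accepted before the fasttrack rule is reached. The `no-fasttrack` address list is an assumed name; the IPsec rules are only needed if IPsec is in use.

```routeros
/ip firewall filter
# Forward chain. The fasttrack rule goes above the accept established/related rule and
# matches the same connection states. LAN subnet and WAN list are the poster's values.
add action=drop chain=forward comment="Drop Invalid Packets Through All Interfaces" \
    connection-state=invalid
# Caveat handling: packets covered by an IPsec policy must not be fasttracked, so they
# are accepted before the fasttrack rule is reached (same matcher the default config uses)
add action=accept chain=forward comment="Accept IPsec policy traffic (not fasttracked)" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept IPsec policy traffic (not fasttracked)" \
    ipsec-policy=out,ipsec
# Caveat handling: queues never see fasttracked packets, so hosts that need queueing stay on
# the normal path. "no-fasttrack" is an assumed address-list name, populated separately.
add action=accept chain=forward comment="Keep queued hosts off fasttrack" \
    connection-state=established,related src-address-list=no-fasttrack
add action=accept chain=forward comment="Keep queued hosts off fasttrack" \
    connection-state=established,related dst-address-list=no-fasttrack
# The fasttrack rule itself: only established/related connections qualify, which is why
# putting this action on the connection-state=new rule did nothing useful
add action=fasttrack-connection chain=forward comment="Fasttrack established/related" \
    connection-state=established,related
# fasttrack-connection marks the connection but does not accept the packet, so this accept
# rule must follow it. Once a connection is fasttracked its later packets bypass the filter,
# so this rule's counters stop growing while the dynamic dummy rule's counters grow instead.
add action=accept chain=forward comment="Accept Established/Related Packets Through All Interfaces" \
    connection-state=established,related
add action=accept chain=forward comment="Accept Packets From LAN to WAN" \
    connection-state=new out-interface-list=WAN src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop All Packets Through All Interfaces"

# Checks: the dynamic dummy rule's counters should increase once traffic is fasttracked,
# and fasttracked connections show the F flag in the connection table
/ip firewall filter print stats where chain=forward
/ip firewall connection print
```

If the dummy rule's counters stay at zero after a long download from the LAN, look for anything that forces the slow path for that traffic: a matching IPsec policy, a mangle rule or queue that touches it, or a rule above the fasttrack rule that accepts it first.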