Fastpath on L2TP client only working for RX

Hi,

I’m using a PIA VPN L2TP connection without IPsec. I’ve enabled NAT (masquerade) and the fasttrack and accept filter rules, and there are no other settings that might affect Fastpath.
Why is my L2TP client connection only doing Fastpath on TX packets? Am I missing something?
I’ve also messed with lowering MSS to avoid fragmentation, but that’s not the issue here.

# oct/18/2019 14:27:13 by RouterOS 6.44.5
# software id = 8J6L-XKD7
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# serial number = 8A2A0808EA5B
# NOTE(review): the software id and serial number above identify this specific
# device; replace them with placeholders before sharing an export publicly.
#
# Layer-2 base: one bridge with spanning tree switched off (protocol-mode=none).
/interface bridge
add name=BRIDGE protocol-mode=none
# The five Ethernet ports are renamed LAN1-LAN5, all with arp=disabled and
# loop-protect=off; LAN3, LAN4 and LAN5 are additionally disabled.
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full arp=disabled l2mtu=2026 \
    loop-protect=off name=LAN1 speed=100Mbps
set [ find default-name=ether2 ] advertise=1000M-full arp=disabled l2mtu=2026 \
    loop-protect=off name=LAN2 speed=100Mbps
set [ find default-name=ether3 ] advertise=1000M-full arp=disabled disabled=yes \
    l2mtu=2026 loop-protect=off name=LAN3 rx-flow-control=on speed=100Mbps \
    tx-flow-control=on
set [ find default-name=ether4 ] advertise=1000M-full arp=disabled disabled=yes \
    l2mtu=2026 loop-protect=off name=LAN4 speed=100Mbps
set [ find default-name=ether5 ] advertise=1000M-full arp=disabled disabled=yes \
    l2mtu=2026 loop-protect=off name=LAN5 speed=100Mbps
# Only the switch chip's name is changed here.
/interface ethernet switch
set 0 name=SWITCH
# Wireless: one custom security profile and the two radios that use it.
#
# WPA-ERDEESH allows WPA2-PSK only and rotates the group key every hour.
# disable-pmkid=yes keeps the AP from putting a PMKID into its EAPOL frames,
# which removes one source of material for offline passphrase guessing (some
# clients may need the PMKID to connect).
# The pre-shared key itself does not appear in this export.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    group-key-update=1h mode=dynamic-keys name=WPA-ERDEESH supplicant-identity=\
    ""
# Both radios run as ap-bridge with security-profile=WPA-ERDEESH and
# wps-mode=disabled. wlan2 (erdeesh_5G) carries disabled=no and a manually set
# mac-address; wlan1 (erdeesh_2G) has no disabled=no in this export.
# NOTE(review): presumably wlan1 is still disabled - confirm on the device.
# NOTE(review): frequency-mode=superchannel is the conformance-testing mode
# that lifts the regulatory channel limits, and wlan2 pins tx-power=30 for all
# rates - confirm both are intended and permitted where the device is used.
/interface wireless
set [ find default-name=wlan1 ] arp=disabled band=2ghz-onlyn bridge-mode=\
    disabled channel-width=20/40mhz-Ce distance=indoors frequency-mode=\
    superchannel l2mtu=2026 mode=ap-bridge multicast-helper=full name=\
    erdeesh_2G radio-name="" security-profile=WPA-ERDEESH ssid=erdeesh \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] ampdu-priorities=0,1,2,3,4,5,6,7 amsdu-limit=\
    2048 amsdu-threshold=2048 arp=disabled band=5ghz-onlyac bridge-mode=\
    disabled channel-width=20/40/80mhz-Ceee disabled=no distance=indoors \
    frequency-mode=superchannel l2mtu=2026 mac-address=F2:2D:5E:37:50:48 mode=\
    ap-bridge multicast-helper=full name=erdeesh_5G radio-name="" \
    security-profile=WPA-ERDEESH ssid=erdeesh-5G station-roaming=disabled \
    tx-power=30 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
# Nstreme polling is switched off on both radios.
/interface wireless nstreme
set erdeesh_2G enable-polling=no
set erdeesh_5G enable-polling=no
# DHCP for the LAN: a 100-address pool served on BRIDGE.
/ip pool
add name=dhcp-pool ranges=192.168.43.100-192.168.43.199
# Leases last one week; BOOTP clients get the same lease time.
/ip dhcp-server
add address-pool=dhcp-pool allow-dual-stack-queue=no bootp-lease-time=\
    lease-time bootp-support=dynamic disabled=no interface=BRIDGE lease-time=1w \
    name=dhcp
# PPP profiles and the L2TP client that carries traffic to the VPN provider.
#
# Profile no-encrypt turns PPP encryption and compression off
# (use-encryption=no, use-compression=no) and enables TCP MSS adjustment.
# *FFFFFFFE is a profile referenced by internal id; it is set to require
# encryption. NOTE(review): presumably the built-in default-encryption
# profile - confirm. The PIA client below does not use it.
/ppp profile
add change-tcp-mss=yes name=no-encrypt only-one=no use-compression=no \
    use-encryption=no use-mpls=no use-upnp=no
set *FFFFFFFE only-one=no use-compression=no use-encryption=required use-mpls=\
    no use-upnp=no
# The PIA client selects profile=no-encrypt and the export shows no use-ipsec
# setting. L2TP on its own provides no confidentiality or integrity, so with
# this configuration everything sent through the tunnel is readable and
# modifiable on the path between this router and the provider's L2TP server.
# NOTE(review): if the tunnel is meant to protect traffic, enable IPsec on the
# client (use-ipsec / ipsec-secret) or use an encrypting tunnel type.
# add-default-route=yes installs a default route through the tunnel while it
# is connected; MTU and MRU are capped at 1410 and keepalive is 10 s.
# NOTE(review): user= is the provider account name and is identifying -
# replace it with a placeholder when posting. No password= value appears in
# this export.
/interface l2tp-client
add add-default-route=yes allow-fast-path=yes connect-to=\
    ro.privateinternetaccess.com disabled=no keepalive-timeout=10 max-mru=1410 \
    max-mtu=1410 name=PIA profile=no-encrypt user=x9989578
# Assorted interface and system settings: queue types, log buffer, CAPsMAN,
# certificate handling, bridge membership, neighbor discovery and IP options.
#
# Both radios use only the hardware queue.
/queue interface
set erdeesh_2G queue=only-hardware-queue
set erdeesh_5G queue=only-hardware-queue
# Logging action 0 keeps up to 50000 lines.
# NOTE(review): presumably this is the default in-memory action, in which case
# the log does not survive a reboot; send logs to disk or a remote syslog
# target if they are needed for later investigation.
/system logging action
set 0 memory-lines=50000
# CAPsMAN is forbidden on the default manager-interface entry.
/caps-man manager interface
set [ find default=yes ] forbid=yes
# Certificate revocation lists are neither downloaded nor consulted.
# NOTE(review): with crl-use=no a revoked certificate would presumably still
# be accepted by services on this router that validate certificates.
/certificate settings
set crl-download=no crl-use=no
# Bridge members: LAN1 (commented UPLINK), LAN2 and erdeesh_5G. erdeesh_2G is
# not added to the bridge.
# NOTE(review): the port marked UPLINK sits in the same bridge as the client
# ports, so upstream and clients apparently share one layer-2 segment.
# NOTE(review): trusted=yes is the DHCP-snooping trust flag; no dhcp-snooping
# setting is exported for BRIDGE, so it presumably has no effect here.
/interface bridge port
add bridge=BRIDGE comment=UPLINK edge=yes interface=LAN1 internal-path-cost=0 \
    learn=yes path-cost=0 point-to-point=yes priority=0 trusted=yes
add bridge=BRIDGE edge=yes interface=LAN2 internal-path-cost=0 learn=yes \
    path-cost=0 point-to-point=yes priority=0 trusted=yes
add bridge=BRIDGE edge=yes interface=erdeesh_5G internal-path-cost=0 path-cost=\
    0 point-to-point=yes priority=0 trusted=yes
# Neighbor discovery runs on the interface list "all", which would include the
# PIA tunnel interface. Discovery announcements disclose the router's identity,
# model and software version.
# NOTE(review): limit discovery to an interface list that holds only the LAN.
/ip neighbor discovery-settings
set discover-interface-list=all
# icmp-rate-limit=0 removes the limit on ICMP messages the router sends;
# the router does not send ICMP redirects (send-redirects=no).
# NOTE(review): secure-redirects=no only matters if accept-redirects is
# enabled, which this export does not show - confirm.
/ip settings
set icmp-rate-limit=0 secure-redirects=no send-redirects=no
# Settings for the wireless alignment, sniffer and snooper tools.
/interface wireless align
set active-mode=no
/interface wireless sniffer
set multiple-channels=yes only-headers=yes
/interface wireless snooper
set multiple-channels=no
# LAN addressing, DHCP leases and networks, and DNS.
#
# The router itself is 192.168.43.254/24 on BRIDGE.
/ip address
add address=192.168.43.254/24 interface=BRIDGE network=192.168.43.0
# No time update through the MikroTik cloud service.
/ip cloud
set update-time=no
# Leases are never written to disk.
/ip dhcp-server config
set store-leases-disk=never
# Six static leases, 192.168.43.100-105.
# NOTE(review): the MAC addresses identify the client devices; consider
# masking them when sharing an export.
/ip dhcp-server lease
add address=192.168.43.100 allow-dual-stack-queue=no mac-address=\
    1C:1B:0D:67:DA:5E server=dhcp
add address=192.168.43.103 allow-dual-stack-queue=no mac-address=\
    0C:48:85:A7:EE:09 server=dhcp
add address=192.168.43.102 allow-dual-stack-queue=no mac-address=\
    00:9E:C8:B4:39:CB server=dhcp
add address=192.168.43.101 allow-dual-stack-queue=no mac-address=\
    4C:49:E3:F5:87:05 server=dhcp
add address=192.168.43.104 allow-dual-stack-queue=no mac-address=\
    64:B8:53:48:2B:9F server=dhcp
add address=192.168.43.105 allow-dual-stack-queue=no mac-address=\
    A4:77:33:C7:B8:58 server=dhcp
# Two DHCP network entries: the /24 hands out gateway 192.168.43.99 (not this
# router), while the /32 entry for 192.168.43.102 hands out 192.168.43.254
# (this router). As exported, only that one host is pointed at this router,
# and so at the PIA tunnel, as its gateway.
# Both entries hand out the public resolvers 1.1.1.1 and 8.8.8.8.
/ip dhcp-server network
add address=192.168.43.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.43.99 \
    netmask=24
add address=192.168.43.102/32 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.43.254 \
    netmask=24
# The router's own resolver uses the same two servers with a 512 KiB cache.
/ip dns
set cache-size=512KiB servers=1.1.1.1,8.8.8.8
# Firewall (filter, mangle, NAT, connection-tracking helpers) and the static
# default route.
#
# The filter table holds exactly two rules, both in the forward chain:
# fasttrack established/related connections, then accept them. Fasttracked
# packets skip most further firewall and queue processing, so rules added
# later will not see them.
# NOTE(review): no input-chain rule and no drop rule is exported. With the
# default accept policy nothing here blocks new connections to the router
# itself or through it, including connections arriving over the PIA tunnel.
# Add an input chain that accepts established/related traffic and LAN
# management and drops the rest, and drop new forward connections that come
# in from PIA.
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
# MSS clamp for SYN packets leaving via PIA; disabled=yes, so not in effect.
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1360 out-interface=PIA \
    passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1361-65535
# Source NAT for everything leaving through the tunnel.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PIA
# All listed connection-tracking helpers are disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Static default route via 192.168.43.99 with distance=2.
# NOTE(review): the PIA client has add-default-route=yes, so this route is
# presumably the fallback when the tunnel is down (confirm the tunnel route's
# distance). In that state, traffic from hosts that use this router as their
# gateway would leave via 192.168.43.99 outside the VPN. If that must not
# happen, block forwarding for those hosts on any out-interface other than
# PIA.
/ip route
add distance=2 gateway=192.168.43.99
# Management services, SMB, UPnP, port firmware directory and PPP AAA.
#
# telnet, ftp, www, api, winbox and api-ssl are explicitly disabled; the
# address= restriction on telnet applies to a disabled service.
# ssh has no disabled= and no address= value exported.
# NOTE(review): SSH is enabled by default on RouterOS, so it appears to be
# reachable on port 22 from any source address on any interface. As exported,
# no input-chain firewall rule limits it either. Restrict it with address=
# and/or an input rule.
# NOTE(review): www-ssl has a certificate and port set but no disabled= value
# in the export - check on the device whether it is enabled, and restrict it
# the same way if so.
/ip service
set telnet address=192.168.137.0/25 disabled=yes
set ftp disabled=yes
set www disabled=yes port=58293
set ssh port=22
set www-ssl certificate=certificate.crt_0 port=58292
set api disabled=yes
set winbox disabled=yes port=58291
set api-ssl disabled=yes
# SMB: guest access is refused and the default share is disabled.
/ip smb
set allow-guests=no comment=hap-gw domain=hap-gw
/ip smb shares
set [ find default=yes ] disabled=yes
# UPnP dummy rule is hidden; no UPnP interfaces are configured in this export.
/ip upnp
set show-dummy-rule=no
/port firmware
set directory=flash
# PPP accounting is off.
/ppp aaa
set accounting=no

l2tp.png

does anyone have a clue?

@icsterm Have you solved your problem? I have the same issue

I stopped using L2TP altogether.
I don't remember finding a fix for fastpath over L2TP.