fasttrack connection question

Hello,
I want to enable fasttrack connection for my forward chain, but I want to add many IP addresses that are not included in fasttrack and add rules that drop those IPs in the next rules. In this way, does fasttrack work? And can I get better CPU performance?
These are the rules I have:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 chain=forward action=fasttrack-connection src-address-list=!KVM log=no log-prefix=""

2 chain=forward action=accept src-address-list=!KVM log=no log-prefix=""

3 ;;; Accept ICMP
chain=input action=accept protocol=icmp dst-limit=10,5,dst-address/1m40s log=no log-prefix=""

4 ;;; Drop Unauthorized Access To Router
chain=input action=drop src-address-list=!Trusted log=no log-prefix=""

5 ;;; Drop Unauthorized Access To KVM
chain=forward action=drop src-address-list=!Trusted dst-address-list=KVM log=no log-prefix=""

6 ;;; Block Bad IPs
chain=forward action=drop src-address-list=BlockedIPs log=no log-prefix=""

7 ;;; Drop Unauthorized Access To Switches
chain=forward action=drop src-address-list=!Trusted dst-address-list=Switches log=no log-prefix=""

8 ;;; Block Traceroute To Router
chain=output action=drop protocol=icmp src-address=X.X.X.X dst-address-list=!Trusted IPs icmp-options=11:0-255

9 X chain=forward action=accept in-interface=all-vlan dst-limit=2000,1000,src-address/1m log=no log-prefix=""

10 X chain=forward action=drop in-interface=all-vlan log=no log-prefix=""

thanks

Unfortunately, this will not work. Your access control rules need to run before marking the connection for fasttrack; once the connection is fasttracked, it will no longer hit the forward rule table.

Understood.. but in the first step, when I had the fasttrack connection rule enabled, I saw no saving on CPU usage! I sent a test UDP flood to outside and my CPU usage was the same as before. It was hovering around 10% on a CCR1036.

The firewall should process the initial packet of each connection in detail, and only already established and "related" connections should be fasttracked, the way the default firewalls of the hXY series are pre-configured. That way, you still fasttrack 99.99% of the traffic.

chain=forward action=fasttrack-connection connection-state=established,related
chain=forward action=accept connection-state=established,related,untracked
chain=forward action=drop connection-state=invalid
... use action=accept rules here for initial packets of connections which you want to permit - only the initial packets of connections reach this rule
chain=forward action=drop

The second rule is necessary as not all packets of a fasttracked connection are actually fasttracked. The last rule may be softened, e.g. by adding in-interface=!bridge-lan src-address-list=!KVM or something similar, to permit all connections initiated by clients on the LAN except those matching the KVM address list.
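To make the ordering argument concrete, here is a small simulation of how the forward chain treats the packets of one flow under the original rule order versus the suggested one. It is an added example, not code from this thread or from RouterOS; the address-list contents, the flow addresses and the simplified fasttrack/connection-state behaviour it assumes are all constructed.

```python
# Toy model of RouterOS forward-chain evaluation with fasttrack (added example,
# not code from the thread). Simplifying assumptions: fasttrack-connection marks
# the connection and falls through to the next rule; later packets of a
# fasttracked connection bypass the chain entirely; a connection is "new" until
# one of its packets was accepted and "established" afterwards.
LISTS = {"BlockedIPs": {"203.0.113.9"}, "KVM": {"10.0.0.5"}}  # constructed sample lists

def matches(rule, src, state):
    # True when every matcher of the rule fits this packet.
    for key, want in rule.items():
        if key == "connection-state" and state not in want:
            return False
        if key == "src-address-list":
            negate = want.startswith("!")
            if (src in LISTS[want.lstrip("!")]) == negate:  # "!list" hit, or plain list miss
                return False
    return True

def run_flow(rules, src, count):
    # Send `count` packets of one flow from `src` through the chain; return the verdicts.
    fasttracked, accepted_once, verdicts = False, False, []
    for _ in range(count):
        if fasttracked:
            verdicts.append("fastpath")  # never reaches the forward chain again
            continue
        state = "established" if accepted_once else "new"
        verdict = "accept"               # RouterOS default when no rule matches
        for rule in rules:
            if not matches(rule, src, state):
                continue
            if rule["action"] == "fasttrack-connection":
                fasttracked = True       # mark the connection, keep evaluating this packet
                continue
            verdict = rule["action"]
            break
        accepted_once |= verdict == "accept"
        verdicts.append(verdict)
    return verdicts

# Original order from the question: fasttrack and accept for !KVM precede the drop.
ORIGINAL = [
    {"action": "fasttrack-connection", "src-address-list": "!KVM"},
    {"action": "accept", "src-address-list": "!KVM"},
    {"action": "drop", "src-address-list": "BlockedIPs"},
]
# Suggested order: fasttrack/accept only established,related; drops before the accept for new connections.
SUGGESTED = [
    {"action": "fasttrack-connection", "connection-state": {"established", "related"}},
    {"action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "drop", "src-address-list": "BlockedIPs"},
    {"action": "accept", "src-address-list": "!KVM"},  # new connections from non-KVM hosts
    {"action": "drop"},
]
```

With the original order a flow from a BlockedIPs source is accepted on its first packet and then bypasses the chain for good, so rule 6 never sees it; with the suggested order the first packet is dropped and the connection never becomes established, so nothing gets fasttracked.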