Fasttrack wiki page lacks real world example with filter and/or mangle rules

This wiki page on Fasttrack https://wiki.mikrotik.com/index.php?title=Manual:IP/Fasttrack
says “it is important to have other filter or mangle rules to get the advantage of the FastTrack”
and goes on showing 2 screenshots, but which are not in the slightest any useful for the firewall admin
b/c it just shows only some stats, but lacks showing the actual rules for the (to be) selected traffic/ports/protocols/interfaces for handling by fasttrack.

I need a practical fasttrack example for example for traffic initiated from LAN to ANY for say all dest ports 80/tcp, for example when downloading big files via http.

Is there a better reference page/info about Fasttrack in RouterOS with some advanced examples beyond the default simple/dumb “fasttrack all LAN” example?
Btw, that default simple example given in the wiki can IMO even be dangerous and insecure, or have no real effect at all! Not what you wanted to achieve with such a firewall…

Fasttrack could have some more love and attention in the Wiki.

The example shown are showing the dummy rules counting the fasttracked traffic. Showing you if you fastrack rule is working.

Fasttrack forwarded traffic should be done before accept rule or you won’t the dummy counters increase.

If you only want port 80 fasttracked then change the shown forward line to only be triggered by traffic to port 80. You will miss out on connections https/433 being fasttracked because you decided to ignore that.

Don’t forget that even fasttracked traffic is looked from to time to see if it is still ok and the some traffic goes through the slowpath (rules).

@msatter, yes thanks for the hint.
Port 80 was just an example. In practice there are more, of course.

Btw, would the following do work (especially the first shown line with “connection-state=tracked”)?:

…
#add chain=forward connection-state=tracked action=accept comment=“WRONG!”
add chain=forward connection-state=untracked action=accept comment=“THIS OK?”
add chain=forward connection-state=established,related action=accept
…
add chain=forward protocol=tcp dst-port=80 action=jump jump-target=myFT
add chain=forward action=drop

Create chain myFT for marking connection for fasttrack handling, also accepting the inital packet:

add chain=myFT action=fasttrack-connection
add chain=myFT action=accept

There is no connection-state=tracked as such. The possible connection-state values are untracked, new, invalid, established, related. In this list, the last four values are assigned by the connection tracking module of the firewall, so connection-state=new,invalid,established,related or connection-state=!untracked are two ways to express what you wanted to express using connection-state=tracked.

But as your very first rule actually says “accept everything which the connection tracking module is allowed to handle” (because the packets didn’t match any action=notrack rule in /ip firewall raw), none of the subsequent rules will ever see these packets (belonging to tracked connections). And if you prevent TCP packets towards port 80 from being tracked using a rule in /ip firewall raw, which will allow them to reach the action=jump rule matching on them, the action=fasttrack-connection rule in chain=myFT will do nothing because a non-tracked connection cannot be fasttracked.

@sindy, the intention was/is to apply fasttracking immediately/quickly right at top by accepting all such for fasttracking marked connections (the marking is done (or supposed to be done) at the end of the script).

I don’t get yet what the state “untracked” actually means. According to this wiki page https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties it means:
“untracked - packet which was set to bypass connection tracking in firewall RAW tables.”

But when and where in the examples has the RAW table ever been used? Nowhere. So, how are these fasttrack wiki examples (there are a few of them) supposed to use that fasttrack thing then? Very confusing.

So, then it seems I just should change the nonexistent/wrong “tracked” state to “untracked” and then it should work, isn’t it? Because I assumed the line “add chain=myFT action=fasttrack-connection” does the marking for fasttrack handling, so then no need to make other entries in the raw table?
Btw, here’s the doc for the raw table: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw

Or, how would you extend & fix my above posted attempt? Ie. in this example only dest port 80/tcp shall be fasttracked.

I think the following wiki page needs an update as well:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#Configurable_Facilities
The said raw table from https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Raw is missing there in the list under “Configurable Facilities”.

Untrack gives about a 30% increase in speed and is used for example in IPSEC that does not need connection tracking to function.
With the introduction (rules before connection tracking) this became posible.

I do most of my filtering in RAW but it has it limation because it has not trigger on invalid/est/rel/untracked because the traffic has not entered connection tracking yet.

Everything you filter out does not make use of the processor power to keep the conhrction table up-to-date. This is a great help to fight DDOS attacks as they ore not to strong.

Think off the example of a sheet of paper written full with rules. Then you take a pencil and fold the paper and stick the pencil through the paper at the top. The traffic represented by the pencil skips all rules on the paper and exits at the end of the rule list. This is fasttracking and the traffic needs one time walk the rules for your own safety and then it can be fasttracked.

Untracked is traffic not handked/show in connection tracking but has to walk the rules (if I am correct) but has no status derived from connrction tracking.

We got so two ways to increase speed but each has it’s own limitations. Fastracking traffic going into a VPN tunnel is not possible because the pencil goes through the paper and skips then also policy rules needed for encrypting traffic. The second best is then Untrack who is handled still by the policy.

The Wiki is not a full manual and we are happy what we are having now and if itis missing we got the forum.
If the Wiki is nit complete then you will shiffer when you visit help.mikrotik.com/docs which just at its startpoint.

RAW is relative new and overlaps how it functions with filter. The processing order is RAW --) Mangle --) filter --) nat.

Well… let’s forget about fasttracking first.

The whole concept of a stateful firewall is that you only take the real decisions, which require complex match conditions, when handling the initial packet of a new connection. Once a decision to let the initial packet through is made (by means of letting it through all layers of the firewall which are capable of dropping or rejecting it), the connection tracking module takes care of labeling all further packets belonging to the same connection with one of the connection states listed above, so you then can use matching to connection-state alone to handle packets belonging to all connections rather than setting up individual rules per protocol, port etc. for the mid-connection packets.

As there are many times more “mid-connection” packets than initial ones, it makes sense to place “accept established, related, or untracked” as the very first rule in the chain, so vast majority of packets ever reaches only this rule, thus saving the CPU consumption necessary to match them against any other rules. Only the initial ones (connection-state=new) and “weird” ones (connection-state=invalid) get past this rule, and are processed by the more detailed rules.

Fasttracking is an extension of this idea even further - assuming that the normal handling of packets bearing the connection-state=established or related label is to let them through anyway, why should we bother to push them through all the layers of the firewall, let’s make just the connection tracking identify them and if found to belong to an existing connection, let’s let them through. So regardless where in the rule chain a packet matches the conditions of an action=fasttrack-connection rule, the “fasttrack” bit is set in the connection context, so subsequent packets of the same connection will bypass all the firewall layers which follow after the connection tracking module.

But connection tracking itself is also quite CPU intensive - packet’s source and destination address, protocol, and port where applicable, have to be searched for in the complete list of connections, which may contain thousands of items. So for some types of traffic, it makes sense to bypass this query to the connection list - e.g. the traffic between internal subnets, or the VPN traffic between sites. For this purpose, the action=notrack in raw table exists.

So the table raw is more or less unrelated to fasttracking (because there can be no fasttracking without connection tracking), hence there is no reason to mention it in the chapter related to fasttracking.

The idea above transforms into the firewall rules created when you set the machine to factory defaults - they say “accept anything that matches any active IPsec policy” (because IPsec is one of the layers of packet processing which fasttracked packets bypass), followed by “fasttrack whatever is established or related (and, implicitly, what didn’t match the previous rule)”, and then “accept whatever is established, related or untracked” (because some small share of packets belonging to fasttracked connections is not actually fasttracked, plus to handle the untracked ones). And only after those generic rules, some more detailed ones are used to decide which traffic to let through and which not.

In most real cases you want to fasttrack the vast majority of the traffic, and only exclude from fasttracking those connections which need some specific treatment requiring that they always pass through all the layers of the firewall. So your example is illustrative but in real life a need to fasttrack only the traffic matching some detailed criteria is quite unlikely; the inverse situation (exclusion of traffic matching some detailed criteria from fasttracking) is much more frequent.

A separate case is QoS handling - if you need one, you cannot use fasttracking for most of the traffic, because fasttracked packets bypass also the queueing. And the share of highest priority traffic is usually so low that creating dedicated rules to fasttrack it would make little sense, especially since in advanced QoS scenarios, it is not unusual to decrease the priority of a connection during its existence as the amount of data it has transported increases, so that interactive communication was responsive while large downloads would give way to it.

Ah, ok, thx. https://help.mikrotik.com/docs/ looks much better and also more modern and also professional.
It seems I just needed that page: https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall titled “Building Advanced Firewall”

Oops! Found a minor bug on the above page: the section header for IPv6 reads “IPv4 RAW Rules” Ie. there are 2 such headers in the text.
https://help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall#BuildingAdvancedFirewall-IPv4RAWRules.1

Ok, I think I too should use the raw table from now on. Thx.

On a PC server I once had a bad experience with iptables conntrack module: it’s table was full, it had stored there all connections… I had to find out the system settings for shrinking that buffer (was too big), and changing a time or timeout setting to limit the time to keep that stuff in its table(s).
I think best is with very minimal & efficient connection tracking.
A stateless firewall is the fastest, but not everything is possible with it…

Be careful with use of the RAW firewall. Its very indiscriminate. Lets say you need a scalpel, raw = bulldozer.

@sindy, thx for your excellent explanation.

Did I got it right that you mean that action=notrack in the raw table is not intended for the fasttrack feature of the conntrack module?
If that’s true, then the wiki page(s) are wrong, IMHO.

I need to have QoS, so then in this case fasttracking cannot be used, if I got you right.
But what about the said action=notrack in the raw table you wrote about: can QoS be used with that one?
Ie. I need fast packet handling stuff as well QoS stuff.

Thx

I like low level challenges

Yes. action=notrack disables handling of that particular packet by connection tracking, hence fasttracking cannot work either. Can you link to the wiki page an quote the paragraph which according ro your reading says otherwise?

It depends. action=notrack in raw “only” prevents packets from being handled by connection tracking, but not from being handled by the other firewall tables, queues, ipsec policy matching etc. But also other features than fasttracking and referring to connection-state depend on connection tracking - namely, NAT and connection marking. So you can use QoS without connection tracking, but like with the primary function of the firewall, which is packet filtering, you’ll be unable to easily give the same treatment to groups of connections matching some complex criteria, which is the purpose of connection marking. Nor will you be able to dynamically adjust the priority of the flows depending on the volume of data they have transported so far, as per-connection traffic counting is also provided by the connection tracking module.

So all in all, if you need QoS and your hardware becomes a bottleneck (so you cannot utilize the whole bandwidth provided by your uplink) if prioritizing traffic (doing QoS), forget about software tricks like notrack and fasttrack and obtain a more powerful hardware.