Forward chain ipsec rule placement

john4669 · September 17, 2020, 2:30am

This is an excerpt from a pretty common “basic” firewall script:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

I am trying to figure out why the ipsec policy needs to be before the established/related policy? What happens if it after it? Thanks.

karlisi · September 17, 2020, 6:49am

Ipsec rules should be before fasttrack rule, to exclude ipsec traffic from fasttrack. And fasttrack should be before accept established, related, untracked to work properly.

mkx · September 17, 2020, 9:14am

And all of that because fasttrack causes packets to skip most of packet processing, which includes encapsulation/decapsulation of packets into/from IPsec tunnel …