How do I bypass fasttrack for one connection

I have a CRS125 router/switch combo and need to bypass fasttrack for one particular connection. The problem is that one device in my LAN uses IP TTLs of 32 and the target device is over 32 hops away in Europe (I am in Australia).

Here’s the relevant code. Note that I placed a dedicated “accept” rule before the “fasttrack-connection” rule so as to attempt to stop the session from being added to fasttrack. The fasttrack rule below is the default one.

/ip firewall filter
add chain=forward dst-port=80 protocol=tcp src-address=192.168.0.51
add action=fasttrack-connection chain=forward connection-state=established,related
/ip firewall mangle
add action=change-ttl chain=prerouting dst-port=80 new-ttl=set:64 protocol=tcp src-address=192.168.0.51

The behaviour I get is that the TCP handshake uses the right TTL (64) but then the connection gets added to the fasttrack table and the TTL goes back to 32 because fasttrack bypasses the firewall (and hence the mangle rules are not applied).

So, how do I reliably stop this one connection from hitting fasttrack?

Have you tried something like

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.0.51
/ip firewall mangle
add action=change-ttl chain=prerouting dst-port=80 new-ttl=set:64 protocol=tcp src-address=192.168.0.51

Yes, I did try that - putting the IP address as an exclusion in the Fasttrack rule. It didn’t work.
I’ve disabled the Fasttrack rule and the problem goes away, but then my CPU consumption also shoots up.

It’s almost like if there is a fasttrack rule in place, the rule is always processed, and advanced options like IP exclusions are ignored.

Looks like…

Which RouterOS and firmware version is the CRS running?

RouterOS 6.34.3 and firmware 3.24.

I’d ask MikroTik support directly, attaching a supout to the email.

Thanks. I’m currently operating without fasttrack and the CPU hasn’t spiked over 50% so far. At least that means I have a workaround.

Is the connection always initiated from the lan side?

If you have port forwards and the connection is incoming you may need to use dst-address as the filter on the fast-track.

Also, when you change the rule, any current connections will still be fast-tracked until they drop off.

The connection is outgoing. I also rebooted the router to make sure the memory is cleared.

It works with Fasttrack turned off. It breaks with Fasttrack turned on.

I do some alternate routing marks via pre-routing that don’t work well with fast-track and make sure that I only fast-track connections with connection-mark=no-mark and routing-table=main.

Maybe you can add another mangle before your other mangle setting a connection mark (and passthrough) and then change your fast-track to only do connection-mark=no-mark.

You, sir, are a legend. That worked perfectly.

I can therefore confirm the following rules make the fasttrack bypass work!

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Forward using FastTrack for any existing connections not marked by a mangle rule." connection-mark=no-mark \
    connection-state=established,related
add chain=forward comment="Forward any existing sessions which are marked or if they don't match FastTrack rule for some reason" connection-state=established,related

/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=lowttl ttl=less-than:60
add action=change-ttl chain=prerouting connection-mark=lowttl new-ttl=set:64

Awesome! You can probably optimize this statement by adding connection-state=new as it just needs to mark the connection once at startup.

Good point - sometimes I forget that it’s marking the connection rather than marking a packet.
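Pulling the thread together, here is the full rule set with the connection-state=new optimisation applied and a check at the end; this is an added example, not configuration taken from any of the posts above. The interface name bridge-lan is an assumption standing in for the CRS125’s LAN-side bridge, and scoping the mark rule to it keeps inbound WAN connections (whose TTL has already been decremented along the path) from being marked and pulled out of fasttrack too.

```routeros
# Added example: the thread's final rule set with connection-state=new applied.
# Assumption: "bridge-lan" is the LAN-facing bridge interface on the CRS125.

/ip firewall mangle
# Mark the connection once, on its first packet, only when it arrives from the LAN
# side with a low TTL (32 on the problem device; 60 leaves the usual 64/128 defaults alone).
add chain=prerouting action=mark-connection new-connection-mark=lowttl passthrough=yes \
    connection-state=new in-interface=bridge-lan ttl=less-than:60 \
    comment="Mark LAN connections that start with a low TTL"
# Rewrite the TTL on every packet of the marked connection. This rule must keep seeing
# the packets, which is exactly why the connection has to stay out of fasttrack.
add chain=prerouting action=change-ttl new-ttl=set:64 connection-mark=lowttl \
    comment="Raise TTL so the session can reach more than 32 hops"

/ip firewall filter
# Fasttrack only unmarked connections; marked ones keep traversing the mangle chain.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=no-mark \
    comment="FastTrack existing connections not marked by mangle"
add chain=forward action=accept connection-state=established,related \
    comment="Accept existing sessions, marked or otherwise"

# Check (after starting a fresh session from 192.168.0.51): the marked connection
# should be listed here without the F (fasttrack) flag in its flags column.
/ip firewall connection print where connection-mark=lowttl
```

Existing sessions keep whatever state they had before the rules changed, so either wait for them to time out or clear them before judging the result.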