Is FastTrack useful for VPN?

I set up PPTP, OVPN, L2TP and SSTP servers on the same routerboard, and it works fine. Now I am trying to lower the CPU burden and decided to play with FastTrack.

Here is the idea: I used to allow every type of VPN packet on the input chain (like 1723/tcp and GRE for PPTP, etc.), and I can duplicate these rules with the ‘fasttrack connection’ action:

Before:

/ip firewall filter
add action=accept chain=input comment="PPTP in 1" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="PPTP in 2" in-interface-list=WAN protocol=gre

After:

/ip firewall filter
add action=fasttrack-connection chain=input comment="PPTP in 1" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=fasttrack-connection chain=input comment="PPTP in 2" in-interface-list=WAN protocol=gre
add action=accept chain=input comment="PPTP in 1" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="PPTP in 2" in-interface-list=WAN protocol=gre

But is this useful? The VPN-in connections work OK, but the system → settings says there are no packets/bytes of FastTrack.

The ROS is 6.39.2 (stable), f/w is 3.33, the device is CCR1009-7G-1C-1S+ - all is the latest and looks like it should work fine.

FastTrack works only for forwarded traffic over the router, so there is no point adding fasttrack-connection in the input chain.

Read more here.

http://forum.mikrotik.com/t/fasttrack-new-feature-in-6-29/87517/3

Yep, I read that long ago, but since that time I have read some updates on fasttrack in changelogs, so I hoped fasttrack could finally be used for input, too.

But if I run NAT, then there is no point in it, either?

It is my understanding that fasttrack is to be used in forward, as it lowers the CPU usage because it does not go through the firewall and so on. Input terminates on the router, and my guess is it would gain no performance with fasttrack. Output might be another story, but you can use fasttrack with VPN, just not the termination.

I have VPN to my 750gr3, and all traffic that passes this device and is approved will hit my fasttrack rule and will be fasttracked. So when I access internal resources or the internet, if it is approved, fasttrack will be used for the connection during routing, thus lowering the CPU usage, but then I look at the traffic in the forward chain and not the terminating VPN tunnel traffic.
In the end I gain little anyway, as encryption of the tunnel is what consumes the CPU anyway :)

This idea appears to be worth considering ) Thank you!

Fastpath/Fasttrack can’t and never will be used for input “traffic”.

Fastpath/Fasttrack allows skipping packet processing when it is not necessary; it uses the routing cache (in the case of fastpath) and conntrack (in the case of fasttrack) to determine which out-interface the packet should end up at, and sends that packet there directly.

“input” traffic implies that router must process that traffic, so no skipping is possible, so no fastpath.

In order for fastpath to work, the in-interface where the packet is received needs to have fastpath support; in the latest version MT added support for some PPP tunnel configurations.
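
The check below is an added example, not part of the thread or any MikroTik tooling: it scans a RouterOS export for `fasttrack-connection` rules placed in the `input` or `output` chain, which the replies above explain cannot be fasttracked. The sample export is constructed from the question's "After" rules plus an assumed forward-chain pair for contrast, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample export: the "After" rules from the question plus a
# forward-chain fasttrack/accept pair (assumed here for contrast).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=fasttrack-connection chain=input comment="PPTP in 1" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=fasttrack-connection chain=input comment="PPTP in 2" in-interface-list=WAN protocol=gre
add action=accept chain=input comment="PPTP in 1" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="PPTP in 2" in-interface-list=WAN protocol=gre
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
"""

def parse_filter_rules(export_text):
    """Return one {property: value} dict per rule under /ip firewall filter."""
    # Exports wrap long lines with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", export_text)
    rules, in_filter = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def audit_fasttrack(rules):
    """List (rule index, chain, comment) for fasttrack rules in input/output.

    Per the replies in the thread, FastTrack only applies to traffic forwarded
    through the router, so these rules add no offload. User-defined chains are
    not flagged because they may be reached by a jump from forward.
    """
    findings = []
    for index, rule in enumerate(rules):
        if (rule.get("action") == "fasttrack-connection"
                and rule.get("chain") in ("input", "output")):
            findings.append((index, rule["chain"], rule.get("comment", "")))
    return findings

if __name__ == "__main__":
    for index, chain, comment in audit_fasttrack(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"rule {index}: fasttrack-connection in chain={chain} ({comment!r}) "
              "is outside forward; keep only the accept rule")
```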