Is still ipsec fasttrack bypass rule needed in ROS7

fpawlak · March 7, 2022, 11:49am

Hi guys,
simple question about ipsec and fasttrack.
With ROS7+ do I still need to add ‘bypass rule’?
eg.

/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
	
/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related

I have seen something similar on default config on my CAP ac after upgrade to ROS 7.1.3 so probably is still needed

g18c · June 30, 2022, 4:38am

Yes still needed.

Braddock · October 21, 2022, 9:41am

I have a question regarding the mangle rules that mark ipsec connections to be skipped by fasttrack:
Do the mangle rules have to check every packet, or is it good enough to mark only packets with connection-state=new ?

Something like this:

/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec

Sob · October 23, 2022, 9:27pm

New is enough. That’s the point, connection tracking recognizes to what connection each packet belongs, so once you mark connection, you can use just connection-mark=XXX as condition, when you need do to something else with packets that belong to this connection. You don’t have to test each packet against all other possibly complicated conditions.