L7 rule together with fasttrack rule

Hello guys,

I have the default configuration with two filter rules in IP/Firewall:

/ip firewall filter
add action=drop chain=forward layer7-protocol=mikrotik
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack" connection-state=established,related

The L7 protocol has a simple regexp, for example:

^.+(mikrotik).*$

I noticed that when the second “fasttrack” rule is enabled, the L7 filter rule does not work.
But when I disable the “fasttrack” rule, the L7 filter rule works well and DROPs the connection to the “mikrotik” site.

What is wrong with those rules?
Does the “fasttrack” rule not work, or does it have a higher priority than the first L7 rule?

Why?

I have RouterOS version 6.38.1.

People just keep asking similar questions over and over and over again here.
Please learn what fasttrack does first. Here’s the link to the documentation: http://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack.
Then come here and ask specific questions if any remain.

I read it.

As you see, my fasttrack rule is placed at the END of the list and the L7 rule is placed at the TOP of the list.
So the L7 rule should work first and DROP that connection, but that does not happen; the connection is not DROPPED.

When I remove only the L7 filter from that rule or disable the “fasttrack” rule, everything works correctly.

Fasttrack will catch the traffic and will bypass the rules whatever you do. You can only switch it off or split the traffic like I did.

Using fasttrack in the rules obstructs the detection of the packet that contains the IP (name) I want to filter. I have now split fasttrack by the direction the NAT is going. I want to detect incoming packets, so I changed fasttrack to only accelerate the traffic I have generated, by setting “connection-nat-state=srcnat” in fasttrack-connection.

Any packets coming from outside will be exempted from acceleration, and RAW will now be able to catch the packet that is further up in the packet stream.

This was a learning experience for me, and my first impression was wrong because I did not see that fasttrack did its work but made the interpretation of the RAW line difficult.

Can the fasttrack rule catch the traffic even if it is the last rule on the list?! … and the other rules like L7 are ignored (even if it is the first one on the list)?

It is not clear to me, so thanks for your patience.

Generally I see that the L7 rules are totally ignored when the fasttrack rule is anywhere on the list.

That is correct. When you use fasttrack, the initial connection setup packets get processed by the rules
and a connection tracking entry is set up, and from then on all traffic shortcuts all checks.
Because L7 rules look at the content of the traffic AFTER this initial setup, they cannot be combined with fasttrack.
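The usual way out, as an added example that is not part of this thread or of MikroTik's default configuration: decide on the first packet which connections the L7 rule must inspect, and keep only those out of fasttrack. The L7 matcher has to collect the first packets of a connection (RouterOS looks at the first 10 packets or 2 KB) before it can match, so an inspected flow must never be fasttracked at all; rule order alone cannot fix that, because fasttrack-connection fires on the first established packet and every later packet bypasses the filter chain. The layer7 protocol name `mikrotik` and its regexp are taken from the original post; the connection mark `inspect` and the port list 80,443 are assumptions chosen for illustration, and the syntax is RouterOS 6.x.

```routeros
# Added example (not from the thread). Assumes RouterOS 6.x; "inspect" and the
# port list 80,443 are illustrative choices, adjust to whatever the L7 rule must see.

/ip firewall layer7-protocol
add name=mikrotik regexp="^.+(mikrotik).*\$"

/ip firewall mangle
# Tag the connection on its very first packet, before any filter or fasttrack
# rule sees it. Every later packet of the flow carries this connection mark.
add chain=prerouting action=mark-connection new-connection-mark=inspect \
    connection-state=new protocol=tcp dst-port=80,443 passthrough=yes

/ip firewall filter
# 1. The L7 rule stays first and is limited to marked flows, so unmarked
#    traffic does not pay the L7 CPU cost and marked flows are seen in full.
add chain=forward action=drop layer7-protocol=mikrotik connection-mark=inspect \
    comment="L7 block: only on flows that stay in the slow path"
# 2. Fasttrack everything else; the negated mark keeps inspected flows out.
add chain=forward action=fasttrack-connection connection-state=established,related \
    connection-mark=!inspect comment="defconf: fasttrack (excluding inspected flows)"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"

# Checks: marked connections must not carry the F (fasttrack) flag, while the
# rest still do, and the L7 rule's packet counter must now increase.
/ip firewall connection print where connection-mark=inspect
/ip firewall connection print where fasttrack
/ip firewall filter print stats
```

The split by NAT direction described earlier in the thread (`connection-nat-state=srcnat` on the fasttrack rule) is a coarser version of the same idea: whatever fasttrack is allowed to take is never inspected again, so the exclusion has to cover every flow the L7 rule is meant to catch, not just the first packet of it.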

So when I want to use L7 rules, I cannot put any other rule with the fasttrack action because L7 will not work?

By “combined” do you mean in one rule (L7 and fasttrack), or that an L7 rule cannot exist together with a fasttrack rule?