I came up with a need to mark certain packets while still using FastTrack for the rest of the traffic. It turned out to be unexpectedly easy. I’m posting this to make sure I’m not missing anything, and also for the benefit of future visitors.
The logic is simple. FastTrack is only applied to already established and related connections; this is the default rule out of the box. All other connections are not fast-tracked by definition. In particular, new connections will go through the firewall and will get the chance to be packet-marked by the mangle rule. I modified the FastTrack rule to match only packets with no packet marks (“no-mark”). So, the subsequent packets from this connection will bypass FastTrack and continue to go through the firewall, including the mangle rules, continuing to mark packets - which otherwise would not happen due to FT.
Because I’m working with packet marks rather than connection marks (I need that since queue trees only work with packet marks), I needed to take care of both directions, hence two mangle rules.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack for established,related" connection-state=established,related hw-offload=yes packet-mark=no-mark
/ip firewall mangle
add action=mark-packet chain=forward in-interface=vlan101 new-packet-mark=intervlan out-interface=vlan102 passthrough=yes
add action=mark-packet chain=forward in-interface=vlan102 new-packet-mark=intervlan out-interface=vlan101 passthrough=yes
P.S. While testing this configuration and watching packet counters, I had to remember that only TCP and UDP protocols are fast-tracked. Therefore, running pings doesn’t truly represent the packet flow for most real traffic.
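The rule interaction described in the post can be checked with a small model. This is an added example, not part of the original post and not RouterOS code: it assumes forward-chain mangle runs before forward-chain filter and that packets of a fast-tracked connection skip both, and the interface name ether1 and the connection ids are made up for the test traffic.

```python
# Simplified model (an assumption, not RouterOS code): forward-chain mangle runs
# before forward-chain filter, and packets of a fasttracked connection skip both.
FASTTRACK_PROTOCOLS = {"tcp", "udp"}   # per the post: only TCP and UDP are fast-tracked
VLAN_PAIRS = {("vlan101", "vlan102"), ("vlan102", "vlan101")}

class Router:
    def __init__(self, fasttrack_requires_no_mark):
        self.fasttrack_requires_no_mark = fasttrack_requires_no_mark
        self.conns = {}  # connection id -> {"state": ..., "fasttracked": bool}

    def forward(self, conn_id, proto, in_if, out_if):
        """Process one packet; return (packet_mark, took_fast_path)."""
        conn = self.conns.get(conn_id)
        if conn is None:
            conn = self.conns[conn_id] = {"state": "new", "fasttracked": False}
        else:
            conn["state"] = "established"
        if conn["fasttracked"]:
            return "no-mark", True  # firewall bypassed, so mangle never marks it
        # mangle: the two mark-packet rules, one per direction
        mark = "intervlan" if (in_if, out_if) in VLAN_PAIRS else "no-mark"
        # filter: fasttrack-connection for established,related
        if (conn["state"] == "established" and proto in FASTTRACK_PROTOCOLS
                and (mark == "no-mark" or not self.fasttrack_requires_no_mark)):
            conn["fasttracked"] = True  # takes effect for the following packets
        return mark, False

def run_flow(router, conn_id, proto, a, b, packets=6):
    """Send packets alternately a->b and b->a; return the list of results."""
    out = []
    for i in range(packets):
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        out.append(router.forward(conn_id, proto, src, dst))
    return out

def summarize(results):
    """Return (packets marked intervlan, packets that took the fast path)."""
    marked = sum(1 for m, _ in results if m == "intervlan")
    fast = sum(1 for _, f in results if f)
    return marked, fast

if __name__ == "__main__":
    # Constructed traffic; "ether1" is a hypothetical non-VLAN interface.
    for label, flag in (("default rule", False), ("packet-mark=no-mark", True)):
        r = Router(flag)
        print(label,
              "intervlan tcp:", summarize(run_flow(r, 1, "tcp", "vlan101", "vlan102")),
              "other tcp:", summarize(run_flow(r, 2, "tcp", "vlan101", "ether1")),
              "intervlan icmp:", summarize(run_flow(r, 3, "icmp", "vlan101", "vlan102")))
```

With the default rule the inter-VLAN TCP flow loses its mark as soon as the connection is fast-tracked; with the no-mark matcher every packet of that flow stays marked while unmarked TCP traffic is still fast-tracked, and ICMP never takes the fast path under either rule.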