Mikrotik rb750gr3 fasttrack and wireguard issue

I am living in a Gulf country where WhatsApp calls are blocked. When I activate fasttrack, WhatsApp calls stop working.

# 2024-01-06 21:58:35 by RouterOS 7.12.1
# software id = 96V2-N22P
#
# model = RB750Gr3

# Interface, pool and DHCP-server definitions. This is a RouterOS export, so
# each "/menu path" line is followed by the add/set commands for that menu.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=Main-WAN
# WireGuard client interface. It listens on UDP 13231; the peer it talks to
# is defined under /interface wireguard peers.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# PPPoE uplink running over ether1. The logical WAN interface is the
# pppoe-client named Main-WAN, not ether1 itself; firewall rules that match
# on in-interface/out-interface see Main-WAN.
# NOTE(review): the PPPoE account name is part of this public post; no
# password field is visible in the export.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=Main-WAN user=\
    zahidmoh
# Interface lists; members are assigned under /interface list member.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
# Two pools are defined, but only "dhcp" is referenced by the DHCP server
# below; dhcp_pool0 (192.168.88.0/24 range) is not used by anything visible
# in this export.
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=10m name=dhcp1
/port
set 0 name=serial0
# Extra routing table. The mangle mark-routing rules select it and the
# /ip route entries with routing-table=WhatsApp+imo populate it.
/routing table
add disabled=no fib name=WhatsApp+imo
# Per-device block rules on the bridge, one source MAC each. All eight are
# disabled=yes, so none of them is active in this export.
# They sit in chain=input of the bridge filter, i.e. they match frames
# addressed to the router itself, not frames bridged between LAN ports.
# NOTE(review): a source MAC address is chosen by the client, so a MAC-based
# drop only stops a device that keeps its address unchanged.
/interface bridge filter
add action=drop chain=input comment=naeem disabled=yes in-bridge=bridge1 \
    src-mac-address=78:98:E8:6E:B7:C4/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="black diamond" disabled=yes in-bridge=\
    bridge1 src-mac-address=98:DA:C4:8B:A1:10/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="mota dukan wala" disabled=yes in-bridge=\
    bridge1 src-mac-address=CC:32:E5:C5:C9:DE/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment=misri disabled=yes in-bridge=bridge1 \
    src-mac-address=D8:07:B6:D7:F8:AE/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment=room2 disabled=yes in-bridge=bridge1 \
    src-mac-address=C0:06:C3:7F:FE:FA/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment=room10 disabled=yes in-bridge=bridge1 \
    src-mac-address=F4:F2:6D:59:E5:FC/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment="afzal end wala" disabled=yes in-bridge=\
    bridge1 src-mac-address=9C:53:22:04:49:2A/FF:FF:FF:FF:FF:FF
add action=drop chain=input comment=mohsinbro disabled=yes in-bridge=bridge1 \
    src-mac-address=40:ED:00:4B:47:35/FF:FF:FF:FF:FF:FF
# ether2-ether5 are the LAN switch ports; ether1 stays outside the bridge
# and carries the PPPoE session.
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
# Neighbor discovery is limited to the LAN interface list, so the router
# does not announce itself on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=LAN protocol=cdp
# WAN = the PPPoE interface, LAN = the bridge. wireguard1 is in neither
# list, so rules written against WAN/LAN lists do not cover tunnel traffic.
/interface list member
add interface=Main-WAN list=WAN
add interface=bridge1 list=LAN
# Single WireGuard peer. allowed-address=0.0.0.0/0 means any destination may
# be routed to this peer and any source address is accepted from it.
# The value shown is the peer's public key, which is not a secret; the
# interface's own private key does not appear in this export.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=193.32.249.66 endpoint-port=\
    51820 interface=wireguard1 public-key=\
    "UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM="
# LAN gateway address and the tunnel address (no prefix length is given for
# the wireguard1 address; network= equals the address itself).
/ip address
add address=192.168.100.1/24 interface=bridge1 network=192.168.100.0
add address=10.67.166.112 interface=wireguard1 network=10.67.166.112
# NOTE(review): DDNS publishes the router's current public address under a
# stable name. Together with the dst-nat rules and the absence of enabled
# input-chain filter rules in this export, that makes the exposed ports easy
# to find again after the PPPoE address changes - confirm this is intended.
/ip cloud
set ddns-enabled=yes
# Static DHCP leases: each entry pins one MAC address / client-id to a fixed
# LAN address so that the per-device rules and port forwards elsewhere in the
# export keep pointing at the same host.
# NOTE(review): the comments carry personal names and every client MAC is
# listed; that is identifying information in a public post.
/ip dhcp-server lease
add address=192.168.100.249 client-id=1:d8:7:b6:d7:f8:ae comment=misri \
    mac-address=D8:07:B6:D7:F8:AE server=dhcp1
add address=192.168.100.88 client-id=1:78:98:e8:6e:b7:c4 comment="naeem nai" \
    mac-address=78:98:E8:6E:B7:C4 server=dhcp1
add address=192.168.100.244 client-id=1:9c:53:22:4:49:2a comment=\
    "afzal end wala" mac-address=9C:53:22:04:49:2A server=dhcp1
add address=192.168.100.57 client-id=1:40:ed:0:4b:47:35 comment=Mohsinbro \
    mac-address=40:ED:00:4B:47:35 server=dhcp1
add address=192.168.100.127 client-id=1:50:c7:bf:c2:a9:a2 mac-address=\
    50:C7:BF:C2:A9:A2 server=dhcp1
add address=192.168.100.4 client-id=1:0:12:17:18:83:d4 mac-address=\
    00:12:17:18:83:D4 server=dhcp1
add address=192.168.100.30 client-id=1:98:da:c4:8b:a1:10 comment=\
    "Black diamond" mac-address=98:DA:C4:8B:A1:10 server=dhcp1
add address=192.168.100.32 client-id=1:1c:3b:f3:c3:a1:dd mac-address=\
    1C:3B:F3:C3:A1:DD server=dhcp1
add address=192.168.100.224 client-id=1:d4:6e:e:76:8f:51 mac-address=\
    D4:6E:0E:76:8F:51 server=dhcp1
add address=192.168.100.137 client-id=1:48:22:54:55:c8:c7 comment=\
    "upper Wala new" mac-address=48:22:54:55:C8:C7 server=dhcp1
add address=192.168.100.140 client-id=1:b0:be:76:7b:97:12 mac-address=\
    B0:BE:76:7B:97:12 server=dhcp1
add address=192.168.100.174 client-id=1:38:6b:1c:3f:e6:e comment="siddik " \
    mac-address=38:6B:1C:3F:E6:0E server=dhcp1
add address=192.168.100.38 client-id=1:f4:f2:6d:59:e5:fc comment=room10 \
    mac-address=F4:F2:6D:59:E5:FC server=dhcp1
# DHCP clients are handed 8.8.8.8 and 100.64.0.31 as resolvers, so they query
# those servers directly rather than the router.
# NOTE(review): port 53 is not in the dst-port list of the mangle rules, so
# these DNS queries follow the main routing table, not the WireGuard table.
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,100.64.0.31 gateway=\
    192.168.100.1
# Resolvers used by the router itself.
/ip dns
set servers=1.1.1.1,100.64.0.31
# "out" covers the whole LAN subnet; the mangle rules use it as
# src-address-list to pick which sources get the WhatsApp+imo routing mark.
/ip firewall address-list
add address=192.168.100.0/24 list=out
# Firewall filter table. Every rule below carries disabled=yes, so in this
# export the filter is effectively empty and all traffic is accepted.
# NOTE(review): there is no chain=input rule at all, enabled or disabled.
# Nothing here limits access to the router's own services (see /ip service)
# from the PPPoE side; a stateful input chain that accepts
# established/related, the LAN and the WireGuard port and drops the rest is
# the usual baseline.
/ip firewall filter
# Fasttrack for every TCP packet in forward. There is no connection-state
# match, and the rule comes BEFORE the jump to No-Fasttrack, so the accept
# rules in that chain could not exempt anything even when enabled: exclusion
# rules have to sit above the fasttrack rule.
add action=fasttrack-connection chain=forward disabled=yes hw-offload=yes \
    protocol=tcp
add action=jump chain=forward disabled=yes jump-target=No-Fasttrack
# Intended exemptions: the WireGuard listen port and the messaging ports that
# the mangle rules steer into the tunnel (this list additionally contains
# 5242, 5243 and 443, which the mangle rules do not mark).
# These match on dst-port only, i.e. the client-to-server direction.
add action=accept chain=No-Fasttrack disabled=yes dst-port=13231 protocol=udp
add action=accept chain=No-Fasttrack disabled=yes dst-port=\
    5242,5243,3478,34784,45395,50318,59234,5222,4244,5223,5228,443 protocol=\
    udp
add action=accept chain=No-Fasttrack disabled=yes dst-port=\
    5242,5243,3478,34784,45395,50318,59234,5222,4244,5223,5228,443 protocol=\
    tcp
# Per-device Internet blocks keyed on source MAC, all disabled. A client that
# changes its MAC address is no longer matched by these rules.
add action=drop chain=forward comment="black diamond " disabled=yes \
    src-mac-address=98:DA:C4:8B:A1:10
add action=drop chain=forward comment="Afzal end Wala " disabled=yes \
    src-mac-address=9C:53:22:04:49:2A
add action=drop chain=forward comment=mohsinnbro disabled=yes \
    src-mac-address=40:ED:00:4B:47:35
add action=drop chain=forward comment=naeem disabled=yes src-mac-address=\
    78:98:E8:6E:B7:C4
add action=drop chain=forward comment=room10 disabled=yes src-mac-address=\
    F4:F2:6D:59:E5:FC
add action=drop chain=forward comment="upper Wala new" disabled=yes \
    src-mac-address=48:22:54:55:C8:C7
add action=drop chain=forward comment="pata nahi" disabled=yes \
    src-mac-address=1C:3B:F3:C3:A1:DD
add action=drop chain=forward comment="pata nahi2" disabled=yes \
    src-mac-address=50:C7:BF:C2:A9:A2
add action=drop chain=forward comment="pata nahi3" disabled=yes \
    src-mac-address=D4:6E:0E:76:8F:51
# Policy routing: packets from the LAN (address list "out") to the listed
# destination ports get routing mark WhatsApp+imo, whose table sends them to
# wireguard1. One rule for TCP, one for UDP.
# The mark is applied per packet in prerouting. Fasttracked packets skip
# mangle, so once a connection is fasttracked its later packets are no
# longer marked and follow the main table (the PPPoE uplink) instead of the
# tunnel - the incompatibility the thread is about.
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=\
    3478,34784,45395,50318,59234,5222,4244,5223,5228 new-routing-mark=\
    WhatsApp+imo passthrough=yes protocol=tcp src-address-list=out
add action=mark-routing chain=prerouting dst-port=\
    3478,34784,45395,50318,59234,5222,4244,5223,5228 new-routing-mark=\
    WhatsApp+imo passthrough=yes protocol=udp src-address-list=out
/ip firewall nat
# Source NAT with no out-interface or address match: every new connection
# leaving through any interface is masqueraded. That covers both uplinks
# (PPPoE and wireguard1), but it also rewrites the source of inbound
# port-forwarded connections, so the internal servers below log the router's
# address instead of the real client address.
add action=masquerade chain=srcnat
# Port forwards. Each one matches a fixed public dst-address; four different
# addresses appear, which suggests the PPPoE address has changed over time -
# presumably rules pinned to an old address no longer match (verify).
# NOTE(review): with no enabled filter rules in this export, anything that
# matches a dst-nat rule is forwarded to the internal host unrestricted.
add action=dst-nat chain=dstnat comment="liteap ac" dst-address=86.97.25.76 \
    dst-port=1987 protocol=tcp to-addresses=192.168.100.246 to-ports=443
add action=dst-nat chain=dstnat comment=\
    "mohsinbro https://94.59.97.164:1981/" dst-address=86.97.25.76 dst-port=\
    1981 protocol=tcp to-addresses=192.168.100.57 to-ports=443
add action=dst-nat chain=dstnat comment="mohsin http://31.215.229.233:1988/" \
    dst-address=217.164.194.166 dst-port=1988 protocol=tcp to-addresses=\
    192.168.100.240 to-ports=8888
add action=dst-nat chain=dstnat comment=naeem disabled=yes dst-address=\
    217.164.195.94 dst-port=1989 protocol=tcp to-addresses=192.168.100.88 \
    to-ports=8081
# No dst-address or in-interface match: this rewrites the destination of
# every ICMP flow passing dstnat, including LAN hosts pinging Internet
# addresses, so those pings are answered by the router itself and no longer
# test the remote host.
add action=dst-nat chain=dstnat comment="speedup ping" protocol=icmp \
    to-addresses=192.168.100.1
# NOTE(review): forwards public TCP 2222 to port 80 on the router's own LAN
# address, i.e. the router's plain-HTTP management page, so a login made
# through it crosses the Internet unencrypted. Reaching management through
# the VPN, or at least restricting the rule by source address and using
# www-ssl, avoids that.
add action=dst-nat chain=dstnat comment="mikrotik " dst-address=86.97.25.76 \
    dst-port=2222 protocol=tcp to-addresses=192.168.100.1 to-ports=80
add action=dst-nat chain=dstnat comment=siddik dst-address=176.205.92.5 \
    dst-port=5555 protocol=tcp to-addresses=192.168.100.174 to-ports=8888
# Connection-tracking helpers: irc and rtsp are switched on, sip is off.
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
set rtsp disabled=no
/ip ipsec policy
set 0 disabled=yes
# Routes of the WhatsApp+imo table. Three default routes are defined:
#  - via wireguard1 (active, distance 1),
#  - via 192.168.222.1 with ping check (disabled),
#  - via gateway=*A, which looks like a reference to an interface that no
#    longer exists (presumably a leftover; verify and remove).
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=WhatsApp+imo scope=30 suppress-hw-offload=yes \
    target-scope=10
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=\
    192.168.222.1 pref-src="" routing-table=WhatsApp+imo scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=*A pref-src="" \
    routing-table=WhatsApp+imo scope=30 suppress-hw-offload=yes target-scope=\
    10
# Management services: telnet, ftp, ssh, api and api-ssl are turned off and
# www-ssl is turned on (no certificate setting is visible here).
# NOTE(review): www and winbox are not listed, so they are presumably at
# their defaults, and no address= restriction appears on any service.
# Together with the missing input-chain rules, confirm which of them are
# reachable from the WAN.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Dubai
/system identity
set name=tplink
/system note
set show-at-login=no
/tool graphing
set store-every=hour
# A sniffer streaming target is configured; whether streaming is actually
# enabled is not visible in this export - TODO confirm it is off.
/tool sniffer
set streaming-server=0.0.0.0:51820

Mangle and fasttrack are not compatible. When mangling is needed (I’m assuming you need it, as you created quite a few mangle rules), the easiest way out is to disable fasttrack completely. This in turn significantly reduces the router’s performance, and if the performance drop is unbearably large, you can enable fasttrack selectively. Or rather, exclude the traffic which has to be mangled from being fasttracked. This is, again, most easily achieved by creating a number of accept firewall filter rules whose selection criteria match the criteria of the mangle rules. These accept firewall filter rules have to be above the fasttrack rule.

You should only fasttrack “outer” traffic, not marked for wireguard
Two ways.

  1. Simple one. Create 2 rules for fasttrack, just like default one. But specify in\out interfaces as ether1\bridge1. And vice versa.
  2. Mark new connections for wireguard. Fasttrack ‘no-mark’.
    Lots of examples.

I used both with rb750gr3, both work fine, but second way I like more because I mark connections and mark routes for country ip based access.

Please make configuration for me I will just copy paste in mikrotik terminal please :pleading_face:

Method 1:

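# Method 1: fasttrack only the traffic that goes straight between the LAN
# bridge and the Internet uplink, one rule per direction. Traffic routed to
# wireguard1 matches neither rule and keeps passing through mangle.
# The uplink in the posted export is the PPPoE client interface named
# Main-WAN (running over ether1); forwarded packets are seen on Main-WAN,
# so that is the interface to match, not ether1.
# The comment uses plain double quotes; typographic quotes are not string
# delimiters in RouterOS and make the pasted command fail.
# These rules have to sit above any other forward rules that accept
# established/related traffic.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack not tunneled" connection-state=established,related disabled=no hw-offload=yes in-interface=bridge1 out-interface=Main-WAN

add action=fasttrack-connection chain=forward comment="fasttrack not tunneled" connection-state=established,related disabled=no hw-offload=yes in-interface=Main-WAN out-interface=bridge1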

That's it.

Method 2:

Disable your existing routing marks:
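# Method 2, step 1: switch off the two existing per-packet mark-routing
# rules (TCP and UDP, dst-port 3478,34784,45395,50318,59234,5222,4244,5223,5228,
# src-address-list=out). Pasting them again as "add ... disabled=yes" would
# only create disabled copies and leave the originals active, so the
# existing entries are disabled in place instead.
# Run this BEFORE adding the new mark-routing rules of the later step,
# because the find expression matches on the same routing mark.
/ip firewall mangle
disable [find action=mark-routing new-routing-mark="WhatsApp+imo"]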

Modify your previous routing marks to connection marks like this:
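# Method 2, step 2: mark the connection once, on its first packet
# (connection-state=new and not yet marked), for LAN sources in address list
# "out" going to the listed ports. One rule for TCP, one for UDP.
# The menu path is included so the lines can be pasted from the terminal root.
/ip firewall mangle
add action=mark-connection connection-mark=no-mark connection-state=new chain=prerouting dst-port=3478,34784,45395,50318,59234,5222,4244,5223,5228 new-connection-mark=cm_WhatsApp+imo passthrough=yes protocol=tcp src-address-list=out

add action=mark-connection connection-mark=no-mark connection-state=new chain=prerouting dst-port=3478,34784,45395,50318,59234,5222,4244,5223,5228 new-connection-mark=cm_WhatsApp+imo passthrough=yes protocol=udp src-address-list=out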

Now mark routing for marked connections:

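# Method 2, step 3: give every packet of a marked connection the
# WhatsApp+imo routing mark so it is routed to wireguard1.
# The prerouting rule is limited to LAN sources (src-address-list=out, the
# same list the original rules used). Without that match, reply packets
# arriving from the tunnel carry the same connection mark, would be marked
# as well, and would be looked up in the WhatsApp+imo table, whose only route
# points back into wireguard1, instead of being delivered to the LAN.
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=cm_WhatsApp+imo new-routing-mark=WhatsApp+imo passthrough=yes src-address-list=out

# Output chain covers packets generated by the router itself.
# NOTE(review): the connection mark is only assigned in prerouting for LAN
# sources, so this rule presumably rarely matches - confirm it is needed.
add action=mark-routing chain=output connection-mark=cm_WhatsApp+imo new-routing-mark=WhatsApp+imo passthrough=yes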



Add fasttrack rule for non-marked connections only:
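# Method 2, step 4: fasttrack only connections that carry no connection
# mark. Connections marked cm_WhatsApp+imo are skipped, so their packets keep
# passing through mangle and keep their routing mark.
# The comment uses plain double quotes; typographic quotes are not string
# delimiters in RouterOS and make the pasted command fail.
# The rule has to sit above any other forward rule that accepts
# established/related traffic.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related hw-offload=yes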

ps: use latest 7.13.1 ROS

Dear did u know I use this ports
dst-port=3478,34784,45395,50318,59234,5222,4244,5223,5228 for Whatsapp call with the help of wireguard

I did not get the message or question.
Please explain.

ps - for past 3-4 years I visit one gulf country 1-2 times a year. I tried ipsec\wireguard\ovpn, everything with 100% traffic over ipsec\wireguard\ovpn.
Nothing works fine.
I dont know how they did it but they did it perfectly. I mean voice is being perfectly erased each time I try over ipsec\wireguard\ovpn.
The only working solution for whatsapp voice call - xtls reality over https. Works fine.
But it has nothing to do with mikrotik.

Dear, this command is not working.