Multiple upstreams, NAT and FastTrack

I have a system with three upstreams, which are of varying reliability (often don’t go hard down, but show problems). I have successfully scripted code which alters the preference of these providers in the routing table. Furthermore, I want to ensure that when the routing table is changed, neither inbound nor outbound connections (DNAT and SNAT respectively) are affected - i.e. that they only affect new connections. I have successfully achieved this by marking the connection with one of three tags when the connection is new, then using the appropriate routing table (by setting a routing mark) on egress to ensure outbound packets go to the right line (i.e. I route the packets by priority, but have routing table entries that kick in first for the various routing marks). This works fine too, and also means that when a previously broken upstream comes back up, it does not “suck” established connections back to its (now higher priority) connection.

The problem is FASTTRACK. As far as I can tell Fast Path only works on the main routing table so is not compatible with the policy routing described above. I.e. while it all works with no FASTTRACK rule, it fails with FASTTRACK turned on. This isn’t awful for outbound connections as they seem to retry enough to keep them alive, but for inbound connections it’s terrible, as only the inbound IP that happens to be the highest priority for the time being works. I can’t simply only FASTTRACK connections that have no routing mark, because everything that is already established has a routing mark. Equally I can’t do the “normal” thing and ensure that the ‘default provider’ has no mark, because there isn’t a ‘default provider’. Inbound connections are sufficiently rare that I thought I could move all these off FASTTRACK - but that would require 3 more connection marks (for the inbound connections) and a fair amount of complication, and really isn’t solving the issue.

I think the real issue is that I want some form of policy routing (per connection) to work with FASTTRACK. Any ideas on how to do that?

Aside: having a per-connection primitive to disable FASTTRACK forever on that connection would be super useful (using conn-mark means you can’t then use conn-mark for anything else).

Currently running 7.13 on this router; will be upgrading it to 7.21 tomorrow when there is someone on site (just in case), but AFAICT there is no difference.

Fasttrack doesn't really work with policy routing. To be exact, the mangle mark-routing is what's not working; the routing rules are executed even in fasttrack. But that's exactly what you would need so...

The idiomatic way to handle your situation is to fasttrack only connections that use the main routing table. This is easily done by simply modifying your fasttrack rule(s). If it gets complex, simply use an entire custom chain devoted to fasttrack.

The possibility of having more than one connection mark on a single connection is there in the kernel, but Mikrotik decided not to expose this. My guess is that this was done mostly for simplicity (and I tend to agree.) Listing all connection marks that can be fasttracked is not a huge burden.

In fact my usual way of doing these things is to simply not mark connections that should be fasttracked and use the no-mark matcher in the fasttrack rule. Of course this may not work in more complex cases where you use connection marks for non-routing things as well, e.g. queueing.
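Below is an added RouterOS 7 configuration sketch illustrating the two posts above (per-connection marks that pin replies to the uplink they arrived on, plus a fasttrack rule set that only touches connections the main table decides). It is example config, not either poster's configuration. It assumes two uplinks (ether1 behind 192.0.2.1 as the default in the main table, ether2 behind 198.51.100.1 reached through a routing table named via-isp2), a LAN bridge named bridge1, and the connection-mark names conn-isp1/conn-isp2; the addresses are documentation ranges, and all names are assumptions. Extending it to three uplinks is a matter of adding one more routing table, route, mark-connection and mark-routing rule per uplink.

```routeros
# Added example (not the posters' config). Assumed names: ether1/ether2 = WAN,
# bridge1 = LAN, via-isp2 = policy routing table, conn-isp1/conn-isp2 = marks.

# RouterOS 7 requires the routing table to exist before a route can use it.
/routing table
add name=via-isp2 fib

/ip route
# main table: isp1 preferred, isp2 as fallback (the preference script would edit these)
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 comment="isp1 (default)"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="isp2 (fallback)"
# policy table: always leaves via isp2, regardless of what main currently prefers
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via-isp2 comment="pinned to isp2"

/ip firewall mangle
# Tag every new connection with the uplink it belongs to; this is done once,
# in prerouting, so the tag is fixed for the lifetime of the connection.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=conn-isp1 passthrough=no
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=conn-isp2 passthrough=no
# Only connections that must NOT follow main get a routing mark. conn-isp1 is
# left alone: it follows the main table and is therefore fasttrack-safe.
add chain=prerouting in-interface=bridge1 connection-mark=conn-isp2 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no
add chain=output connection-mark=conn-isp2 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no

/ip firewall filter
# Send established/related traffic through a dedicated chain that decides
# which connections may be fasttracked, then accept as usual.
add chain=forward connection-state=established,related \
    action=jump jump-target=fasttrack-candidates
add chain=forward connection-state=established,related action=accept
# Fasttracked packets bypass mangle, so a routing mark would never be applied
# to them. Therefore: only marks whose forwarding is decided by the main table
# go here. conn-isp2 is deliberately absent.
add chain=fasttrack-candidates connection-mark=no-mark action=fasttrack-connection
add chain=fasttrack-candidates connection-mark=conn-isp1 action=fasttrack-connection
add chain=fasttrack-candidates action=return
```

To confirm the split is behaving, `/ip firewall connection print` should show the F (fasttrack) flag on conn-isp1 connections only, while conn-isp2 connections keep hitting the mangle rules (their counters keep rising). If the main-table preference is later flipped so that isp2 becomes the default, the marks that are fasttrack-safe flip with it, which is exactly the trade-off the reply describes: whatever the main table decides can be fasttracked, anything that depends on a routing mark cannot.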