No fasttrack on HAP AX2 ?

sas2k · October 25, 2024, 7:58pm

Hello Dear Friends.
Set up new HAP AX2 with same config as RB4011 & rb750gr3.
No wireless package, only ROS 7.16.1 installed.
Traffic processed between ethernet port 1 & 2.
Faced with strange issues with firewall fasttrack rule and finally disabled it.
Without firewall fasttrack rule everything works fine.

Noticed there is “IPv4 Fasttrack Active” always disabled which is different comparing to RB4011 or rb750gr3. (see pic below).
Is it due to Fasttrack is unsupported with HAP AX2?
Or I can thange something to enable for ethernet ports ?
https://wiki.mikrotik.com/Manual:IP/Fasttrack

Thank you in advance !

anav · October 25, 2024, 8:03pm

Sounds like a mis configuration perhaps… however no facts, no comment.

sas2k · October 25, 2024, 8:18pm

sorry
here it is
config.rsc (9.33 KB)

kleshki · October 25, 2024, 8:54pm

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related disabled=yes \
    hw-offload=yes

disabled=yes

anav · October 25, 2024, 9:32pm

Kleshki, one needs to actually read the OPs post, he stated that in the end he disabled the rule, so it should be no surprize to find it ‘disabled’.

I would tend to find other things’out of the ordinary’

1 - Being a DNS idiot, but this looks funny to me…
/ip dns
set allow-remote-requests=yes use-doh-server=https://dns.google/dns-query
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=8.8.8.8 name=dns.google type=A
add address=8.8.4.4 name=dns.google type=A

Assuming that for google DOH, one needs to reach the unencrypted google DNS service first and thus the reason for the 2nd, 3rd static rules ???
But why do you need the first rule for 192.168.88.1 ???

2. Why is your rule structured like this…
add action=accept chain=input dst-address-list=myIP **dst-port=8291,**443
protocol=tcp

You have an IP address for the WANIP of the router, so I assumed its a fixed/static Private IP???
If its not then it should be entered via IP DHCP client or pppoe client etc…

Why do you open up your winbox port open to the internet??? Not a good idea, it should be accessed locally from the LAN or after reaching the router through a VPN.
I mean why have back to home Wireguard and then do this??

Possible winner! Your fastrack rule makes sense to me in that you have added no-mark, so I expect to find some mangling.
But why on earth are you butchering the standard forward chain accept established,related,untracked rule ???

add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-mark=no-mark
connection-state=established,related,untracked routing-mark=main

Looking at your mangling it looks like you want all traffic heading out the WAN for anything other than specific WANIPs, to use the special table instead.
Okay thats reasonable. Adjusted slightly in order and changed/removed some things ( no need for output chain )!! Misconfiguration also may cause some issues.

/ip firewall mangle
add action=change-mss chain=forward comment=“clamp to pmtu” new-mss=
clamp-to-pmtu out-interface=l2tp-out1 passthrough=yes protocol=tcp
tcp-flags=syn
add action=mark-connection chain=forward connection-mark=no-mark
dst-address-list=!XX dst-address-type=!local in-interface-list=LAN
new-connection-mark=conn_ipsec1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_ipsec1
new-routing-mark=ipsec1 passthrough=no

(no requirement for new connection on mark-connection rule and forward chain is more accurate)
(no requirement for in-interface–list=LAN on mark-routing rule)
(passthrough=no for mark-routing rule)

Distance on the Special Table route rule is meaningless ( in fact for both route rules ) as there are no other routes available for either table.
Not critical but if IVP6 is not being used.
/ipv6 settings
set disable-ipv6=yes

Then copy ipv6 firewall rules and address lists to a file for potential later use and REMOVE. Replace with
add chain=input action=drop
add chain=forward action=drop

Same with insecure protocol access (mac-server only) to winbox modify the below to:
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Other observations, confirming that you are connecting to a router service https (www=ssl) I suppose to supplement wireguard connectivity to configure the router maybe ???

chechito · October 25, 2024, 9:44pm

i have one hAP ax2 deployed on customer premises with ros 7.13.5 and shows fast-track working ok

kleshki · October 25, 2024, 10:10pm

@anav I expected to see a config with fasttrack enabled and checkbox disabled for the situation to be strange. Now I only see disabled fasttrack and disabled checkbox as a result. OP should try reboot. As for your question in n.1

add address=192.168.88.1 comment=defconf name=router.lan type=A

is actually needed for traceroutes to resolve first hop. So when you trace from PC or whatever behind router, you see “1. 192.168.88.1 router.lan”.

anav · October 26, 2024, 1:06am

So its not needed for normal traffic then…its a testing tracing tool support …

sas2k · October 26, 2024, 6:28am

Anav, thank you for thorough investigations!

enabling\disabling fasttrack rule , makes no effect on that status, “IPv4 Fasttrack Active” always disabled - pic above.
Am I right that its due to no support of ethernet fasttrack on HAP AX2?
https://wiki.mikrotik.com/Manual:IP/Fasttrack
Quote: “All devices wireless interfaces, if wireless-fp, wireless-cm2, wireless-rep or wireless (starting from 6.37) package used”
My guess - there no support for ethernet ports on this device.
Only wifi interfaces when wifi package is present.
But I removed wifi packages.

You are right , it was my mistake.
But again, no effect to “IPv4 Fasttrack Active” - always disabled

Could you please explain, why should I mark already not new connections ? They already marked before as “new”.
Could you please explain, why forward more accurate than the prerouting ?
Could you please explain, why I do not need for output ? (My router itself requests doh thru l2tp-out1 !)

sas2k · October 26, 2024, 6:48am

Enabling\disabling this rule obviously produces no effect to “IPv4 Fasttrack Active” - always disabled.
Just check with your device to be sure.
The problem I think is global:
https://wiki.mikrotik.com/Manual:IP/Fasttrack
Quote: “All devices wireless interfaces, if wireless-fp, wireless-cm2, wireless-rep or wireless (starting from 6.37) package used”.
My guess - there is no support for ethernet ports on this device.
Only wifi interfaces when wifi package is present.
But I removed wifi packages.

sas2k · October 26, 2024, 6:53am

May be due to wifi packages present ?

https://wiki.mikrotik.com/Manual:IP/Fasttrack

RouterBoard Interfaces
RB6xx series ether1,2
RB7xx series all ports
RB800 ether1,2
RB9xx series all ports
RB1000 all ports
RB1100, RB1000AHx2 ether1-11
RB1000AHx2 all ports
RB2011 series all ports
RB3011 series all ports
RB4011 series all ports
CRS series routers all ports except management interface (if the device has one)
CCR series routers all ports except management interface (if the device has one)
All devices wireless interfaces, if wireless-fp, wireless-cm2, wireless-rep or wireless (starting from 6.37) package used