No traffic through forward fasttrack or forward established|related [solved]

I have an older RB1100AH that I had reset.

I put the standard fasttrack connection with hardware offload and accept established,related at the top of my forward firewall filter rules.

I also have the standard forward accept from LAN

And then the standard forward drop from WAN not dst-nat.

I also have the srcnat masquerade out WAN.

But strangely, I can not get any connectivity to WAN from LAN. When I try a ping, the ping goes out but I never receive the reply until I disable the last forward drop-from-WAN rule.

My fasttrack counter never increases, same with the accept forward established related that stays at zero.

What am I missing? Why is established/related not detected for the returned traffic?

I checked the IP settings; allow fast path is checked.

Any clue what to check?

# 2025-11-02 08:52:38 by RouterOS 7.20.2
#
# model = RB1100AH

/interface bridge add name=bridge_inside port-cost-mode=short
/interface ethernet set [ find default-name=ether1 ] name=eth1-internet
/interface list add name=WAN
/interface list add name=LAN

/ip pool add name=dhcp_inside ranges=192.168.50.96/27
/ip dhcp-server add address-pool=dhcp_inside interface=bridge_inside lease-time=12h name=inside

/interface bridge port add bridge=bridge_inside ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge_inside ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/ip firewall connection tracking set udp-timeout=10s
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192 soft-max-neighbor-entries=8191
/interface list member add interface=eth1-internet list=WAN
/interface list member add interface=bridge_inside list=LAN

/ip address add address=192.168.50.1/24 interface=bridge_inside network=192.168.50.0
/ip dhcp-client add interface=eth1-internet

/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related connection-type="" hw-offload=yes
/ip firewall filter add action=accept chain=forward connection-state=established,related connection-type=""
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="dst nat from WAN" connection-nat-state=dstnat in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="exit rule" in-interface=bridge_inside out-interface=eth1-internet
/ip firewall filter add action=accept chain=forward comment="inter LAN" in-interface=bridge_inside
/ip firewall filter add action=accept chain=forward connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward
/ip firewall filter add action=drop chain=input connection-state=invalid
/ip firewall filter add action=accept chain=input in-interface-list=LAN
/ip firewall filter add action=accept chain=input connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input disabled=yes in-interface-list=WAN
/ip firewall filter add action=drop chain=input disabled=yes
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

/ipv6 firewall filter add action=drop chain=forward
/ipv6 firewall filter add action=drop chain=input
/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

Set add-default-route=yes for the DHCP client?

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    comment="internet traffic"
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding"
add action=drop chain=forward comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"  { put this rule here but last of all rules created }
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Fix this! The field should be cleared, not set to the empty string "". In WinBox, click on the triangle up-arrow to clear the field (make it greyed out).


Do that for both the fasttrack and the accept established,related rules.

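To catch this kind of misconfiguration before it costs hours, the exported config can be linted offline. The following script is an added example, not code from the thread or from MikroTik: it parses `/ip firewall filter add` lines from an export (a constructed sample in the same shape as the one above, not the poster's exact file), flags any matcher that was saved as the empty string `""` instead of being left unset, and, treating such rules as non-matching, reports a forward-chain catch-all drop that has no effective established,related accept ahead of it, which is exactly the symptom the poster saw. The set of keys treated as non-matchers is an assumption of this example.

```python
"""Lint an exported RouterOS firewall filter for rules that cannot match as intended.

Added example (not from the thread or from MikroTik). It re-creates the thread's
misconfiguration on constructed sample rules and reports it.
"""
import shlex

# Assumption of this example: these keys describe the rule itself, not the packets it matches.
NON_MATCHER_KEYS = {"action", "chain", "comment", "disabled", "hw-offload",
                    "log", "log-prefix", "place-before", "jump-target"}

# Constructed sample export in the shape the thread shows (not the poster's exact file).
SAMPLE_EXPORT = """
# model = RB1100AH (constructed sample)
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related connection-type="" hw-offload=yes
/ip firewall filter add action=accept chain=forward connection-state=established,related connection-type=""
/ip firewall filter add action=drop chain=forward connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="exit rule" in-interface=bridge_inside out-interface=eth1-internet
/ip firewall filter add action=drop chain=forward
"""

PREFIX = "/ip firewall filter add"


def parse_rules(export_text):
    """Return one dict per '/ip firewall filter add' line, key -> value (quotes stripped)."""
    rules = []
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        rule = {}
        for token in shlex.split(line[len(PREFIX):]):
            key, _, value = token.partition("=")
            rule[key] = value          # connection-type="" arrives here as ""
        rules.append(rule)
    return rules


def matchers(rule):
    """Matcher fields of a rule: everything that narrows which packets it applies to."""
    return {k: v for k, v in rule.items() if k not in NON_MATCHER_KEYS}


def has_empty_matcher(rule):
    """True if any matcher was saved as "" (set to empty string) rather than left unset."""
    return any(v == "" for v in matchers(rule).values())


def lint_rules(rules):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    findings = []
    for i, rule in enumerate(rules):
        for key, value in matchers(rule).items():
            if value == "":
                findings.append(f'rule {i}: {key}="" is an empty string, not an unset field; '
                                f'the rule will not match as intended (clear the field)')

    forward = [(i, r) for i, r in enumerate(rules) if r.get("chain") == "forward"]
    # An accept for established,related only counts if none of its matchers is broken.
    effective_accept = [i for i, r in forward
                        if r.get("action") == "accept"
                        and "established" in r.get("connection-state", "")
                        and not has_empty_matcher(r)]
    fasttrack = [i for i, r in forward if r.get("action") == "fasttrack-connection"]
    catchall = [i for i, r in forward if r.get("action") == "drop" and not matchers(r)]

    if catchall:
        first_drop = catchall[0]
        if not any(idx < first_drop for idx in effective_accept):
            findings.append(f"chain forward: catch-all drop at rule {first_drop} has no effective "
                            f"established,related accept before it; reply traffic is dropped")
    for ft in fasttrack:
        if not any(idx > ft for idx in effective_accept):
            findings.append(f"rule {ft}: fasttrack-connection needs a following accept for "
                            f"established,related; packets not handled by fasttrack fall through")
    return findings


def lint_export(export_text):
    """Parse and lint an export in one call."""
    return lint_rules(parse_rules(export_text))


if __name__ == "__main__":
    for finding in lint_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against the output of `/export` saved to a file; with the two `connection-type=""` occurrences removed from the sample, it reports nothing, which is the state the fix in this thread produces.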

Nice catch, not the first time this kind of misconf. comes up? What’s going on here…

That did it and that makes sense… I probably went through that setting ten times without noticing it…

Thanks for the proofreading… I have set up hundreds of MikroTik routers from scratch and I was starting to lose my sanity.


Are there any things either misconfigured or left behind between versions?