order of fasttrack

I am trying to create fast track for specific address lists.

I have seen both examples of it on the forum. With both versions CPU is lowered and I see the fasttrack counter incremented in IP/Settings.

Which one is supposed to be first?

With this version, I see both the fasttrack rule and the accept rule packet counters being incremented, not to exactly the same value but very close.

add action=fasttrack-connection chain=forward comment=\
    "fasttrack all communication from device networks" connection-state=\
    established,related hw-offload=yes log-prefix=DEVICE-NETWORKS \
    src-address-list=DEVICE-NETWORKS

add action=accept chain=forward comment=\
    "allow all communication from device networks" connection-state="" \
    log-prefix=DEVICE-NETWORKS src-address-list=DEVICE-NETWORKS

If I try this one, then the fasttrack rule packet counter doesn't get incremented at all. It stays at 0. Only the accept rule and the dummy counter are being incremented.

add action=accept chain=forward comment=\
    "allow all communication from device networks" connection-state="" \
    log-prefix=DEVICE-NETWORKS src-address-list=DEVICE-NETWORKS
add action=fasttrack-connection chain=forward comment=\
    "fasttrack all communication from device networks" connection-state=\
    established,related hw-offload=yes log-prefix=DEVICE-NETWORKS \
    src-address-list=DEVICE-NETWORKS

A few things to remember:

  • firewall filter rules are evaluated from top to bottom
    In the second case this means that the fasttrack rule never gets evaluated because it's "overshadowed" by the regular accept rule
  • it's a bit of a mystery as to how fasttrack rules work. One of the theories is that the fasttrack rule only marks the connection for fasttracking, but the packet triggering the rule still has to be processed by subsequent rules, hence the need for a "regular" accept rule which covers all cases where the fasttrack rule executes. Another theory is that a small portion of fasttracked packets still pass the normal (slow) path for evaluation of connection tracking rules and stats … again requiring a "regular" accept rule.
    Subsequent packets, belonging to fasttracked connections, bypass the firewall altogether (and it is hence impossible to "un-fasttrack" a connection) … which includes the fasttrack firewall filter rule
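To make the ordering point concrete, here is a small Python model of the forward chain that I added for illustration; it is not MikroTik's implementation and not code from anyone in this thread. It follows the first theory above (a fasttrack-connection match marks the connection and the packet continues down the chain; later packets of a marked connection skip the chain), and the address list and traffic are constructed stand-ins.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the DEVICE-NETWORKS address list
DEVICE_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Mirrors the two rules in the thread: fasttrack needs established/related,
# the accept rule has connection-state="" (matches any state).
FASTTRACK_RULE = {"action": "fasttrack-connection",
                  "conn_state": {"established", "related"}}
ACCEPT_RULE = {"action": "accept", "conn_state": None}

def matches(rule, pkt, state):
    """src-address-list=DEVICE-NETWORKS plus the rule's connection-state."""
    if not any(ipaddress.ip_address(pkt["src"]) in n for n in DEVICE_NETWORKS):
        return False
    return rule["conn_state"] is None or state in rule["conn_state"]

def run_chain(rules, packets):
    """Push packets through a forward chain; return per-action packet counters."""
    counters = Counter()
    tracked = set()      # connections conntrack has already seen
    fasttracked = set()  # connections marked by fasttrack-connection
    for pkt in packets:
        conn = pkt["conn"]
        if conn in fasttracked:
            continue     # fast path: skips the filter chain entirely
        state = "established" if conn in tracked else "new"
        tracked.add(conn)
        for rule in rules:               # evaluated top to bottom
            if not matches(rule, pkt, state):
                continue
            counters[rule["action"]] += 1
            if rule["action"] == "fasttrack-connection":
                fasttracked.add(conn)    # mark; this packet keeps traversing
            else:
                break                    # accept ends traversal for this packet
    return counters

def sample_traffic(n_conns=3, pkts_per_conn=5):
    """Constructed traffic: n_conns flows from device hosts, 5 packets each."""
    return [{"conn": c, "src": f"10.10.1.{c}"}
            for c in range(1, n_conns + 1) for _ in range(pkts_per_conn)]

if __name__ == "__main__":
    for name, order in (("fasttrack first", [FASTTRACK_RULE, ACCEPT_RULE]),
                        ("accept first", [ACCEPT_RULE, FASTTRACK_RULE])):
        print(name, dict(run_chain(order, sample_traffic())))
```

With the fasttrack rule first, both counters move and the accept counter is ahead by exactly the number of new-connection packets, which connection-state=established,related never matches; with the accept rule first, the fasttrack counter stays at 0 because every packet is accepted before reaching it.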

So I understand go with option 1?

Exactly.