problem with fasttrack

I have the following problem: I have two WAN connections configured with routing marks to provide internet to different local networks. To reduce CPU load I activated fasttrack, but it only works correctly on one of the WANs; on the other, packets are dropped and traffic on that WAN never recovers.
I would appreciate any opinion or idea about what may be happening.

/ip firewall mangle

add action=accept chain=prerouting comment="ACCESO A SERVICIOS " dst-address=\
    10.10.0.0/24
add action=accept chain=prerouting comment="ACCESO A SERVICIO VOIP " \
    dst-address=192.168.0.0/21
add action=accept chain=prerouting comment="ACCESO UNMS" dst-address=\
    0.0.0.0/0 src-address=10.10.0.58
add action=accept chain=prerouting comment="ACCESO ACS" dst-address=0.0.0.0/0 \
    src-address=10.10.0.26
add action=accept chain=prerouting comment="ACCESO HOST BANCARIO" \
    dst-address-list=Host_Bancario src-address-list=POOL_PPPoE
add action=accept chain=prerouting comment=\
    "ACCESO CLIENTES A Server SpeedTest" dst-address=38.41.0.100 dst-port=\
    80,443,8080 protocol=tcp src-address-list="REDES LOCALES"
add action=accept chain=prerouting comment=\
    "ACCESO CLIENTES A Servicios Locales" dst-address-list=POOL_PPPoE \
    src-address=10.10.0.0/24
add action=accept chain=prerouting comment=\
    "ACCESO A RED BASE desde Redes_Administrativas" dst-address-list=\
    Redes_Administrativas src-address=10.10.0.0/24
add action=accept chain=prerouting comment=\
    "ACCESO A ANTENAS desde Redes_Administrativas" dst-address-list=\
    Redes_Administrativas src-address-list=IpAntenas
add action=accept chain=prerouting comment=\
    "ACCESO A ROUTERS CLIENTES desde Redes_Administrativas" dst-address-list=\
    Redes_Administrativas src-address-list=POOL_PPPoE
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Red Gestion" dst-address-list="!REDES LOCALES" \
    new-routing-mark=TO_INTER passthrough=no src-address=192.168.148.0/23
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Salida para_200.8.121.36" disabled=yes dst-address=\
    0.0.0.0/0 new-routing-mark=TO_INTER passthrough=no src-address-list=\
    para_200.8.121.36
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Salida para_38.41.0.100" disabled=yes dst-address=\
    0.0.0.0/0 new-routing-mark=TO_MDS passthrough=no src-address-list=\
    para_38.41.0.100
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Salida para_INTER" dst-address=0.0.0.0/0 \
    new-routing-mark=TO_INTER passthrough=no src-address-list=para_INTER
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Salida para_MDS" dst-address=0.0.0.0/0 \
    new-routing-mark=TO_MDS passthrough=no src-address-list=para_MDS
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Ips INTER" new-routing-mark=TO_INTER passthrough=no \
    src-address=190.142.231.108/30
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Ips INTER" new-routing-mark=TO_INTER passthrough=no \
    src-address=200.8.121.36/30
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Ips MDS" new-routing-mark=TO_MDS passthrough=no \
    src-address=38.41.0.96/28
add action=mark-routing chain=prerouting comment=\
    "POLITICAS SALIENTES__Ips Servicios Locales" new-routing-mark=TO_MDS \
    passthrough=no src-address=10.10.0.0/24

/ip firewall nat
add action=masquerade chain=srcnat comment="Enmascarado__Host Bancario" \
    dst-address-list=Host_Bancario to-addresses=192.168.88.1
add action=src-nat chain=srcnat comment="Enmascarado__to AddressList" \
    dst-address-list="!REDES LOCALES" src-address-list=src-nat to-addresses=\
    38.41.0.100
add action=src-nat chain=srcnat comment="_Enmascarado__Red Wisp Mapuey" \
    out-interface=Sfp-sfpplus1-vlan-2018_LINK_MDS src-address=10.20.1.0/30 \
    to-addresses=38.41.0.111
add action=src-nat chain=srcnat comment="_Enmascarado__Red Wisp LaFe" \
    disabled=yes out-interface=Sfp-sfpplus1-vlan-2018_LINK_MDS src-address=\
    10.20.2.0/28 to-addresses=38.41.0.111
add action=src-nat chain=srcnat comment="_Enmascarado__RedWisp Preyes" \
    disabled=yes out-interface=Sfp-sfpplus1-vlan-2018_LINK_MDS src-address=\
    10.20.3.0/30 to-addresses=38.41.0.111
add action=src-nat chain=srcnat comment=\
    "__Enmascarado__src- address-list__to_38.41.0.100/32" out-interface=\
    Sfp-sfpplus1-vlan-2018_LINK_MDS src-address-list=para_38.41.0.100 \
    to-addresses=38.41.0.100
add action=src-nat chain=srcnat comment=\
    "___Enmascarado__Red  FTTH____to_38.41.0.104/30" out-interface=\
    Sfp-sfpplus1-vlan-2018_LINK_MDS src-address-list="Pool_red FTTH" \
    to-addresses=38.41.0.104/30
add action=src-nat chain=srcnat comment=\
    ____Enmascarado__General______to_38.41.0.108/30 out-interface=\
    Sfp-sfpplus1-vlan-2018_LINK_MDS src-address-list="Pool_red GENERAL" \
    to-addresses=38.41.0.108/30
add action=src-nat chain=srcnat comment="_____Enmascarado__Red Gestion" \
    dst-address-list="!REDES LOCALES" out-interface=\
    Sfp-sfpplus1-vlan-2018_LINK_MDS src-address=192.168.148.0/23 \
    to-addresses=38.41.0.107
add action=src-nat chain=srcnat comment="_Enmascarado__RedWisp Mapuey" \
    out-interface=sfp-sfpplus2_to__LINK-INTER src-address=10.20.1.0/30 \
    to-addresses=190.142.231.110
add action=src-nat chain=srcnat comment="_Enmascarado__Red Wisp LaFe" \
    out-interface=sfp-sfpplus2_to__LINK-INTER src-address=10.20.2.0/28 \
    to-addresses=190.142.231.110
add action=src-nat chain=srcnat comment="_Enmascarado__RedWisp Preyes" \
    disabled=yes out-interface=sfp-sfpplus2_to__LINK-INTER src-address=\
    10.20.3.0/30 to-addresses=190.142.231.110
add action=src-nat chain=srcnat comment=\
    "__Enmascarado__src- address-list__to_200.8.121.36/32" out-interface=\
    sfp-sfpplus2_to__LINK-INTER src-address-list=para_200.8.121.36 \
    to-addresses=200.8.121.36
add action=src-nat chain=srcnat comment=\
    "___Enmascarado__Red  FTTH____to_190.142.231.108/30" out-interface=\
    sfp-sfpplus2_to__LINK-INTER src-address-list="Pool_red FTTH" \
    to-addresses=190.142.231.108/30
add action=src-nat chain=srcnat comment=\
    ____Enmascarado__General______to_190.142.231.108/30 out-interface=\
    sfp-sfpplus2_to__LINK-INTER src-address-list="Pool_red GENERAL" \
    to-addresses=190.142.231.108/30
add action=src-nat chain=srcnat comment="_____Enmascarado__Red Gestion" \
    dst-address-list="!REDES LOCALES" out-interface=\
    sfp-sfpplus2_to__LINK-INTER src-address=192.168.148.0/23 to-addresses=\
    200.8.121.36

Fasttrack and mangle are mutually exclusive.

Now, you can keep using fasttrack for traffic which doesn’t have to be mangled by adding an accept rule (which accepts the traffic to be mangled) and placing it above the fasttrack rule. This way traffic to be mangled won’t escape being mangled via fasttrack; instead it’ll take the normal (slow) track through all the firewall twists, one of them being mangle.

Given that all your mangle rules except one only match on addresses and address-lists, it might be possible, depending on the complexity of the address lists, to use routing rules instead of mangle ones. While most packets belonging to fasttracked connections skip the mangle rules, they do not skip the routing ones.
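Added illustration, not from the thread, of the accept-before-fasttrack ordering described above, applied to two of the poster's mangled source networks (192.168.148.0/23 and 10.10.0.0/24, taken from the posted mangle rules). The address list MANGLED_NETS and the filter rules themselves are assumptions; matching both directions matters because a reply packet reaching fasttrack-connection would fasttrack the whole connection.

```routeros
# Added example, not part of the thread. Keep connections that need a
# routing mark off the fast path so every packet still passes mangle.
/ip firewall address-list
add list=MANGLED_NETS address=192.168.148.0/23 comment="Red Gestion"
add list=MANGLED_NETS address=10.10.0.0/24 comment="Servicios Locales"

/ip firewall filter
# 1. Accept both directions of those connections BEFORE fasttrack. A
#    connection is only fasttracked by a packet hitting the
#    fasttrack-connection rule, so neither the outbound nor the reply
#    packets may ever reach it.
add chain=forward action=accept src-address-list=MANGLED_NETS \
    comment="no fasttrack: traffic that must be mangled (out)"
add chain=forward action=accept dst-address-list=MANGLED_NETS \
    comment="no fasttrack: traffic that must be mangled (back)"
# 2. Everything else that is established/related takes the fast path.
add chain=forward action=fasttrack-connection \
    connection-state=established,related comment="fasttrack"
add chain=forward action=accept \
    connection-state=established,related comment="accept est/rel"

# Check: after some traffic, no connection from the MANGLED_NETS
# addresses should carry the F (fasttrack) flag.
/ip firewall connection print where fasttrack=yes
```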

I appreciate your contributions; could you give me some example of your approaches?
I understood that the prerouting chain was above forward, and that what was executed in mangle under the forward chain was executed before fasttrack. I also wonder why fasttrack does work with the WAN marked as MDS.

The very essence of fasttrack is that most packets belonging to fasttracked connections skip quite a few stages of firewall processing, including mangle.


Let’s assume the following initial state:
/routing/table/add table=sometable
/ip/firewall/address-list
add list=somelist address=192.168.10.0/24
add list=somelist address=10.30.0.0/16
/ip/firewall/mangle add chain=prerouting dst-address-list=somelist action=mark-routing new-routing-mark=sometable

A configuration with the same ultimate effect but compatible with fasttracking looks as follows:
/routing/table/add table=sometable
/routing/rule
add dst-address=192.168.10.0/24 action=lookup table=sometable
add dst-address=10.30.0.0/16 action=lookup table=sometable

The matching possibilities of routing rules are very limited as compared to those of the firewall rules, so if your address lists contain tens of addresses/prefixes, this approach may be too complicated.
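Added example, not from the thread: the approach above carried through on the poster's own address-only mangle rules, rewritten as /routing/rule entries. Assumptions: RouterOS v7 syntax as in the reply, routing tables TO_INTER and TO_MDS already created and holding each WAN's default route, and that 10.10.0.0/24 and 192.168.0.0/21 (prefixes from the posted accept rules) are members of "REDES LOCALES"; the para_INTER and para_MDS lists would have to be expanded into one src-address rule per prefix in the same way.

```routeros
# Added example, not part of the thread. Mangle marks replaced by routing
# rules so that fasttracked packets still get per-source WAN selection.
/routing/rule
# Routing rules cannot negate a match, so the
# dst-address-list="!REDES LOCALES" exclusion becomes explicit rules that
# resolve local destinations in main before any WAN table is consulted.
# One rule per local prefix; add the remaining REDES LOCALES members too.
add dst-address=10.10.0.0/24 action=lookup-only-in-table table=main \
    comment="local to local stays in main"
add dst-address=192.168.0.0/21 action=lookup-only-in-table table=main \
    comment="local to local stays in main"
# Red Gestion -> INTER (was: mark-routing src-address=192.168.148.0/23)
add src-address=192.168.148.0/23 action=lookup table=TO_INTER \
    comment="POLITICAS SALIENTES__Red Gestion"
# Servicios Locales -> MDS (was: mark-routing src-address=10.10.0.0/24)
add src-address=10.10.0.0/24 action=lookup table=TO_MDS \
    comment="POLITICAS SALIENTES__Ips Servicios Locales"
# Traffic sourced from each WAN's own addresses leaves via that WAN
add src-address=190.142.231.108/30 action=lookup table=TO_INTER \
    comment="POLITICAS SALIENTES__Ips INTER"
add src-address=200.8.121.36/30 action=lookup table=TO_INTER \
    comment="POLITICAS SALIENTES__Ips INTER"
add src-address=38.41.0.96/28 action=lookup table=TO_MDS \
    comment="POLITICAS SALIENTES__Ips MDS"
```

Rules are evaluated top to bottom, so the local-destination rules must stay first; with action=lookup a table that has no matching route falls through to the next rule, which is why a WAN table holding only a default route still needs the exclusions above it.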

Thanks, I will put this approach to the test. I have never used lookup, but basically my interest in using fasttrack comes from the need to lower the load on the processor. Knowing the configuration that I shared, what would be the most effective or viable way to achieve this goal?

It’s not only your interest, it’s the very reason why fasttracking has been implemented.


Not sure what you are asking. If you need to use mangle rules together with fasttracking, you have to carefully plan them so that the largest part of the total traffic would not need any routing mark and therefore could benefit from fasttracking. If you, theoretically, wanted to distribute traffic evenly between two WANs by means of mangle rules, only half of the traffic volume would benefit from fasttracking. Try reading http://forum.mikrotik.com/t/static-default-route-im-missing-something/119183/9 .

What I mean is, do you know how I can lower the processor usage more efficiently?

More efficiently than using fasttrack? If you did not need NAT and you did not need to provide any kind of packet filtering to forwarded traffic, you could empty chain forward in firewall filter and use rules in the raw table to let transit traffic skip connection tracking. Or even disable connection tracking completely if you had a dedicated interface for management so you could set up the input firewall without relying on connection-state. But since you use NAT and NAT is executed in the connection tracking, there’s no way.

In my case it is necessary to use NAT, since this would be the edge or core router that provides Internet access to all users.

As said, if NAT is required, fasttrack is the maximum optimisation you can get.

I chose to use routing rules and left out mangle, so I could use fasttrack without a problem. Grateful.

I was able to optimize the CPU and now I have lower usage. I am now thinking about activating L3 HW Offloading, any suggestions?

Which device are you using?

CCR 2116