Hello Dear Friends! Again my voice is at the door…
So I have a pretty simple setup.
RB4011 (ROS 7.11) is connected via SFP via PPPoE to the internet.
RB4011 has got an L2TP/IPsec client + a mangle rule that marks routing for some connections not included in an IP address list.
/interface l2tp-client
add allow=mschap2 connect-to=ip address of remote IPSEC VPN dial-on-demand=yes disabled=no
keepalive-timeout=30 max-mru=1400 max-mtu=1400 name=l2tp-out1 use-ipsec=
yes user=vpnuser
/interface pppoe-client
add add-default-route=yes allow=mschap2 default-route-distance=2 disabled=no
interface=sfp-sfpplus1 name=pppoe-out1 user=xxxxxxx
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=
192.168.0.0
/ip dhcp-client
add add-default-route=special-classless comment=defconf
default-route-distance=2 disabled=yes interface=sfp-sfpplus1
use-peer-dns=no
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 pref-src=
"" routing-table=ipsec scope=30 suppress-hw-offload=yes target-scope=10
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/24
dst-address-list=!address list for direct access with no IPSEC VPN new-routing-mark=ipsec passthrough=yes src-address=
192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=ipsec out-interface=l2tp-out1
Of course I had to disable the default fasttrack rule:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related disabled=yes hw-offload=yes
Now I'm trying to make fasttrack valid at least for part of the traffic (not the IPsec traffic).
I created 2 new rules instead of the default one, with hardcoded interfaces:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related disabled=yes hw-offload=yes
in-interface=bridge out-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related disabled=yes hw-offload=yes
in-interface=pppoe-out1 out-interface=bridge
But now video stories in Instagram are broken (Instagram traffic is routed to the L2TP/IPsec VPN).
Video stories in Instagram can be seen for the first ~10%, then get stuck.
The rest of the internet works fine, both directly and via the L2TP/IPsec VPN, and CPU usage dropped 2 times for direct connections (not through the VPN).
If I disable these 2 new fasttrack rules, everything works fine, Instagram video stories as well.
I realise that there is no fasttrack for IPsec.
But I wanted fasttrack to be effective for the rest of the traffic.
I tried the widely described method of marking IPsec connections with mangle and excluding the marked connections with a criterion in the fasttrack rule, but it does not work at all with my setup.
What is wrong with my fasttrack rules?
IPv6 is disabled.
Thank you in advance!
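For readers comparing approaches, below is an added example (not the poster's configuration, and not a claimed fix for the problem described) of the connection-mark form of the method the post mentions: the decision "this connection goes via the tunnel" is taken once per connection and stored in the connection-tracking entry, and the fasttrack rule then matches on the absence of that mark instead of on interfaces. The point is that once a connection is fasttracked its packets bypass the mangle chains entirely, so a decision that is taken per packet in prerouting (as in the mark-routing rule quoted above) is no longer re-evaluated, whereas a connection mark stays attached to the tracked connection. The address-list name `direct` and the routing table name `ipsec` are placeholders standing in for the redacted names in the post.

```routeros
# Added example, not from the original post. Assumes: LAN is 192.168.0.0/24 on
# "bridge", the L2TP/IPsec client is "l2tp-out1", routing table "ipsec" holds a
# default route via l2tp-out1, and address list "direct" (placeholder name)
# lists destinations that must bypass the tunnel.
/ip firewall mangle
# 1. Mark the CONNECTION on its first packet only: LAN-originated, not to the
#    LAN itself, not to the direct-access list. The mark lives in conntrack.
add chain=prerouting action=mark-connection new-connection-mark=via-ipsec \
    connection-state=new src-address=192.168.0.0/24 \
    dst-address=!192.168.0.0/24 dst-address-list=!direct passthrough=yes \
    comment="mark connections that should use the L2TP/IPsec tunnel"
# 2. Derive the per-packet routing mark from the connection mark, for
#    LAN-originated packets only, so return traffic keeps using the main table.
add chain=prerouting action=mark-routing new-routing-mark=ipsec \
    connection-mark=via-ipsec src-address=192.168.0.0/24 passthrough=no \
    comment="route marked connections via table ipsec"

/ip firewall filter
# 3. Fasttrack only connections carrying no connection mark, i.e. direct
#    traffic. Keep it above the generic accept-established rule, as in the
#    default configuration.
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack direct (non-tunnel) traffic only"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
```

Two things to check when trying a layout like this: the mark-connection rule only sees `connection-state=new` packets, so connections that already existed before the rule was added keep whatever state they had (clearing them with `/ip firewall connection remove [find]` or waiting for them to time out makes the test meaningful), and `/ip firewall connection print` with the `connection-mark` and `fasttrack` columns shows directly whether a given flow was marked and whether it was fasttracked, which is the quickest way to see which rule a misbehaving flow actually hit.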