simple queue doesn't work with fasttrack?

Hi guys,

I just realised that fasttrack and simple queues don’t get along well.


It looks like a simple bandwidth queue works when fasttrack is disabled, but I would like to keep fasttrack enabled. Is there a way to exclude only 10.20.0.0/24 from fasttracking?

Could somebody please help me figure out the firewall rule to place before the “fasttrack” rule for 10.20.0.0/24? Thanks a lot.

[admin@MikroTik_RB4011] > /export hide-sensitive                                    
# dec/30/2020 23:08:21 by RouterOS 6.48
# software id = A0JA-PWUH
#
# model = RB4011iGS+
# serial number = D1260BF19E4D
# NOTE(review): this export was taken with hide-sensitive, yet the software id and
# serial number above and the MAC addresses in the DHCP leases are still present;
# redact them by hand before publishing an export.

# Layer 2: one bridge per network (main and guest).
/interface bridge
add name=bridge_vlan10_main
# arp=reply-only on the guest bridge; the guest DHCP server is configured with add-arp=yes.
add arp=reply-only name=bridge_vlan20_guest
# Port labels only; ether9 is renamed to ether9-trunk.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN_PRIMARY_VIA_FIBRE
set [ find default-name=ether2 ] comment=QNAP_BACKUP_1Gb_LINK
set [ find default-name=ether5 ] comment=Main_PC
set [ find default-name=ether8 ] comment=Monitor_VLAN_20
set [ find default-name=ether9 ] comment=Audience_VLAN_10_20 name=ether9-trunk
set [ find default-name=ether10 ] comment=WAN_SECONDARY_VIA_LTE
set [ find default-name=sfp-sfpplus1 ] comment=QNAP_PRIMARY_10Gb_LINK
# Two WAN VLANs (100 on ether10, 10 on ether1) and the two LAN VLANs (10, 20)
# carried on the trunk port.
/interface vlan
add comment=WAN_VLAN_100_VIA_LTE interface=ether10 name=2degress_ISP vlan-id=100
add comment=WAN_VLAN_10 interface=ether1 name=Orcon_ISP vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk name=vlan10_main vlan-id=10
add comment=VLAN_10_and_20_per_Trunk interface=ether9-trunk name=vlan20_guest vlan-id=20
# Active-backup bond towards the QNAP: the SFP+ link is primary, ether2 is the backup.
/interface bonding
add mode=active-backup name=qnap_bonding primary=sfp-sfpplus1 slaves=sfp-sfpplus1,ether2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# WAN and LAN lists are what the firewall filter rules match on (in-interface-list=...).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IKEv2 VPN: policy group, profile, peer and proposal. The peer is passive=yes,
# i.e. it waits for incoming negotiations.
/ip ipsec policy group
add name=ikev2-policies
# Only the name is shown for the profile; presumably every other setting is at its
# default - TODO confirm.
/ip ipsec profile
add name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
# NOTE(review): sha1 is still offered next to sha256; drop it if no client requires it.
/ip ipsec proposal
add auth-algorithms=sha256,sha1 name=IKEv2
# Address pools: main LAN, guest LAN and VPN clients, each in its own /24.
/ip pool
add name=pool_vlan10_main ranges=10.10.0.30-10.10.0.254
add name=pool_vlan20_guest ranges=10.20.0.30-10.20.0.254
add name=pool_ikev2_vpn ranges=10.88.0.1-10.88.0.254
# One DHCP server per bridge. The guest server sets add-arp=yes, which pairs with
# arp=reply-only on bridge_vlan20_guest.
/ip dhcp-server
add address-pool=pool_vlan10_main disabled=no interface=bridge_vlan10_main lease-time=23h59m59s name=\
    dhcp_vlan10_main
add add-arp=yes address-pool=pool_vlan20_guest disabled=no interface=bridge_vlan20_guest lease-time=23h59m59s \
    name=dhcp_vlan20_guest
# VPN clients receive their address from pool_ikev2_vpn through mode-config.
/ip ipsec mode-config
add address-pool=pool_ikev2_vpn name=IKEv2-cfg
# The queue this thread is about: 10M/10M max-limit for the guest subnet.
# It only takes effect for traffic that is not fasttracked (see the
# "defconf: fasttrack" rule in /ip firewall filter).
/queue simple
add max-limit=10M/10M name=guest-wifi target=10.20.0.0/24
# Bridge membership: ether8 and vlan20_guest form the guest bridge, everything
# else listed here is in the main bridge.
/interface bridge port
add bridge=bridge_vlan10_main interface=ether3
add bridge=bridge_vlan10_main interface=ether4
add bridge=bridge_vlan10_main interface=ether5
add bridge=bridge_vlan10_main interface=ether7
add bridge=bridge_vlan20_guest interface=ether8
add bridge=bridge_vlan10_main interface=vlan10_main
add bridge=bridge_vlan20_guest interface=vlan20_guest
# NOTE(review): ether10 is labelled WAN_SECONDARY_VIA_LTE and carries the WAN VLAN 100,
# yet it is also a port of the main LAN bridge - confirm this is intended.
add bridge=bridge_vlan10_main interface=ether10
add bridge=bridge_vlan10_main interface=qnap_bonding
add bridge=bridge_vlan10_main interface=ether6
# NOTE(review): detection is enabled on all interfaces - confirm that is needed.
/interface detect-internet
set detect-interface-list=all
# Both bridges, including the guest one, are members of LAN. The input-chain rule
# "drop all not coming from LAN" therefore does not apply to guest clients.
/interface list member
add interface=Orcon_ISP list=WAN
add interface=bridge_vlan10_main list=LAN
add interface=bridge_vlan20_guest list=LAN
add interface=2degress_ISP list=WAN
# Router addresses: .1 in each of the two LAN subnets.
/ip address
add address=10.10.0.1/24 interface=bridge_vlan10_main network=10.10.0.0
add address=10.20.0.1/24 interface=bridge_vlan20_guest network=10.20.0.0
# Both uplinks get their address by DHCP; the LTE uplink has default-route-distance=2,
# so its default route is less preferred than the primary one.
/ip dhcp-client
add disabled=no interface=Orcon_ISP
add default-route-distance=2 disabled=no interface=2degress_ISP
# Static DHCP leases: fixed addresses below the start of each dynamic pool (.30).
/ip dhcp-server lease
add address=10.10.0.7 client-id=1:9c:5c:8e:20:b8:c6 comment=MainPC mac-address=9C:5C:8E:20:B8:C6 server=\
    dhcp_vlan10_main
add address=10.10.0.14 comment=Kettle mac-address=BC:DD:C2:A8:06:52 server=dhcp_vlan10_main
add address=10.10.0.17 client-id=1:d0:73:d5:24:52:2f comment=LIFXBulb mac-address=D0:73:D5:24:52:2F server=\
    dhcp_vlan10_main
add address=10.10.0.20 client-id=1:50:ec:50:3a:f7:c5 comment=CCTV mac-address=50:EC:50:3A:F7:C5 server=\
    dhcp_vlan10_main
add address=10.10.0.13 comment=NestMini_Living_Room mac-address=D4:F5:47:2B:BB:D7 server=dhcp_vlan10_main
add address=10.10.0.8 client-id=1:c0:b5:d7:5b:d7:4e comment=Printer mac-address=C0:B5:D7:5B:D7:4E server=\
    dhcp_vlan10_main
add address=10.10.0.18 comment=NestMini_Bed_Room mac-address=D4:F5:47:12:EE:02 server=dhcp_vlan10_main
add address=10.10.0.16 comment=LIFXBulb mac-address=D0:73:D5:12:25:E9 server=dhcp_vlan10_main
add address=10.10.0.15 client-id=1:ac:d5:64:94:db:dd comment=SonyTV mac-address=AC:D5:64:94:DB:DD server=\
    dhcp_vlan10_main
add address=10.10.0.11 client-id=1:cc:f9:e4:9c:0:e0 comment=DellXPS_Laptop mac-address=CC:F9:E4:9C:00:E0 \
    server=dhcp_vlan10_main
add address=10.20.0.2 client-id=1:76:4d:28:f4:f7:f3 comment=MikroTik_Audience_VLAN_20 mac-address=\
    76:4D:28:F4:F7:F3 server=dhcp_vlan20_guest
add address=10.10.0.2 client-id=1:74:4d:28:f4:f7:f2 comment=MikroTik_Audience_VLAN_10 mac-address=\
    74:4D:28:F4:F7:F2 server=dhcp_vlan10_main
add address=10.10.0.19 client-id=1:38:f9:d3:52:a6:be comment=MacbookAir mac-address=38:F9:D3:52:A6:BE server=\
    dhcp_vlan10_main
add address=10.10.0.9 client-id=1:dc:a6:32:e:48:81 comment=RaspberryPi mac-address=DC:A6:32:0E:48:81 server=\
    dhcp_vlan10_main
add address=10.10.0.12 client-id=1:0:18:dd:24:1c:fa comment=IPTVTuner mac-address=00:18:DD:24:1C:FA server=\
    dhcp_vlan10_main
add address=10.10.0.10 client-id=1:0:a:f5:45:bf:ec comment=BookReader mac-address=00:0A:F5:45:BF:EC server=\
    dhcp_vlan10_main
add address=10.10.0.3 client-id=1:c4:ad:34:b1:33:b comment=MikroTik_hap_ac2_VLAN_10 mac-address=\
    C4:AD:34:B1:33:0B server=dhcp_vlan10_main
add address=10.20.0.3 client-id=1:c4:ad:34:b1:33:a comment=MikroTik_hap_ac2_VLAN_20 mac-address=\
    C4:AD:34:B1:33:0A server=dhcp_vlan20_guest
add address=10.10.0.4 client-id=1:b8:69:f4:ba:4f:f1 comment=Mikrotik_LtAP_mini mac-address=B8:69:F4:BA:4F:F1 \
    server=dhcp_vlan10_main
add address=10.10.0.6 comment=VOIP_PHONE mac-address=00:0B:82:EA:D2:C4 server=dhcp_vlan10_main
add address=10.10.0.5 client-id=1:24:5e:be:1a:4f:37 comment=QNAP mac-address=24:5E:BE:1A:4F:37 server=\
    dhcp_vlan10_main
add address=10.10.0.21 client-id=1:2c:26:17:82:8e:2b comment=Oculus_Quest mac-address=2C:26:17:82:8E:2B \
    server=dhcp_vlan10_main
# Each subnet is handed the router's own address in that subnet as gateway.
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 netmask=24
add address=10.20.0.0/24 gateway=10.20.0.1 netmask=24
# allow-remote-requests=yes: the router answers DNS queries from clients.
# Queries arriving on WAN interfaces fall to the input-chain rule
# "drop all not coming from LAN"; guest clients are in LAN and can query it.
/ip dns
set allow-remote-requests=yes cache-size=4096KiB
# Rules are evaluated top to bottom per chain; the first match decides.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# IKE (udp/500) and NAT-T (udp/4500) from the WAN list, for the IKEv2 VPN.
add action=accept chain=input comment="accept connection to IKEv2 ports" dst-port=500,4500 in-interface-list=\
    WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# SSH, HTTP and Winbox ports are accepted only for packets that arrived through IPsec.
add action=accept chain=input comment="management over VPN" dst-port=22,80,8291 ipsec-policy=in,ipsec \
    protocol=tcp
# Final input rule. It only drops traffic that is not from the LAN list; the guest
# bridge is a LAN member, so no rule in this chain limits what 10.20.0.0/24 can
# reach on the router itself.
# NOTE(review): confirm guests are meant to reach the router's management ports.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" in-interface-list=WAN ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Matches every established/related forwarded connection regardless of address, so
# guest traffic is fasttracked too. Per the discussion on this page the guest simple
# queue only works once 10.20.0.0/24 is kept away from this rule; any exclusion
# rule has to be placed above it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Last forward rule: new connections from WAN are dropped unless they were dst-NATed.
# Nothing in this chain separates guest from main; that is done by the
# /ip route rule entries (action=unreachable) instead.
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT (masquerade) on each of the two uplinks.
/ip firewall nat
add action=masquerade chain=srcnat comment=Primary_ISP out-interface=Orcon_ISP
add action=masquerade chain=srcnat comment=Secondary_ISP out-interface=2degress_ISP
# VPN clients authenticate with certificates (digital-signature) against the
# VPN_Server certificate; policies are generated from the template group below.
/ip ipsec identity
add auth-method=digital-signature certificate=VPN_Server generate-policy=port-strict mode-config=IKEv2-cfg \
    peer=IKEv2-peer policy-template-group=ikev2-policies
# Policy template: any source towards the VPN client pool 10.88.0.0/24.
/ip ipsec policy
add dst-address=10.88.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=0.0.0.0/0 template=yes
# Guest/main separation for routed traffic: lookups between the two subnets return
# unreachable in both directions. Only 10.10.0.0/24 and 10.20.0.0/24 are covered;
# the VPN pool 10.88.0.0/24 does not appear in these rules.
/ip route rule
add action=unreachable dst-address=10.10.0.0/24 src-address=10.20.0.0/24
add action=unreachable dst-address=10.20.0.0/24 src-address=10.10.0.0/24
# telnet, ftp, api and api-ssl are disabled. ssh, www and winbox do not appear here;
# presumably they are at their defaults - TODO confirm. No address= restriction is
# visible for any service, so reachability is decided by the input chain only.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name=MikroTik_RB4011
# Scheduled reboot every 4w2d at 03:00.
# NOTE(review): the policy list is much wider than a reboot needs - confirm whether
# it can be narrowed to reboot only.
/system scheduler
add interval=4w2d name=monthly_reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=aug/27/2020 start-time=\
    03:00:00
[admin@MikroTik_RB4011] >

It seems to be working with these rules placed before the fasttrack rule in the firewall:



# Both rules must sit above the "defconf: fasttrack" rule in the forward chain.
# Established/related packets from or to the guest subnet are accepted here, so they
# never reach the fasttrack action and remain subject to the simple queue.
# Only connection-state=established,related is matched; new connections still
# continue down the chain and are evaluated by the remaining rules.
add action=accept chain=forward connection-state=established,related src-address=10.20.0.0/24
add action=accept chain=forward connection-state=established,related dst-address=10.20.0.0/24

Correct, fasttrack and queues don’t go together: fasttracked packets skip the simple queues, so you have to exclude traffic subject to queues from being fasttracked. The way you chose is probably the best (easiest to read), but there are other ways (such as marking connections and changing the fasttrack rule to exclude marked connections).