Hello,
I set a fasttrack rule and there is no effect.
Could you explain why ipv4-fasttrack-active is set to no, and how I can set it to yes, or what the conditions are to have yes?
ip setting print
ip-forward: yes
send-redirects: yes
accept-source-route: no
accept-redirects: no
secure-redirects: yes
rp-filter: no
tcp-syncookies: no
max-neighbor-entries: 8192
arp-timeout: 30s
icmp-rate-limit: 10
icmp-rate-mask: 0x1818
route-cache: yes
allow-fast-path: yes
ipv4-fast-path-active: no
ipv4-fast-path-packets: 0
ipv4-fast-path-bytes: 0
ipv4-fasttrack-active: no
ipv4-fasttrack-packets: 0
ipv4-fasttrack-bytes: 0
Yes.
CCR support
conditions are met
Is the position of the rule important? (for me dummy=0, fasttrack=1)
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
2 ;;; Accept all establish related connection
chain=input action=accept connection-state=established,related log=no
log-prefix=""
3 ;;; Drop all invalid connection
chain=input action=drop connection-state=invalid log=yes log-prefix=""
4 ;;; Drop all invalid connection to forward
chain=forward action=drop connection-state=invalid connection-type=""
log=no log-prefix=""
5 ;;; Accept all establish related connection to forward
chain=forward action=accept connection-state=established,related
connection-type="" log=no log-prefix=""
6 ;;; VOIP
chain=forward action=accept protocol=tcp src-address-list=Peoplefone
in-interface=combo1 src-port=5060 log=no log-prefix=""
7 chain=forward action=accept protocol=udp src-address-list=Peoplefone
in-interface=combo1 src-port=5060 log=no log-prefix=""
8 chain=forward action=accept protocol=udp src-address-list=Peoplefone
in-interface=combo1 src-port=8000-30000 log=no log-prefix=""
9 chain=forward action=drop protocol=tcp in-interface=combo1 src-port=5060
dst-port="" log=yes log-prefix=""
10 chain=forward action=drop protocol=udp in-interface=combo1 src-port=5060
dst-port="" log=yes log-prefix=""
11 chain=forward action=drop protocol=udp in-interface=combo1
src-port=8000-30000 dst-port="" log=yes log-prefix=""
strods
October 10, 2017, 2:01pm
4
Is it possible that sniffer, torch, MAC telnet, IP scan or traffic generator is running?
No, I checked it as mentioned in the manual.
But the log is set for drop rules.
I had a glance at the forum and noted that many people have problems with fasttrack.
Shall I understand that this function is not yet operational?
Did you try to move your rule #5 to above rule #2 for testing?
No, you should not. Fasttrack and FastPath work fine, and they are awesome. Most people complaining about fasttrack simply do not understand what it is, and what its limitations are (and then, for instance, complain that mangle or queues are not working with fasttracked traffic, whereas they do not for a reason, and that is fully documented). This does not seem to be your case, however.
I suggest generating a supout.rif and emailing it to support@ asking for help. I believe this should be something simple. Just not immediately obvious, and not something that experienced forum members ever faced themselves.
No, because the forward chain is always empty.
CZFan
October 12, 2017, 4:09pm
10
I am new to Mikrotik but will try and answer. Experts welcome to correct me if I am wrong.
My thinking is your forward chain will always be empty because you only allow related & Established; you need a rule to allow “new” from LAN/INTERNAL.
This is what I would suggest
Move Rule 5 to Rule 2.
Add rule to accept “new” connections only from LAN/INTERNAL in forward chain
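For the questions in this thread about rule position, the following added example (not from any poster and not MikroTik code) parses rules 0-5 exactly as printed above and walks a packet through one chain in order, reporting which rules it hits. It checks only `chain` and `connection-state`, and it assumes `passthrough` and `fasttrack-connection` let the packet continue to later rules; the names `parse_rules` and `walk` are hypothetical.

```python
import re

# Rules 0-5 as printed in the thread (VoIP rules 6-11 omitted for brevity).
PRINTED = '''\
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
2 ;;; Accept all establish related connection
chain=input action=accept connection-state=established,related log=no
log-prefix=""
3 ;;; Drop all invalid connection
chain=input action=drop connection-state=invalid log=yes log-prefix=""
4 ;;; Drop all invalid connection to forward
chain=forward action=drop connection-state=invalid connection-type=""
log=no log-prefix=""
5 ;;; Accept all establish related connection to forward
chain=forward action=accept connection-state=established,related
connection-type="" log=no log-prefix=""
'''

# Assumption: these actions do not end chain traversal.
NON_TERMINAL = {"passthrough", "fasttrack-connection", "log"}

def parse_rules(text):
    """Turn `/ip firewall filter print` output into [(number, {key: value})]."""
    rules = []
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+(?:[XID]\s+)?", line)
        if head:  # a leading number (plus optional flag) starts a new rule
            rules.append((int(head.group(1)), {}))
            line = line[head.end():]
        line = line.split(";;;")[0]  # drop the rule comment
        for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
            rules[-1][1][key] = val.strip('"')
    return rules

def walk(rules, chain, state):
    """Return (numbers of rules hit, verdict) for a packet in `chain`."""
    hits = []
    for num, rule in rules:
        if rule.get("chain") != chain:
            continue
        states = rule.get("connection-state")
        if states and state not in states.split(","):
            continue
        hits.append(num)
        if rule["action"] not in NON_TERMINAL:
            return hits, rule["action"]
    return hits, "end-of-chain"  # none of the listed rules gave a verdict
```

Calling `walk(parse_rules(PRINTED), "forward", "established")` shows an established forwarded packet reaching the fasttrack rule at position 1 before the accept at position 5, while a `new` packet matches only the dummy rule among rules 0-5.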