Tue Jul 31, 2018 4:54 pm
It is the terms that are the problem. Firewall to me is anything under the Firewall tab, not the entire device, as I found out the hard way when I was trying to set up a DNAT but had to use connection marks; only connection tracking is mentioned, and I didn't know those two were the same thing. I assumed, since the firewall is stateful, that connection tracking just meant the tracking tab in WinBox.
*edit* My WAN connections are on port 12 and port 13 of the RB1100AHx4 device, which the fasttrack documentation says is not supported since it's just ether1-11. That just made this even stranger.
I'm suggesting edits to the documentation you linked to clarify, because others have run into this issue, and posting "this is the point of fasttrack" doesn't help us beginners.
"IPv4 FastTrack handler is automatically used for marked connections. Use firewall action "fasttrack-connection" to mark connections for fasttrack. Currently only TCP and UDP connections can actually be fasttracked (even though any connection can be marked for fasttrack). IPv4 FastTrack handler supports NAT (SNAT, DNAT or both).
Note that not all packets in a connection can be fasttracked, so you are likely to see some packets going through the slow path even though the connection is marked for fasttrack. This is the reason why fasttrack-connection is usually followed by an identical action=accept rule. Fasttracked packets bypass the firewall, connection tracking, connection marks, policy based routing, simple queues, queue tree with parent=global, ip traffic-flow (restriction removed in 6.33), IP accounting, IPSec, hotspot universal client, VRF assignment, so it is up to the administrator to make sure fasttrack does not interfere with other configuration. If you have fasttrack enabled and experience any networking issues, temporarily disable fasttrack. If this solves your issue, make your fasttrack rule more specific to interfaces that do not use any of the above features."
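As an added example (not from the post above or from MikroTik's documentation), here is a RouterOS configuration that puts the quoted advice into practice: a DNAT whose connections are tagged with a connection mark, and a fasttrack rule that only fasttracks connections carrying no mark, followed by the matching accept rule. The WAN ports ether12 and ether13 come from the post; the LAN address, the internal server 192.168.88.10, the interface list name "wan" and the mark name "dnat-web" are assumptions for illustration.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: WAN uplinks on ether12 and ether13, an internal web server at
# 192.168.88.10 (hypothetical), and hypothetical names "wan" and "dnat-web".

/interface list add name=wan
/interface list member add list=wan interface=ether12
/interface list member add list=wan interface=ether13

# DNAT: forward inbound TCP/80 arriving on either WAN port to the internal server.
/ip firewall nat add chain=dstnat in-interface-list=wan protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80

# Mark the connections that went through that DNAT. Connection marks are part of
# connection tracking, and fasttracked packets skip connection tracking, so these
# connections must be kept out of fasttrack if the mark is to be used later
# (e.g. for queues or policy routing). mangle forward runs before filter forward.
/ip firewall mangle add chain=forward connection-nat-state=dstnat \
    action=mark-connection new-connection-mark=dnat-web passthrough=yes

# Fasttrack only established/related forward traffic that has no connection mark.
# The first packet of a connection is "new", so it never matches here; by the time
# the second packet arrives the mangle rule above has already set the mark.
/ip firewall filter add chain=forward connection-state=established,related \
    connection-mark=no-mark action=fasttrack-connection

# Identical accept rule right after it: packets that cannot be fasttracked
# (and the first packet of each connection) fall through to this one.
/ip firewall filter add chain=forward connection-state=established,related action=accept
```

To check the effect, `/ip firewall filter print stats` shows whether the fasttrack rule and the accept rule are both counting packets, and `/ip firewall connection print` shows fasttracked connections with the `F` flag; a connection created by the DNAT should carry the `dnat-web` mark and no `F` flag. If something that depends on connection marks, queues or policy routing still misbehaves, follow the quoted advice: disable the fasttrack rule, confirm the problem goes away, then narrow the rule further (for example with `in-interface-list`/`out-interface-list`) rather than fasttracking everything.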