fasttrack ignores marked packets and port forwarding

stefki · Mon Jan 28, 2019 7:00 pm

Hello all, I need some advice about this issue with fasttrack, I am using CRS125-24G-1S with 6.43.8 latest stable version installed.
The problem is that I am using two WAN interfaces with fastrack enabled, and all my ports from interface pppoe-out1 forwarded are not accessible.
When I disable fasttrack the forwarded ports from WAN2--pppoe-out1 marked interface are accessible. But when fast track is enabled again, the ports are not accessible from "outside".

Here is my full config.

/interface bridge
add admin-mac=XX:3B:XX:XX:21:94 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on mac-address=F4:XX:XX:32:40:XX name=ether1-kabelnet speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
set [ find default-name=ether11 ] disabled=yes speed=100Mbps
set [ find default-name=ether12 ] disabled=yes speed=100Mbps
set [ find default-name=ether13 ] disabled=yes speed=100Mbps
set [ find default-name=ether14 ] disabled=yes speed=100Mbps
set [ find default-name=ether15 ] disabled=yes speed=100Mbps
set [ find default-name=ether16 ] disabled=yes speed=100Mbps
set [ find default-name=ether17 ] disabled=yes speed=100Mbps
set [ find default-name=ether18 ] disabled=yes speed=100Mbps
set [ find default-name=ether19 ] disabled=yes speed=100Mbps
set [ find default-name=ether20 ] disabled=yes speed=100Mbps
set [ find default-name=ether21 ] disabled=yes speed=100Mbps
set [ find default-name=ether22 ] disabled=yes speed=100Mbps
set [ find default-name=ether23 ] disabled=yes speed=100Mbps
set [ find default-name=ether24 ] comment=Maxnet speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface pppoe-client
add add-default-route=yes default-route-distance=2 disabled=no interface=ether24 name=pppoe-out1 password=mail.server user=mail.server
/interface list
add exclude=dynamic name=discover
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity="home"
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=1w name=dhcp1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether2
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=ether11 list=discover
add interface=ether12 list=discover
add interface=ether13 list=discover
add interface=ether14 list=discover
add interface=ether15 list=discover
add interface=ether16 list=discover
add interface=ether17 list=discover
add interface=ether18 list=discover
add interface=ether19 list=discover
add interface=ether20 list=discover
add interface=ether21 list=discover
add interface=ether22 list=discover
add interface=ether23 list=discover
add interface=sfp1 list=discover
/ip address
add address=xx.135.xx.168/24 interface=ether1-kabelnet network=xx.135.xx.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
/ip dhcp-server lease
add address=192.168.1.97 mac-address=xx:27:xx:51:xx:A8 server=dhcp1
add address=192.168.1.96 mac-address=9C:xx:99:C5:xx:CA server=dhcp1
add address=192.168.1.95 mac-address=00:xx:xx:xx:52:99 server=dhcp1
add address=192.168.1.2 comment=Herm mac-address=00:xx:67:xx:60:xx server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.97 comment=steamer list=maxnet
/ip firewall filter
add action=fasttrack-connection chain=forward connection-nat-state="" connection-state=established,related
add action=accept chain=forward connection-nat-state="" connection-state=established,related
/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1-kabelnet new-connection-mark=kabelnet passthrough=no
add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=maxnet passthrough=no
add action=mark-routing chain=output connection-mark=kabelnet new-routing-mark=ruta-kabelnet passthrough=no
add action=mark-routing chain=output connection-mark=maxnet new-routing-mark=ruta-maxnet passthrough=no
add action=mark-routing chain=prerouting comment=maxnet new-routing-mark=ruta-maxnet passthrough=no src-address-list=maxnet
/ip firewall nat
add action=dst-nat chain=dstnat comment=moon dst-port=12000 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.95 to-ports=12000
add action=dst-nat chain=dstnat comment="hermes SSH" dst-port=1966 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.2 to-ports=22
add action=dst-nat chain=dstnat comment="IBM IMM" disabled=yes dst-port=4545 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.3 to-ports=443
add action=dst-nat chain=dstnat comment=udpxy dst-port=9566 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.2 to-ports=9566
add action=dst-nat chain=dstnat comment="astra web" dst-port=7000 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.2 to-ports=7000
add action=dst-nat chain=dstnat comment="astra http" dst-port=8818 protocol=tcp to-addresses=192.168.1.4 to-ports=8818
add action=dst-nat chain=dstnat dst-port=1954 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.95 to-ports=1954
add action=dst-nat chain=dstnat dst-port=2007 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.96 to-ports=2007
add action=dst-nat chain=dstnat dst-port=1719 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.96 to-ports=1719
add action=dst-nat chain=dstnat comment="Bhttp" dst-port=9544 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.97 to-ports=9544
add action=dst-nat chain=dstnat dst-port=1290 in-interface=ether1-kabelnet protocol=tcp to-addresses=192.168.1.97 to-ports=1290
add action=masquerade chain=srcnat src-address=192.168.1.0/24 src-address-list=""
/ip route
add check-gateway=ping distance=1 gateway=ether1-kabelnet routing-mark=ruta-kabelnet
add check-gateway=ping distance=2 gateway=pppoe-out1 routing-mark=ruta-maxnet
add check-gateway=ping distance=1 gateway=ether1-kabelnet
add check-gateway=ping distance=2 gateway=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=1985
set api-ssl disabled=yes
/ip socks
set port=4145
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
add interface=bridge1
/lcd interface pages
set 0 interfaces=ether1-kabelnet,bridge1,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12
set 1 interfaces=ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20,ether21,ether22,ether23,ether24
set 2 interfaces=sfp1
/system clock
set time-zone-name=Europe
/system identity
set name="Herm"
[admin@Helios doma] >

This is the port which is not accessible from "outside"

/ip firewall nat add action=dst-nat chain=dstnat comment="Bhttp" dst-port=9544 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.97 to-ports=9544

Thanks in advance.

hturkan · Mon Jan 28, 2019 7:16 pm

Hi, You can produce multiple Solutions for this topic,
Method 1 You can make the FastTrack rule more specific
for example;
dst-adress-list = !localtolocal src-adress-list =! localtolocal action fasttrack
2. Method No IP Firewall / mangle only ip route Rules and extra routing table
Good luck

stefki · Mon Jan 28, 2019 10:36 pm

Sounds good. Any example of your methods ?

sebastia · Mon Jan 28, 2019 11:14 pm

You can't do mangle based routing (to ensure response goes the same way out) and fast-track for all connections at the same time

The reason is that fasttrack bypasses mangling, and so the needed packet marks are not set.

add action=mark-connection chain=input in-interface=ether1-kabelnet new-connection-mark=kabelnet passthrough=no
add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=maxnet passthrough=no

What you can do is: choose which of the two you want to do with fast-track, and the other do with full processing

stefki · Tue Jan 29, 2019 11:44 am

Ok, I want to exclude this interface pppoe-out1 from fasttrack.

add action=mark-connection chain=input in-interface=pppoe-out1 new-connection-mark=maxnet passthrough=no

how to do that ?

sebastia · Tue Jan 29, 2019 12:17 pm

Do this (replace or modify existing)

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related out-interface=ether1-kabelnet

And you can remove any mangling for ether1-kabelnet, that will become your default.

fasttrack ignores marked packets and port forwarding [SOLVED]

fasttrack ignores marked packets and port forwarding

Re: fasttrack ignores marked packets and port forwarding

Re: fasttrack ignores marked packets and port forwarding

Re: fasttrack ignores marked packets and port forwarding

Re: fasttrack ignores marked packets and port forwarding

Re: fasttrack ignores marked packets and port forwarding [SOLVED]

Who is online