A hint: firewall filter rule order matters. It is essential that you have a rule that accepts packets which should not be fasttracked and this rule has to be above the (general) fasttrack rule. (The other possibility being overloading the fasttrack rule with all the exceptions, which is sometimes hard or impossible to do.)
At the same time you have to be aware that when a connection gets fasttracked, it cannot be un-fasttracked. Hence whenever you change some rules which might affect fasttracking of a connection, you have to test it by initiating a completely new connection.
You may need to reboot the router from time to time to clear connection tracking state just to be sure it's not way off.
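A small offline check of the ordering rule described above, as an added example that is not part of the original post: it parses an `/ip firewall filter` export and reports IPsec accept rules that are missing or sit below the fasttrack rule. The function names and both sample rule sets are constructed for illustration, and the parser assumes one rule per line (no backslash continuations).

```python
import shlex

# Constructed sample exports (not taken from any real router).
BAD_ORDER = '''/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
'''
GOOD_ORDER = '''/ip firewall filter
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related
'''

def parse_rules(export_text):
    """Turn each 'add key=value ...' line into a dict, skipping disabled rules."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        # shlex keeps quoted comments such as comment="a b" together as one token
        fields = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
        if fields.get("disabled") != "yes":
            rules.append(fields)
    return rules

def check_fasttrack_order(export_text, chain="forward"):
    """Return findings for IPsec accept rules missing or below the fasttrack rule."""
    rules = [r for r in parse_rules(export_text) if r.get("chain") == chain]
    ft = next((i for i, r in enumerate(rules)
               if r.get("action") == "fasttrack-connection"), None)
    if ft is None:
        return []  # nothing is fasttracked in this chain, so order is irrelevant
    findings = []
    for policy in ("in,ipsec", "out,ipsec"):
        pos = next((i for i, r in enumerate(rules)
                    if r.get("action") == "accept"
                    and r.get("ipsec-policy") == policy), None)
        if pos is None:
            findings.append(f"no accept rule for ipsec-policy={policy}")
        elif pos > ft:
            findings.append(f"accept ipsec-policy={policy} is below fasttrack")
    return findings

if __name__ == "__main__":
    print(check_fasttrack_order(BAD_ORDER))
    print(check_fasttrack_order(GOOD_ORDER))
```

The check covers rule order only; as the post says, a rule change has to be tested with a completely new connection.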
I finally have time to go back to this issue. Here's a snippet of one of my most simplistic mtik setups.
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec log=yes log-prefix=ipsecIN
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec log=yes log-prefix=ipsecOUT
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
So I moved the ipsec in/out portion of the forward on top. These are the ones that I don't want fasttracked.
Even after I reboot, I still get missing packets, a sign of fasttrack. When I disable the fasttrack rule, it works flawlessly.
What am I missing?