Yekver
just joined
Topic Author
Posts: 17
Joined: Fri Jan 31, 2014 9:47 pm

How disable fasttrack?

Sun Jun 12, 2016 2:39 am

Hi there!
I've enabled fastpath and decided to activate fasttrack for all connections except vlan47.
But this simply doesn't work! Fasttrack continued to process all connections, including vlan47!!
Is it my fault, or does it simply not work like this?

ROS 6.34.4

Here is a part of my firewall filter (about processing forward connections):
chain=forward action=fasttrack-connection connection-state=established,related in-interface=!vlan47 log=no log-prefix=""
chain=forward action=fasttrack-connection connection-state=established,related out-interface=!vlan47 log=no log-prefix=""
chain=forward action=accept connection-state=established,related log=no log-prefix=""
chain=forward action=drop connection-state=invalid log=no log-prefix=""
 
patrick7
Member Candidate
Posts: 298
Joined: Sat Jul 20, 2013 2:40 pm

Re: How disable fasttrack?

Sun Jun 12, 2016 5:14 pm

With the 1st rule, you activate fasttrack for all traffic except in-interface vlan47. The second rule doesn't match any traffic, as fasttrack is already enabled by the 1st one.
You can either create accept rules for in/out interface vlan47 and, after that, fasttrack. Or you could mark packets from/to vlan47 in the mangle table and create a fasttrack rule which does not match this packet mark.
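
The rule ordering discussed in this thread, as an added example that is not from any of the posts: a simplified Python model of top-down, first-match evaluation in the forward chain, comparing the posted rules with accept rules for vlan47 placed ahead of the fasttrack rule. It assumes every packet is already established/related and models only the interface matchers; `ether1` and `ether2` are hypothetical interface names.

```python
# Added example: simplified model of first-match rule evaluation.
# Assumptions: all packets are established/related; only in/out interface
# matchers are modelled; ether1 and ether2 are hypothetical interfaces.

def matches(rule, pkt):
    """True if every interface matcher on the rule fits the packet ('!' negates)."""
    for key in ("in", "out"):
        want = rule.get(key)
        # A matcher fails when equality with the name disagrees with negation.
        if want and (pkt[key] == want.lstrip("!")) == want.startswith("!"):
            return False
    return True

def is_fasttracked(rules, pkt):
    """The first matching rule decides: a fasttrack rule flags the connection,
    an accept rule ends processing before any later fasttrack rule is reached."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"] == "fasttrack-connection"
    return False

ORIGINAL = [  # the rules as posted
    {"action": "fasttrack-connection", "in": "!vlan47"},
    {"action": "fasttrack-connection", "out": "!vlan47"},
    {"action": "accept"},
]

REORDERED = [  # accept rules for vlan47 first, then an unconditional fasttrack
    {"action": "accept", "in": "vlan47"},
    {"action": "accept", "out": "vlan47"},
    {"action": "fasttrack-connection"},
    {"action": "accept"},
]

PACKETS = {  # constructed sample traffic
    "to vlan47": {"in": "ether1", "out": "vlan47"},
    "from vlan47": {"in": "vlan47", "out": "ether1"},
    "unrelated": {"in": "ether1", "out": "ether2"},
}

def report(rules):
    return {name: is_fasttracked(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("original :", report(ORIGINAL))
    print("reordered:", report(REORDERED))
```

With the posted rules, all three sample packets end up fasttracked; with the accept rules first, only the traffic that never touches vlan47 does.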
 
Yekver

Re: How disable fasttrack?

Sun Jun 12, 2016 9:00 pm

If I understand you correctly, my mistake can be corrected if I set Out. Interface & In. Interface in pairs, to prevent incoming traffic from being fasttracked by the first rule?

All these methods are good only if I want to prevent only one vlan from being fasttracked, but if there are two or more interfaces, I can use only accept rules for these interfaces and place them before the fasttrack rule, is this correct?

Besides, is it a bad idea to mark both input and output traffic with one mark and match this mark in the firewall filter, or can this have any side effects?
