Community discussions

 
tubituba
just joined
Topic Author
Posts: 6
Joined: Sun Apr 17, 2016 3:36 pm

Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Sat Nov 19, 2016 1:19 pm

I searched Raw examples but there are no examples yet.

Just wonder which one is faster.

Thanks.
 
asghari
Trainer
Trainer
Posts: 41
Joined: Thu Feb 07, 2013 4:49 pm
Contact:

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Mon Nov 21, 2016 10:29 pm

as you know raw is feature to drop packets before connection tracking it means that we can drop packets before the packets process by router.
fast track (FastPath+contrack=fasttrack)
actually usage of fast track and raw dependence based on scenario and solution.(fast track use mange facility and work on tcp/udp packets.
finally raw and fast track are two subjects separate each other.
Hasan Asghari
Mikrotik Trainer
Mikrotik Academy Trainer
Mikrotik Consultant.
http://www.Hasghari.ir
 
User avatar
lapsio
Member
Member
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Wed Jan 11, 2017 5:45 pm

as you know raw is feature to drop packets before connection tracking it means that we can drop packets before the packets process by router.
fast track (FastPath+contrack=fasttrack)
actually usage of fast track and raw dependence based on scenario and solution.(fast track use mange facility and work on tcp/udp packets.
finally raw and fast track are two subjects separate each other.
I think I don't understand your answer. Lets say we have 2 machines that can transfer storage using some port (we need lowest latency and highest bandwidth on this certain port between those 2 IPs) Is it better idea to put 2 rules in RAW table or add 2 rules adding connection to fasttrack?

I know fasttrack is significantly more advanced bc it's stateful, raw is stateless so everything suggests that RAW table should be absolutely fastest. But just to be sure - is my logic correct? Is raw really faster than fasttracked connection? (after establishing ofc we don't care about initial firewall matching penalty that happens before adding connection to fasttrack list)
MTCNA, MTCRE, MTCINE
 
teamer
just joined
Posts: 21
Joined: Mon Sep 12, 2016 9:18 am

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Wed Jan 11, 2017 6:34 pm

JFYI: accept action in raw table does not mean to bypass all others.
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1721
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Wed Jan 11, 2017 6:45 pm

IP RAW - feature that allows traffic to skip Connection tracking
fasttrack-connection - feature that allows traffic to skip everything else except Connection tracking.

No - you can't have both at the same time :)

Biggest minus of connection tracking is that if it captures packet fragments in NEEDS to de-fragment them - very time and resource consuming process, to account that packet properly

There are 2 ways to use it:

1) connection-tracking enabled=yes and use action="no-track" for some specific traffic to SKIP connection tracking for some traffic.
2) connection-tracking enabled=no and use action="accept" for some specific traffic to SEND it to connection tracking (yes, even if conntrack is off)

So fasttrack and raw is 2 excluding features really :)

My mind is busy with other question - what firewall filter chain=input/forward rules should i move to ip raw chain=prerouting?? :)
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
User avatar
lapsio
Member
Member
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Wed Jan 11, 2017 10:36 pm

JFYI: accept action in raw table does not mean to bypass all others.
Oh. So action accept in RAW just ends packet processing in RAW table? I thought it maybe stops all tables processing as in skips NAT, filtering, mangling etc. In case it doesn't i guess it makes sense how those 2 things can't be used in the same way for boosting valid traffic.

Then the question is - is there a way to achieve faster accept than fasttrack? I mean something like skip all tables AND connection tracking? Take packet, intantly take routing decision and push to output without NAT, without conntrack, without filter, without anything? I know some of those are pretty important like NAT but lets say i know those IP addresses don't need NAT or anything and there's nothing to do with those packets apart from dumb switch-like pipe basing on IP and port.
MTCNA, MTCRE, MTCINE
 
User avatar
macgaiver
Forum Guru
Forum Guru
Posts: 1721
Joined: Wed May 18, 2005 5:57 pm
Location: Sol III, Sol system, Sector 001, Alpha Quadrant

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Thu Jan 12, 2017 7:58 am

fastest way to get packet through - FASTPATH

if you need connection tracking (NAT in most cases) , and nothing else - FASTTRACK.

If you need to use other features, but some traffic doesn't require connection tracking - RAW table
With great knowledge comes great responsibility, because of ability to recognize id... incompetent people much faster.
 
User avatar
lapsio
Member
Member
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: Raw Accept vs IP Firewall FastTrack, which one is faster and light weight?

Thu Jan 12, 2017 4:21 pm

fastest way to get packet through - FASTPATH

if you need connection tracking (NAT in most cases) , and nothing else - FASTTRACK.

If you need to use other features, but some traffic doesn't require connection tracking - RAW table
Can I use FASTPATH on RouterOS?

Edit: nvm found it. There's quite a lot of restrictions which are pretty much global and can't be applied only to certain traffic.
MTCNA, MTCRE, MTCINE

Who is online

Users browsing this forum: No registered users and 80 guests