sjoram
Member Candidate
Topic Author
Posts: 103
Joined: Sun Feb 10, 2013 8:47 pm
Location: Essex, UK

Default fasttrack rule

Sun Jan 27, 2019 12:34 pm

I have just re-built the configuration for one of my ROS devices (replacing a RB750 with RB750Gr3) and as such I was working from the "new" default configuration.

I have not previously used the fasttrack functionality, but I read that by its nature, it bypasses certain things that may cause other parts of configuration to fail. Ones that would particularly affect me are:

- IPSec (The default accept rules for IPSec that might avoid this I have also disabled since I believe that would also allow undesired communication between VLANs/subnets locally.)
- Simple queue (rate limit) on 'Guest' VLAN with Hotspot

I considered enabling the rule with a src-address=!x.x.x.x (subnet associated with the 'Guest' VLAN), but that would not resolve the IPSec issue.

Thinking whilst typing this post, I suppose I could add a new address list, for example 'NoFasttrack', and add the source/destination addresses of the IPSec peers, as well as the 'Guest' subnet, and apply that restriction to both src-address-list=!NoFasttrack and dst-address-list=!NoFasttrack - would that work? Or do the LAN subnets involved in the IPSec policy also need to be excluded, which effectively means disabling fasttrack entirely, as is now?
RouterBOARD RB750 - Xilo ADSL2+ (Annex M)
RouterBOARD RB750GL - Xilo FTTC (VDSL)
sjoram
Member Candidate
Topic Author

Re: Default fasttrack rule

Sun Jan 27, 2019 12:44 pm

Here are some of the rules that I think the default IPSec accept may cause problems with:

IPSec Policy:
add dst-address=10.5.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
add dst-address=10.6.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
add dst-address=10.7.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
add dst-address=10.8.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
add dst-address=10.9.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
add dst-address=10.6.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.1.0.0/16 \
    tunnel=yes
add dst-address=10.7.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.2.0.0/16 \
    tunnel=yes
add dst-address=10.8.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.3.0.0/16 \
    tunnel=yes
add dst-address=10.9.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.4.0.0/16 \
    tunnel=yes
add disabled=yes dst-address=10.5.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=\
    192.168.2.0/24 tunnel=yes
add dst-address=10.5.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=192.168.0.0/24 \
    tunnel=yes
add dst-address=192.168.5.0/30 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
  
IP Firewall Filter:
add action=accept chain=forward comment="Allow specified traffic between VLANs" dst-address=10.0.6.0/24 src-address=\
    10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.0/8 src-address=10.0.6.0/24
add action=accept chain=forward dst-address=10.1.6.0/24 src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.0/8 src-address=10.1.6.0/24
add action=accept chain=forward dst-address=10.0.0.0/8 dst-port=67-68 protocol=udp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.0/24 protocol=icmp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.0/24 dst-port=80 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.0/24 dst-port=443 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.0/24 dst-port=23 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=9326 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=9443 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=6245 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=6443 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=8080 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=143 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=993 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=25 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=2525 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=8530 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=8531 protocol=tcp src-address=10.0.0.0/8
add action=accept chain=forward dst-address=10.0.0.5 dst-port=3389 protocol=tcp src-address=10.1.1.0/24
add action=accept chain=forward dst-address=10.0.0.0/16 src-address=10.10.0.0/16
add action=accept chain=forward dst-address=10.0.0.0/16 src-address=10.5.0.0/16
add action=accept chain=forward dst-address=10.1.0.0/16 src-address=10.6.0.0/16
add action=accept chain=forward dst-address=10.2.0.0/16 src-address=10.7.0.0/16
add action=accept chain=forward dst-address=10.3.0.0/16 src-address=10.8.0.0/16
add action=accept chain=forward dst-address=10.4.0.0/16 src-address=10.9.0.0/16
add action=accept chain=forward dst-address=192.168.0.1 src-address=10.0.0.0/16
add action=accept chain=forward dst-address=10.0.0.0/16 src-address=192.168.0.1
add action=accept chain=forward dst-address=192.168.0.1 src-address=10.5.0.0/16
add action=accept chain=forward dst-address=10.5.0.0/16 src-address=192.168.0.1
add action=accept chain=forward dst-address=10.0.0.0/8 src-address=192.168.5.0/30
add action=accept chain=forward dst-address=192.168.5.0/30 src-address=10.0.0.0/8
add action=drop chain=forward dst-address=10.0.0.5 dst-port=137 protocol=udp src-address=10.1.1.0/24
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.1.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.2.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.3.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.4.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.6.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.7.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.8.0.0/16
add action=drop chain=forward dst-address=10.0.0.0/8 src-address=10.9.0.0/16
mkx
Forum Guru
Posts: 2601
Joined: Thu Mar 03, 2016 10:23 pm

Re: Default fasttrack rule

Sun Jan 27, 2019 3:18 pm

The trick is that fasttrack marks connections to be fasttracked (and they can't be un-fasttracked). From a performance point of view it does not hurt much if there are a number of more specific rules before it. On the other hand, there can be more than one fasttrack filter rule, so they can be quite specific not to fasttrack too much.
BR,
Metod
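One way to write the exclusion the thread is circling around, given as an added example and not as configuration from either poster: an address list holding the remote subnets from the IPsec policies quoted above plus the Guest VLAN subnet (a placeholder here, since the thread never states it), and a single fasttrack rule negated on that list for both source and destination, placed ahead of the generic established/related accept. RouterOS 6.x firewall syntax is assumed.

```routeros
# Added example (not from the thread). Remote-side subnets are taken from the
# IPsec policies posted above; <guest-vlan-subnet> is a placeholder to replace.
/ip firewall address-list
add list=NoFasttrack address=10.5.0.0/16 comment="remote IPsec subnet"
add list=NoFasttrack address=10.6.0.0/16 comment="remote IPsec subnet"
add list=NoFasttrack address=10.7.0.0/16 comment="remote IPsec subnet"
add list=NoFasttrack address=10.8.0.0/16 comment="remote IPsec subnet"
add list=NoFasttrack address=10.9.0.0/16 comment="remote IPsec subnet"
add list=NoFasttrack address=192.168.5.0/30 comment="remote IPsec subnet"
add list=NoFasttrack address=<guest-vlan-subnet> comment="Guest VLAN: keep simple queue effective"

/ip firewall filter
# The local side of each policy (10.0.0.0/16, 10.1.0.0/16, ... 192.168.0.0/24)
# does not need to be listed: every packet of a tunnelled connection carries the
# remote subnet as either its source or its destination, so negating the list on
# both sides is enough to keep the connection from ever being marked.
# The sa-src/sa-dst peer addresses (x.x.x.x) only appear on the ESP packets the
# router itself sends and receives (input/output chains); they never hit this
# forward rule, so they do not belong in the list.
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address-list=!NoFasttrack dst-address-list=!NoFasttrack \
    comment="fasttrack everything except IPsec and Guest traffic"
# Keep this accept AFTER the fasttrack rule: if established/related traffic is
# accepted earlier in the chain, the fasttrack rule is never reached.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related (including excluded connections)"
```

Because a connection, once marked, stays fasttracked and bypasses simple queues, a quick check after applying this is that the Guest VLAN's queue counters still increase while traffic is flowing, and that the fasttrack rule's packet counter stays at zero for a test connection into one of the listed remote subnets.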
