I have just re-built the configuration for one of my ROS devices (replacing an RB750 with an RB750Gr3) and as such I was working from the "new" default configuration.
I have not previously used the fasttrack functionality, but I read that by its nature, it bypasses certain things that may cause other parts of configuration to fail. Ones that would particularly affect me are:
- IPSec (The default accept rules for IPSec that might avoid this I have also disabled since I believe that would also allow undesired communication between VLANs/subnets locally.)
- Simple queue (rate limit) on 'Guest' VLAN with Hotspot
I considered enabling the rule with a src-address=!x.x.x.x (subnet associated with the 'Guest' VLAN), but that would not resolve the IPSec issue.
Thinking whilst typing this post, I suppose I could add a new address list, for example 'NoFasttrack', and add the source/destination addresses of the IPSec peers, as well as the 'Guest' subnet, and apply that restriction to both src-address-list=!NoFasttrack and dst-address-list=!NoFasttrack - would that work? Or do the LAN subnets involved in the IPSec policy also need to be excluded, which effectively means disabling fasttrack entirely, as is now?