BOSS497
just joined
Topic Author
Posts: 7
Joined: Fri Mar 11, 2022 3:23 pm

hAP ax² 7.15.3 Wireguard and default fasttrack rule issue

Tue Aug 06, 2024 9:04 pm

Hi, I replaced my hAP ac² with a hAP ax² and now I have a strange problem with Cloudflare WARP VPN. Both devices have the latest ROS 7.15.3 and an almost identical configuration, but when I use the typical mangle rule to route all traffic from one PC through WARP on the hAP ax², I get very unstable download speed, massive packet loss and upload speed near 0 kbps until I disable the default fasttrack rule. On the hAP ac² this works perfectly without disabling fasttrack. Is there any way to elegantly and beautifully solve this problem and keep fasttrack working?
/interface wireguard
add listen-port=13231 mtu=1280 name=cloudflare-warp
add listen-port=13233 mtu=1420 name=test-vpn
add listen-port=13232 mtu=1420 name=to-zelenyeallei
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=162.159.193.2 endpoint-port=500 \
    interface=cloudflare-warp name=warp persistent-keepalive=25s public-key=\
    "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
add allowed-address=0.0.0.0/0 endpoint-port=13232 interface=to-zelenyeallei \
    is-responder=yes name=LittleZebra persistent-keepalive=25s public-key=\
    "1lkpiaTxjprVbBZ8MwvlSmmE4XH/wtL2BIEG6OPVjAE="
add allowed-address=0.0.0.0/0 endpoint-port=13233 interface=test-vpn is-responder=\
    yes name=TiFive persistent-keepalive=25s preshared-key=\
    "b8S4gs6HIVlQxbbgdGTlq9Zsz4vx560hzST6rXHK8OQ=" public-key=\
    "+UihIv7CZ3VtRe+RWhExNixp/yzbz1wASATTwTe+CyY="
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow wireguard from zelenyeallei" dst-port=\
    13232 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow wireguard from vpn users" dst-port=\
    13233 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox remote access" dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes routing-mark=main
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "set proper mtu for cloudflare-warp interface" new-mss=clamp-to-pmtu \
    out-interface=cloudflare-warp passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting comment=\
    "BOSS-PC all traffic through warp" disabled=yes dst-address-type=!local \
    new-routing-mark=cloudflare-warp passthrough=no src-address=192.168.98.16
add action=mark-routing chain=prerouting comment=\
    "test-vpn users all traffic through warp" dst-address-type=!local \
    new-routing-mark=cloudflare-warp passthrough=yes src-address=172.22.0.0/24

hAP ax² full config
# 2024-08-06 20:57:09 by RouterOS 7.15.3
# software id = VV6B-EA5P
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=48:A9:8A:8B:99:95 arp=proxy-arp auto-mac=no comment=defconf name=\
    bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=78:B2:13:A6:41:59
/interface wireguard
add listen-port=13231 mtu=1280 name=cloudflare-warp
add listen-port=13233 mtu=1420 name=test-vpn
add listen-port=13232 mtu=1420 name=to-zelenyeallei
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412-2442 name=2.4GHz width=20/40mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5745 name=5GHz width=20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=bridge-local
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=\
    mzn-security
/interface wifi configuration
add channel=2.4GHz country=Russia datapath=bridge-local disabled=no mode=ap name=\
    mzn-2.4GHz security=mzn-security ssid=MZN
add channel=5GHz country=Russia datapath=bridge-local disabled=no mode=ap name=\
    mzn-5GHz security=mzn-security ssid=MZN
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/routing table
add disabled=no fib name=cloudflare-warp
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=*7
add bridge=bridge comment=defconf interface=*8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=to-zelenyeallei list=LAN
add interface=cloudflare-warp list=WAN
/interface wifi provisioning
add action=create-dynamic-enabled comment=2.4GHz-rule disabled=no \
    master-configuration=mzn-2.4GHz supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=5GHz-rule disabled=no \
    master-configuration=mzn-5GHz supported-bands=5ghz-ax
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=162.159.193.2 endpoint-port=500 \
    interface=cloudflare-warp name=warp persistent-keepalive=25s public-key=\
    "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
add allowed-address=0.0.0.0/0 endpoint-port=13232 interface=to-zelenyeallei \
    is-responder=yes name=LittleZebra persistent-keepalive=25s public-key=\
    "1lkpiaTxjprVbBZ8MwvlSmmE4XH/wtL2BIEG6OPVjAE="
add allowed-address=0.0.0.0/0 endpoint-port=13233 interface=test-vpn is-responder=\
    yes name=TiFive persistent-keepalive=25s preshared-key=\
    "b8S4gs6HIVlQxbbgdGTlq9Zsz4vx560hzST6rXHK8OQ=" public-key=\
    "+UihIv7CZ3VtRe+RWhExNixp/yzbz1wASATTwTe+CyY="
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=192.168.98.0
add address=172.16.0.2 interface=cloudflare-warp network=172.16.0.2
add address=10.0.0.1/30 interface=to-zelenyeallei network=10.0.0.0
add address=172.22.0.1/24 interface=test-vpn network=172.22.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.98.100 client-id=1:10:7b:44:90:2e:52 comment=MZN-PC mac-address=\
    10:7B:44:90:2E:52 server=defconf
add address=192.168.98.16 client-id=1:4:92:26:da:13:47 comment=BOSS-PC mac-address=\
    04:92:26:DA:13:47 server=defconf
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=94.140.14.14,94.140.15.15 \
    gateway=192.168.98.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.0.0.1,1.1.1.1
/ip dns static
add address=192.168.98.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow wireguard from zelenyeallei" dst-port=\
    13232 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow wireguard from vpn users" dst-port=\
    13233 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox remote access" dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes routing-mark=main
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "set proper mtu for cloudflare-warp interface" new-mss=clamp-to-pmtu \
    out-interface=cloudflare-warp passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting comment="BOSS-PC all traffic through warp" \
    disabled=yes dst-address-type=!local new-routing-mark=cloudflare-warp \
    passthrough=no src-address=192.168.98.16
add action=mark-routing chain=prerouting comment=\
    "test-vpn users all traffic through warp" dst-address-type=!local \
    new-routing-mark=cloudflare-warp passthrough=yes src-address=172.22.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=cloudflare-warp routing-table=\
    cloudflare-warp suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=to-zelenyeallei \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=8.8.8.8/32 gateway=cloudflare-warp routing-table=main \
    suppress-hw-offload=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=\
    equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=PLK15k2
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
hAP ac² full config
# 2024-08-06 21:00:23 by RouterOS 7.15.3
# software id = ZDDP-EXRW
#
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=74:4D:28:E0:8C:DE arp=proxy-arp auto-mac=no comment=defconf mtu=\
    1500 name=bridge port-cost-mode=short
/interface eoip
add mac-address=02:B9:50:D3:CC:DA mtu=1500 name=to-masku remote-address=\
    masku.keenetic.pro tunnel-id=1
add allow-fast-path=no disabled=yes mac-address=02:B7:99:BF:FA:84 mtu=1500 \
    name=to-raduzhnaya remote-address=b4a00b07c004.sn.mynetname.net tunnel-id=0
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=cloudflare-warp
add listen-port=13233 mtu=1420 name=test-vpn
add listen-port=13232 mtu=1420 name=to-zelenyeallei
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-n disabled=no frequency=2412-2442 name=2.4G-N width=20/40mhz
add band=5ghz-ac disabled=no frequency=5180,5260,5745 name=5G-AC width=\
    20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=mzn-local
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=mzn-main
/interface wifi configuration
add channel=2.4G-N country=Russia datapath=mzn-local disabled=no mode=ap name=\
    mzn-2.4 security=mzn-main ssid=MZN
add channel=5G-AC country=Russia datapath=mzn-local disabled=no mode=ap name=\
    mzn-5G-AC security=mzn-main ssid=MZN
/ip dhcp-server option
add code=3 name=gateway value="'192.168.2.1'"
/ip ipsec mode-config
add connection-mark=fuck-rkn name=surfshark responder=no
/ip ipsec policy group
add name=surfshark
/ip ipsec profile
add name=surfshark
/ip ipsec peer
add address=ua-iev.prod.surfshark.com disabled=yes exchange-mode=ike2 name=\
    surfshark profile=surfshark
/ip ipsec proposal
add name=surfshark pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.127
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=192.168.1.1 name=pptp remote-address=dhcp
add local-address=192.168.1.1 name=sstp remote-address=dhcp
set *FFFFFFFE use-ipv6=no
/routing table
add disabled=no fib name=cloudflare-warp
add disabled=no fib name=vpngate
add disabled=no fib name=zelenyeallei
/interface bridge filter
add action=drop chain=forward dst-port=67-68 ip-protocol=udp mac-protocol=ip \
    out-interface=to-raduzhnaya
add action=drop chain=forward dst-port=67-68 ip-protocol=udp mac-protocol=ip \
    out-interface=to-masku
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=*1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=*2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=*32 internal-path-cost=10 \
    path-cost=10
add bridge=bridge ingress-filtering=no interface=*C internal-path-cost=10 \
    path-cost=10
add bridge=bridge ingress-filtering=no interface=to-raduzhnaya \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=to-masku internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=cloudflare-warp list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap2 enabled=yes
/interface sstp-server server
set authentication=mschap2 certificate=plk-sstp default-profile=sstp enabled=\
    yes pfs=yes tls-version=only-1.2
/interface wifi cap
set caps-man-addresses=127.0.0.1 certificate=WiFi-CAPsMAN-CA-744D28E08CDD \
    discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi configuration
add channel=*2 country=Russia datapath=mzn-local disabled=yes mode=ap name=\
    mzn-5G-N security=mzn-main ssid=MZN
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=mzn-2.4 \
    name-format=cap-%I-N- supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=mzn-5G-AC \
    name-format=cap-%I-AC- supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=yes master-configuration=mzn-5G-N \
    name-format=cap-%I-5G-N- supported-bands=5ghz-n
/interface wireguard peers
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=162.159.193.1 \
    endpoint-port=500 interface=cloudflare-warp name=warp persistent-keepalive=\
    25s public-key="bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
add allowed-address=0.0.0.0/0 endpoint-port=13232 interface=to-zelenyeallei \
    is-responder=yes name=LittleZebra persistent-keepalive=25m public-key=\
    "1lkpiaTxjprVbBZ8MwvlSmmE4XH/wtL2BIEG6OPVjAE="
add allowed-address=0.0.0.0/0 endpoint-port=13233 interface=test-vpn \
    is-responder=yes name=TiFive preshared-key=\
    "b8S4gs6HIVlQxbbgdGTlq9Zsz4vx560hzST6rXHK8OQ=" public-key=\
    "+UihIv7CZ3VtRe+RWhExNixp/yzbz1wASATTwTe+CyY="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
add address=172.16.0.2 interface=cloudflare-warp network=172.16.0.2
add address=10.0.0.1/30 interface=to-zelenyeallei network=10.0.0.0
add address=172.22.0.1/24 comment="Wireguard Interface" interface=test-vpn \
    network=172.22.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.16 client-id=1:4:92:26:da:13:47 mac-address=\
    04:92:26:DA:13:47 server=defconf
add address=192.168.1.14 client-id=1:d0:50:99:49:5d:43 mac-address=\
    D0:50:99:49:5D:43 server=defconf
add address=192.168.1.15 client-id=1:d2:50:99:3:aa:47 mac-address=\
    D2:50:99:03:AA:47 server=defconf
add address=192.168.1.100 client-id=1:10:7b:44:90:2e:52 mac-address=\
    10:7B:44:90:2E:52 server=defconf
add address=192.168.1.35 client-id=1:d4:5e:ec:b0:e8:ca mac-address=\
    D4:5E:EC:B0:E8:CA server=defconf
add address=192.168.1.17 client-id=1:46:fc:6d:bf:e3:cb mac-address=\
    46:FC:6D:BF:E3:CB server=defconf
add address=192.168.1.47 client-id=1:b6:c5:15:d8:b5:77 mac-address=\
    B6:C5:15:D8:B5:77 server=defconf
add address=192.168.1.52 client-id=1:d2:d4:4a:94:2e:50 mac-address=\
    D2:D4:4A:94:2E:50 server=defconf
add address=192.168.1.10 client-id=1:44:23:7c:8d:a9:cd comment=BOSS-TV \
    mac-address=44:23:7C:8D:A9:CD server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=94.140.14.14,94.140.15.15 \
    gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    162.252.172.57,149.154.159.92,1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
add address=192.168.1.14 name=truenas
add address=192.168.1.16 name=test.local
add address=192.168.0.18 disabled=yes name=vsphere.belanta.vet
/ip firewall address-list
add address=www.intel.com list=intel
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard test rule" dst-port=13232 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment="Allow Wireguard from All" dst-port=13233 \
    protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" \
    dst-port=53 in-interface=test-vpn protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="disable TV internet" disabled=yes \
    src-address=192.168.1.35
add action=drop chain=forward comment="disable Valya phone internet" disabled=\
    yes src-address=192.168.1.47
add action=drop chain=forward comment="disable Masha tablet internet" disabled=\
    yes src-address=192.168.1.17
add action=accept chain=input comment="web server" dst-port=8443 protocol=tcp
add action=accept chain=input comment="web server" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="allow l2tp" protocol=l2tp
add action=accept chain=input comment="allow l2tp udp" disabled=yes protocol=\
    udp
add action=accept chain=input comment="allow sstp incoming connections" \
    dst-port=443 protocol=tcp
add action=accept chain=input comment="allow pptp incoming connections" \
    dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input in-interface-list=WAN protocol=gre
add action=accept chain=input comment="allow winbox remote access" dst-port=\
    8291 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "TiFive all traffic through warp" dst-address-type=!local new-routing-mark=\
    cloudflare-warp passthrough=no src-address=172.22.0.0/24
add action=mark-routing chain=prerouting comment=\
    "BOSS-PC all traffic through warp" disabled=yes dst-address-type=!local \
    new-routing-mark=cloudflare-warp passthrough=no src-address=192.168.1.16
add action=mark-routing chain=prerouting comment=\
    "BOSS-PC all traffic zelenyeallei" disabled=yes dst-address-type=!local \
    new-routing-mark=zelenyeallei passthrough=no src-address=192.168.1.16
/ip firewall nat
add action=dst-nat chain=dstnat comment="web server" dst-port=8443 protocol=tcp \
    to-addresses=192.168.1.100 to-ports=8443
add action=dst-nat chain=dstnat comment="web server" disabled=yes dst-port=443 \
    protocol=tcp to-addresses=192.168.1.100 to-ports=443
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="source sdk port forwarding" dst-port=\
    27010-27030 protocol=tcp to-addresses=192.168.1.100
add action=dst-nat chain=dstnat dst-port=27010-27030 protocol=udp to-addresses=\
    192.168.1.100
add action=dst-nat chain=dstnat comment="Soldat 2D" dst-port=23073 protocol=udp \
    to-addresses=192.168.1.100
add action=masquerade chain=srcnat src-address=192.168.88.0/24
/ip firewall service-port
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add auth-method=eap certificate=surfshark_ikev2.crt_0 eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=surfshark peer=surfshark \
    policy-template-group=surfshark username=uEjyHyzxnscrQwL6uXZuuy4r
/ip ipsec policy
add dst-address=0.0.0.0/0 group=surfshark proposal=surfshark src-address=\
    0.0.0.0/0 template=yes
/ip route
add disabled=no distance=1 dst-address=1.1.1.1/32 gateway=cloudflare-warp \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=cloudflare-warp routing-table=\
    cloudflare-warp suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=to-zelenyeallei routing-table=\
    zelenyeallei suppress-hw-offload=no
add disabled=no dst-address=192.168.10.0/24 gateway=to-zelenyeallei \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=8.8.8.8/32 gateway=cloudflare-warp routing-table=\
    main suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=snoopdog profile=pptp service=pptp
add name=daniyar profile=pptp service=pptp
add name=Urik profile=pptp service=pptp
add name=MASKu profile=pptp service=pptp
add name=tfive profile=pptp
add name=vlad profile=pptp
add name=chev profile=pptp
add name=ggn profile=pptp
/routing bgp connection
add as=64516 disabled=yes hold-time=4m input.filter=bgp_in keepalive-time=1m \
    local.address=10.14.0.2 .role=ebgp multihop=yes name=antifilter_bgp \
    remote.address=45.154.73.71/32 .as=65432 routing-table=main use-bfd=no
/routing filter rule
add chain=bgp_in disabled=no rule="set gw-interface *30; accept"
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=PLK15k2
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add disabled=yes interval=1d name="update antifilter script" on-event=\
    "/system script run fuck-rkn" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2020-08-03 start-time=05:00:00
/system script
add dont-require-permissions=no name=fuck-rkn owner=ggn policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":do\
    \_{\r\
    \n      :do {\r\
    \n            /file remove \"/allyouneed.rsc\";\r\
    \n       } on-error={}\r\
    \n\r\
    \n      :put \"Downloading allyouneed.rsc...\";\r\
    \n\r\
    \n      :do {\r\
    \n            /tool fetch url=\"https://antifilter.download/list/allyouneed.\
    rsc\" dst-path=\"/allyouneed.rsc\"\r\
    \n       } on-error={:put \"Error. Download failed\";}\r\
    \n   \r\
    \n       /ip firewall address-list remove [/ip firewall address-list find li\
    st=rkn] \r\
    \n\r\
    \n       :put \"Importing allyouneed.rsc...\";\r\
    \n       :do {\r\
    \n              /import \"/allyouneed.rsc\";\r\
    \n        } on-error={ :put \"import failed. unknown error.\";}\r\
    \n\r\
    \n        :put \"Update Complete.\";\r\
    \n\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by BOSS497 on Wed Aug 07, 2024 8:34 pm, edited 1 time in total.
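An added example, not the OP's config and not a confirmed diagnosis of the problem in this thread: the usual RouterOS way to combine mark-routing with fasttrack. Packets of a fasttracked connection bypass the mangle table, so a per-packet mark-routing rule in prerouting stops being applied once the connection has been fasttracked; matching routing-mark=main on the fasttrack rule does not prevent that, because the reply direction arriving from the tunnel never receives a routing mark and can still fasttrack the connection. The pattern below makes the routing decision on the first packet of a connection, stores it in a connection mark, routes on that mark, and keeps marked connections out of fasttrack with connection-mark=no-mark. The address-list name warp-clients, the connection-mark name warp and the comments are assumptions; the addresses, interface names and routing table come from the posted hAP ax² export, and the two mark-connection/mark-routing rules are meant to replace the OP's two per-packet mark-routing rules.

```routeros
/ip firewall address-list
add list=warp-clients address=192.168.98.16 comment="example: BOSS-PC"
add list=warp-clients address=172.22.0.0/24 comment="example: test-vpn users"

/ip firewall mangle
# 1. Decide once, on the first packet of each connection, and remember the
#    decision in the connection entry. This happens before the connection can
#    be fasttracked (the defconf fasttrack rule only matches established,related).
add chain=prerouting action=mark-connection new-connection-mark=warp \
    passthrough=yes connection-state=new src-address-list=warp-clients \
    dst-address-type=!local comment="example: tag new flows from WARP clients"
# 2. Route every packet of a tagged flow via the cloudflare-warp table, but only
#    packets that did not arrive from the tunnel: that table holds only a
#    default route, so marking the replies would send them back into WARP.
add chain=prerouting action=mark-routing new-routing-mark=cloudflare-warp \
    passthrough=no connection-mark=warp in-interface=!cloudflare-warp \
    comment="example: policy-route tagged flows"
# Optional fixed-MSS form of the OP's clamp rule. With the 1280-byte WireGuard
# MTU the largest IPv4 TCP MSS is 1280 - 20 (IP) - 20 (TCP) = 1240; a fixed
# value above that does not clamp far enough for this interface.
add chain=forward action=change-mss new-mss=1240 tcp-mss=1241-65535 \
    protocol=tcp tcp-flags=syn out-interface=cloudflare-warp passthrough=yes \
    comment="example: fixed-MSS alternative to clamp-to-pmtu"

/ip firewall filter
# 3. Keep tagged flows out of fasttrack. The existing defconf rule is changed in
#    place so it keeps its position above "accept established,related,untracked";
#    everything without a connection mark is fasttracked exactly as before.
set [ find comment="defconf: fasttrack" ] connection-mark=no-mark

# Check: a flow from 192.168.98.16 must show connection-mark=warp and no F
# (fasttrack) flag, while other LAN flows keep the F flag.
/ip firewall connection print where connection-mark=warp
```

If a tagged connection still shows the F flag after this, some fasttrack rule without the connection-mark matcher is still ahead of the accept rule; if replies from WARP stop arriving, the mark-routing rule is missing its in-interface exclusion and the cloudflare-warp table is swallowing the return traffic.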
 
anav
Forum Guru
Posts: 21827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ax² 7.15.3 Wireguard and default fasttrack rule issue

Tue Aug 06, 2024 9:15 pm

You may wish to try this mangle rule instead.
From:
/ip firewall mangle
add action=change-mss chain=forward comment=\
"set proper mtu for cloudflare-warp interface" new-mss=clamp-to-pmtu \
out-interface=cloudflare-warp passthrough=yes protocol=tcp tcp-flags=syn

TO:
add action=change-mss chain=forward new-mss=1380 out-interface=cloudflare-warp protocol=tcp tcp-flags=syn tcp-mss=1381-65535
 
BOSS497
just joined
Topic Author
Posts: 7
Joined: Fri Mar 11, 2022 3:23 pm

Re: hAP ax² 7.15.3 Wireguard and default fasttrack rule issue

Tue Aug 06, 2024 9:37 pm

anav wrote:
You may wish to try this mangle rule instead.
From:
/ip firewall mangle
add action=change-mss chain=forward comment=\
"set proper mtu for cloudflare-warp interface" new-mss=clamp-to-pmtu \
out-interface=cloudflare-warp passthrough=yes protocol=tcp tcp-flags=syn

TO:
add action=change-mss chain=forward new-mss=1380 out-interface=cloudflare-warp protocol=tcp tcp-flags=syn tcp-mss=1381-65535
Yeah, I know this trick, but it's not an MTU problem; in my case it has the same result as "clamp-to-pmtu". Before this, speed was 35-40 Mbps download / 200+ Mbps upload; if I use "new-mss=1380" or "clamp-to-pmtu", speed becomes 200+/200+. But if fasttrack is enabled on the hAP ax², I always get 3-5/0 Mbps. It looks like a strange bug to me. I know there were problems earlier with IPsec and fasttrack, but now that's fixed with the default "accept in/out ipsec policy" rules before fasttrack.
