meazz1, Frequent Visitor (Topic Author)

Where in firewall rules the Fasttrack should be

Sun Oct 17, 2021 3:28 am

Back to MikroTik after using OPNsense for a while.
Newbie when it comes to firewall rules.
My understanding is that the fasttrack rule should be at the top of the rules.
These are my firewall rules out of the box, and the fasttrack rule is at number 8. Is this OK, or do I need to move it up? What else should I be moving with it if I have to, and does this need to be done at all?

 
holvoetn, Forum Guru

Re: Where in firewall rules the Fasttrack should be

Sun Oct 17, 2021 12:26 pm

That's the default configuration?
It has to be there.

If you add input rules, put them above the FastTrack rule.
 
anav, Forum Guru

Re: Where in firewall rules the Fasttrack should be

Sun Oct 17, 2021 4:24 pm

/export hide-sensitive file=anynameyouwish
 
mkx, Forum Guru

Re: Where in firewall rules the Fasttrack should be

Sun Oct 17, 2021 7:31 pm

Rules #1-#5 are chain=input, and fasttrack doesn't apply to them. Then there is traffic which should not be fasttracked, as it absolutely has to be processed before being routed further, such as IPsec traffic. So your fasttrack rule, being third in chain=forward, seems to be in the right spot.
 
meazz1, Frequent Visitor (Topic Author)

Re: Where in firewall rules the Fasttrack should be

Sun Oct 17, 2021 8:33 pm

Here's my firewall output.
# oct/17/2021 13:31:58 by RouterOS 6.49
# software id = 5MZ7-RL5B
#
# model = RB760iGS
# serial number = E1XXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.4.10-192.168.4.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.4.1/24 comment=defconf interface=bridge network=\
    192.168.4.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no \
    use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 comment=defconf dns-server=\
    192.168.4.209,192.168.4.208 domain=clubamgg.com gateway=192.168.4.1 \
    netmask=24
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.4.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=51820 in-interface=ether1 protocol=\
    udp to-addresses=192.168.4.8 to-ports=51820
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.4.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Router
/system note
set note="mehdi, clubamgg.com - Authorized administrators only. Access to this\
    \_device is monitored."
/system ntp client
set enabled=yes primary-ntp=38.229.71.1 secondary-ntp=199.180.133.100 \
    server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.or
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
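A way to check the ordering rules mkx describes against an export like the one above, written as an added example (not code from the thread or from MikroTik). It parses the `/ip firewall filter` section of `/export` output, handling the backslash line continuations RouterOS emits, and reports whether the fasttrack rule is in the forward chain, after the IPsec policy accepts, and before the generic accept established,related rule. The sample export embedded below is a constructed copy of the filter section posted above; the `move_rule` helper mimics dragging a rule to a new position in WinBox so the wrong orders can be tested too.

```python
"""Lint where the fasttrack-connection rule sits in a RouterOS /ip firewall filter export.
Added example, not from the thread or MikroTik. Checks: chain=input rules are irrelevant;
IPsec policy accepts must precede fasttrack; fasttrack must precede the generic accept."""
import shlex

# Constructed sample: the filter rules from the export posted above (default config).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
"""


def unwrap(text):
    """Join RouterOS continuation lines: a trailing backslash continues on the next indented line."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            lines.append(line)
    return lines


def parse_filter_rules(text):
    """Return the `add` rules of the /ip firewall filter section as dicts, in export order."""
    rules, section = [], None
    for line in unwrap(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            # shlex keeps quoted comments intact; each token is key=value
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return rules


def fasttrack_position(rules):
    """1-based position of the first fasttrack rule: (overall, within chain=forward), or None."""
    forward_seen = 0
    for i, rule in enumerate(rules, 1):
        forward_seen += rule.get("chain") == "forward"
        if rule.get("action") == "fasttrack-connection":
            return i, forward_seen
    return None


def check_fasttrack_placement(rules):
    """Return findings as strings; an empty list means the fasttrack rule is well placed."""
    findings = [f"rule {i}: fasttrack-connection only belongs in chain=forward, not chain={r.get('chain')}"
                for i, r in enumerate(rules, 1)
                if r.get("action") == "fasttrack-connection" and r.get("chain") != "forward"]
    forward = [r for r in rules if r.get("chain") == "forward"]
    ft = next((i for i, r in enumerate(forward) if r.get("action") == "fasttrack-connection"), None)
    if ft is None:
        return findings + ["no fasttrack-connection rule in chain=forward"]
    for i, r in enumerate(forward):
        label = f"forward rule {i + 1} ({r.get('comment', '')})"
        if i > ft and "ipsec-policy" in r:
            # IPsec traffic must be fully processed, so its accept has to come before fasttrack
            findings.append(f"{label} matches IPsec policy but sits after fasttrack; move it above")
        elif i < ft and r.get("action") == "accept" and "established" in r.get("connection-state", ""):
            # a generic accept ahead of fasttrack matches first, so fasttrack never fires
            findings.append(f"{label} accepts established traffic before fasttrack, which never matches")
    return findings


def move_rule(rules, src, dst):
    """Copy of rules with the rule at 0-based index src moved to index dst (like dragging in WinBox)."""
    moved = list(rules)
    moved.insert(dst, moved.pop(src))
    return moved


if __name__ == "__main__":
    rules = parse_filter_rules(SAMPLE_EXPORT)
    print("fasttrack is rule %d overall, rule %d in chain=forward" % fasttrack_position(rules))
    print("default order:", check_fasttrack_placement(rules) or "no findings")
    # What the opening post considered: fasttrack at the very top of the whole list.
    for finding in check_fasttrack_placement(move_rule(rules, 7, 0)):
        print("moved to top:", finding)
```

Run against the default configuration this reports rule 8 overall, third in chain=forward, with no findings; moving the fasttrack rule to the top of the list produces one finding per IPsec policy rule now sitting below it, which is the reason holvoetn and mkx say to leave it where the default configuration puts it.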
 
anav, Forum Guru

Re: Where in firewall rules the Fasttrack should be  [SOLVED]

Sun Oct 17, 2021 9:09 pm

Looks good. The only things I would change are:

/tool mac-server mac-winbox
set allowed-interface-list=none

change to list=LAN (so as to enable access via WinBox to the router on the LAN),

and this one as well:

/ip neighbor discovery-settings
set discover-interface-list=none

change to list=LAN
