Community discussions

MikroTik App
 
icsterm
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 58
Joined: Sun Mar 11, 2018 11:11 pm

Fasttracking using filter vs mangle

Sat Nov 16, 2019 9:35 pm

Hi,

Can someone tell me what is the difference between:
/ip firewall mangle chain=prerouting action=fasttrack-connection log=no log-prefix=""
vs
/ip firewall filter chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

Also, I can mangle all 4 chains using fasttrack-connection action:
 > /ip firewall mangle print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    chain=prerouting action=fasttrack-connection log=no log-prefix="" 

 4    chain=input action=fasttrack-connection log=no log-prefix="" 

 5    chain=output action=fasttrack-connection log=no log-prefix="" 

 6    chain=postrouting action=fasttrack-connection log=no log-prefix="" 

Is there any benefit of fasttracking input/output/postrouting chains ?

Should I also include "established,related' states if using mangle instead of filter ?

There is little info to be found on this topic.


According to the wiki:

ip firewall mangle:
"fasttrack-connection - shows fasttrack counters, useful for statistics"
ip firewall filter:
"fasttrack-connection - process packets from a connection using FastPath by enabling FastTrack for the connection"

The mangle part is not true, because my fasttrack packet counters increase while using mangle action fasttrack (without using filter action fasttrack).
 
fragtion
Member Candidate
Member Candidate
Posts: 257
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: Fasttracking using filter vs mangle

Mon Nov 01, 2021 8:04 pm

Great question, with sadly no answer .... I'm looking for these answers too.
 
esipoko
just joined
Posts: 21
Joined: Sat Dec 04, 2021 7:25 am

Re: Fasttracking using filter vs mangle

Fri Mar 31, 2023 8:35 pm

The difference is in the position of marking.
Look at the packet flow diagram, I attached.
Fast tracking in prerouting chain of mangling occures sooner than input chain of filter or forward so I think that prevents some unnecessary process.
You do not have the required permissions to view the files attached to this post.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Fasttracking using filter vs mangle

Sat Apr 01, 2023 4:34 am

i think maybe it's not so relevant

once the connection is marked for fasttrack, most of the subsequent packets of that connection are fast-tracked avoiding processing overhead, placement of fast-track rule does not change anything for those packet (most of them)

Fast track rule placement only impact first packets of a connection before that connection is marked for fast-track
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Fasttracking using filter vs mangle

Sat Apr 01, 2023 1:21 pm

Indeed.

Description of packet flow in new help page mentions briefly how fast track fits in packet flow. Text mentions that fast tracked packets skip connection tracking while graphics indicates some logic inside connection tracking parallelogram.

In any case, packets only enter prerouting chain but seemingly exit it before hitting mangle prerouting. And they definitely don't enter forward (or input) chains. So they bypass all mangle and firewall (both raw and filter).

When it comes to marking fir fasttrack (tgere are only a small number of packets hitting those rules), my personal opinion is tgat full firewall rule is better choice simply because there are more matching criteria available to make a good matcher. Performance wise it doesn't matter much.

Who is online

Users browsing this forum: Amazon [Bot] and 23 guests