jhbarrantes
Frequent Visitor
Topic Author
Posts: 51
Joined: Wed Aug 21, 2019 2:56 pm

How to check if fasttrack is really working in V7

Wed Oct 20, 2021 10:57 am

I recently migrated one of my routers to RouterOS v7rc4. I notice fasttrack counters (either packages/bytes) are the same for this firewall rule and for the subsequent one that accepts new traffic in forward. If I'm not wrong, these counters should be different when fasttrack is active, due to the fact that related traffic should be entering through the first rule, and not the second one, hence the first rule should receive much more traffic than the second one. Is my assumption wrong?

fasttrack.png

Attached is my configuration, which is just the default config from the default init script.
/interface bridge
add admin-mac=E4:8D:8C:50:A3:F0 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Madrid
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Thanks a lot in advance.
 
gabacho4
Member
Posts: 329
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: How to check if fasttrack is really working in V7

Wed Oct 20, 2021 6:35 pm

If you navigate to IP -> Settings in Winbox, you will see a section toward the bottom that indicates whether IPv4 fasttrack is active. It will also show you the number of bytes and packets that have been handled by fasttrack.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: How to check if fasttrack is really working in V7

Wed Oct 20, 2021 7:32 pm

> I recently migrated one of my routers to RouterOS v7rc4. I notice fasttrack counters (either packages/bytes) are the same for this firewall rule and for the subsequent one that accepts new traffic in forward. If I'm not wrong, these counters should be different when fasttrack is active, due to the fact that related traffic should be entering through the first rule, and not the second one, hence the first rule should receive much more traffic than the second one. Is my assumption wrong?

Yes, your assumption is wrong. Fasttracked connections don't hit the firewall anymore except for rule 0. If you look at your rule 0 in your firewall in your screenshot above you see 25.5MiB of data. That is the counter rule ("special dummy rule to show fasttrack counters") that shows how much is being fasttracked. So I can already see from your screenshot that fasttrack is working fine.
 
jhbarrantes
Frequent Visitor
Topic Author
Posts: 51
Joined: Wed Aug 21, 2019 2:56 pm

Re: How to check if fasttrack is really working in V7

Wed Oct 20, 2021 7:48 pm

> > I recently migrated one of my routers to RouterOS v7rc4. I notice fasttrack counters (either packages/bytes) are the same for this firewall rule and for the subsequent one that accepts new traffic in forward. If I'm not wrong, these counters should be different when fasttrack is active, due to the fact that related traffic should be entering through the first rule, and not the second one, hence the first rule should receive much more traffic than the second one. Is my assumption wrong?
>
> Yes, your assumption is wrong. Fasttracked connections don't hit the firewall anymore except for rule 0. If you look at your rule 0 in your firewall in your screenshot above you see 25.5MiB of data. That is the counter rule ("special dummy rule to show fasttrack counters") that shows how much is being fasttracked. So I can already see from your screenshot that fasttrack is working fine.

You're absolutely right. I just reset another router with 6.49 and it is working the same way. I don't know why I had the feeling these numbers were different before, but it might be the case I had it like this because I stopped some of the rules at some point, therefore the difference in counters.

Thanks both for the quick reply!
 
howdey57
Member Candidate
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: How to check if fasttrack is really working in V7

Tue Aug 16, 2022 4:19 pm

> Yes, your assumption is wrong. Fasttracked connections don't hit the firewall anymore except for rule 0. If you look at your rule 0 in your firewall in your screenshot above you see 25.5MiB of data. That is the counter rule ("special dummy rule to show fasttrack counters") that shows how much is being fasttracked. So I can already see from your screenshot that fasttrack is working fine.

If the Fasttracked connections don't hit the firewall anymore, why do we need the "fasttrack-connection" rule?
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: How to check if fasttrack is really working in V7

Tue Aug 16, 2022 6:35 pm

> If the Fasttracked connections don't hit the firewall anymore, why do we need the "fasttrack-connection" rule?

When a certain connection matches the selection criteria of this rule, the action of this rule "registers" the connection for fasttracking. And this applies to connections that are not fasttracked (yet). Without such a rule fasttrack doesn't work at all. Sometimes it's good to exclude some connections from being fasttracked for various reasons, and it's good to have the possibility to fine-tune the selection process.

The top-most "rule" which shows meaningful counters is a dummy rule (as noted by a comment for this rule) and doesn't affect the actual packet flow of any packets.
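
A toy model of the counter behaviour discussed in this thread, added here as an example (it is not from any poster and is not RouterOS code). It assumes the second packet of a connection is already established, that the fasttrack-connection action passes the packet on to the next rule, and that every later packet of a registered connection bypasses the filter; `simulate`, `SAMPLE` and the counter names are hypothetical.

```python
from collections import Counter

# Constructed sample traffic: (connection id, packet size in bytes).
SAMPLE = [("A", 1500)] * 100 + [("B", 100)] * 10


def simulate(packets, fasttrack_rule=True, exclude=()):
    """Return per-rule byte counters for a simplified defconf forward chain.

    fasttrack_rule: whether the fasttrack-connection rule is present.
    exclude: connection ids the fasttrack-connection rule does not match.
    """
    counters = Counter()
    seen = set()         # connections already known to connection tracking
    fasttracked = set()  # connections registered for fasttrack
    for conn, size in packets:
        if conn in fasttracked:
            # Fasttracked packets skip the filter rules; only the dummy
            # counter rule at the top reflects them.
            counters["dummy fasttrack counter"] += size
            continue
        if conn not in seen:
            # Assumption: first packet is state=new, later ones established.
            seen.add(conn)
            counters["new traffic"] += size
            continue
        if fasttrack_rule and conn not in exclude:
            # Assumption: the action registers the connection and the packet
            # still continues to the next rule, so both rules count it.
            counters["fasttrack-connection"] += size
            fasttracked.add(conn)
        counters["accept established"] += size
    return counters


if __name__ == "__main__":
    for label, kwargs in [("with fasttrack rule", {}),
                          ("without fasttrack rule", {"fasttrack_rule": False}),
                          ("connection B excluded", {"exclude": {"B"}})]:
        print(label, dict(simulate(SAMPLE, **kwargs)))
```

In the model, the fasttrack-connection rule and the accept rule after it show equal counters unless some connection is excluded from fasttracking, and the bulk of the bytes appears only on the dummy counter.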
 
howdey57
Member Candidate
Posts: 122
Joined: Wed Dec 31, 2014 2:36 pm

Re: How to check if fasttrack is really working in V7

Tue Aug 16, 2022 10:59 pm

Thank you. That makes sense.
