This leaves me with a functional connection, except that TCP connections seem to take a very long time to initialize and begin transferring data. This can be seen in Firefox's network monitor as a very long wait period (5 - 50 seconds) before receiving data. That said, once data reception starts everything is snappy and usually downloads in a few milliseconds.
I was able to solve this by disabling the FastTrack rule in the forward chain. What has me confused is why this wasn't working in the first place.
Consider the following firewall rules:
[admin@MikroTik] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; FastTrack
      chain=forward action=fasttrack-connection hw-offload=no connection-state=established,related

 2    ;;; Established, Related
      chain=forward action=accept connection-state=established,related

<truncated for brevity>

[admin@MikroTik] > /ip/firewall/mangle/print
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough

 3    chain=prerouting action=mark-connection new-connection-mark=pia_wireguard_conn src-address=192.168.0.0/16 dst-address=!192.168.0.0/16 connection-mark=no-mark

 4    chain=prerouting action=mark-routing new-routing-mark=routes-pia src-address=192.168.0.0/16 connection-mark=pia_wireguard_conn

 5    chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp routing-mark=routes-pia
Now, according to the official documentation (here):
3. The packet enters forward process;
a. check TTL value;
b. process packet through Mangle forward chain;
c. process packet through Filter forward chain;
d. send the packet to accounting processes;
Now, if I disable the FastTrack rule in the forward chain (via `/ip/firewall/filter/set disabled=yes 1`), everything works exactly as expected without delay.
In short, why is this? Where is my understanding in this process going off the rails?
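One way to keep FastTrack for ordinary forwarded traffic while exempting only the policy-routed connections from it, as an added example that is not part of the original post. It assumes the rule numbering shown in the post's output (rule 1 is the FastTrack rule) and relies on MikroTik's documented behaviour that fasttracked packets bypass the mangle chains, so the mark-routing and change-mss rules above never see them once a connection is fasttracked.

```routeros
# Added example, not from the original post. Assumes the rule numbers from
# the post's /ip/firewall/filter/print output (rule 1 = FastTrack).

# Exempt connections carrying the WireGuard connection mark from FastTrack;
# they fall through to rule 2 (plain accept for established,related) and
# keep traversing mangle prerouting/forward on every packet.
/ip/firewall/filter/set 1 connection-mark=!pia_wireguard_conn

# Check 1: marked connections must not show the F (fasttrack) flag.
/ip/firewall/connection/print where connection-mark=pia_wireguard_conn

# Check 2: the dummy "fasttrack counters" rules should still increment for
# traffic that is NOT marked, confirming FastTrack is active for the rest.
/ip/firewall/filter/print stats
/ip/firewall/mangle/print stats
```

If the delay disappears with this change but returns after removing the `connection-mark=!pia_wireguard_conn` matcher, the FastTrack rule is what was hiding the marked connections from the mangle rules.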