fpawlak
just joined
Topic Author
Posts: 21
Joined: Wed Aug 26, 2020 2:49 pm

Is the IPsec fasttrack bypass rule still needed in ROS7?

Mon Mar 07, 2022 1:49 pm

Hi guys,
A simple question about IPsec and fasttrack.
With ROS7+, do I still need to add the 'bypass rule'?
e.g.
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec

/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related
I have seen something similar in the default config on my cAP ac after upgrading to ROS 7.1.3, so it probably is still needed.
g18c
Frequent Visitor
Posts: 61
Joined: Sat May 26, 2012 11:11 pm

Re: Is the IPsec fasttrack bypass rule still needed in ROS7?

Thu Jun 30, 2022 7:38 am

Yes, still needed.
Braddock
just joined
Posts: 12
Joined: Thu Oct 13, 2022 10:54 pm

Re: Is the IPsec fasttrack bypass rule still needed in ROS7?

Fri Oct 21, 2022 12:41 pm

I have a question regarding the mangle rules that mark IPsec connections to be skipped by fasttrack:
Do the mangle rules have to check every packet, or is it good enough to mark only packets with connection-state=new?

Something like this:
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Is the IPsec fasttrack bypass rule still needed in ROS7?

Mon Oct 24, 2022 12:27 am

New is enough. That's the point: connection tracking recognizes to which connection each packet belongs, so once you mark the connection, you can use just connection-mark=XXX as the condition when you need to do something else with packets that belong to this connection. You don't have to test each packet against all the other, possibly complicated, conditions.
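Putting the thread together, here is the complete rule set as an added example (not posted by anyone above): connections are marked once on their first packet, as Sob describes, and the fasttrack rule then excludes them by mark alone so IPsec-policy traffic never gets fasttracked past policy matching. It assumes a policy-based IPsec setup already exists and that no other fasttrack rule precedes these.

```routeros
# Added example: mark IPsec connections once, then keep them out of fasttrack (ROS7).
# Marking only connection-state=new is sufficient; later packets inherit the mark
# via connection tracking, so no per-packet ipsec-policy check is needed.
/ip firewall mangle
add chain=forward action=mark-connection connection-state=new ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes comment="Mark IPsec (outbound policy)"
add chain=forward action=mark-connection connection-state=new ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes comment="Mark IPsec (inbound policy)"

/ip firewall filter
# Fasttrack everything EXCEPT marked IPsec connections. This rule must sit before
# the generic accept for established/related, otherwise it never matches.
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec comment="FastTrack (skip IPsec)"
add chain=forward action=accept connection-state=established,related comment="Accept established,related"

# Verification: tunnel connections should carry the mark, and the mangle counters
# should grow only by one packet per new connection, not per packet.
/ip firewall connection print where connection-mark=ipsec
/ip firewall mangle print stats
/ip firewall filter print stats
```

If the mangle counters climb with every packet, the connection-state=new matcher is missing; if IPsec-bound connections show no mark, check that the ipsec-policy matcher direction matches the tunnel's policies.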