ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Firewall Rules Fast-Track

Fri May 12, 2023 2:11 pm

I deleted my fastforward rule instead of disabling it when I started using QoS. I am having a bit of a problem with QoS at the moment and would like to disable that and reinstate the fastforward firewall rule. Can anybody give me a leg-up please? Firewalls aren't my strong point! hAP-ax
Last edited by ToTheFull on Fri May 12, 2023 2:17 pm, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Firewall Rules Fast-Forward

Fri May 12, 2023 2:13 pm

Did you mean Fast-Track?
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Forward

Fri May 12, 2023 2:15 pm

Yes that :)
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 2:24 pm

Don't worry I've reset the device!
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Firewall Rules Fast-Forward  [SOLVED]

Fri May 12, 2023 2:24 pm

There is not much to it. Reboot after applying these rules. If you marked your QoS, you could also use connection-mark=no-mark in the Fast-track rule.
add action=accept chain=input comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 2:27 pm

Thanks for that much appreciated
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Firewall Rules Fast-Track

Fri May 12, 2023 2:30 pm

<3.
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 2:51 pm

I'm reloading my config and forcing myself to DO it!
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:14 pm

There we go, does it matter that the rule is at the bottom?
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:28 pm

The order does matter. Export all of your /ip firewall filter and share them.
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:32 pm

I'm having massive problems here, I've downgraded to 7.9 now.

Edit: Also using simple queues with that stock firewall

Rules:
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 1    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 2 X  ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 3    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 4    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

 5    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 6    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 7    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

 8    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

 9    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:38 pm

In the screenshot, you have at least 13 filter rules. Now you have less than that. What is going on?

/ip firewall filter
add action=accept chain=input comment="Established, Related, Untracked" connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp log=no log-prefix=""
add chain=input action=accept dst-address=127.0.0.1
add chain=input action=drop in-interface-list=!LAN
add chain=forward action=accept ipsec-policy=in,ipsec
add chain=forward action=accept ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:43 pm

Yes, I've downgraded to 7.9 from 7.10 and reloaded my working config again, hence fewer rules. My queues were a mess since I updated to 7.10 yesterday. I was just wanting to try FastTrack to see if that was working OK. WFH is arriving back soon so I only have a short window to play, so I need to move fast.
 
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:48 pm

I see, so the order in post #12 is okay if you wish to use it.
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 3:52 pm

Thank you so much @own3r1138, I will add those fresh next chance I get.
I'm out of time! arrrrrrrrrrgghh WFH is back.

I feel I need to add WFH is Work From Home, not the wife!
 
ToTheFull
Member Candidate
Topic Author
Posts: 227
Joined: Fri Mar 24, 2023 3:24 pm

Re: Firewall Rules Fast-Track

Fri May 12, 2023 4:11 pm

I think the best thing to do now is export my config and add those.

Edit:
So this is the same, but I just wanted to keep the format the same as what's in the .rsc file before uploading when next able.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
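
The ordering point discussed in this thread, as an added example that is not part of any post: a Python check that reads a RouterOS export and reports a forward-chain FastTrack rule that sits below a plain accept for the same connection states, where it would never match. The sample export is constructed, and the function and constant names are hypothetical.

```python
import re
import shlex

# Constructed sample (not from the thread): FastTrack re-added at the bottom.
SAMPLE_BAD = r'''/ip firewall filter
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
'''

# Properties that do not narrow which packets a rule matches beyond its state.
NON_MATCHERS = {"action", "chain", "comment", "connection-state", "log", "log-prefix"}


def parse_filter_rules(export_text):
    """Return enabled 'add' rules from /ip firewall filter as dicts, in order."""
    # Exports wrap long lines with a trailing backslash and an indented continuation.
    text = re.sub(r"\\\r?\n[ \t]*", "", export_text)
    rules, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules


def shadowed_fasttrack(rules):
    """Return (fasttrack_index, accept_index) pairs, counted within chain=forward."""
    fwd = [r for r in rules if r.get("chain") == "forward"]
    hits = []
    for i, ft in enumerate(fwd):
        if ft.get("action") != "fasttrack-connection":
            continue
        want = set(ft.get("connection-state", "").split(","))
        for j, prev in enumerate(fwd[:i]):
            states = prev.get("connection-state")
            covers = states is None or want <= set(states.split(","))
            if prev.get("action") == "accept" and covers and set(prev) <= NON_MATCHERS:
                hits.append((i, j))  # the accept at j takes the packet first
                break
    return hits
```

Indexes are zero-based positions among the enabled forward-chain rules, not the numbers shown by `print`; an empty list means no FastTrack rule is hidden behind an earlier accept.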
