RANTS.TECH

Mikrotik Fasttrack configuration with L2TP / IPSEC VPN

6th January 2019 by Johann

If you have any experience whatsoever with MikroTik hardware, you have definitely heard of Fasttrack.

Fasttrack was introduced back in April 2016, in v6.29 of RouterOS. In very simple terms, it allows packets belonging to established connections to bypass most of the kernel's firewall and connection-tracking processing, which improves throughput and decreases overall CPU load.

However, there are known issues which prevent Fasttrack from working properly when IPsec is used on the MikroTik. You will find that if you leave the default Fasttrack rule enabled in your firewall filter rules, the L2TP VPN will be very sluggish.

If you are already using your MikroTik as an IPsec client, you have most likely disabled the Fasttrack rule in /ip firewall filter. We can work around this problem by marking all IPsec connections and excluding them from the Fasttrack rule, so that the VPN traffic still takes the normal firewall path while everything else is fasttracked.

The solution to this problem is therefore to mark all IPsec connections and exclude them from the Fasttrack rule.

First, using firewall mangle, we mark all IPsec connections in both directions (inbound and outbound IPsec policy):

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec

After adding the above, if you issue the command /ip firewall mangle print, you should get something like this:

[[email protected]] /ip firewall mangle> /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=prerouting action=mark-routing new-routing-mark=Vlan100 src-address=192.168.9.0/24
4 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=out,ipsec
5 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=in,ipsec
[[email protected]] /ip firewall mangle>

Next we add a Fasttrack rule that fasttracks all established and related connections except those carrying the ipsec connection mark set by the mangle rules above:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec

The rule we just added must be placed where the original Fasttrack rule was, i.e. before the rule that accepts established and related connections; otherwise the accept rule matches first and the Fasttrack rule never sees the traffic. Here it is in my case:

Or, via the command line, it is rule number 9 in my case, just before

;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

This is a partial output of my /ip firewall filter print. We are interested in rule 9, just below the disabled original Fasttrack rule 8 (;;; defconf: fasttrack (Disabled due to ipsec issues)) and above the original rule 10 (;;; defconf: accept established,related, untracked):

6    ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack (Disabled due to ipsec issues)
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; ;Fast Track everything except IPSEC stuff
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec log=no log-prefix=""
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
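As an added check (example code written for this post, not part of the original article or of RouterOS), the following Python script parses the output of /ip firewall filter print and /ip firewall mangle print in the layout shown above and verifies the three things the workaround depends on: both mangle rules that set the ipsec connection mark exist and are enabled, the enabled fasttrack-connection rule carries connection-mark=!ipsec, and it sits above the accept established,related rule. The sample dumps in the script are constructed from the output shown above.

```python
import re
# Constructed sample dumps (not from the post) in the layout of its print output.
FILTER_DUMP = """\
 8 X ;;; defconf: fasttrack (Disabled due to ipsec issues)
chain=forward action=fasttrack-connection connection-state=established,related
 9 ;;; Fast Track everything except IPSEC stuff
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
"""
MANGLE_DUMP = """\
 4 chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=out,ipsec
 5 chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=in,ipsec
"""
def parse_rules(dump):
    """Parse 'print' output: index, optional flags (X disabled, D dynamic), then a ';;; comment' or key=value pairs."""
    rules = []
    for line in dump.splitlines():
        head = re.match(r"^\s*(\d+)\s+([XID]+\s+)?(.*)$", line)
        if head:  # start of a new rule
            rules.append({"idx": int(head.group(1)), "flags": set((head.group(2) or "").strip())})
            line = head.group(3)
            if line.startswith(";;;"):
                rules[-1]["comment"] = line[3:].strip()
                continue
        if rules:  # key=value pairs belong to the most recent rule
            for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
                rules[-1][k] = v.strip('"')
    return rules

def check_fasttrack_layout(filter_dump, mangle_dump):
    """Return a list of problems; an empty list means the rules match the layout in the post."""
    problems = []
    marked = {r.get("ipsec-policy") for r in parse_rules(mangle_dump)
              if not r["flags"] & {"X", "D"} and r.get("new-connection-mark") == "ipsec"
              and (r.get("chain"), r.get("action")) == ("forward", "mark-connection")}
    for pol in ("in,ipsec", "out,ipsec"):
        if pol not in marked:
            problems.append(f"mangle: no enabled forward mark-connection rule for ipsec-policy={pol}")
    fwd = [r for r in parse_rules(filter_dump) if r.get("chain") == "forward"]
    fasttrack = [r for r in fwd if r.get("action") == "fasttrack-connection" and "X" not in r["flags"]]
    accept_est = [r["idx"] for r in fwd if r.get("action") == "accept" and "established" in r.get("connection-state", "")]
    if not fasttrack:
        problems.append("filter: no enabled fasttrack-connection rule in chain forward")
    for r in fasttrack:
        if r.get("connection-mark") != "!ipsec":
            problems.append(f"filter: rule {r['idx']} also fasttracks IPsec connections (needs connection-mark=!ipsec)")
        if accept_est and r["idx"] > min(accept_est):
            problems.append(f"filter: rule {r['idx']} sits after accept rule {min(accept_est)}, so established packets never reach it")
    return problems
```

Paste your own print output into the two strings (or read it from files) and call check_fasttrack_layout; an empty list means the layout matches the post.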

And yes, it's as simple as that. You can now have your L2TP VPN working alongside your LAN connections, which keep enjoying the benefits of Fasttrack.

Comments

  1. Adam says

    14th January 2020 at 18:31

    Hey, thanks for sharing this!

    I don't understand how it is possible, but it doesn't work for me 🙁 I've redone this at least a dozen times, but from the picosecond I enable the fasttrack filter rule (with the !ipsec mark condition, of course) my VPN connection starts to be super-sluggish.

    Worth mentioning that the VPN connection is made from the MikroTik router directly (site-to-site tunnel) and not from one of the client machines.

    Would you mind sharing more of your configuration? I'd be especially interested in the VPN tunnel. I'm sharing mine:

    /interface l2tp-client add connect-to=vpn.******.com disabled=no ipsec-secret=******* name=MyVPN password=****** use-ipsec=yes user=******

    /ip firewall mangle add action=mark-routing chain=prerouting dst-address=xxx.xxx.xxx.xxx new-routing-mark=MyVPN-Routing-Mark passthrough=yes

    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=MyVPN

    /ip route
    add distance=1 gateway=MyVPN routing-mark=MyVPNVPN-Routing-Mark

    Thanks!

  2. Ivan Valkov says

    29th April 2020 at 12:25

    Thx mate.
    It is working 🙂 also with IKEv2

  3. René says

    12th May 2020 at 14:34

    Hi. Thanks for the workaround. I need Fasttrack on my RB3011 so it can keep up with my 1 Gbit internet connection without sweating.

    br René, Denmark

  4. jimmyz says

    16th February 2021 at 07:37

    7.1beta4 on a hAP ac^2, and this is still needed.
    Brilliant thought, thank you!

  5. Pawel says

    30th October 2021 at 17:18

    I think that you can achieve the same with these two firewall filter rules (before the fasttrack rule):

    /ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec
    /ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec
