If you have any experience whatsoever with mikrotik hardware, you have definitely heard about Fasttrack.
Fastrack was introduced back in April 2016, in v6.29 of router os, and in very simple terms allows packets for established connections to bypass the kernel, thus improving performance, and decreasing the overall cpu load.
However there are known issues which prevent Fasttrack properly to work when using IPSec on the mikrotik. You will find that if you leave the default Fasttrack rule enabled in your firewall filters rule, the L2TP Vpn will be very sluggish.
If you are already using your mikrotik as an IPSec client, you have most likely disabled your Fasttrack rule in your /Firewall filter, however we can workaround this problem by marking all IPSec connections, and effectively exclude them from the Fasttrack rule.
The solution to this problem is to mark all IPSec connections, and exlude them from the Fasttrack rule.
First, using firewall mangle we mark all IPsec connections :
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec
After adding the above, if you issue the command /ip firewall mangle print you should get something like this :
[[email protected]] /ip firewall mangle> /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=prerouting action=mark-routing new-routing-mark=Vlan100 src-address=192.168.9.0/24
4 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=out,ipsec
5 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=in,ipsec
[[email protected]] /ip firewall mangle>
Next we add a fasttrack rule to fasttrack all connections except those marked by the mangle rule above :
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
The rule we just added, must be added just where the original fasttrack rule was. Here it is in my case :
Or via command line rule number 9 in my case, just before
;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
This is a partial output of my /ip firewall filter print. We are interested in rule 9, just below the disabled original Fasttrack rule 8 ;;; defconf: fasttrack (Disabled due to ipsec issues) and above the original rule 10 ;;; defconf: accept established,related, untracked
6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack (Disabled due to ipsec issues)
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; ;Fast Track everything except IPSEC stuff
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec log=no log-prefix=""
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
And yes it’s as simple as that. You can now have your L2TP VPN working along with your LAN connections enjoying the benefits of Fasttrack.
Adam says
Hey, thanks for sharing this!
I don’t understand how is it possible but it doesn’t work for me 🙁 I’ve redone this at least a dozen times but from that picosecond when I enable the fasttrack filter rule (with the !ipsec mark condition of course) my VPN connection starts to be super-sluggish.
Worth mentioning that the VPN connection is made from the MikroTik router directly (site-to-site tunnel) and not from one of the client machines.
Would you mind sharing more from your configuration, I’d be especially interested in the VPN tunnel? I’m sharing mine:
/interface l2tp-client add connect-to=vpn.******.com disabled=no ipsec-secret=******* name=MyVPN password=****** use-ipsec=yes user=******
/ip firewall mangle add action=mark-routing chain=prerouting dst-address=xxx.xxx.xxx.xxx new-routing-mark=MyVPN-Routing-Mark passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=MyVPN
/ip route
add distance=1 gateway=MyVPN routing-mark=MyVPNVPN-Routing-Mark
Thanks!
Ivan Valkov says
thx mate.
It is working 🙂 also with IKEV2
René says
Hi. Thanks for the work around. I need the fastrack on my RB3011 so it can keep up with my 1 Gbit internet connection with out sweating
br René, Denmark
jimmyz says
7.1beta4 on a hAP ac^2 and this is still needed.
Brillinat thought, thank you!
Pawel says
I think that you can achieve the same with this two firewall filter rules (before fasttrack rule)
/ip firewall filter add action=accept chain=forward ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward ipsec-policy=out,ipsec