Mikrotik Fasttrack configuration with L2TP / IPSEC VPN

If you have any experience whatsoever with MikroTik hardware, you have definitely heard about Fasttrack.

Fasttrack was introduced back in April 2016, in RouterOS v6.29. In very simple terms, it allows packets of established connections to bypass most of the firewall, mangle and queue processing in the kernel, which improves throughput and decreases the overall CPU load.

However, there are known issues that stop Fasttrack from working properly when IPsec is in use on the MikroTik. You will find that if you leave the default Fasttrack rule enabled in your firewall filter rules, the L2TP VPN will be very sluggish.

If you are already using your MikroTik as an IPsec client, you have most likely disabled the Fasttrack rule in /ip firewall filter. We can work around this problem instead by marking all IPsec connections and excluding them from the Fasttrack rule, so that the rest of your traffic keeps the benefit.

The solution, then, is to mark all IPsec connections and exclude them from the Fasttrack rule.

First, using firewall mangle, we mark all IPsec connections (both the outbound and the inbound policy direction):

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec 

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec

After adding the above, if you issue the command /ip firewall mangle print you should get something like this:

[[email protected]] /ip firewall mangle> /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=prerouting action=mark-routing new-routing-mark=Vlan100 src-address=192.168.9.0/24
4 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=out,ipsec
5 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=in,ipsec
[[email protected]] /ip firewall mangle>

Next we add a Fasttrack rule that fasttracks all connections except those marked by the mangle rules above:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec 

The rule we just added must be placed exactly where the original Fasttrack rule was, because filter rules are evaluated in order. In my case it is rule number 9 on the command line, just before

;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

This is a partial output of my /ip firewall filter print. We are interested in rule 9, which sits just below the disabled original Fasttrack rule 8 (;;; defconf: fasttrack (Disabled due to ipsec issues)) and above the original rule 10 (;;; defconf: accept established,related, untracked):

6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack (Disabled due to ipsec issues)
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; ;Fast Track everything except IPSEC stuff
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec log=no log-prefix=""
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
11 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

And yes, it's as simple as that. You can now have your L2TP VPN working alongside your LAN connections, which keep enjoying the benefits of Fasttrack.
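Because the whole fix depends on rule order and on the connection mark being applied in both directions, it is worth checking the result from the text output rather than by eye. The script below is an added example, not code from the post: it parses the two-line-per-rule format that `/ip firewall filter print` and `/ip firewall mangle print` produce and reports when the `ipsec` mark is missing for a policy direction, when an enabled fasttrack rule does not carry `connection-mark=!ipsec`, or when the fasttrack rule sits below the `accept established,related` rule (where it would never be reached). The sample dumps are constructed after the output shown above; the rule numbers are placeholders.

```python
"""Audit RouterOS '/ip firewall ... print' dumps for the post's Fasttrack/IPsec layout.

Added example, not code from the post. It parses the two-line-per-rule text that
RouterOS prints and checks that both IPsec policy directions are marked 'ipsec'
in mangle, that every enabled fasttrack rule in chain=forward excludes that mark,
and that the fasttrack rule sits above 'accept established,related'. Sample dumps
are constructed after the post's output; rule numbers are placeholders.
"""
import re

# Constructed sample: mangle table after the two mark-connection rules are added.
MANGLE_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=out,ipsec
2 ;;; mark ipsec connections to exclude them from fasttrack
chain=forward action=mark-connection new-connection-mark=ipsec ipsec-policy=in,ipsec
"""

# Constructed sample: the filter layout the post recommends (rule 9 above rule 10).
GOOD_FILTER_PRINT = """\
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 X ;;; defconf: fasttrack (Disabled due to ipsec issues)
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
9 ;;; Fast Track everything except IPSEC stuff
chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
"""

# Constructed sample: the stock default, fasttrack enabled with no IPsec exclusion.
DEFAULT_FILTER_PRINT = """\
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
"""

# "<number> [X|I|D flags] <;;; comment | key=value ...>"
RULE_HEADER = re.compile(r"^(\d+)\s+((?:[XID]\s+)*)(.*)$")

def parse_attrs(text):
    """Turn 'chain=forward action=accept log-prefix=""' into a dict."""
    pairs = (tok.split("=", 1) for tok in text.split() if "=" in tok)
    return {key: val.strip('"') for key, val in pairs}

def parse_print(dump):
    """Parse RouterOS 'print' output into rule dicts (num, disabled, dynamic, comment, attrs)."""
    rules, current = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:") or line.startswith("["):
            continue  # flag legend and prompt echo carry no rule data
        m = RULE_HEADER.match(line)
        if m:
            flags = set(m.group(2).split())
            current = {"num": int(m.group(1)), "disabled": "X" in flags,
                       "dynamic": "D" in flags, "comment": "", "attrs": {}}
            rules.append(current)
            line = m.group(3)
            if line.startswith(";;;"):
                current["comment"] = line[3:].strip()
                continue  # the rule body follows on the next line
        if current is not None:
            current["attrs"].update(parse_attrs(line))
    return rules

def forward_active(rules):
    """Rules that actually see traffic in chain=forward: enabled and not dynamic."""
    return [r for r in rules if r["attrs"].get("chain") == "forward"
            and not r["disabled"] and not r["dynamic"]]

def check_mangle(rules):
    """Both IPsec policy directions must get connection-mark 'ipsec'."""
    marked = {r["attrs"].get("ipsec-policy") for r in forward_active(rules)
              if r["attrs"].get("action") == "mark-connection"
              and r["attrs"].get("new-connection-mark") == "ipsec"}
    return [f"mangle: no mark-connection rule for ipsec-policy={want}"
            for want in ("in,ipsec", "out,ipsec") if want not in marked]

def check_filter(rules):
    """Fasttrack must exclude the mark and precede 'accept established,related'."""
    fwd = forward_active(rules)
    fasttrack = [r for r in fwd if r["attrs"].get("action") == "fasttrack-connection"]
    accept_est = [r for r in fwd if r["attrs"].get("action") == "accept"
                  and "established" in r["attrs"].get("connection-state", "")]
    findings = [] if fasttrack else ["filter: no enabled fasttrack-connection rule in chain=forward"]
    for ft in fasttrack:
        if ft["attrs"].get("connection-mark") != "!ipsec":
            findings.append(f"filter: rule {ft['num']} fasttracks IPsec traffic "
                            "(missing connection-mark=!ipsec)")
        findings += [f"filter: rule {ft['num']} sits below accept rule {acc['num']} and is never reached"
                     for acc in accept_est if acc["num"] < ft["num"]]
    return findings

def audit(mangle_dump, filter_dump):
    """All findings for a pair of dumps; an empty list means the layout matches the post."""
    return check_mangle(parse_print(mangle_dump)) + check_filter(parse_print(filter_dump))
```

Paste the real output of both print commands into the two dump strings (or read them from files) and call `audit()`; the recommended layout yields no findings, while the stock default with the plain fasttrack rule enabled is reported because it would fasttrack the IPsec connections as well.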
