hello
when i use fasttrack
the pcc do not work
when i turn off the fasttrack
everything is ok
is this a bug ?
thank you very much
-
-
shiyiqiang08
Frequent Visitor
- Posts: 61
- Joined:
Re: the pcc dose not work when it works with fasttrack
PCC requires mangle and connection tracking to work.
Fast track removes all connection tracking in an effort to process packets faster.
No bug. No magic.
Fast track removes all connection tracking in an effort to process packets faster.
No bug. No magic.
Re: the pcc dose not work when it works with fasttrack
No, it is not a bug. It is actually mentioned somewhere in the wiki. Fasttrack bypasses some sections of the Firewall engine (part of which is mangle) and this makes it incompatible with some features that look inside packets, like pcc (which is based on source/destination addresses/ports).
-
-
shiyiqiang08
Frequent Visitor
- Posts: 61
- Joined:
Re: the pcc dose not work when it works with fasttrack
thank you very muchPCC requires mangle and connection tracking to work.
Fast track removes all connection tracking in an effort to process packets faster.
No bug. No magic.
-
-
shiyiqiang08
Frequent Visitor
- Posts: 61
- Joined:
Re: the pcc dose not work when it works with fasttrack
because i saw somebody use it with pcc in the forumPCC requires mangle and connection tracking to work.
Fast track removes all connection tracking in an effort to process packets faster.
No bug. No magic.
and works fine
so i am confused how it work
my english is poor ,i am from china ,but i am a fun of ros.
-
-
shiyiqiang08
Frequent Visitor
- Posts: 61
- Joined:
Re: the pcc dose not work when it works with fasttrack
thank you ,the issue confuses me so much timeNo, it is not a bug. It is actually mentioned somewhere in the wiki. Fasttrack bypasses some sections of the Firewall engine (part of which is mangle) and this makes it incompatible with some features that look inside packets, like pcc (which is based on source/destination addresses/ports).
it takes me so much time to find the reason
it is my fault
Re: the pcc dose not work when it works with fasttrack
Let's assume that there are a few subnets behind the router. Those subnets are separated on L2 (either physical ether ports or VLANs) and L3 (different network addresses). Which is proper / best way of excluding certain subnet from being fasttracked? For example because those subnets will be subject to PCC or simple queue or ...
-
-
shiyiqiang08
Frequent Visitor
- Posts: 61
- Joined:
Re: the pcc dose not work when it works with fasttrack
when you add fasttrack rule,you can define the rule of yourself and separate the ip that you do not want to fasttrackLet's assume that there are a few subnets behind the router. Those subnets are separated on L2 (either physical ether ports or VLANs) and L3 (different network addresses). Which is proper / best way of excluding certain subnet from being fasttracked? For example because those subnets will be subject to PCC or simple queue or ...
or you can make filter rule before the fasttrack rule and choose no passthrough
Re: the pcc dose not work when it works with fasttrack
.when you add fasttrack rule,you can define the rule of yourself and separate the ip that you do not want to fasttrack
or you can make filter rule before the fasttrack rule and choose no passthrough
I've created rule such as this:
Code: Select all
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
and placed it just above the usual action=accept connection-state=established,related ... but it didn't work. I have a /queue simple targeting the same subnet. If fasttrack is disabled, queue works just fine, but it doesn't work with fasttrack rule as defined above.
Re: the pcc dose not work when it works with fasttrack
Hey
I've the following for selective fast-tracking and working fine:
So:
* only fast-track after iniital 8k, so that some other filtering like TLS can be applied
* only if it's explicitly marked for FT in mangling, that's on connection level so it's cheap
* catch rule for above for some of the packets which don't get fasttracked to keep the connection tracking alive
I've the following for selective fast-tracking and working fine:
Code: Select all
add action=fasttrack-connection chain=forward comment="FastTrack: established & related" connection-bytes=8000-0 \
connection-mark=FT connection-state=established,related
add action=accept chain=est_rel comment="Accept: established & related" connection-state=established,related
add action=drop chain=est_rel comment="Drop: invalid" connection-state=invalid
* only fast-track after iniital 8k, so that some other filtering like TLS can be applied
* only if it's explicitly marked for FT in mangling, that's on connection level so it's cheap
* catch rule for above for some of the packets which don't get fasttracked to keep the connection tracking alive
Re: the pcc dose not work when it works with fasttrack
That rule gets applied in both directions ... on the way back from internet to internal src-address exclude will not do the job...I've created rule such as this:Code: Select all/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
Fasttracking behaves like connection-marking, once set it's for both directions.
Re: the pcc dose not work when it works with fasttrack
Do I understand correctly that if the connection is initiated from 192.168.41.0/24 (src address matches), it should not be fasttracked? And that's true for both directions?That rule gets applied in both directions ... on the way back from internet to internal src-address exclude will not do the job...
Fasttracking behaves like connection-marking, once set it's for both directions.
Re: the pcc dose not work when it works with fasttrack
Yes
The rule
will do following
* LAN -> WAN
will not fasttrack if the src is .41. network.
* WAN -> LAN
will fasttrack ALL connections as none have src from .41. range
Result: all connections end up fasttracked
To correct:
The rule
Code: Select all
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
* LAN -> WAN
will not fasttrack if the src is .41. network.
* WAN -> LAN
will fasttrack ALL connections as none have src from .41. range
Result: all connections end up fasttracked
To correct:
Code: Select all
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24 in-interface-list=LAN
# or similar
Re: the pcc dose not work when it works with fasttrack
.The rulewill do followingCode: Select all/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
* LAN -> WAN
will not fasttrack if the src is .41. network.
* WAN -> LAN
will fasttrack ALL connections as none have src from .41. range
Result: all connections end up fasttracked
But for the outgoing packets, shouldn't those be "non-fasttracked" with the original rule? They will have src-address matching, hence queues should work at least for UL (which they didn't)? What about un-fasttracking the returning packets (=DL)? It would need another fasttrack rule with dst-address=192.168.41.0/24 ... or?
And why do you think including in-interface-list=LAN should make any difference? For UL it won't make any difference as all packets enter RB through one of LAN interfaces ... and for DL it will un-fasttrack all packets regardless of the dst-address.
The thing is that I'm running a few VLANs and in-interface for .41 subnet is vlan-41 ... and if I created an accept rule with "connection-state=established,related in-interface=vlan-41 action=accept" and pushed it on top of FW rules, it still didn't work as expected (not even for UL). At the same time I'd need another similar rule for incoming packets (for those vlan-41 would be out-interface).
Re: the pcc dose not work when it works with fasttrack
Short answer: "FastTracked is a connection state".
For demonstration see list of connections, first column: "F" = fasttrack for the connection.
This means that a connection either is or isn't FT. Since connection exists of two parts, up & down, both share same status.
With the original rule this happens for outbound connection:
add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
1. packet from .41.2 to 1.1.1.1, state: new
state != est/rel => result: no FT, mangling / queue will work
2. packet from 1.1.1.1 to .41.2, state: established
src is not in .41. & state=est => result: FT => new state: established & FastTracked
3. packet from .41.2 to 1.1.1.1, state: established, FT
already FT -> mangling / simple queue is bypassed
with the change "in-interface-list=LAN"
1. packet from .41.2 to 1.1.1.1, state: new
state != est/rel => result: no FT, mangling / queue will work
2. packet from 1.1.1.1 to .41.2, state: established
src is not in .41 & state=est & in-interface!=LAN => result: no FT, mangling / queue will work
3. packet from .41.2 to 1.1.1.1, state: established
src is in exclude range => result: no FT, mangling / queue will work
from another source
1. packet from .40.2 to 1.1.1.1, state: new
state != est/rel => result: no FT, mangling / queue will work
2. packet from 1.1.1.1 to .40.2, state: established
src is not in .40. & state=est & in-interface!=LAN => result: no FT
3. packet from .40.2 to 1.1.1.1, state: established
state=est & in-int=Lan & src!=.41. => result: FT, new state: est, FT -> mangling / simple queue will be bypassed
4. packet from 1.1.1.1 to .40.2, state: est, FT
already FT -> bypassing mangling & simple queue
Edit: clarified which queue is by-passed => simple queue
For demonstration see list of connections, first column: "F" = fasttrack for the connection.
This means that a connection either is or isn't FT. Since connection exists of two parts, up & down, both share same status.
With the original rule this happens for outbound connection:
add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
1. packet from .41.2 to 1.1.1.1, state: new
state != est/rel => result: no FT, mangling / queue will work
2. packet from 1.1.1.1 to .41.2, state: established
src is not in .41. & state=est => result: FT => new state: established & FastTracked
3. packet from .41.2 to 1.1.1.1, state: established, FT
already FT -> mangling / simple queue is bypassed
with the change "in-interface-list=LAN"
1. packet from .41.2 to 1.1.1.1, state: new
state != est/rel => result: no FT, mangling / queue will work
2. packet from 1.1.1.1 to .41.2, state: established
src is not in .41 & state=est & in-interface!=LAN => result: no FT, mangling / queue will work
3. packet from .41.2 to 1.1.1.1, state: established
src is in exclude range => result: no FT, mangling / queue will work
from another source
1. packet from .40.2 to 1.1.1.1, state: new
state != est/rel => result: no FT, mangling / queue will work
2. packet from 1.1.1.1 to .40.2, state: established
src is not in .40. & state=est & in-interface!=LAN => result: no FT
3. packet from .40.2 to 1.1.1.1, state: established
state=est & in-int=Lan & src!=.41. => result: FT, new state: est, FT -> mangling / simple queue will be bypassed
4. packet from 1.1.1.1 to .40.2, state: est, FT
already FT -> bypassing mangling & simple queue
Edit: clarified which queue is by-passed => simple queue
Last edited by sebastia on Sun Dec 09, 2018 1:39 pm, edited 1 time in total.
Re: the pcc dose not work when it works with fasttrack
@sebastia: I really appreciate your effort to explain things to me.
So if I understand things correctly, a connection can get fasttracked at any time (even after a few packets exchanged) if any packet passes the rule criteria. However, when a connection is fasttracked, it won't get un-fasttracked until it lasts?
So if I understand things correctly, a connection can get fasttracked at any time (even after a few packets exchanged) if any packet passes the rule criteria. However, when a connection is fasttracked, it won't get un-fasttracked until it lasts?
Re: the pcc dose not work when it works with fasttrack
I tried to keep a queue functional by excluding [!] the IP's, similar to above ^, but it would not work. I had to put accept rules with that traffic before the fasttrack rule then the queue started working again --> viewtopic.php?f=2&t=139341#p702303The ruleCode: Select all/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related src-address=!192.168.41.0/24
Re: the pcc dose not work when it works with fasttrack
.I tried to keep a queue functional by excluding [!] the IP's, similar to above ^, but it would not work.
That was my problem as well, hence my question here. I also had a similar rule, but instead of src-address I used in-interface, but that didn't work as well. I'll probably try to do as @sebastia explained nicely above in some not-so-distant future.
I solved the problem so far by marking connections in mangle rule and having fasttracked non-marked connections (I got this idea somewhere on this forum, quite probably it was described by either @sindy or @CZfan):
Code: Select all
/ip firewall mangle
add action=mark-connection chain=forward comment="Guest VLAN" connection-state=new in-interface=vlan-41\
new-connection-mark=vlan41 passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack ... everything that is not marked (see mangle rules)"\
connection-mark=no-mark connection-state=established,related
# after that comes the normal accept established,related rule
As I wrote before, all my traffic that should be limited by simple queues, comes from vlan-41 interface.
I have yet to decide which approach I like better. The now-working approach is slightly complicated as it needs configuration in two distinct config sections. It wouldn't work nicely if connection marks were needed for anything else (e.g. for selective routing or some such). The approach explained by @sebastia is better as all rules are kept together. But (at least to me) it is not as understandable as it is the other one. I assume that both approaches are more or less equally resource-friendly.
Who is online
Users browsing this forum: No registered users and 16 guests