When I fasttrack all established, related traffic on the forward chain, traffic out my primary ISP VZ works as expected, but traffic marked by mangle rules out NW or SP either intermittently times out or goes out VZ. ICMP traffic routes as expected, which was deceiving at first until I realized Fasttrack ignores ICMP traffic and only processes TCP/UDP. We quickly turned Fasttrack off because of the intermittent connections.
But then I tried something, and it appears to be working. I only fasttrack the forward chain on established, related and define the inbound interface as ether1-VZFios (VZ, our primary ISP) and the outbound interface as sfp-sfpplus1-LAN (our LAN interface). This appears to Fasttrack all established, related connections on our primary ISP VZ while still allowing connections out VZ and SP to be processed by the mangle rules and ignored by Fasttrack. This should work for us since 90% of our traffic goes out VZ.
I wanted to share this possible solution, but also to get confirmation: is this the right way to do this?
Firewall filter rules:

 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough

 1   ;;; Allow Established & Related
     chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related in-interface=ether1-VZFios out-interface=sfp-sfpplus1-LAN log=no log-prefix=""

 2   ;;; Allow Established & Related
     chain=input action=accept connection-state=established,related log=no log-prefix=""

 3   ;;; Established, Related
     chain=forward action=accept connection-state=established,related log=no log-prefix=""
Firewall mangle rules:

     ;;; Mobile Devices Through NW
     chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes src-address-list=Mobile_Devices_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     ;;; Streaming Media Devices Through SP
     chain=prerouting action=mark-routing new-routing-mark=to_SP passthrough=yes src-address-list=Streaming_Media_Devices_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     ;;; Youtube & Google Through NW
     chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes dst-address-list=Youtube_Google_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     ;;; Apple Through NW
     chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes dst-address-list=Apple_IPv4 in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     chain=prerouting action=mark-connection new-connection-mark=VZ_conn passthrough=yes connection-mark=no-mark in-interface=ether1-VZFios log=no log-prefix=""

     chain=prerouting action=mark-connection new-connection-mark=NW_conn passthrough=yes connection-mark=no-mark in-interface=ether2-NW log=no log-prefix=""

     chain=prerouting action=mark-connection new-connection-mark=SP_conn passthrough=yes connection-mark=no-mark in-interface=ether3-Spectrum log=no log-prefix=""

     chain=prerouting action=mark-routing new-routing-mark=to_VZ passthrough=yes connection-mark=VZ_conn in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     chain=prerouting action=mark-routing new-routing-mark=to_NW passthrough=yes connection-mark=NW_conn in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     chain=prerouting action=mark-routing new-routing-mark=to_SP passthrough=yes connection-mark=SP_conn in-interface=sfp-sfpplus1-LAN log=no log-prefix=""

     chain=output action=mark-routing new-routing-mark=to_VZ passthrough=yes connection-mark=VZ_conn log=no log-prefix=""

     chain=output action=mark-routing new-routing-mark=to_NW passthrough=yes connection-mark=NW_conn log=no log-prefix=""

     chain=output action=mark-routing new-routing-mark=to_SP passthrough=yes connection-mark=SP_conn log=no log-prefix=""

     chain=forward action=mark-connection new-connection-mark=VZ_conn passthrough=yes connection-state=new in-interface=ether1-VZFios log=no log-prefix=""

     chain=forward action=mark-connection new-connection-mark=NW_conn passthrough=yes connection-state=new in-interface=ether2-NW log=no log-prefix=""

     chain=forward action=mark-connection new-connection-mark=SP_conn passthrough=yes connection-state=new in-interface=ether3-Spectrum log=no log-prefix=""
Firewall NAT rules:

     chain=srcnat action=masquerade out-interface=ether1-VZFios log=no log-prefix=""

     chain=srcnat action=masquerade out-interface=ether2-NW log=no log-prefix=""

     chain=srcnat action=masquerade out-interface=ether3-Spectrum log=no log-prefix=""

     chain=dstnat action=dst-nat to-addresses=10.0.10.1 to-ports=80 protocol=tcp in-interface=ether1-VZFios dst-port=80 log=no log-prefix=""

     chain=dstnat action=dst-nat to-addresses=10.0.10.1 to-ports=80 protocol=tcp in-interface=ether2-NW dst-port=80 log=no log-prefix=""

     chain=dstnat action=dst-nat to-addresses=10.0.10.1 to-ports=80 protocol=tcp in-interface=ether3-Spectrum dst-port=80 log=no log-prefix=""
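The failure described in the post (policy-routed connections timing out or leaking out VZ once Fasttrack is enabled) follows from how fasttrack-connection works: once a connection is fasttracked, every later packet of that connection, in both directions, skips the mangle table, so the mark-routing rules never see it again and it falls back to the default route. The interface-pair rule in the post avoids this by only ever fasttracking connections whose reply packets arrive on ether1-VZFios. The following is an added example, not the poster's configuration, that reaches the same goal by keying the fasttrack decision on the connection mark instead of on the interface pair: policy-routed LAN connections are tagged once on their first packet, and the fasttrack rule is restricted to connections that carry no policy mark. It reuses the interface, address-list, connection-mark and routing-mark names from the post; it replaces the four address-list mark-routing rules and the fasttrack rule shown there, and leaves the WAN-inbound marking rules and the NAT rules unchanged.

```routeros
# Added example (not the original poster's config). Names taken from the post:
#   sfp-sfpplus1-LAN (LAN), ether1-VZFios (VZ), NW_conn/SP_conn/VZ_conn (connection marks),
#   to_NW/to_SP (routing marks), Mobile_Devices_IPv4 etc. (address lists).
/ip firewall mangle
# 1. Tag each policy-routed connection once, on its first packet from the LAN.
#    connection-state=new keeps these rules off the per-packet hot path.
add chain=prerouting connection-state=new in-interface=sfp-sfpplus1-LAN \
    src-address-list=Mobile_Devices_IPv4 action=mark-connection \
    new-connection-mark=NW_conn passthrough=yes comment="Mobile Devices Through NW"
add chain=prerouting connection-state=new in-interface=sfp-sfpplus1-LAN \
    dst-address-list=Youtube_Google_IPv4 action=mark-connection \
    new-connection-mark=NW_conn passthrough=yes comment="Youtube & Google Through NW"
add chain=prerouting connection-state=new in-interface=sfp-sfpplus1-LAN \
    dst-address-list=Apple_IPv4 action=mark-connection \
    new-connection-mark=NW_conn passthrough=yes comment="Apple Through NW"
add chain=prerouting connection-state=new in-interface=sfp-sfpplus1-LAN \
    src-address-list=Streaming_Media_Devices_IPv4 action=mark-connection \
    new-connection-mark=SP_conn passthrough=yes comment="Streaming Media Devices Through SP"

# 2. Derive the routing mark from the connection mark on every LAN packet of those
#    connections (the post already has equivalent rules for NW_conn/SP_conn; shown here
#    so the example is complete). passthrough=no: nothing else needs to run afterwards.
add chain=prerouting in-interface=sfp-sfpplus1-LAN connection-mark=NW_conn \
    action=mark-routing new-routing-mark=to_NW passthrough=no
add chain=prerouting in-interface=sfp-sfpplus1-LAN connection-mark=SP_conn \
    action=mark-routing new-routing-mark=to_SP passthrough=no

/ip firewall filter
# 3. Fasttrack only connections that carry no policy mark (LAN connections using the
#    default route via VZ) plus the WAN-inbound connections the post tags as VZ_conn.
#    Anything tagged NW_conn or SP_conn never matches, so its packets keep passing
#    through mangle and keep their routing mark for the whole life of the connection.
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=no-mark \
    comment="Fasttrack unmarked (default route / VZ) connections"
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=VZ_conn \
    comment="Fasttrack VZ-inbound connections"
# Fasttrack only marks the connection; this accept rule still handles the packet.
add chain=forward action=accept connection-state=established,related \
    comment="Established, Related"
```

To check that the split is doing what is intended, watch the counters with /ip firewall filter print stats while a Mobile_Devices_IPv4 host is active: the fasttrack rules' counters should stay flat for that host's traffic and the plain accept rule's counter should climb, while a host on the default route does the opposite. In /ip firewall connection print, fasttracked connections show the F flag and policy-routed ones show their connection-mark, so a connection carrying NW_conn together with the F flag indicates the fasttrack rule is ordered or matched wrongly. Rule order matters: the mark-connection rules must sit above the mark-routing rules in mangle, and both mangle chains run before the filter forward chain for each packet, so the first packet of a connection is already marked by the time it reaches the fasttrack rule.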