返回列表 發帖

FastTrack with some VPN exceptions

本帖最後由 角色 於 2018-5-8 09:50 編輯

Since there are problem when your RouterOS is configured as VPN client to the remote VPN server, you need to disable the FastTrack function in the firewall filter section. The maximum speed for single TCP stream will be reduced by half. In order to overcome this issue, you need to add FastTrack exception rule.

The following link(s) to give me some idea to configure. You may get more using the key words "RouterOS FastTrack and VPN"

https://forum.mikrotik.com/viewt ... hilit=sindy#p659631

https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
https://forum.mikrotik.com/viewtopic.php?t=123251
https://forum.mikrotik.com/viewtopic.php?p=479776#p479776
https://forum.mikrotik.com/viewtopic.php?t=112235

https://schemen.me/mikrotik-fast-track-that-excludes-ipsec/
https://www.manitonetworks.com/m ... rack-firewall-rules
https://www.timigate.com/2018/01 ... ack-connection.html

现在又enabled fasttrack rules,但是有加了exclude rules 就是rules 7 and 8 (就是在Fasttrack rules之前先accept VPN的packets,走slow path),其他走fast path。
  1. 7    ;;; VPN HK
  2.       chain=forward action=accept connection-state=established,related in-interface=bridge-HK log=no log-prefix=""

  3. 8    chain=forward action=accept connection-state=established,related out-interface=bridge-HK log=no log-prefix=""

  4. 9    ;;; defconf: fasttrack
  5.       chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

  6. 10    ;;; defconf: accept established,related, untracked
  7.       chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
複製代碼
之前发现不能用VPN,需要disable fasttrack,但是平时的throughput减半,经过问MikroTik Support后,和看看下面的帖子

https://forum.mikrotik.com/viewtopic.php?t=107201#p532865

把interface bridge-HK放入fasttrack enable之前,不需要走fasttrack后,现在效果非常好!

VPN能正常使用,而平时的throughput都可以full speed 941Mbps。

加了以后,VPN能正常使用,而WAN->LAN有941Mbps。效果非常好!

哈哈!现在用得非常爽。

TOP

If fasttrack enabled and want to exclude something, please read

https://forum.mikrotik.com/viewtopic.php?t=107201#p532865

TOP

回復 5# 角色


    非常抱歉!!! 以上配置没有错误,是我测试错误.

TOP

你是否有Disabled FastTrack?

TOP

如有以下两网络需用vpn互联,
10.10.0.0/16—ROS软路由_a—61.132.118.68———internet——-61.177.7.1—ROS软路由_b—192.168.0.1/24
ROS软路由_a:
ip ipsec peer add address=61.177.7.1 secret=123

ip ipsec policy add src-address=10.10.0.0/16 dst-address=192.168.0.0/24 sa-src-address=61.132.118.68 sa-dst-address=61.177.7.1


ROS软路由_b:
ip ipsec peer add address=61.132.118.68 secret=123

ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.10.0.0/16 sa-src-address=61.177.7.1 sa-dst-address=61.132.118.68
(注意为了方便这里对ipsec 相应一系列协议都使用了默认,但两边一定要一样。

这样你就会在两端在log和ipsec installed sas和remote peer中看到已联上的相关信息,但发现还不能互访对方端域网。

在ROS软路由_a加ip ipsec policy add src-address=10.10.0.0/16 dst-address=192.168.0.0/24 action=accept。
ROS软路由_b加ip ipsec policy add src-address=192.168.0.0/24 dst-address=10.10.0.0/16 action=accept。

以上内容参考网上的教程,全部做完后,还是不能互访对方端域网.

TOP

下面的帖子有关于FastTrack的信息,不错。

https://forum.mikrotik.com/viewtopic.php?f=2&t=133997

TOP

fasttrack基本上我是不會去開啟使用的.
因為開啟後是無法使用 路由標記/Queue/IPSec 這些進階功能 ,Vlan的設置也會有局限.
又加上IPSec與L2TP/IPIP/EOIP/Xauth/IKev2這些VPN相依...

TOP

返回列表