需要执行两条命令来开启FastTrack:
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related
描述
IPv4 FastTrack处理程序自动用于标记的连接。使用防火墙操作“ fasttrack-connection”来标记FastTrack的连接。当前,只有TCP和UDP连接实际上可以被快速跟踪(即使可以将任何连接标记为快速跟踪)。IPv4 FastTrack处理程序支持NAT(SNAT和/或DNAT)。
请注意,并非连接中的所有数据包都可以被FastTracked,因此即使将连接标记为FastTrack,也有可能看到某些数据包通过慢速路径。这就是为什么快速跟踪连接通常遵循相同的action = accept规则的原因。FastTracked数据包绕过防火墙,连接跟踪,简单队列,parent = global的队列树,IP流量(在6.33中取消了限制),IP accounting,IPSec,热点通用客户端,VRF分配,因此管理员应确保FastTrack不干扰其他配置;
要求
如果满足以下条件,则IPv4 FastTrack处于活动状态:
- 没有网状,元路由器接口配置;
- sniffer, torch and traffic generator is not running;
- 没有活动的mac-ping,mac-telnet或mac-winbox会话 限制已在6.33中删除;
- / tool mac-scan没有被积极使用;
- / tool ip-scan没有被积极使用;
- 在IP /Settings 下启用了FastPath和路由缓存
| RouterBoard | Interfaces |
|---|---|
| RB6xx series | ether1,2 |
| RB7xx series | all ports |
| RB800 | ether1,2 |
| RB9xx series | all ports |
| RB1000 | all ports |
| RB1100, RB1000AHx2 | ether1-11 |
| RB1000AHx2 | all ports |
| RB2011 series | all ports |
| RB3011 series | all ports |
| RB4011 series | all ports |
| CRS series routers | all ports except management interface (if the device has one) |
| CCR series routers | all ports except management interface (if the device has one) |
| All devices | wireless interfaces, if wireless-fp, wireless-cm2, wireless-rep or wireless (starting from 6.37) package used |
/ip firewall filter
/ip firewall mangle