Author Topic: FastTrack: hardware-accelerated FW/NAT (RouterOS 6.29)  (Read 1459 times)

Offline D3M0N

« on: July 1, 2015, 11:02:14 pm »
FastTrack: hardware-accelerated FW/NAT
RouterOS 6.29


Starting from v6.29rc9, we introduced new and existing feature - FastTrack. Easy way to make your Firewall/NAT router up to 5x faster.

Code:
*) ipv4 fasttrack fastpath - accelerates connection tracking and nat for marked connections (more than 5x performance improvement compared to regular slow path conntrack/nat) - currently limited to TCP/UDP only;
*) added ~fasttrack-connection~ firewall action in filter/mangle tables for marking connections as fasttrack;
*) added fastpath support for bridge interfaces - packets received and transmitted on bridge interface can go fastpath (previously only bridge forwarded packets could go fastpath);
*) packets now can go half-fastpath - if input interface supports fastpath and packet gets forwarded in fastpath but output interface does not support fastpath or has interface queue other than only-hw-queue packet gets converted to slow path only at the dst interface transmit time;
*) trafflow: add natted addrs/ports to ipv4 flow info.

http://www.mikrotik.com/download/share/FastTrack.pdf

Tested on version v6.29.1 and working perfectly:

Code:
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack established+related" connection-state=established,related
add chain=forward comment="enable established+related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid

/ip firewall mangle
add action=set-priority chain=prerouting new-priority=from-dscp-high-3-bits

Another example:

Code:
/ip firewall address-list
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon

/ip firewall filter
add chain=input comment="Accept Established / Related Input" \
connection-state=established,related
add chain=input comment="Allow Management Input - 192.168.88.0/24" \
src-address=192.168.88.0/24
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
add action=fasttrack-connection chain=forward comment=\
"FastTrack Established / Related Forward" connection-state=\
established,related
add chain=forward comment="Accept Established / Related Forward" \
connection-state=established,related
add chain=forward comment="Allow forward traffic LAN >> WAN" out-interface=\
ether1-gateway src-address=192.168.88.0/24
add action=drop chain=forward comment="Drop Bogon Forward >> Ether1" \
in-interface=ether1-gateway log=yes log-prefix="Bogon Forward Drop" \
src-address-list=Bogon
add action=drop chain=forward comment="Drop Forward"
« Last Edit: July 1, 2015, 11:05:20 pm by D3M0N »
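An added example, not part of the original post or of MikroTik's material: a small Python check that reads a RouterOS export and verifies that each `fasttrack-connection` rule follows the pattern used in both configurations above (limited to `established,related` and followed by a matching accept rule). It also flags mangle rules, because fasttracked packets bypass the firewall tables in RouterOS. The function names, finding labels and `BAD_CONFIG` are assumptions made for this illustration.

```python
import re
import shlex

def parse_rules(export):
    """Parse RouterOS export text into a list of (menu, params) tuples."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", export)  # join backslash-continued lines
    rules, menu = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            params = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            params.setdefault("action", "accept")  # RouterOS default when action is omitted
            rules.append((menu, params))
    return rules

def audit_fasttrack(export):
    """Return findings for fasttrack-connection rules in the filter table."""
    parsed = parse_rules(export)
    flt = [p for m, p in parsed if m == "/ip firewall filter"]
    findings = []
    for i, r in enumerate(flt):
        if r["action"] != "fasttrack-connection":
            continue
        state = r.get("connection-state", "")
        # Both configurations in the post fasttrack only established,related.
        if not state or set(state.split(",")) - {"established", "related"}:
            findings.append("fasttrack-unrestricted")
        # Some packets of a fasttracked connection still take the slow path,
        # so an accept rule with the same chain and state has to follow.
        if not any(n["action"] == "accept" and n.get("chain") == r.get("chain")
                   and n.get("connection-state", "") == state for n in flt[i + 1:]):
            findings.append("no-accept-after-fasttrack")
        # Fasttracked packets skip the firewall tables, mangle included.
        if any(m == "/ip firewall mangle" for m, _ in parsed):
            findings.append("mangle-bypassed")
    return findings

# First configuration from the post.
POST_CONFIG = r'''/ip firewall filter
add action=fasttrack-connection chain=forward comment="fasttrack established+related" connection-state=established,related
add chain=forward comment="enable established+related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
/ip firewall mangle
add action=set-priority chain=prerouting new-priority=from-dscp-high-3-bits'''
# Constructed variant: no connection-state match and no follow-up accept rule.
BAD_CONFIG = r'''/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "fasttrack everything"'''
print(audit_fasttrack(POST_CONFIG), audit_fasttrack(BAD_CONFIG))
```

For the first configuration the only finding is `mangle-bypassed`: the `set-priority` rule will not see packets of connections that have been fasttracked.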