Manual:Fast Path: Difference between revisions

From MikroTik Wiki
Line 86: Line 86:


* [[M:IP/Firewall | firewal rules]] are not configured;
* [[M:IP/Firewall | firewal rules]] are not configured;
<del>* Traffic flow is disabled <code>/ip traffic-flow enabled=no</code></del> restriction removed in 6.33;
* <del>Traffic flow is disabled <code>/ip traffic-flow enabled=no</code></del> restriction removed in 6.33;
* Simple and [[Manual:Queue| queue]] trees with parent=global are not configured;
* Simple and [[Manual:Queue| queue]] trees with parent=global are not configured;
* no [[M:Interface/HWMPplus | mesh]], [[M:Metarouter | metarouter]] interface configuration;
* no [[M:Interface/HWMPplus | mesh]], [[M:Metarouter | metarouter]] interface configuration;
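Review bot: On the traffic-flow item, the trailing "restriction removed in 6.33" follows the closing </del> with no separator, so the rendered bullet runs the struck-through condition and the version note together; put the note in parentheses, e.g. "(restriction removed in 6.33)". The unchanged context line at the top of this hunk also still reads "firewal rules" and should be corrected to "firewall rules" in the same edit.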
Line 95: Line 95:
* Hotspot is not used (/ip hostspot has no interfaces);
* Hotspot is not used (/ip hostspot has no interfaces);
* IpSec policies are not configured (ROS v6.8);
* IpSec policies are not configured (ROS v6.8);
<del>* no active mac-ping, mac-telnet or mac-winbox sessions</del> restriction removed in 6.33;
* <del>no active mac-ping, mac-telnet or mac-winbox sessions</del> restriction removed in 6.33;
* /tool mac-scan is not actively used;
* /tool mac-scan is not actively used;
* /tool ip-scan is not actively used;
* /tool ip-scan is not actively used;
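Review bot: The unchanged Hotspot line in this hunk gives the menu as "/ip hostspot", which is misspelled and should read "/ip hotspot". The neighbouring "IpSec policies" item would also read better as "IPsec policies"; both can be fixed alongside the mac-ping bullet.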
Line 111: Line 111:
* no [[M:Interface/HWMPplus | mesh]], [[M:Metarouter | metarouter]] interface configuration;
* no [[M:Interface/HWMPplus | mesh]], [[M:Metarouter | metarouter]] interface configuration;
* [[M:Tools/Packet_Sniffer | sniffer]], [[M:Troubleshooting_tools#Torch_.28.2Ftool_torch.29 | torch]] and [[M:Tools/Traffic_Generator | traffic generator]] is not running;
* [[M:Tools/Packet_Sniffer | sniffer]], [[M:Troubleshooting_tools#Torch_.28.2Ftool_torch.29 | torch]] and [[M:Tools/Traffic_Generator | traffic generator]] is not running;
<del>* no active mac-ping, mac-telnet or mac-winbox sessions</del> restriction removed in 6.33;
* <del>no active mac-ping, mac-telnet or mac-winbox sessions</del> restriction removed in 6.33;
* /tool mac-scan is not actively used;
* /tool mac-scan is not actively used;
* /tool ip-scan is not actively used;
* /tool ip-scan is not actively used;
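Review bot: The context line "sniffer, torch and traffic generator is not running" has three subjects, so the verb should be "are not running". The mac-ping bullet changed here is identical to the one in the hunk at line 95, so the two condition lists should be edited together whenever the 6.33 note changes.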

Revision as of 14:53, 25 September 2015


Applies to RouterOS: v6.0rc2 +

Summary

Fast path allows packets to be forwarded without additional processing in the Linux kernel. It improves forwarding speeds significantly.

For fast path to work, interface support and specific configuration conditions are required.

List of devices with FastPath support

Interface FastPath support can be checked by running "/interface print detail" and looking at the fast-path property value.


| RouterBoard | Interfaces |
|---|---|
| RB6xx series | ether1,2 |
| RB7xx series | all ethernets |
| RB800 | ether1,2 |
| RB9xx series | all ethernets |
| RB1000 | all ethernets |
| RB1100 series | ether1-10,11 |
| RB2011 series | all ethernets and sfp |
| CCR series routers | all ethernets and sfps |
| All devices | wireless interfaces, if wireless-fp or wireless-cm2 package used; bridge interfaces (since 6.29); vlan, vrrp interfaces (since 6.30); bonding interfaces - rx only (since 6.30) |

FastPath Handlers

Currently RouterOS has the following fast path handlers:

  • ipv4
  • ipv4 fasttrack
  • traffic generator
  • mpls
  • bridge

Note: A packet can be forwarded by a fast path handler only if at least the source interface supports fast path. For complete fast path forwarding, destination interface support is also required. See the list of supported interfaces.


IPv4 handler

IPv4 fast path is automatically used if the following conditions are met:

  • firewall rules are not configured;
  • Traffic flow is disabled (/ip traffic-flow enabled=no) (restriction removed in 6.33);
  • Simple queues and queue trees with parent=global are not configured;
  • no mesh, metarouter interface configuration;
  • sniffer, torch and traffic generator are not running;
  • connection tracking is not active;
  • ip accounting is disabled (/ip accounting enabled=no);
  • VRFs are not set (/ip route vrf is empty);
  • Hotspot is not used (/ip hotspot has no interfaces);
  • IPsec policies are not configured (ROS v6.8);
  • no active mac-ping, mac-telnet or mac-winbox sessions (restriction removed in 6.33);
  • /tool mac-scan is not actively used;
  • /tool ip-scan is not actively used.

The enabled parameter of /ip firewall connection tracking has a new value, auto, which means that connection tracking is disabled by default until firewall rules are added.

IPv4 FastTrack handler

The IPv4 FastTrack handler is automatically used for marked connections. Use the firewall action "fasttrack-connection" to mark connections for fasttrack. Currently only TCP and UDP connections can actually be fasttracked (even though any connection can be marked for fasttrack). The IPv4 FastTrack handler supports NAT (SNAT, DNAT or both).

Note that not all packets in a connection can be fasttracked, so it is likely that some packets will go through the slow path even though the connection is marked for fasttrack. Fasttracked packets bypass firewall, simple queues, queue tree with parent=global, ip traffic-flow (restriction removed in 6.33), ip accounting, ipsec, hotspot universal client and vrf assignment, so it is up to the administrator to make sure fasttrack does not interfere with other configuration.

IPv4 FastTrack is active if the following conditions are met:

  • no mesh, metarouter interface configuration;
  • sniffer, torch and traffic generator are not running;
  • no active mac-ping, mac-telnet or mac-winbox sessions (restriction removed in 6.33);
  • /tool mac-scan is not actively used;
  • /tool ip-scan is not actively used.

For example, on home routers with the factory default configuration, you could fasttrack all LAN traffic with this one rule placed at the top of the firewall filter:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related

Note that this will break any filtering and queues you apply to LAN traffic; if you want to fasttrack only specific traffic, you will have to mark the traffic first.

This is how a default configuration looks with the fastpath rule added on top (and the auto-added dummy rule above it):

Fasttrack.png
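
An added example, not part of the MikroTik manual: a small Python audit that reads a RouterOS configuration export and, for each enabled fasttrack-connection rule, reports whether the rule is narrowed by any matcher and which of the bypassed features named above are configured. The export text is a constructed sample, and the one-command-per-line export layout, the feature checks and the function names are assumptions of this example.

```python
import shlex

SAMPLE_EXPORT = """\
/queue simple
add max-limit=10M/10M name=guest target=192.168.88.0/24
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=fasttrack-connection chain=forward connection-mark=bulk connection-state=established,related
add action=drop chain=forward connection-state=invalid
"""  # constructed sample; assumes one command per line (no "\" continuations)

# (export section, predicate on (verb, params), feature name as listed on the page)
CHECKS = [
    ("/queue simple", lambda v, p: v == "add", "simple queues"),
    ("/queue tree", lambda v, p: p.get("parent") == "global", "queue tree parent=global"),
    ("/ip ipsec policy", lambda v, p: v == "add", "ipsec"),
    ("/ip accounting", lambda v, p: p.get("enabled") == "yes", "ip accounting"),
]

def parse_export(text):
    """Return [(section, verb, params)] for each add/set line of an export."""
    out, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section and line.split(" ", 1)[0] in ("add", "set"):
            toks = shlex.split(line)
            out.append((section, toks[0], dict(t.split("=", 1) for t in toks[1:] if "=" in t)))
    return out

def bypassed_features(entries):
    """Configured, enabled features that fasttracked packets would skip."""
    return sorted({name for s, v, p in entries for sec, ok, name in CHECKS
                   if s == sec and p.get("disabled") != "yes" and ok(v, p)})

def audit_fasttrack(text):
    """One finding per enabled fasttrack rule: (filter position, scoped, bypassed)."""
    entries = parse_export(text)
    bypassed = bypassed_features(entries)
    rules = [p for s, v, p in entries if s == "/ip firewall filter" and v == "add"]
    findings = []
    for pos, p in enumerate(rules):
        if p.get("action") == "fasttrack-connection" and p.get("disabled") != "yes":
            # Scoped = narrowed by some matcher beyond chain and connection-state.
            scoped = bool(set(p) - {"action", "chain", "connection-state", "comment"})
            findings.append((pos, scoped, bypassed))
    return findings

if __name__ == "__main__":
    print(audit_fasttrack(SAMPLE_EXPORT))
```

An unscoped finding together with a non-empty bypass list is the combination to review first, since every established or related connection then skips those features.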

Traffic Generator handler

Traffic Generator fast path is automatically used for interfaces that support this feature.

MPLS handler

MPLS fast path is automatically used for interfaces that support this feature.

Currently MPLS fast path applies only to MPLS switched traffic (frames that enter the router as MPLS and must leave the router as MPLS); MPLS ingress and egress (including VPLS tunnel endpoints that do VPLS encap/decap) will operate as before.


Bridge handler

Bridge fast path is automatically used if the following conditions are met:

  • no bridge firewall rules (/interface bridge filter, /interface bridge nat) are configured,
  • /interface bridge settings use-ip-firewall=no,
  • destination interface queue is set to only-hw-queue,
  • no mesh, metarouter interface configuration,
  • sniffer, torch and traffic generator are not running,
  • if wireless is configured, then the wireless-fp or wireless-cm2 package must be used in order to use FastPath.

Note: Currently PPP interfaces do not support FastPath.



Note: Starting from v6.1, an added VRRP interface no longer disables fast path globally. IPv4 and bridge fast path handlers will not work only if the source interface is a VRRP slave interface.

