Mikrotik Fast Track that excludes IPSec

Hi Network Engineers!

So, Fast Track is a new feature introduced in RouterOS 6.29. It's quite nice! With it, you can forward packets in a way that they are not handled by the Linux kernel, which greatly improves the throughput of your router.

You can activate Fast Track with this rule:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related

This will allow all packets whose connection is in the established or related state to bypass the kernel and be forwarded directly to the target. So, once a connection is marked as established or related, it won't go through any further firewalling or processing and will be forwarded directly to the target. Of course, a connection only gains the established or related state after it has gone through the firewall, so it will still be secure.

BUT! It has a disadvantage: IPsec connections will not be processed either, which results in a rather wonky experience and a very unstable IPsec connection. I'm not sure if this is a feature or a bug though.

Connection marker

Now, with RouterOS 6.30 you can add marks to certain connections and packets! What we can do now is simply modify the rule above a little to exclude a marked connection from Fast Track.

Mark IPsec packets

To mark an IPsec connection, you can use the mangle option in the firewall submenu:

/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec

This will mark all incoming and outgoing IPsec connections.

Modify Fast Track rule

Delete the old rule and add this one instead, which excludes connections that carry the connection-mark "ipsec":

/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-mark=!ipsec connection-state=established,related

Simply add "connection-mark=!ipsec", and with that you exclude all IPsec traffic from Fast Track.
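As an added example (not part of the original post), here is a small Python audit that parses a RouterOS `/export` fragment and flags a fasttrack rule that lacks the `connection-mark=!ipsec` exclusion, or a missing in/out mangle mark. The export text is constructed for the example and the function names are my own.

```python
import shlex

# Constructed sample of a RouterOS "/export" fragment: the mangle marks are
# present, but the fasttrack rule still lacks the connection-mark exclusion.
SAMPLE_EXPORT = """
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=in,ipsec new-connection-mark=ipsec
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward connection-state=established,related
"""


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for every 'add ...' line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            rule = {}
            for tok in shlex.split(line[4:]):  # shlex handles quoted comments
                key, _, value = tok.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections


def audit_fasttrack_ipsec(text, mark="ipsec"):
    """List the problems described in the post: unmarked IPsec directions and
    fasttrack rules that would still bypass IPsec-marked connections."""
    cfg = parse_export(text)
    findings = []
    mangle = cfg.get("/ip firewall mangle", [])
    for direction in ("in", "out"):
        marked = any(r.get("action") == "mark-connection"
                     and r.get("new-connection-mark") == mark
                     and r.get("ipsec-policy", "").startswith(direction + ",")
                     for r in mangle)
        if not marked:
            findings.append(f"no mangle rule marks ipsec-policy={direction},ipsec with connection-mark {mark}")
    for r in cfg.get("/ip firewall filter", []):
        if r.get("action") != "fasttrack-connection":
            continue  # only fasttrack rules can bypass IPsec processing
        if r.get("connection-mark") != "!" + mark:
            findings.append(f"fasttrack rule in chain={r.get('chain')} does not exclude connection-mark={mark}")
    return findings
```

Run it against the output of `/export` on the router; an empty list means the fasttrack rule excludes the marked IPsec connections in both directions.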

End note

I do not guarantee that this is the best solution, though it is one I found to be working. I wish you great fun and better Internet! We can definitely use MOAR speeeeed >:D

If you have any comments or corrections, don’t hesitate to contact me =)

10 thoughts on “Mikrotik Fast Track that excludes IPSec”

  1. vladimir says:

    it works:

    Mark IPsec
    chain=output action=mark-connection new-connection-mark=ipsec
    passthrough=yes log=no log-prefix="" ipsec-policy=out,ipsec

    9 ;;; Mark IPsec
    chain=input action=mark-connection new-connection-mark=ipsec
    passthrough=yes log=no log-prefix="" ipsec-policy=in,ipsec

  2. Armonds says:

    Your post really helped me out!

    This information should be in Mikrotik wiki, if it’s not there already.

  3. Krauf says:

    I have an RB2011

    running an L2TP/IPsec server

    It seems to work when connecting from a Windows 10 PC, but from my Galaxy S8 I cannot get a connection with the above info. Any ideas?
