FastPath Overview

MUM Moldova, 2015 1

4
 “SlowPath”
● “Slow Path” is the regular way packets are
processed in RouterOS
● For each packet RouterOS has to check the
whole path of the packet
● In some cases it is a considerable number of
steps

5
Bridge Forwarding

6
Bridge Forwarding

7
MPLS Forwarding

8
Routing Forwarding

9
Routing Forwarding

10
Routing Forwarding

11
 Initial FastPath Implementation
● FastPath is interface driver extension, that
allows to receive/process/send traffic without
unnecessary processing
● Interface driver now can talk directly to specific
RouterOS processes skipping all other
● FastPath requirements
– Interface driver support
– FastPath should be allowed in configuration
– No configuration in specific facilities.

12
 Driver Support
● CCR, CRS, RB7xx, RB9xx, hEX, hAP, wAP,
cAP, mAP, SXT, Metal, Groove, DynaDish,
OmniTIK series - all ports
● RB1100 series - ether1-11
● RB6xx series and RB800 - ether1,2
● RB1000, RB3011, RB2011 - all ports
● All Wireless interfaces, if wireless-fp or
wireless-cm2 package used

13
Allow FastPath

14
Bridge Forwarding FastPath

NO

15
 Routing Forwarding FastPath

NO

16
Routing Forwarding FastPath

NO

17
 SlowPath vs FastPath
● What are the performance benefits of regular
FastPath?

18
 Half-FastPath
● What if an interface driver doesn't have
FastPath support?

19
 FastPath for Logical Interfaces
FastPath is supported for these logical interfaces
● Bridge interfaces (since v6.29)
● VLAN interfaces (since v6.30)
● VRRP interfaces (since v6.30)
● Bonding interfaces - RX only (since v6.30)
●EOIP, GRE, IPIP interfaces – without IPSec
encryption and without fragmentation (since v6.33)
● PPPoE client interface – without encryption and
fragmentation (coming soon)

20
Logical Interfaces in RouterOS

21
 EOIP, GRE, IPIP and FastPath
● Per interface "allow-fast-path" setting
● Packet fragments and encrypted traffic can't be
received in FastPath
● Traffic traveling in FastPath will be invisible to
other router facilities (firewall, queues, etc)
● It is important to prepare your configuration
(firewall, queues) for SlowPath part of tunnel
traffic.

22
 FastPath for Features
● Traffic Generator (since v6.0) - the only way to
simulate FastPath speeds.
● MAC-Winbox (since v6.33) – doesn't disable
FastPath anymore
● MAC-Telnet (since v6.33) – doesn't disable
FastPath anymore
● Traffic Flow (since v6.33) – can see FastPath
traffic also
● Connection Tracking (since v6.29)*
23
 FastPath + Conntrack
● Conntrack entries now have “Fasttracked” flag
● Implemented as “fasttrack-connection” action
for firewall filter/mangle
● Packets from “Fasttracked” connections are
allowed to travel in FastPath
● Works only with IPv4/TCP and IPv4/UDP
● Traffic traveling in FastPath will be invisible to
other router facilities (firewall, queues, etc)
● Some packets still will go the regular path to
maintain conntrack entries
24
FastPath + Conntrack = FastTrack

25
Routing Forwarding FastPath

YES

26
Fasttrack-Connection

27
Without Fasttrack
● Board:
RB2011UiAS-2HnD
● Configuration:
default Home AP
● Throughput:
358Mbps
● CPU load:
100%
● Firewall CPU load:
44%

28
With Fasttrack
● Board:
RB2011UiAS-2HnD
● Configuration:
default Home AP
● Throughput:
890Mbps
● CPU load:
86%
● Firewall CPU load:
6%

29
 Fasttrack-connection
● “fasttrack-connection” action works similar to
“mark-connection” action
● “fasttrack-connection” rule is usually followed by
identical “accept” rule
● Most common Fasttrack implementations :
– Fasttrack if connection reach connection-
state=established and related
– Fasttrack to exclude some specific connections
from the queues
– Fasttrack all local connections

30
Special Dummy Rules

31
 Special Dummy Rule
● This is not an actual rule, it is for visual
information only
● Dummy rule shows user that some traffic
traveling in FastPath and will not reach their
firewall rules
● Rule will show up as soon as there are at least
one “Fasttracked” connection tracking entry.
● Rule will disappear only after last “Fasttracked”
connection tracking table are fully timed out
● Dummy simple queue possible in future. 32
 Interface Queue and FastPath

● Only interface queue that guarantees FastPath

“Interface HTB” is the last step in the packet flow

●
IP forwarding FastPath allowed
● TCP “FastTraked” connection

●
Simple queues

34
● ether1 and ether2 have FastPath support
● IPIP1 "allow-fast-path" setting enabled

●
IP forwarding FastPath allowed
● ICMP traffic
● NAT

35
● ether1 and ether2-out have
FastPath support
● IP forwarding FastPath allowed

●
“FastTracked” TCP connection

36
● ether1 and ether2-out have
FastPath support
● IP forwarding FastPath allowed

●
“FastTracked” TCP connection

37
 Bottom Line
●FastPath is a feature that allows you to reduce
CPU load in specific configurations
●You trade some RouterOS functionality for
performance
●Packet fragments can't use FastPath, so plan
your network's MTU/MSS carefully
●Core thing needed for FastPath is interface
driver support, without it there is no FastPath, no
FastTracked conenctions ect.
38
Questions!!!

39