hytanium
Member Candidate
Topic Author
Posts: 201
Joined: Thu Jan 18, 2007 9:10 pm

Stop all P2P / UDP except port 53

Thu Feb 28, 2008 11:13 pm

In another post I mentioned that I am experiencing extreme ping times on my RB333, but only on my SR9 cards with 32 clients. All wireless parameters are good, but I can't solve this issue. Is there a way for me to block all P2P or UDP traffic except for port 53? Will doing this block messenger too?

I would like to do this on a specific AP, for a test, only on WLAN2 (which is the SR9 card). I would like to do this with some sort of queue on the AP itself. The only reason I'm asking is that my network expert is at the Poland MUM.

Any help is appreciated. BTW, all my clients run a P2P queue, but I'm suspecting some sort of issue with the queues, since I mass-upgraded my clients and AP to 3.2.

Thanks in advance!
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Stop all P2P / UDP except port 53

Sun Jul 06, 2008 6:36 pm

To block ALL P2P:
/ip firewall filter add action=drop p2p=all-p2p chain=forward

To block all UDP except port 53:
/ip firewall filter add action=drop protocol=udp port=!53 chain=forward
 
soamz
Member
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Stop all P2P / UDP except port 53

Sat Jul 30, 2016 12:27 pm

My core router is getting 70Mbps of UDP traffic.

Is it bad?

And I just applied this:

/ip firewall filter add action=drop protocol=udp port=!53 chain=forward
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Stop all P2P / UDP except port 53

Sat Jul 30, 2016 12:54 pm

Yes, very bad!
You are probably being used as a DDoS reflector because of inappropriate firewalling of your internal DNS resolver.
 
soamz
Member
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Stop all P2P / UDP except port 53

Sat Jul 30, 2016 1:03 pm

pe1chl wrote:
Yes, very bad!
You are probably being used as a DDoS reflector because of inappropriate firewalling of your internal DNS resolver.

But my DNS is only open for my own internal network, meaning my 5 blocks of /22, not for the outside world.
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Stop all P2P / UDP except port 53

Sun Jul 31, 2016 5:12 am

If your router is enabled for DNS ("Allow remote requests"), your router is vulnerable to DoS attacks from all sides, UNLESS you have a deliberate firewall rule to drop all TCP and UDP port 53 traffic on your external interface(s).

On all my routers, especially ones exposed to the Internet, I have two firewall filter rules, one to block UDP:53 and one for TCP:53.

I would go further and advise you to block all ports, except the ones you really want. You could accomplish this by creating ALLOW rules for all the valid ports, and finally a REJECT ALL INBOUND rule (NOTE: for the external interface) for the remaining traffic.
 
soamz
Member
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Stop all P2P / UDP except port 53

Sun Jul 31, 2016 5:14 am

Giepie wrote:
If your router is enabled for DNS ("Allow remote requests"), your router is vulnerable to DoS attacks from all sides, UNLESS you have a deliberate firewall rule to drop all TCP and UDP port 53 traffic on your external interface(s).

On all my routers, especially ones exposed to the Internet, I have two firewall filter rules, one to block UDP:53 and one for TCP:53.

I would go further and advise you to block all ports, except the ones you really want. You could accomplish this by creating ALLOW rules for all the valid ports, and finally a REJECT ALL INBOUND rule (NOTE: for the external interface) for the remaining traffic.

I did that yesterday, and almost 100+ tickets started coming in: internet blocked, website not working, game not working, IPsec not working, bla bla.
 
Giepie
Member
Posts: 432
Joined: Mon Sep 13, 2004 12:33 pm
Location: Western Cape, South Africa

Re: Stop all P2P / UDP except port 53

Sun Jul 31, 2016 5:17 am

Did you block chain:INPUT and in-interface:<your external interface>? Make sure you don't apply these rules on your internal interfaces.

You're welcome to post your firewall filter rules so we could have a look.
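As an added worked example (not rules posted in this thread), here is the rule set Giepie describes in this reply and the earlier one, written out for RouterOS, with the rule soamz applied kept as a comment for comparison. It assumes ether1 is the Internet-facing interface and that the customer blocks are 10.0.0.0/22 and 10.0.4.0/22; all three are placeholders to substitute with your own.

```routeros
# Added example, not from the thread. Placeholders: ether1 = uplink,
# 10.0.0.0/22 and 10.0.4.0/22 = customer blocks. Replace with your own.

# --- What was applied (weak): matches every UDP flow crossing the router whose
# ports are not 53, so it also kills IPsec (UDP 500/4500), games and VoIP for
# every customer behind it. Kept commented out for comparison only.
# /ip firewall filter add chain=forward protocol=udp port=!53 action=drop

# --- Corrected: chain=input protects the router's own resolver, and the drop
# rules are tied to the external interface so customer traffic is untouched.
/ip firewall address-list
add list=customers address=10.0.0.0/22 comment="customer block 1 (placeholder)"
add list=customers address=10.0.4.0/22 comment="customer block 2 (placeholder)"

/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to the router's own traffic (its upstream DNS lookups etc.)"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no DNS queries from the Internet: stops the reflection abuse"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
add chain=input src-address-list=customers protocol=udp dst-port=53 action=accept \
    comment="resolver reachable from customer blocks only"
add chain=input src-address-list=customers protocol=tcp dst-port=53 action=accept
add chain=input protocol=icmp action=accept comment="keep ping/traceroute working"
# Add accept rules here for what the border genuinely needs from outside, e.g.
# BGP (tcp/179) from the upstream peers and VRRP (protocol=vrrp) between the
# core pair, otherwise the final drop below takes those sessions down too.
add chain=input in-interface=ether1 action=drop \
    comment="everything else arriving at the router itself from the Internet"

# The resolver stays on for customers; the input rules above are what limit it.
/ip dns set allow-remote-requests=yes
```

Two things to keep in mind when placing this in the three-tier layout above: chain=input only protects the router the rules are loaded on, so they belong on every router that has allow-remote-requests=yes, and the in-interface must be that router's Internet-facing port, never the interface towards the core or the PPPoE routers. Afterwards, /ip firewall filter print stats should show the two port-53 drop rules counting packets while the customer accept rules keep counting normal queries, and /ip dns print should still show allow-remote-requests: yes.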
 
soamz
Member
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: Stop all P2P / UDP except port 53

Sun Jul 31, 2016 12:15 pm

Giepie wrote:
Did you block chain:INPUT and in-interface:<your external interface>? Make sure you don't apply these rules on your internal interfaces.

You're welcome to post your firewall filter rules so we could have a look.

My network is:
3 upstreams, so 3 border routers > then 2 core routers in VRRP > then PPPoE routers.
So where shall it be?
