about the firewall filter to prevent Ddos

Hi my best community ,

When I add this to the firewall, my internal IP always gets banned via the address-list. How can I solve it? The internal IP seems to act as a DDoSer? Thank you!

/ip firewall filter
add action=jump chain=forward comment=Detect-Ddos connection-state=new disabled=no in-interface=ether1-gateway-gateway jump-target=detect-ddos
add action=return chain=detect-ddos comment=Detect-Ddos disabled=no dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1d chain=detect-ddos comment=Detect-Ddos disabled=no
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1d chain=detect-ddos comment=Detect-Ddos disabled=no
add action=drop chain=forward comment=Detect-Ddos connection-state=new disabled=no dst-address-list=ddosed src-address-list=ddoser

You could place a forward rule before those detect-ddos rules you have, allowing your internal IP address. Also create a forward rule that allows established and related connections. Place the two rules at the top of the firewall list.

/ip firewall filter add chain=forward src-address="Internal IP addresses" action=accept
/ip firewall filter add chain=forward connection-state=established,related action=accept

This way the internal IP addresses are allowed through and the return traffic is permitted.
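A complete rule ordering that applies the answer above, written as an added example rather than the poster's own configuration: the accept rules go first, the internal hosts are kept in an address list instead of a literal placeholder, and only new connections arriving on the WAN interface reach the detector. The 192.168.88.0/24 LAN subnet and the ether1-gateway interface name are assumptions, replace them with your own.

```routeros
# internal hosts that must never be tagged (assumed subnet)
/ip firewall address-list
add list=lan address=192.168.88.0/24 comment="internal hosts"

/ip firewall filter
# 1. return traffic for connections already accepted never reaches the detector
add chain=forward connection-state=established,related action=accept comment="allow return traffic"
# 2. anything originating from the internal subnet is accepted before detection
add chain=forward src-address-list=lan action=accept comment="allow internal hosts"
# 3. only new connections arriving on the WAN interface (assumed name) are inspected
add chain=forward connection-state=new in-interface=ether1-gateway action=jump jump-target=detect-ddos comment=Detect-Ddos
# 4. below the threshold: return to forward without tagging anything
add chain=detect-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return comment=Detect-Ddos
# 5. above the threshold: tag the target and the source for one day
add chain=detect-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=1d comment=Detect-Ddos
add chain=detect-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=1d comment=Detect-Ddos
# 6. drop new connections only when both source and destination are tagged
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop comment=Detect-Ddos
```

Check the order with `/ip firewall filter print` and use `move` if the accept rules ended up below the jump; after some traffic, `/ip firewall address-list print where list=ddosed` should contain no internal addresses.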