BGP / fast-path - securing router itself

Hello,

I’m going to try BGP on CCR2116/CCR2216 with a full table, with fastpath for performance reasons.
But here it comes - device also needs to be secured, but adding any entries for input chain in /ip/firewall/filter or prerouting chain in /ip/firewall/raw disables fastpath. Conntrack is disabled.

Some services like ssh can be protected in /ip/service menu, but this is not enough.
Also, BGP, SNMP, etc. still need to be filtered and those services can’t be protected.

So question for you guys - how do you protect router itself in that case?

Problem was discussed in another topic:

It turned out the only option left on the table is /interface/ethernet/switch/rule/ to filter out access to administration ports; in my case it will require good planning (6 VLANs, 15 peers). Or are there other options?
Or just use firewall filter/raw with minimal rules and see how it will impact performance/cpu usage with fastpath disabled?
Estimated traffic is 5/6Gb/s
Any recommended approach?