I have searched on this forum but cannot find an affirmative answer.
A few days ago we experienced a DDoS (SYN flood); our router, a CCR1072, was totally unreachable for management during this DDoS. We experienced some 4/5 Gbps of DDoS traffic.
I already found that we need to use Fastpath (or FastTrack); without it the router cannot handle a lot of traffic.
What is the best option? Disable the firewall and enable Fastpath, or is FastTrack good enough to keep the MikroTik reachable for management during a DDoS?
We have 2 x 10GB uplinks in LACP config.
The only reason we have firewall rules on this router is to block/filter SSH/Winbox traffic to it.
The router only routes public subnet, so no NAT is needed.
Fasttracking relies on connection tracking, which itself is resource consuming. So if you don't need to firewall any forward (interface to interface) traffic, and it is enough to firewall access to the router itself, you can use simple rules in the input chain just to allow access to the required local services from a list of sources, and not match on connection-state and/or connection-nat-state; nor can you use policy routing if it should depend on connection-mark.
Not referring to connection-whatever anywhere in the firewall should automatically deactivate connection tracking unless you've forced it on in configuration; if you have, you'll have to use /ip firewall connection tracking set enabled=auto (or no if you prefer).
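As an added illustration of the approach the answer describes (not configuration from either poster), the RouterOS CLI fragment below restricts SSH/Winbox on the input chain to an address list and leaves every rule free of connection-state matchers, so connection tracking can fall back to auto. The list name mgmt-allowed and the addresses in it are constructed placeholders; the ports are the RouterOS defaults for SSH (22) and Winbox (8291).

```routeros
# Added example, not from the original thread. Source addresses are constructed placeholders.
/ip firewall address-list
add list=mgmt-allowed address=198.51.100.10 comment="admin workstation (placeholder)"
add list=mgmt-allowed address=203.0.113.0/24 comment="NOC range (placeholder)"

/ip firewall filter
# Allow management services only from the listed sources.
# No connection-state / connection-nat-state / connection-mark matchers anywhere,
# so nothing forces connection tracking on.
add chain=input protocol=tcp dst-port=22,8291 src-address-list=mgmt-allowed action=accept comment="SSH/Winbox from mgmt sources"
add chain=input protocol=tcp dst-port=22,8291 action=drop comment="drop SSH/Winbox from everyone else"

# Return connection tracking to auto so it stays disabled while no rule references it
# (use enabled=no to force it off outright).
/ip firewall connection tracking set enabled=auto
```

After applying this, /ip firewall connection tracking print should show the feature inactive; if it is still active, some remaining rule (filter, NAT, mangle or a connection-mark route rule) is referencing connection state and needs to be removed. Note that with tracking off, FastTrack rules (action=fasttrack-connection) cannot be used, which is the trade-off the answer describes, and the drop rule still has to evaluate every flood packet that targets the router's own address, so it reduces but does not remove the input-chain load.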