Yes, this is what I believe as well; all I am trying to do with the graphic is to provide a rough estimation of what would normally happen.
Maybe the actual data could be better approximated (steepness may be 1% instead of 3%), but I don't believe that it can be represented as a flat, horizontal line; some - even minimal - increase with added rules must be shown.
@lurker888
I understand the form of the rules, what I was asking was different.
Starting from the DEFAULT firewall, this one:
Buying - RB1100AHx4 Dude Edition - Questions about Firewall - #4 by rextended
ONLY the part relative to the FORWARD chain:
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
# on next rule ADD hw-offload=yes if the version is 7.18 and up, but do not add for 7.21+
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat connection-state=new comment="defconf: drop all from WAN not DSTNATed"
The FIRST rule (besides the dedicated IPSEC ones that can be removed) is the fasttrack connection one.
This can be EITHER disabled OR enabled.
Then you insert your:
add chain=forward action=drop src-address=127.0.0.100
add chain=forward action=drop src-address=127.0.0.101
...
rules right after that and before the following:
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
If this is accurate, then the graphic exemplifies (IMHO) this correctly.
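Added example, not part of the original post or of RouterOS: a small first-match model of the forward chain quoted above, counting how many rules a packet is compared against when N `drop src-address=` rules are inserted after the fasttrack rule and before the accept-established rule. It assumes a simplified matcher covering only the matchers shown in the post, treats `fasttrack-connection` as non-terminating, and counts rule comparisons only (not throughput, and not packets that take the fast path and skip the chain); `parse`, `matches`, `traverse` and `build` are hypothetical names.

```python
import ipaddress, shlex

# The defconf forward-chain rules quoted in the post.
DEFCONF = """\
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop in-interface-list=WAN connection-nat-state=!dstnat connection-state=new comment="defconf: drop all from WAN not DSTNATed"
"""

def parse(text):
    """Turn 'add key=value ...' lines into dicts (quotes handled by shlex)."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Simplified matcher: every matcher in the rule must hold for the packet."""
    for key, val in rule.items():
        if key in ("chain", "action", "comment"):
            continue
        have = pkt.get(key)
        if key == "ipsec-policy":            # compare direction only (assumption)
            ok = have == val.split(",")[0]
        elif val.startswith("!"):            # negated matcher, e.g. !dstnat
            ok = have != val[1:]
        else:                                # comma list means "any of"
            ok = have in val.split(",")
        if not ok:
            return False
    return True

def traverse(rules, pkt):
    """Return (rules compared, final action) for one slow-path packet."""
    for checked, rule in enumerate(rules, start=1):
        if matches(rule, pkt) and rule["action"] != "fasttrack-connection":
            return checked, rule["action"]
    return len(rules), "accept"              # nothing matched: packet is accepted

def build(n_drops, fasttrack=True):
    """defconf chain with n_drops src-address drop rules placed as in the post."""
    rules = parse(DEFCONF)
    at = next(i for i, r in enumerate(rules) if r["action"] == "fasttrack-connection")
    if fasttrack:
        at += 1                              # insert right after the fasttrack rule
    else:
        del rules[at]                        # fasttrack rule disabled
    base = ipaddress.ip_address("127.0.0.100")
    drops = [{"chain": "forward", "action": "drop", "src-address": str(base + i)}
             for i in range(n_drops)]
    return rules[:at] + drops + rules[at:]
```

For an established packet from a constructed source such as `192.0.2.10`, `traverse(build(n), pkt)` grows by exactly one comparison per inserted rule, which is the non-flat slope the post argues for.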