Recently I've made changes to my setup.
I have the following scenario:
(AS cloud) → [CCR 1036 2S+ *1] → [SW] → [RB1100 *2] ---- pppoe — /GPON or Radio/ — Customer router
As you can see, *1 does the routing and CGNAT, and *2 does only PPPoE and queueing, with RADIUS for authentication.
I have always used connection tracking set to auto, but to relieve the CPU of the 1100 I've made a change: in firewall raw, all non-local traffic is now marked as no-track.
/ip firewall connection tracking
set enabled=yes
/ip firewall raw
# keep tracking for anything to or from the local 10.0.0.0/8 range
add action=accept chain=prerouting dst-address=10.0.0.0/8
add action=accept chain=output dst-address=10.0.0.0/8
add action=accept chain=prerouting src-address=10.0.0.0/8
add action=accept chain=output src-address=10.0.0.0/8
# everything else (customer traffic) bypasses connection tracking
add action=notrack chain=prerouting
add action=notrack chain=output
So, what's bothering me is the change-tcp-mss on PPPoE. Will it work properly with no tracking on customer traffic? Should I make a mangle rule on the CCR1036 to deal with that and turn it off in the PPPoE profile?
/ppp profile
add change-tcp-mss=yes dns-server=*.*.*.*,*.*.*.* local-address=192.168.255.1 name=pppoe_profile queue-type=ethernet-default remote-address=\
cgnat_sas4 use-compression=no use-encryption=no use-upnp=yes
Thanks
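An explicit MSS clamp placed on the CCR1036 instead of the dynamic one the PPPoE profile creates, as an added example that is not from the original post or from MikroTik's documentation. The interface name ether-to-sw and the 1452 value (1492-byte PPPoE MTU minus 40 bytes of IPv4 and TCP headers) are assumptions; confirm with the rule counters that SYNs are actually being matched before disabling change-tcp-mss in the profile.

```routeros
# Added example, not from the original post. Interface name is a placeholder.
# Only SYN packets carry the MSS option, and only values above 1452 are lowered,
# so hosts already advertising a smaller MSS are left untouched.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1453-65535 \
    out-interface=ether-to-sw action=change-mss new-mss=1452 passthrough=yes \
    comment="clamp MSS toward PPPoE customers (1492-40)"
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1453-65535 \
    in-interface=ether-to-sw action=change-mss new-mss=1452 passthrough=yes \
    comment="clamp MSS from PPPoE customers (1492-40)"
# Check that both rules count packets while a customer opens new connections
/ip firewall mangle print stats
# And inspect the MSS option in SYNs on the wire toward the RB1100
/tool sniffer quick interface=ether-to-sw ip-protocol=tcp
```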