In routerOS will be enabled fastpath then?
No, ROS firewall (/ip/firewall) does not work simply because packets never enter CPU.
If we set some rules on the INPUT chain just to protect the router, we lose the hardware feature?
The traffic to the router itself (packet destination IP = router IP; INPUT chain) is unaffected by the l3hw. The firewall stays fully functional here. The same applies to outgoing traffic (OUTPUT chain).
Regarding routed traffic (FORWARD chain, or PRE/POSTROUTING chains for forwarded packets), in the case of l3hw=yes, setting those rules does nothing because the firewall (/ip/firewall) does not get triggered. You need to set l3hw=no or l3hw=fw to make the stateful
firewall to work. However, a stateless
firewall still is an option via switch ACL rules. For example, you can allow/block specific IP addresses/prefixes or TCP/UDP ports. More info here: https://wiki.mikrotik.com/wiki/Manual:C ... _.28ACL.29
Is there a table? I have seen in the link at the first post, but it is not clear what the number means... 3750 connections, really? it is very low...
Yes, unfortunately, the number of hardware connections is limited. Actually, it is 4500 if used without MPLS. Mikrotik smart offloading algorithm picks the heaviest (traffic-wise) connections for offloading at any given time. Other (slower) connections get processed by the CPU. So the number of connections can be much greater. For instance, we tested CRS317 with 10k connections, and it worked fine.
Please take into account that CRS (Cloud Router Switch) series are more "switch" than a "router". Consider the ability to run an L4 hardware-accelerated firewall more like a bonus feature rather than a common use-case. For heavy routing, please look into the CCR series.
Currently, Mikrotik engineers are working on a "hybrid l3hw mode" which allows running both l3hw=yes + l3hw=fw on the same device. For example, it will allow hardware inter-VLAN routing (with an unlimited number of connections) while running Firewall/NAT on the upstream port(-s).