I am considering replacing my tik with something else because the issues I am having. I wanted to see how these routers were working for others.

Our upstream provider called us complaining about port 25 spam. So created a rule to simply block or filter port 25 on the mikrotik router. Years went on traffic volume has increased. We have been from 100, 250 , 500 and now 1000 mbps fiber. Peak hours we are running at 500 - 700 mbps. I have random dropped packets all over the network. I worked all day today to discover the firewall filter rule was the culprit of my issues. So at the moment I had to disable the port 25 rule. Is anyone else seeing any bottle necks like this. We bought what we thought was a better router the have a CCR model. I was only able to get 150 mbps on the router with the rule enabled now I can max out my pipe with is disabled.

I assume this rule forces every packet on my network through it. Are their other ways to block port 25 that is less CPU intensive?

What was the exact smtp rule you had in place according to export?

Sent using Tapatalk

So many questions here.

What is the router you are using?

What is the filter rule?

With it enabled, how many hits is it getting (open it up and you will see the packets per second rate on the rule)

Why are you just blocking it rather than finding and fixing the offending machine(s)? (Or is this ISP/home users?)

Generally, if a rule is a very busy rule, it will create a lot more processing, depending on the router you have it may be filling your CPU (are you at 100% CPU usage with the rule enabled?) YOu could do a few things, you could have an address-list that only blocks the offending people, and some kind of brute force / connections per second catcher to add to that list, this way you dont quite process every source IP in the one rule, but with 1gbit and peak usage up to 700mbit and not having changed router since you had 50 or 100mbit, you're likely at the point of needing a beefier router.

When running any kind of firewall filter rules, it is important to enable fast track. Without it all packets will be processed against whatever firewall rules and performance will hurt. And it doesn't matter if it's mAP or CCR1072 or CHR on a super-duper PC, fast track should be enabled unless it breaks some required functionality (such as mangle rules) and even there some traffic might be selectively fasttracked.

Sorry I did not put enough information before guys I was limited on time. The router is a CCR1009-8G-1S-1S+ We have a 1 gbps wholesale fiber connect for resale. We are a WISP. We have a single public ip on the wan side and a 2 /24 public subnets on the lan side. This is our gateway router for my WISP.

options selected are:

enabled yes

chain forward
protocol tcp
dst port 25
action drop

Try use src-address or src-address-list to limit the rule only to certain IPs or just your LAN ips so its only checking outgoing connections and not incoming as well.

With it enabled, how many hits is it getting (open it up and you will see the packets per second rate on the rule)

Why are you just blocking it rather than finding and fixing the offending machine(s)? (Or is this ISP/home users?)