kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

DDOS Rules when Connection tracking is Off

Thu Dec 24, 2020 10:34 am

I'm wondering how to place DDoS attack filter rules when connection tracking is off on a MikroTik CCR-1036, as I'm using this router for routing only and the rest of my traffic is forwarded to a CGNAT CCR-1009.

Can anyone help with it?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDOS Rules when Connection tracking is Off

Thu Dec 24, 2020 11:59 am

Well, first, why don't you want to place those rules on your CGNAT device? :)
 
kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: DDOS Rules when Connection tracking is Off

Sun Dec 27, 2020 12:02 pm

I think I didn't describe my network completely; let me tell you everything.

I'm working as a mini ISP with 1500 users. I have 2 public /24 pools which are routed by the main ISP through these IPs, 14.x.x.x/29, assigned by my ISP to my MikroTik router (my router IPs are /29).
So, my edge router, a CCR1036, is connected to my user interface (and my users are PPPoE clients).

CCR-1036 EDGE ROUTER: This router has these functions (PPPoE server, routing the /24 directly by giving real IPs to defined users, and forwarding private 172.16.x.x/16 users to my CGNAT router). This router has connection tracking OFF (the reason connection tracking is off: when the electricity goes off in one of my areas, my MikroTik doesn't get any load, because CONNECTION TRACKING IS DISABLED). If I turn connection tracking ON at this router, then when 100s of users reconnect at the same time the CPU load goes to 100% and the MikroTik starts dropping packets for a few seconds.

So, I used another router for CGNATing.
Please see the link below for what I want to explain to you.
https://aacable.wordpress.com/2018/03/2 ... -mikrotik/

Do you have another solution?
 
Cha0s
Forum Guru
Posts: 1142
Joined: Tue Oct 11, 2005 4:53 pm

Re: DDOS Rules when Connection tracking is Off

Sun Dec 27, 2020 4:22 pm

I don't know what those 'DDoS Rules' are, but you can use the Raw table to do filtering without connection tracking enabled.
 
kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: DDOS Rules when Connection tracking is Off

Sun Dec 27, 2020 6:12 pm

When connection tracking is off, RAW tab rules won't work.
 
DarkNate
Forum Guru
Posts: 1016
Joined: Fri Jun 26, 2020 4:37 pm

Re: DDOS Rules when Connection tracking is Off

Sun Dec 27, 2020 6:25 pm

DDoS protection at the ISP level shouldn't rely on "drop" rules; that's what we do at home.

ISPs should use more pro-grade solutions: https://security.stackexchange.com/a/134770
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: DDOS Rules when Connection tracking is Off

Sun Dec 27, 2020 6:57 pm

Please see the link below for what I want to explain to you.
https://aacable.wordpress.com/2018/03/2 ... -mikrotik/

Your link provides the correct information:
"When using Masquerade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect."
=> Use srcnat instead of masquerade to eliminate extra load on PPPoE (dis)connects.


When connection tracking is off, RAW tab rules won't work.

Raw works fine without connection tracking; raw is applied before tracking (if enabled).
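The split the thread converges on, as an added example (not from the thread or from the linked blog): stateless RAW rules on the edge router with tracking off, and a fixed-pool src-nat instead of masquerade on the CGNAT router. Interface names, address ranges and rate values are assumed placeholders; the syntax is RouterOS v6 style.

```routeros
# Added example, not the poster's or MikroTik's config.
# All interface names and addresses below are assumed placeholders.

# ---- Edge router (CCR1036): connection tracking stays off ----
/ip firewall connection tracking
set enabled=no

# RAW prerouting is evaluated before connection tracking, so these rules
# work with tracking disabled. Only stateless matchers are usable here
# (headers, address lists, rate limits); connection-state is not.
/ip firewall raw
add chain=prerouting in-interface=ether1-upstream src-address-list=ddos-drop \
    action=drop comment="drop sources already listed"
add chain=prerouting in-interface=ether1-upstream src-address=172.16.0.0/16 \
    action=drop comment="customer private range must not arrive from upstream"
# Per-source SYN rate to the customer /24 (198.51.100.0/24 is a placeholder).
# dst-limit in src-address mode keeps one bucket per source, so a single
# noisy source is listed without listing everyone behind the same link.
add chain=prerouting in-interface=ether1-upstream protocol=tcp tcp-flags=syn \
    dst-address=198.51.100.0/24 dst-limit=100,100,src-address/10s \
    action=accept comment="SYNs within the per-source rate"
add chain=prerouting in-interface=ether1-upstream protocol=tcp tcp-flags=syn \
    dst-address=198.51.100.0/24 action=add-src-to-address-list \
    address-list=ddos-drop address-list-timeout=10m \
    comment="excess SYNs: list the source, the first rule drops it next"
# Caveat: a flood with spoofed sources is not caught by a per-source limit;
# that is the case for upstream filtering DarkNate points at above.

# ---- CGNAT router (CCR1009): connection tracking on ----
# masquerade re-evaluates the connection table on every interface up/down
# (the blog's point); src-nat to a fixed pool does not.
/ip firewall nat
add chain=srcnat src-address=172.16.0.0/16 action=src-nat \
    to-addresses=203.0.113.2-203.0.113.254 comment="CGNAT pool, fixed"
# Stateful rules (connection-state=new etc.) belong on this box, where the
# connection state exists, as Chupaka suggests.
```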
 
kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: DDOS Rules when Connection tracking is Off

Mon Dec 28, 2020 2:24 pm

Dear Chupaka (sorry for using your short name),

How do I rectify a user (whose IP is in the DDoS attackers list in MikroTik)?
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: DDOS Rules when Connection tracking is Off

Tue Jan 05, 2021 1:36 pm

So again, why don't you filter on the CGNAT devices? They already have connection tracking on, and those rules use "connection-state=new", so the CPU load should not be noticeable.

What do you mean by "rectify"?..
 
kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: DDOS Rules when Connection tracking is Off

Tue Jan 05, 2021 2:10 pm

Please see the link below for what I want to explain to you.
https://aacable.wordpress.com/2018/03/2 ... -mikrotik/

Your link provides the correct information:
"When using Masquerade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect."
=> Use srcnat instead of masquerade to eliminate extra load on PPPoE (dis)connects.

THANKS, ISSUE RESOLVED. I completely removed NATting and the issue is resolved.

When connection tracking is off, RAW tab rules won't work.

Raw works fine without connection tracking; raw is applied before tracking (if enabled).
