We have 2 BGP routers and use

In the forward <some special rules> then

# Apply ICMP filter
add chain=forward protocol=icmp action=jump comment="filter icmp" jump-target=ICMPFILTER
add chain=forward comment="Allow ICMP" limit=50,100 protocol=icmp disabled=yes

# Related
add chain=forward comment="Allow Established connections" connection-state=established
add chain=forward comment="Allow Related connections" connection-state=related

# for asym traffic
add chain=forward comment="allow SYN,ack tcp traffic" protocol=tcp tcp-flags=syn,ack
add chain=forward comment="allow non SYN tcp traffic" protocol=tcp tcp-flags=!syn

Alex

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Terry Sweetser (SkyMesh)
Sent: Wednesday, 30 March 2016 12:37 PM
To: Stavros Patiniotis <stavros@staff.esc.net.au>; 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] DDoS Mitigation?

Hi Stavros!

I'd prefer not to --- I have BGP load balancing in place and no way of sharing CT between 2 Router/OS machines.

http://about.me/terry.sweetser

On 30/03/16 10:58, Stavros Patiniotis wrote:
Hi Terry,
Have you tried adding a permit established at the top of the rules to help you reduce the number of rules to work through for the majority of your traffic?
_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
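To see what the two suggestions in the thread actually change, here is a small model of the forward chain, added as an example and not part of any message above. It parses the rules Alex posted, runs constructed packets through them in the posted order and in the established/related-first order Stavros suggested, and reports which rule matched and how many rules were evaluated. The semantics are simplified and are my reading of the rules, not RouterOS itself: tcp-flags=syn,ack is taken as "both flags set" (as the rule's own comment says), tcp-flags=!syn as "SYN clear", a jump is treated as the outcome because the ICMPFILTER chain is not on the page, and conn_state=None stands for a packet this router's conntrack has no entry for (the asymmetric case Terry describes, or an unsolicited probe).

```python
"""Walk the RouterOS forward-chain rules from the thread, first match wins.

Added example, not part of the original post.  Matcher semantics are
simplified to the attributes the posted rules use (protocol,
connection-state, tcp-flags); limit= is ignored; a jump is terminal here
because the ICMPFILTER chain is not shown on the page.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# The rules as posted in the message above.
POSTED_RULES = [
    'add chain=forward protocol=icmp action=jump comment="filter icmp" jump-target=ICMPFILTER',
    'add chain=forward comment="Allow ICMP" limit=50,100 protocol=icmp disabled=yes',
    'add chain=forward comment="Allow Established connections" connection-state=established',
    'add chain=forward comment="Allow Related connections" connection-state=related',
    'add chain=forward comment="allow SYN,ack tcp traffic" protocol=tcp tcp-flags=syn,ack',
    'add chain=forward comment="allow non SYN tcp traffic" protocol=tcp tcp-flags=!syn',
]


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    flags: frozenset = frozenset()      # TCP flags set on the packet
    conn_state: Optional[str] = None    # conntrack verdict; None = no entry (assumption)


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str = "accept"
    jump_target: Optional[str] = None
    proto: Optional[str] = None
    conn_state: Optional[str] = None
    flags_all: frozenset = frozenset()   # listed flags must be set (assumed reading of syn,ack)
    flags_none: frozenset = frozenset()  # "!" flags must be clear

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.conn_state and p.conn_state != self.conn_state:
            return False
        if (self.flags_all or self.flags_none) and p.proto != "tcp":
            return False
        return self.flags_all <= p.flags and not (self.flags_none & p.flags)


def parse_rule(line: str) -> Optional[Rule]:
    """Turn one 'add chain=forward ...' line into a Rule; None if disabled=yes."""
    kv = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
    if kv.get("disabled") == "yes":
        return None
    flags_all, flags_none = set(), set()
    for f in filter(None, kv.get("tcp-flags", "").split(",")):
        (flags_none if f.startswith("!") else flags_all).add(f.lstrip("!"))
    return Rule(comment=kv.get("comment", ""), action=kv.get("action", "accept"),
                jump_target=kv.get("jump-target"), proto=kv.get("protocol"),
                conn_state=kv.get("connection-state"),
                flags_all=frozenset(flags_all), flags_none=frozenset(flags_none))


def load_rules(lines=POSTED_RULES):
    return [r for r in map(parse_rule, lines) if r is not None]


def established_first(rules):
    """Stavros's suggestion: move the conntrack-state rules to the top, keep the rest in order."""
    state = [r for r in rules if r.conn_state in ("established", "related")]
    return state + [r for r in rules if r not in state]


def walk(rules, p: Packet):
    """First matching rule decides. Returns (outcome, number of rules evaluated)."""
    for n, r in enumerate(rules, 1):
        if r.matches(p):
            verdict = f"jump {r.jump_target}" if r.action == "jump" else r.action
            return f"{verdict}: {r.comment}", n
    return "no match, falls through to the rest of the forward chain", len(rules)


# Constructed packets covering the cases the thread argues about.
PACKETS = {
    "established tcp, seen by this router's conntrack": Packet("tcp", frozenset({"ack"}), "established"),
    "asymmetric SYN-ACK, SYN went via the other router": Packet("tcp", frozenset({"syn", "ack"})),
    "asymmetric mid-stream ACK, no conntrack entry": Packet("tcp", frozenset({"ack", "psh"})),
    "new SYN, must reach the filtering rules": Packet("tcp", frozenset({"syn"}), "new"),
    "unsolicited ACK-only probe (e.g. an ACK scan)": Packet("tcp", frozenset({"ack"})),
    "ICMP error related to a tracked flow": Packet("icmp", conn_state="related"),
}


def report():
    """Per packet: (outcome, rules evaluated) for the posted order and for established-first."""
    posted, reordered = load_rules(), established_first(load_rules())
    return {name: (walk(posted, p), walk(reordered, p)) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (posted, first) in report().items():
        print(f"{name}\n  posted order:      {posted[0]} after {posted[1]} rule(s)"
              f"\n  established-first: {first[0]} after {first[1]} rule(s)")
```

Two things the run makes visible. The asymmetric packets are never rescued by conntrack at all; they reach the tcp-flags rules, so the !syn rule is what keeps the BGP-balanced return path working, and that same rule accepts any TCP packet without SYN that conntrack cannot vouch for, an ACK-only probe included, which is the price of filtering only SYNs when state is not shared between the two routers. Moving the state rules to the top also changes where related ICMP goes: in the posted order it hits the ICMPFILTER jump first, after the reorder it is accepted by the related rule before the ICMP filter sees it.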