I found this method is the best way to prevent DDoS Attack from your users to attacked resources and drop DDoS directed to your clients.
First, we catch all new connections and send them to dedicated firewall chain:
/ip firewall filter
add chain=forward connection-state=new action=jump...
Easy Guide on how to setup MikroTik Site-to-Site IPsec Tunnel
If one of MikroTik’s WAN IP address is dynamic, set up the router as the initiator (i.e. dial-out)
If you are working from WAN, don’t forget to enable Safe Mode.
Let’s go to Winbox -> IP -> IPsec -> Proposals, and this is the...