First, the input rules.
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no src-address-list=!Trusted_Range
If packets are invalid they should be dropped. Even if they're from trusted IPs.
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop all that is not to local" disabled=no dst-address-type=!local dst-limit=0,5,dst-address/1m40s
That makes no sense - only packets that are to local addresses are even going to make it into the input chain. This rule does nothing. Also, why call it drop if you are going to leave some of them through?
add action=add-src-to-address-list address-list="Blocked Port Scans" address-list-timeout=1d chain=input comment="Detect and Log Port Scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=drop chain=input comment="Drop Port Scans" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all that is not from unicast" disabled=no src-address-type=!unicast
add action=drop chain=input comment="Drop Everything Else" disabled=no
Why waste CPU resources detecting port scans if you're just going to drop everything anyway?
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
Why jump somewhere BELOW the rule where you're dropping everything?
Your input rule set can be summarized as the functionally equivalent set below:
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop Everything Else" disabled=no
Now for the output rules.
/ip firewall filter
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
It makes no sense to police the output chain. Remove all those rules. They don't secure anything for you but have to be processed regardless.
Now let's deal with sub chains before going to forward.
/ip firewall filter
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no dst-limit=0,5,dst-address/1m40s protocol=icmp
add action=return chain=ICMP disabled=no
Nothing uses this ICMP chain. Remove the rules, they're just clutter.
/ip firewall filter
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
So far so good.
add action=log chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and email" connection-limit=100,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and add to list" connection-limit=100,32 disabled=no dst-port=25 protocol=tcp src-address-list=allowed_bulkmailers
These don't do anything. If they're exceeding 100 connections they also by definition exceeded 30 connections, so they already got caught above - the rules above don't have passthrough on, after all.
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
This is a repeat of the first rule in the subchain, so that does nothing.
add action=return chain=SMTP disabled=no
Your SMTP rule set can be summarized as this:
/ip firewall filter
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=return chain=SMTP disabled=no
And now the forward filters.
Mostly this can be made far more efficient by re-ordering the rules. Stateful permits for established and related traffic are going to catch 99% of the packets, so they should be the first in the set. Since you have a default allow set, you also have absolutely no need for a whole bunch of accept rules. The forward set below is functionally equivalent to what you have right now:
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
So, to sum it all up, here is your current rule set:
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no src-address-list=!Trusted_Range
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop all that is not to local" disabled=no dst-address-type=!local dst-limit=0,5,dst-address/1m40s
add action=add-src-to-address-list address-list="Blocked Port Scans" address-list-timeout=1d chain=input comment="Detect and Log Port Scans" disabled=no protocol=tcp psd=20,3s,3,1
add action=drop chain=input comment="Drop Port Scans" disabled=no protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all that is not from unicast" disabled=no src-address-type=!unicast
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
add action=drop chain=input comment="Drop Everything Else" disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=accept chain=forward comment="Accept Altrix traffic" disabled=no src-address=10.33.0.0/16
add action=accept chain=forward comment="Allow Access to client webserver" disabled=no dst-address=x.x.x.22
add action=accept chain=forward comment="Allow Access to client webserver" disabled=no dst-address=x.x.x.23
add action=accept chain=forward comment="Allow Access to Backup server" disabled=no dst-address=x.x.x.5 src-address-list=Allow_Access_to-Backupserver
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=log chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and email" connection-limit=100,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect Excessive Allowed BulkMailers Connections and add to list" connection-limit=100,32 disabled=no dst-port=25 protocol=tcp src-address-list=allowed_bulkmailers
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=return chain=SMTP disabled=no
add action=drop chain=forward comment="Drop SMTP SPAMMER's" disabled=no dst-port=25 protocol=tcp src-address-list=smtp_spammers
add action=jump chain=input comment="Jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="Drop everything else" disabled=no dst-limit=0,5,dst-address/1m40s protocol=icmp
add action=return chain=ICMP disabled=no
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=yes
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=yes dst-limit=0,5,dst-address/1m40s src-address-list=!Trusted_Range
add action=accept chain=forward comment="Related connections" connection-state=related disabled=yes
add action=drop chain=forward comment="Drop all that is not from unicast" disabled=yes src-address-list=!Trusted_Range src-address-type=!unicast
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
add action=accept chain=output comment="Accept Established Packets" connection-state=established disabled=no
add action=accept chain=output comment="Accept Related Packets" connection-state=related disabled=no
add action=drop chain=output comment="Drop Invalid Packets" connection-state=invalid disabled=no
And here is what it should be:
/ip firewall filter
add action=accept chain=input comment="Accept Established Connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept Related Connections" connection-state=related disabled=no
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid
add action=accept chain=input comment="Allow Access from Trusted Range" disabled=no src-address-list=Trusted_Range
add action=drop chain=input comment="Drop Everything Else" disabled=no
add action=drop chain=SMTP comment="Drop SMTP Spammers" disabled=no src-address-list=smtp_spammers
add action=log chain=SMTP comment="Detect SMTP Spammers and email" connection-limit=30,32 disabled=no dst-port=25 log-prefix=_mail protocol=tcp src-address-list=!allowed_bulkmailers
add action=add-src-to-address-list address-list=smtp_spammers address-list-timeout=3h chain=SMTP comment="Detect SMTP Spammers and add to list" connection-limit=30,32 disabled=no dst-port=25 limit=30,15 protocol=tcp src-address-list=!allowed_bulkmailers
add action=accept chain=forward comment="Established Connections" connection-state=established disabled=no
add action=accept chain=forward comment="Related connections" connection-state=related disabled=no
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop GHS support from accessing Internet VIA Comtel" disabled=no dst-address-list=!Uncapped_Excludes src-address=172.21.0.24
add action=drop chain=forward comment="Drop remote access to Webservers" disabled=no dst-address=x.x.x.x/26 dst-port=22,222,3306,5900,10000 protocol=tcp src-address-list="!allows_access to servers"
add action=jump chain=forward comment="Check SMTP" disabled=no dst-address-list=!dst_mailserver_exclude dst-port=25 jump-target=SMTP protocol=tcp src-address-list=!mailserver_exclude
add action=accept chain=forward comment="Accept Everything Else" disabled=yes
That should significantly improve packet processing in the firewall filters.
You probably also want to optimize your mangle rules.
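The reachability arguments in the review above (a terminal "drop everything else" making the later ICMP jump unreachable, and a "not to local" matcher that can never be true in the input chain) can be checked mechanically. This is an added Python example, not part of the original post; it models rules as sets of exact key/value matchers, which finds rules shadowed by an identical-or-broader earlier terminal rule but not partial overlaps such as address ranges, and treats stateful matchers (limit, psd) as if they always matched.

```python
# Reachability check for an ordered RouterOS filter chain (added example, not the
# poster's config tooling). Matchers are compared by exact key/value only, so
# overlapping-but-unequal matchers and stateful ones (limit, psd) need a human look.
TERMINAL = {"accept", "drop", "reject"}  # actions that end evaluation (no passthrough)
META = {"chain", "action", "comment", "jump-target"}  # keys that are not matchers
# Matchers that can never be true in a built-in chain: the input chain only ever
# sees packets addressed to the router itself, so "not local" never matches there.
IMPOSSIBLE = {"input": {("dst-address-type", "!local")}}


def matchers(rule):
    return {(k, v) for k, v in rule.items() if k not in META}


def unreachable_rules(rules):
    """Return (index, reason) for each rule that can never take effect: dead when a
    matcher is impossible in its chain, shadowed when an earlier terminal rule in the
    same chain already consumes every packet it could match (subset of matchers)."""
    findings = []
    for i, rule in enumerate(rules):
        chain, m = rule["chain"], matchers(rule)
        if m & IMPOSSIBLE.get(chain, set()):
            findings.append((i, f"matcher can never be true in chain {chain}"))
            continue
        for j in range(i):
            earlier = rules[j]
            if earlier["chain"] == chain and earlier["action"] in TERMINAL and matchers(earlier) <= m:
                findings.append((i, f"shadowed by rule {j} ({earlier['comment']})"))
                break
    return findings


# The posted input chain in its original order (comments shortened, disabled=no omitted).
INPUT_CHAIN = [
    {"chain": "input", "action": "accept", "comment": "Accept Established", "connection-state": "established"},
    {"chain": "input", "action": "accept", "comment": "Accept Related", "connection-state": "related"},
    {"chain": "input", "action": "drop", "comment": "Drop Invalid", "connection-state": "invalid", "src-address-list": "!Trusted_Range"},
    {"chain": "input", "action": "accept", "comment": "Allow Trusted", "src-address-list": "Trusted_Range"},
    {"chain": "input", "action": "drop", "comment": "Drop all that is not to local", "dst-address-type": "!local"},
    {"chain": "input", "action": "add-src-to-address-list", "comment": "Detect Port Scans", "protocol": "tcp", "psd": "20,3s,3,1"},
    {"chain": "input", "action": "drop", "comment": "Drop Port Scans", "protocol": "tcp", "psd": "21,3s,3,1"},
    {"chain": "input", "action": "drop", "comment": "Drop not unicast", "src-address-type": "!unicast"},
    {"chain": "input", "action": "drop", "comment": "Drop Everything Else"},
    {"chain": "input", "action": "jump", "comment": "Jump to chain ICMP", "protocol": "icmp", "jump-target": "ICMP"},
]

if __name__ == "__main__":
    for idx, why in unreachable_rules(INPUT_CHAIN):
        print(f"rule {idx} ({INPUT_CHAIN[idx]['comment']}): {why}")
```

Run against the posted input chain it reports rule 4 (the "not to local" drop) as dead and rule 9 (the ICMP jump) as shadowed by rule 8, matching the review above; run it over the SMTP and forward chains the same way before and after re-ordering.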
If you see the screenshot, between 15 & 20 % is being used for queuing, but we don't have any queues on our RB.
You are probably seeing queuing because of inherent interface queues.