Hi,
Love using MikroTik defaults; however, I'm not a fan of this default DROP rule (below). I am thinking of separating the rule out such that I can have an explicit DROP at the end to provide more clarity.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
into:
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all other forward"
Just looking for a sanity check on this . . .
/ip firewall filter
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all other forward"
add action=drop chain=input comment="drop all other input"
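As a way to run the sanity check asked for above, here is an added example (not part of the original post and not MikroTik code): a small first-match model of the forward chain that evaluates the default drop rule and the proposed three-rule replacement against the same packets and reports where the verdicts differ. Assumptions: each packet carries at most one interface list, the packet set is constructed, and the fasttrack rule is left out because it follows an accept rule with the same connection-state matcher and so does not change the verdict.

```python
import shlex

TERMINAL = {"accept", "drop"}  # actions that end chain traversal
NON_MATCHERS = {"action", "chain", "comment", "hw-offload"}

def parse(text):  # 'add key=value ...' lines -> list of dicts, order preserved
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        negate = want.startswith("!")
        hit = pkt.get(key) in want.lstrip("!").split(",")
        if hit == negate:  # plain matcher missed, or negated matcher hit
            return False
    return True

def verdict(rules, pkt, chain="forward"):
    # The first matching accept/drop wins; a chain that runs out of rules accepts.
    for r in rules:
        if r["chain"] == chain and r["action"] in TERMINAL and matches(r, pkt):
            return r["action"]
    return "accept"

# Rules below are copied from the post; only the split into variables is added.
COMMON = parse('''
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept established,related" connection-state=established,related
''')
DEFAULT = COMMON + parse(
    'add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN')
PROPOSED = COMMON + parse('''
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="drop all other forward"
''')

# Constructed packets; "unlisted" arrives on an interface in neither LAN nor WAN.
PACKETS = {
    "lan-new": {"connection-state": "new", "in-interface-list": "LAN"},
    "wan-new": {"connection-state": "new", "in-interface-list": "WAN"},
    "wan-dstnat": {"connection-state": "new", "in-interface-list": "WAN", "connection-nat-state": "dstnat"},
    "unlisted-new": {"connection-state": "new"},
}

def differences():
    both = {n: (verdict(DEFAULT, p), verdict(PROPOSED, p)) for n, p in PACKETS.items()}
    return {n: v for n, v in both.items() if v[0] != v[1]}
```

In this model the two rule sets agree for LAN and WAN traffic and differ only for new connections arriving on an interface that is in neither list, which the default rule lets through and the explicit final drop blocks.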