Eduardo
newbie
Topic Author
Posts: 45
Joined: Thu Aug 18, 2016 12:20 pm

Recommended "IP/IP Settings"

Thu Sep 01, 2016 9:04 pm

What are the recommended "IP/IP Settings" for normal "home router" usage?

I read http://wiki.mikrotik.com/wiki/Manual:IP/Settings but that seems outdated (some items are missing), and doesn't help me much, unfortunately...

Thanks!
 
Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: Recommended "IP/IP Settings"

Fri Sep 02, 2016 11:11 am

Kill redirects (very insecure/exploitable), bump the ICMP rate limit a bit (to, say, 50-100-500), disable fast-path if you do not use it (if you are not an ISP, you perhaps do not), and put RP filtering to "strict" (if you do not use the gear in a corporate setup with (relatively) complex routing of multiple sub-networks, multinetting and other bogus, tricky stuff).

P.S.
Latest research shows that ICMP rate limits, aside from being violated by some apps (which in result leads to their connectivity issues, such as some online games, like say the BF and CoD franchises, and early versions of Arma2/3), in recent kernel and netfilter also contain code that makes the implementation very exploitable as well and allows a very neat "side-channel" attack on connections.
That's irrelevant for the current ROS kernel/netfilter, but considering the ROS7 future and the chance that MT may backport frome code from, including affected - mean to take that with serious consideration.
 
BrasDeutscher
newbie
Posts: 41
Joined: Sat Sep 03, 2016 12:31 am
Location: Brazil

Re: Recommended "IP/IP Settings"

Mon Sep 05, 2016 3:05 am

tcp-syncookies: yes
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Recommended "IP/IP Settings"

Fri Mar 30, 2018 8:32 am

Zorro wrote:
Kill redirects (very insecure/exploitable), bump the ICMP rate limit a bit (to, say, 50-100-500), disable fast-path if you do not use it (if you are not an ISP, you perhaps do not), and put RP filtering to "strict" (if you do not use the gear in a corporate setup with (relatively) complex routing of multiple sub-networks, multinetting and other bogus, tricky stuff).

P.S.
Latest research shows that ICMP rate limits, aside from being violated by some apps (which in result leads to their connectivity issues, such as some online games, like say the BF and CoD franchises, and early versions of Arma2/3), in recent kernel and netfilter also contain code that makes the implementation very exploitable as well and allows a very neat "side-channel" attack on connections.
That's irrelevant for the current ROS kernel/netfilter, but considering the ROS7 future and the chance that MT may backport frome code from, including affected - mean to take that with serious consideration.

When I put RP filtering to "strict", PPTP starts not working.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Recommended "IP/IP Settings"

Fri Mar 30, 2018 12:00 pm

Interesting. Never touched the settings here. Good advice!
Just to confirm, RP filtering set to Strict does not affect my PPTP client.
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Recommended "IP/IP Settings"

Fri Mar 30, 2018 12:19 pm

RP filtering has to be set to loose for my load-balance to work, as suggested in the wiki.
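
As an added example (not part of any post in this thread), a small Python audit that reads `/ip settings print` output and flags values that differ from the advice in the replies above. The sample output is constructed, and reading "kill redirects" as all three redirect options off is an assumption.

```python
import re

# Constructed sample of `/ip settings print` output (not from a real router).
SAMPLE = """\
          ip-forward: yes
      send-redirects: yes
    accept-redirects: no
    secure-redirects: yes
           rp-filter: loose
      tcp-syncookies: no
     icmp-rate-limit: 10
     allow-fast-path: yes
"""

def parse_settings(text):
    """Turn the 'name: value' lines of `/ip settings print` into a dict."""
    return dict(re.findall(r"^[ \t]*([a-z0-9-]+):[ \t]*(\S+)[ \t]*$", text, re.MULTILINE))

def audit(settings):
    """Return (level, property, message) tuples; level is FAIL, WARN or MISSING."""
    findings = []

    def check(prop, ok, level, msg):
        if prop not in settings:
            findings.append(("MISSING", prop, "not in the output, check by hand"))
        elif not ok(settings[prop]):
            findings.append((level, prop, f"{settings[prop]}: {msg}"))

    # Assumption: "kill redirects" is read as all three redirect options off.
    for prop in ("send-redirects", "accept-redirects", "secure-redirects"):
        check(prop, lambda v: v == "no", "FAIL", "thread advice is to disable redirects")
    check("tcp-syncookies", lambda v: v == "yes", "FAIL", "thread advice is yes")
    # Posters reported PPTP and load balancing needing less than strict,
    # so loose is reported as a warning and only "no" as a failure.
    if settings.get("rp-filter") == "no":
        findings.append(("FAIL", "rp-filter", "no: reverse-path filtering is off"))
    else:
        check("rp-filter", lambda v: v == "strict", "WARN", "strict is advised for simple routing")
    check("icmp-rate-limit", lambda v: v.isdigit() and int(v) >= 50, "WARN", "thread suggests raising it to 50-500")
    check("allow-fast-path", lambda v: v == "no", "WARN", "disable if fast-path is unused")
    return findings

if __name__ == "__main__":
    for level, prop, msg in audit(parse_settings(SAMPLE)):
        print(f"{level:<7} {prop:<17} {msg}")
```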
 
anav
Forum Guru
Posts: 23425
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Recommended "IP/IP Settings"

Fri Mar 30, 2018 6:14 pm

Zorro
In my box, Send Redirects and Secure Redirects are checked, and Accept Redirects is NOT checked.
Are you stating all the Redirect options should be UNCHECKED??

Do you also recommend tcp-syn cookies should be Checked?
Also being a newbie I am assuming fast path and fasttrack are not the same so not using fastpath is totally okay?


Somewhere I also read to add these drop forward rules........ any comments as to whether they are worthwhile or are they a waste of CPU time........

add action=drop chain=forward comment="Non RFC Packets" protocol=tcp \
tcp-flags=fin,syn
add action=drop chain=forward protocol=tcp tcp-flags=fin,urg
add action=drop chain=forward protocol=tcp tcp-flags=fin,!ack
add action=drop chain=forward protocol=tcp tcp-flags=syn,rst
add action=drop chain=forward protocol=tcp tcp-flags=rst,urg
add action=drop chain=forward protocol=tcp src-port=0
add action=drop chain=forward dst-port=0 protocol=tcp
add action=drop chain=forward protocol=udp src-port=0
add action=drop chain=forward dst-port=0 protocol=udp