I noticed most of the default firewall rules allow LAN clients full access to the router. I understand that the router only has a handful of ports open (in my case 53/tcp, 53/udp, 67/udp, 68/udp, 123/udp and Winbox). For more restrictive VLANS (used for guest access or IOT devices), is there any added security provided by specifically allowing only these ports in the firewall rules?

firewall rules is very much a "personal" thing and is your to configure as you feel fit for your environment

Typically, one trusts the hosts in your LAN as they are under your administrative control, so allow full access out and related back in, but the hosts on the Internet (Evil) not so much

Thanks. Yes, definitely the full access out and related back in. I'm wondering more about the input chain. So if router has ports A, B and C open, is there a benefit to having the firewall restrict to just A, B and C also?

Default firewall has one LAN and you usually trust connected devices, so everything is allowed. But it makes sense to make other things more restricted. For example guests are not necessarily trusted, so they can get just port 53 for dns and that's enough (dhcp uses raw sockets, so it doesn't need to be allowed in IP firewall).

I prefer to allow few needed things and block everything else. It won't make any difference if nothing is listening on other ports. But if it does and you miss it, it won't be accidentally open without you knowing about it.

Thanks!