@jack14
Take what I write below with a pinch (or better two) of salt, as I am not at all an expert in firewall rules, so the following may well be completely wrong, still:
I don't think that the issue is with that default final drop rule.
That rule simply does what it is supposed to do, i.e. drop connections that match three "filters":
1) connection-nat-state=!dstnat
2) connection-state=new
3) in-interface-list=WAN
and it essentially prevents all connections originating from the WAN side of the router, it is the last one in the default firewall settings, and should remain as is.
In alternate firewall settings the last rule is "drop all else".
In theory you need, before that rule, a new one that explicitly accepts the connections from your other site.
The questions are which matchers should this accept rule have to only allow your traffic from the other site and how does that traffic arrive.
A (completely wrong! ONLY for test!) accept rule could be *something like* (on Mikrotik A):
add action=accept chain=forward comment="this is wrong,only for test" in-interface-list=WAN src-address=192.168.2.0/24 dst-address=10.0.1.0/24
that should allow connections from the net 10.0.2.0 that is natted by the devices on site B to either 192.168.2.1 or 192.168.2.10 (I think the latter).
If this is the case, and the above works, you can narrow it a little bit:
add action=accept chain=forward comment="this is wrong,only for test" in-interface-list=WAN src-address=192.168.2.10 dst-address=10.0.1.0/24
But even this could be a huge hole in the firewall; there isn't AFAIK anything that can distinguish "your" 192.168.2.10 from anyone else's 192.168.2.10, unless your ISP router has a firewall that surely prevents any other connection with that source address.
So the "right" way should be to establish some kind of VPN tunnel between the two Mikrotiks (Wireguard? IPSEC? Something else? cannot say).
EDIT: oops, cross-posting. I now see you already found an (even wider than mine) accept rule (yours makes your whole LAN accessible for all the internet unless it is stopped by your ISP router firewall, of course).
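
Added example, not part of the post above and not MikroTik code: a small Python model of first-match filtering with the three matchers of the default drop rule and the narrowed test accept rule, showing that the accept rule only takes effect when placed before the drop, and that it cannot tell site B's 192.168.2.10 from any other sender using that source address. The class and field names are invented for the illustration, the sample packets are constructed, and the model assumes a packet that matches no rule is accepted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    in_list: str = "WAN"   # interface list the packet arrived on
    state: str = "new"     # connection-state
    dstnat: bool = False   # True if the connection was dst-natted
    origin: str = ""       # label for the reader only; no matcher can see it

@dataclass
class Rule:
    action: str
    in_list: Optional[str] = None
    state: Optional[str] = None
    not_dstnat: bool = False          # models connection-nat-state=!dstnat
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        # All matchers that are set must match (logical AND).
        return ((self.in_list is None or p.in_list == self.in_list)
                and (self.state is None or p.state == self.state)
                and (not self.not_dstnat or not p.dstnat)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst)))

def verdict(chain, p: Packet) -> str:
    # The first matching rule decides; a packet that matches no rule is accepted.
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return "accept"

DROP_WAN = Rule("drop", in_list="WAN", state="new", not_dstnat=True)
ACCEPT_B = Rule("accept", in_list="WAN", src="192.168.2.10", dst="10.0.1.0/24")

# Constructed sample packets.
site_b = Packet("192.168.2.10", "10.0.1.20", origin="site B")
other = Packet("192.168.2.10", "10.0.1.20", origin="someone else")
stranger = Packet("203.0.113.5", "10.0.1.20", origin="internet host")

if __name__ == "__main__":
    for name, chain in (("accept first", [ACCEPT_B, DROP_WAN]),
                        ("drop first", [DROP_WAN, ACCEPT_B])):
        for p in (site_b, other, stranger):
            print(f"{name:12} {p.origin:13} -> {verdict(chain, p)}")
```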