Preamble and disclaimer:
The following is a set of Rules that are intended as advice useful to avoid the most common errors observed in configuration posted on this forum.
It is my personal take on the matter, and in no way approved, endorsed or recommended, officially or unofficially, by Mikrotik or their partners or by anyone else.
In other words you are perfectly free to ignore them, though they represent (IMHO) a sort of (good) cheat sheet/reminder for people starting to use these devices.
Experts already know all these issues (and many more) and they already have their own ways to avoid them.
The twelve Rules of the Mikrotik Club:
Corollaries:
[1] Really, you shouldn’t. VLAN1 is used internally in some parts of the RoS and it can also cause conflicts with other manufacturers devices.
[2] Ok, you can use VLAN1, but only if you understand the implications.
[3] No exceptions. This includes when performing netinstall. Disconnect ALL ports but the one you are using for netinstall AND make sure proper firewall rules are created BEFORE connecting to the internet. For LTE routers disconnect means remove SIM.
[4] You can actually use it, but only once and only starting from a reset configuration.
[5] It serves nothing, and it can create issues, just don’t use it.
[6] Strongly advised, it prevents the MAC address of the bridge to be changed in case of other configuration changes.
[7] Particularly if you are going to fiddle with VLANS and firewall, it is very, very easy to lock yourself out of the Mikrotik device you are working on. You should also allow mac-winbox, activate its server but only on LAN and/or on an added interface list “Trusted”. mac-winBox allows to access the device if you lock access with IP. Remember that most changes take effect immediately, “Safe mode” is your all time & forever friend. Use it.
[8] The firewall is your only defense against the bad guys out there, think twice before changing anything in the default one, which is good enough in most cases. Only some Mikrotik devices come with a default configuration including the firewall, and even on those in some cases of reset or netinstall it is possible that these firewall rules are deleted, so better check and double check their existence before connecting to the internet. Even if not strictly speaking part of the firewall, the default settings make use of the categorization of interfaces (WAN and LAN in /interface list and actually used interfaces in /interface list member) and these should be checked to be correct and reflecting the actual WAN and LAN status of the interfaces, failing to do so may result in exposing the network to the outside and/or preventing access to the device. For those devices shipped with no default configuration, the first step should be to copy to them the default configuration taken from one of the Soho devices and published on the forum: Buying - RB1100AHx4 Dude Edition - Questions about Firewall - #4 by rextended , such configuration will need of course to be adapted to the device number of interfaces and settings of the bridge(s) if any.
[9] Just do it.
[10] Translated from Mikrotikish, Beta means pre-alpha, RC means early Beta, stable means RC, rinse and repeat on a newer version, now you know. (if it ain’t broken, don’t fix it)
[11] Please, don’t. We already have enough of them.
[12] A set of rules without a small reference to Douglas Adams seemed inadequate, but really, Mikrotik settings are often spread in several places, snippets of configurations are often not enough to understand what the problem may be, or, if you prefer, there are reasons why people looking for help are asked to post their COMPLETE configuration (anonymized).
Obviously these 12 Rules are only the tip of the iceberg 
, Good Practice and Common Sense Advice, numbered from 13 onwards here 
:
