Mikrotik firewall always starts with "Input" chain. When the last rule of the input chain, Drop=All ends, continues with the Forward chain.
Its order is important, the rules are followed from top to bottom, otherwise there will be no correct traffic operation.
Please copy the entire firewall section from beginning to end. (without sensitive information)
It seems that the problem will be in your traffic configuration.
/ip firewall address-list
add address=192.168.88.0/24 list=Admin
/ip firewall filter
{Input Chain} +++++++
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input src-address-list=Admin comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
{forward chain} ++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN