1. dstnat for output chain - i.e. to route Mikrotik's DNS requests to different DNS servers / interfaces
2. hardware ipsec acceleration for processors, which support it (i.e. RB3011) - maximum ipsec performance is the must for many modern configs, imho