The point of the exercise was to demonstrate to you that you don't know what you are doing yet.
The right answer is that the second rule does the same thing as the first rule (allows vlan_lan to the router), but also allows all LAN subnets to the router and also stops WAN-to-router traffic.
Hence, a decent default rule to start with. However, it can be improved as seen below.
In other words, the first rule is redundant and not required, because you already allow the full LAN to your router in the second rule (every subnet identified as a LAN interface list member).
What you should aim for is the following:
add chain=input action=accept in-interface-list=MGMT (and optionally src-address-list=adminaccess)
Where
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan_cameras list=LAN
add interface=vlan_guest list=LAN
add interface=vlan_lan list=LAN
add interface=vlan_lan list=MGMT
Thus, only those on the interface vlan_lan will have full access to the router.
The optional firewall address list can be used to further reduce access to the IP addresses of admin devices (desktop PC, laptop, iPad, smartphone).
If you go this route, ensure you change the MAC server / MAC Winbox server interface from LAN to MGMT.
After you put this rule in place, then as the last rule in the input chain put:
add chain=input action=drop comment="drop all else"
This blocks all other WAN/LAN-to-router and router-to-WAN/LAN traffic.
So what's missing... If you know how MT OS works, one will realize that LAN users still need access, but limited access, and that is to the services the router provides; typically this is only
DNS (some also have NTP servers running).
Example (AND PLACE THESE JUST BEFORE THE LAST DROP ALL RULE):
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
Okay, let's get to other issues,
and I QUOTE:
"Seems you can't port forward and masquerade at the same time."
BULL PUCKY! A very incorrect statement; the two functionalities are separate.
Source NAT, or masquerade (a source NAT variant), instructs the router to perform NAT on the outgoing traffic that ORIGINATES behind the router, on the particular WAN interface. Be careful here: it does not tell the router to send the traffic out a specific WAN interface; that is done by your IP routing rules.
A device on a LAN initiates a session; the router knows that the session going out that interface should leave the router with the public IP of that interface, but it will keep track of which LAN IP sent the outgoing traffic so that, upon the return traffic, the router can send that traffic back to the right LAN IP.
Destination NAT (or port forwarding), in your case, tells the router what to do for TRAFFIC originating OUTSIDE the router and hitting your public IP with a specific port it wants to connect to.
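Pulling the pieces of the post together, here is an added example (not the original poster's config) of the complete input chain built around the MGMT interface list, the LAN DNS exceptions and the final drop, followed by a masquerade rule and a dst-nat rule side by side to show that the two NAT functions are independent. The admin host addresses 192.168.88.10/11, the internal web host 192.168.10.10 and TCP port 443 are assumed values for illustration; the established/related and invalid rules are the standard defconf entries, which the post does not list but which keep the router's own sessions (including its upstream DNS lookups) working once the final drop is in place.

```routeros
# Added example, not the original poster's configuration.
# Assumed: ether1 is the WAN port, vlan_lan carries the admins,
# 192.168.88.10/11 are admin hosts, 192.168.10.10 is a web host.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT

/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan_cameras list=LAN
add interface=vlan_guest list=LAN
add interface=vlan_lan list=LAN
add interface=vlan_lan list=MGMT

# Optional: restrict router management to specific admin hosts (assumed addresses)
/ip firewall address-list
add list=adminaccess address=192.168.88.10 comment="admin desktop"
add list=adminaccess address=192.168.88.11 comment="admin laptop"

/ip firewall filter
# Standard defconf entries: return traffic for sessions the router started, and drop junk early
add chain=input action=accept connection-state=established,related comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
# Full router access only from the MGMT list, and only from the admin hosts
add chain=input action=accept in-interface-list=MGMT src-address-list=adminaccess comment="admin access from MGMT"
# Services the router provides to every LAN subnet: DNS (add an NTP rule here if you run it)
add chain=input action=accept connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp comment="Allow LAN DNS queries - TCP"
add chain=input action=accept connection-state=new dst-port=53 in-interface-list=LAN protocol=udp comment="Allow LAN DNS queries - UDP"
# Everything else to the router, from WAN or LAN, is dropped
add chain=input action=drop comment="drop all else"

# Winbox/MAC discovery were allowed on LAN by defconf; move them to MGMT as well
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

/ip firewall nat
# srcnat/masquerade: rewrites the source of traffic that ORIGINATES behind the router
# and leaves via a WAN-list interface; routing, not this rule, picks that interface
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade LAN to WAN"
# dstnat/port forward: traffic arriving from OUTSIDE on a WAN interface for TCP 443
# is redirected to the assumed internal web host; independent of the rule above
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 to-addresses=192.168.10.10 to-ports=443 comment="forward HTTPS to web host"
```

Rule order matters in the input chain: the MGMT accept and the two DNS accepts must sit above the final drop, which is why the block lists them in that order. The dst-nat rule only rewrites the destination; the forwarded packets then pass through the forward chain, so if your forward chain drops new connections from WAN, keep the defconf exception that accepts connection-nat-state=dstnat traffic, otherwise the port forward will appear not to work even though the NAT rule is correct.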