protecting my network from outside (especially ISP)

Hello! This is my first post so please let me say hello to all!

I am a Mikrotik user (two routers) and have been for several years, but I am no expert, so please, if someone can give me a suggestion.
I want to protect my local network from outside, especially from the ISP side, because this is the exposed side if someone knows my local IP ranges.

I have a pppoe connection to my ISP (dynamic IP address that changes every day) and I have implemented filter rules chain:input action:drop for my two public interfaces: the eth interface connected to the ADSL modem and the pppoe-out interface.
But I think that this is not secure enough, because if for example my ISP sets my public IP address as a gateway, they can communicate with my internal LAN machines. I know that filter rules chain:forward action:drop for the public interfaces (eth and pppoe) is not an option, because the internet would then be unreachable.

Can someone provide a simple solution for how to block possible internet traffic from my ISP to my internal LAN?

Many thanks in advance, and I apologize for the question if the solution is evident, but I tried to surf the forum and googling did not give me a solution.

I think this still works:

/ip firewall filter
add chain=forward in-interface=ether1 connection-state=new action=drop

Change ether1 to your WAN interface. That will only drop new connection attempts from your ISP network.

Oh, many thanks!
I cannot test this from the ISP side, but if you say so :slight_smile: I hope it is going to work. So this is going to block all attempts to establish a connection (that is what connection-state=new means).
Is that going to be OK for all public-side connection attempts to my LAN (spoofing…)?

If you want to check, you can add a “action=add-src-to-address-list” rule prior to that rule.

/ip firewall filter
add chain=forward in-interface=ether1 connection-state=new action=add-src-to-address-list address-list=hacker

Then wait a while and check

/ip firewall address-list print

and see whose IP is there. :smiley:

I tend to allow established, related and then drop everything else incoming

Not sure if that’s the best way to do it or if that opens up some potential holes

@SurferTim thank you once again, even for that extra know-how regarding catching hackers :wink:

@dragon2611 yes, I saw around on wiki.mikrotik and googling around that this, what you are talking about, is a widely implemented practice, but I wanted just a 99% secure (100% is impossible when online :slight_smile: ) and simple way to prevent intrusion into my local network from the ISP side or any other malicious public side.
I have a VPN server set up for my remote needs and I wanted everything else to be blocked from outside, even the ISP, because the pppoe connection (WAN interface) with a public IP is easily accessible from the ISP side, and just blocking chain-input was not enough because chain-forward was leaving my LAN exposed and vulnerable, until now, when SurferTim gave me a great solution. I really do not know if there is any even better solution than this. This one seems great to me.

I’ve always wondered if the related rule allows the host you are exchanging traffic with open access through the firewall, or if it’s just to allow replies to your request.

I see “related” used a lot with FTP traffic. If you do not allow related, FTP will stop functioning.

Interesting question, I cannot provide any positive answer. It seems that the difference between “established” and “related” is in belonging to an existing connection or not. Both are related to a connection, but only an “established” one belongs to some existing connection. That is my understanding. Correct me if I am wrong.
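To make the two points in this thread concrete (SurferTim's "drop new from the WAN" rule plus the address-list trick, and the "established" vs "related" question), here is a small Python model of a stateful forward chain. It is an added illustration written for this thread, not RouterOS code and not anyone's posted configuration; the interface names (ether1 for WAN, bridge1 for LAN), the addresses and the FTP "PORT command" helper are constructed assumptions. It tracks accepted flows the way a connection tracker does, classifies each packet as new, established or related, and applies the rules from the thread to a short constructed packet sequence, including an FTP server that is allowed to open its expected data channel but is still dropped when it tries any other port.

```python
"""Toy stateful packet filter modelling the forward-chain rules discussed
in the thread. Added for illustration; this is not RouterOS code.

Connection states follow the conntrack meaning:
  new          first packet of a flow the tracker has not accepted before
  established  packet belonging (in either direction) to an accepted flow
  related      a new flow that a helper has announced as expected
               (e.g. the FTP data channel belonging to a control channel)
"""
from dataclasses import dataclass

WAN = "ether1"   # interface facing the ISP, as in the thread
LAN = "bridge1"  # assumed name of the LAN-side interface


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ConnTracker:
    """Minimal connection tracker: remembers accepted flows and helper expectations."""

    def __init__(self):
        self.flows = set()         # 5-tuples of accepted flows, stored in original direction
        self.expectations = set()  # (proto, src, dst, dport) flows a helper expects

    @staticmethod
    def _fwd(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p):
        # A reply is "established" because the reversed tuple is a known flow.
        if self._fwd(p) in self.flows or self._rev(p) in self.flows:
            return "established"
        if (p.proto, p.src, p.dst, p.dport) in self.expectations:
            return "related"
        return "new"

    def confirm(self, p):
        """Only accepted packets create a tracked flow (dropped ones are never confirmed)."""
        self.flows.add(self._fwd(p))
        self.expectations.discard((p.proto, p.src, p.dst, p.dport))


class Firewall:
    def __init__(self):
        self.ct = ConnTracker()
        self.address_list = {}  # address-list name -> set of source addresses

    def forward_chain(self, p):
        state = self.ct.state(p)
        if p.in_iface == WAN and state == "new":
            # add-src-to-address-list rule from the thread, then the drop rule:
            # a new connection arriving from the WAN is logged and dropped.
            self.address_list.setdefault("hacker", set()).add(p.src)
            return state, "drop"
        # Everything else (LAN-originated new, established, related) falls
        # through to the default accept, exactly as with the single drop rule.
        self.ct.confirm(p)
        return state, "accept"

    def ftp_port_command(self, client, server, data_port):
        """Model of the FTP helper seeing a PORT command on an accepted control
        channel: it registers that server -> client:data_port is expected, so
        only that specific flow will match 'related', not any flow from the server."""
        control = [f for f in self.ct.flows
                   if f[0] == "tcp" and f[1] == client and f[3] == server and f[4] == 21]
        if not control:
            raise ValueError("no accepted FTP control connection for this client/server")
        self.ct.expectations.add(("tcp", server, client, data_port))


def demo():
    """Runs a constructed packet sequence; returns (results, hacker_list)."""
    fw = Firewall()
    lan_host, web, ftp, attacker = "192.168.88.10", "203.0.113.5", "203.0.113.9", "198.51.100.7"
    packets = [
        ("LAN host browses to a web server",   Packet(LAN, lan_host, 50000, web, 80)),
        ("web server replies",                 Packet(WAN, web, 80, lan_host, 50000)),
        ("unsolicited SSH attempt from WAN",   Packet(WAN, attacker, 4444, lan_host, 22)),
        ("LAN host opens FTP control channel", Packet(LAN, lan_host, 50001, ftp, 21)),
    ]
    results = [(label, *fw.forward_chain(p)) for label, p in packets]
    fw.ftp_port_command(lan_host, ftp, 50002)  # client announced its data port
    results.append(("FTP server opens the expected data channel",
                    *fw.forward_chain(Packet(WAN, ftp, 20, lan_host, 50002))))
    results.append(("same FTP server tries SSH instead",
                    *fw.forward_chain(Packet(WAN, ftp, 20, lan_host, 22))))
    return results, sorted(fw.address_list.get("hacker", set()))


if __name__ == "__main__":
    results, hackers = demo()
    for label, state, verdict in results:
        print(f"{label:45} state={state:11} -> {verdict}")
    print("address-list hacker:", hackers)
```

The last two packets answer dragon2611's question in miniature: "related" only admits the one flow the helper announced (server port 20 to the client's announced data port); the same server connecting to port 22 is classified as "new", dropped, and lands on the "hacker" address list alongside the unsolicited probe.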