Hello,
I’ve made a small configuration script to get a default configuration for new devices. I have tried to make it as compatible as possible with all devices. Maybe someone would like to test it or give some more ideas to make it better or add more secure firewall rules.
The original (most recent version) of the script is here: https://it-wiki.eu/hardware/netzwerkkomponenten/mikrotik/grundconfig
The website is not fully in English yet, but it's on the roadmap. There are some scripts for QoS and VPN (IPsec for Android/Windows/iPhone) too.
Be aware that I am not a MikroTik expert with years of experience, so please revisit the firewall rules before copying and pasting from a forum thread like this.
#V1.3c
##Important notes on this configuration:
#Firewall rules for VPN and external DNS blocking are prepared but disabled
#Only Winbox access is allowed to configure the MikroTik after import.
#Bogon rules deny forwarding of private IPs from WAN. These bogon rules may block VPN access. Change them if you get problems with VPN.
#NTP servers are not configured
#The script uses the interface list "wan" and adds the WAN interface, renamed "wan1", to it. Firewall rules are then added for the interface list, not for the interface itself.
#For LAN a bridge "bridge-lan" is used, which gets the address $lanIP
#There are two example scripts (disabled) for a scheduled reboot and a scheduled PPPoE reconnection.
# Known issues:
# Only 2.4 GHz Wi-Fi will be configured if Wi-Fi is selected.
# With some package configurations the script may not work because of missing commands. Let me know if you run into such problems.
#Howto:
#1. Log in to your MikroTik and check/update the RouterOS version. At least v6.36.3 is required (interface lists).
#2. Name the script "defaultconfig.rsc" (don't use a Microsoft text editor!) and drag and drop it into the Winbox window. Check "Files" and make sure that the file is in the "flash" folder if there is one.
#3. Click on "New Terminal" and enter "/system reset-configuration no-defaults=yes". Your MikroTik will lose its config!
#4. After the reboot, click on "New Terminal" again and execute "import defaultconfig.rsc". Hopefully there will be no error. You will be kicked out of Winbox and need to log in again.
#If you used a special configuration port, you now need to switch to a port inside your new LAN bridge before logging in again.
#If you don't expect any errors, it is much safer to reset and import in one step: "/system reset-configuration no-defaults=yes run-after-reset=defaultconfig.rsc"
#5. SET A PASSWORD!
#define local variables (DON'T CHANGE ANYTHING HERE)
:local lanIP;
:local configureDHCPServer;
:local DHCPsrvPool;
:local DHCPsrvNetwork;
:local DHCPsrvGateway;
:local DHCPsrvDNSsrv;
:local wan1;
:local configurePPPOE;
:local pppoeUser;
:local pppoePassword;
:local configureWIFI;
:local wifiSSID;
:local wifiPSK;
:local configureDHCPonWan1;
:local timezone;
#define variable END
#BEGIN YOUR CONFIGURATION HERE:
#TIMEZONE:
#:set timezone "Europe/Berlin";
#LAN
:set lanIP "192.168.166.254/24";
#Enable DHCP-Server for LAN (Bridge) ?
:set configureDHCPServer false; #true if you want a DHCP-Server
:set DHCPsrvPool "192.168.166.100-192.168.166.150";
:set DHCPsrvNetwork "192.168.166.0/24";
#gateway and DNS server get the bridge address without the prefix length ("192.168.166.254/24" is not a valid gateway value)
:set DHCPsrvGateway [:pick $lanIP 0 [:find $lanIP "/"]];
:set DHCPsrvDNSsrv $DHCPsrvGateway;
#Choose your WAN-Interface
:set wan1 "ether4";
#Configure PPPOE ?
:set configurePPPOE false;
:set pppoeUser "H1und1/testexample@online.de";
:set pppoePassword "Password";
#Configure DHCP-Client on WAN ?
:set configureDHCPonWan1 true;
#Configure Wifi ?
:set configureWIFI false;
:set wifiSSID "mySSID";
:set wifiPSK "myPSK";
#Enable dynamic DNS (MikroTik cloud service)? Uncomment the lines if needed
#/ip cloud;
#set ddns-enabled=yes;
#disable LCD ?
#/lcd
#set enabled=no touch-screen=disabled
#INTERFACE CONFIGURATION - Enter the interfaces of your MikroTik device.
#Every switch chip should have one master port; all other ports of the chip are slave ports
#DON'T ADD YOUR WAN PORT HERE (ether4 in this script example)!
#If you import this script from the MikroTik terminal, leave out your configuration port too, otherwise you can lose the connection while importing (if I made a mistake ;)!
:put "configure ports..."
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master
set [ find default-name=ether3 ] master-port=ether1-master
#ether4 is left out because it is used as the WAN port.
set [ find default-name=ether5 ] master-port=ether1-master
#set [ find default-name=ether6 ] name=ether6-master
#set [ find default-name=ether7 ] master-port=ether6-master
#set [ find default-name=ether8 ] master-port=ether6-master
#set [ find default-name=ether9 ] master-port=ether6-master
#set [ find default-name=ether10 ] master-port=ether6-master
:put "adding bridge..."
/interface bridge
add arp=proxy-arp name=bridge-lan
/interface bridge port
#Add all master ports to the LAN bridge (if all ports should belong to your LAN)
add bridge=bridge-lan interface=ether1-master
#add bridge=bridge-lan interface=ether6-master
#CONFIGURATION END
#You don't need to change anything after this line, but feel free to adjust the firewall rules and other settings below.
/interface ethernet
set [ find default-name="$wan1" ] comment="$wan1" name="wan1";
:put "adding ip $lanIP to bridge-lan..."
/ip address
add address=$lanIP interface=bridge-lan
/interface list
add name=wan
/ip neighbor discovery
set wan1 discover=no
/interface list member
add interface=wan1 list=wan
#PPPOE
:if ($configurePPPOE=true) do={
:put "creating PPPoE config on new interface wan1-PPPOE..."
/interface pppoe-client
add add-default-route=yes disabled=no interface=wan1 max-mru=1492 max-mtu=1492 \
name=wan1-PPPOE password=$pppoePassword use-peer-dns=yes user=\
$pppoeUser
/ip neighbor discovery
set wan1-PPPOE discover=no
/interface list member
add interface=wan1-PPPOE list=wan
}
:if ($configureDHCPonWan1=true) do={
:put "enabling DHCP-Client on $wan1 interface..."
/ip dhcp-client;
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=wan1;
}
#DHCPSERVER - only created if configureDHCPServer is true
:if ($configureDHCPServer=true) do={
:put "configuring DHCP-Server on bridge-lan..."
/ip pool
add name=dhcp_pool_bridge-lan ranges="$DHCPsrvPool"
/ip dhcp-server network
add address="$DHCPsrvNetwork" dns-server="$DHCPsrvDNSsrv" gateway="$DHCPsrvGateway"
/ip dhcp-server
add address-pool=dhcp_pool_bridge-lan disabled=no interface=bridge-lan lease-time=7d1h10m name=dhcp-bridge-lan
}
#WIFI
:if ($configureWIFI=true) do={
:put "configuring basic WIFI..."
#Workaround: the wireless commands are written to a file and imported from there, because on devices without the wireless package the whole script would otherwise fail to parse. The :delay gives the router time to create the file; wlan1 is added to the bridge inside the file only, a second add would abort the import.
/file print file=wificonfig; :delay 2; /file set [find name="wificonfig.txt"] contents="\
/interface bridge port;\
add bridge=bridge-lan interface=wlan1;\
/interface wireless security-profiles;\
add authentication-types=wpa2-psk eap-methods=\"\" management-protection=allowed mode=dynamic-keys name=WPA2 supplicant-identity=\"\" wpa2-pre-shared-key=\"$wifiPSK\";\
/interface wireless;\
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=germany disabled=no frequency=auto frequency-mode=regulatory-domain mode=ap-bridge security-profile=WPA2 ssid=\"$wifiSSID\" wireless-protocol=802.11 wps-mode=disabled;";
/import wificonfig.txt
}
:put "allow remote DNS-requests..."
/ip dns
set allow-remote-requests=yes;
#Disable MikroTik services
:put "disable MikroTik services (only winbox access left)";
/ip service;
set telnet disabled=yes;
set ftp disabled=yes;
set www disabled=yes;
set ssh disabled=yes;
set api disabled=yes;
set api-ssl disabled=yes;
#only set the time zone if one was configured above, an empty value would be rejected
:if ([:len $timezone] > 0) do={
/system clock;
set time-zone-name="$timezone";
}
/system script;
add name=Reboot owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/system reboot"
add name=pppoe_reconnect source={/interface pppoe-client disable [find name="wan1-PPPOE"];
:delay 10;
/interface pppoe-client enable [find name="wan1-PPPOE"];
:log info "Script pppoe_reconnect - scheduled wan1-PPPOE-disconnect executed.";
};
:put "configure Firewall..."
/ip firewall address-list;
add address=192.168.0.0/16 list=Bogon;
add address=10.0.0.0/8 list=Bogon;
add address=172.16.0.0/12 list=Bogon;
add address=127.0.0.0/8 list=Bogon;
add address=0.0.0.0/8 list=Bogon;
add address=169.254.0.0/16 list=Bogon;
/ip firewall nat;
add action=masquerade chain=srcnat log-prefix="masq_" out-interface-list=wan;
/ip firewall filter;
add action=reject chain=forward comment="Reject other DNS Servers" dst-port=53 log=yes log-prefix=DNS_53 protocol=udp reject-with=icmp-network-unreachable disabled=yes;
add action=drop chain=forward comment="Drop Bogon Forward << Internet (could block VPN traffic too)" in-interface-list=wan log-prefix="Bogon Forward Drop" src-address-list=Bogon;
#Note: the next three rules are not limited to the wan list, so a LAN host with more than 10 open TCP connections to the router is blacklisted for a day as well. Add in-interface-list=wan to them if that is not wanted.
add action=drop chain=input comment="detect and drop port scan connections" log-prefix="" protocol=tcp psd=21,3s,3,1;
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 log-prefix="" protocol=tcp;
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 log-prefix="" protocol=tcp src-address-list=black_list;
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid log-prefix="";
add action=accept chain=input log-prefix="" protocol=icmp;
add action=accept chain=input comment="Allow L2TP and IPSEC" disabled=yes log=yes log-prefix="" dst-port=1701,500,4500 protocol=udp;
add action=accept chain=input comment="allow ESP-IPSEC" disabled=yes log-prefix="" protocol=ipsec-esp;
add action=accept chain=input comment=SSTP dst-port=443 log-prefix="" protocol=tcp disabled=yes;
add action=fasttrack-connection chain=forward comment="established and related - place after VPN and anti-DoS rules" connection-mark=!connection_surfen connection-state=established,related log-prefix="";
add action=accept chain=forward comment="Accept Established / Related Forward" connection-state=established,related log-prefix="";
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" in-interface=bridge-lan log-prefix="" out-interface-list=wan;
add action=accept chain=forward comment="Allow forward traffic PPP(VPN) >> WAN" in-interface=all-ppp log-prefix="" out-interface-list=wan disabled=yes;
add action=accept chain=input comment="Accept Established / Related Input" connection-state=established,related log-prefix="";
add action=accept chain=input comment="Allow Input - from bridge-lan" in-interface=bridge-lan log-prefix="" ;
add action=drop chain=forward comment="Drop all other Forward packets" log=yes log-prefix="drop forward";
add action=drop chain=input comment="Drop all other Input" log=yes log-prefix="Input Drop";
#DON'T ADD ANYTHING AFTER THIS LINE. IF YOU IMPORT THE SCRIPT BY COPY & PASTE INTO THE TERMINAL, THE DROP RULE ABOVE WILL THROW YOU OUT BEFORE ANYTHING BELOW IT IS EXECUTED.
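As an added review helper (not part of the script above and not the author's code): a small Python audit that parses `add key=value ...` filter rules in the RouterOS syntax used here and reports what a reviewer of this rule set should know before importing it, namely chains without an unconditional final drop, input accepts that are reachable from WAN, and blacklist rules that also hit LAN hosts. The embedded rule text is a constructed, abridged copy of the rules above; it runs offline.

```python
import shlex

# Constructed sample: the filter rules of the script above, abridged to the fields checked here.
RULES_RSC = """
add action=drop chain=input comment="detect and drop port scan connections" protocol=tcp psd=21,3s,3,1;
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 protocol=tcp;
add action=accept chain=input protocol=icmp;
add action=accept chain=input comment="Allow L2TP and IPSEC" disabled=yes dst-port=1701,500,4500 protocol=udp;
add action=accept chain=input comment="Accept Established / Related Input" connection-state=established,related;
add action=accept chain=input comment="Allow Input - from bridge-lan" in-interface=bridge-lan;
add action=drop chain=input comment="Drop all other Input" log=yes log-prefix="Input Drop";
add action=drop chain=forward comment="Drop Bogon Forward << Internet" in-interface-list=wan src-address-list=Bogon;
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" in-interface=bridge-lan out-interface-list=wan;
add action=drop chain=forward comment="Drop all other Forward packets" log=yes log-prefix="drop forward";
"""
# Keys that say what a rule does or logs, not what it matches on.
META = {"action", "chain", "comment", "disabled", "log", "log-prefix", "address-list", "address-list-timeout"}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments intact."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def matchers(rule):
    # Only the match conditions of a rule.
    return {k: v for k, v in rule.items() if k not in META}

def audit(rules):
    """Findings a reviewer would want to see before importing the rule set."""
    findings = []
    for chain in ("input", "forward"):
        active = [r for r in rules if r["chain"] == chain and r.get("disabled") != "yes"]
        last = active[-1] if active else {}
        if last.get("action") != "drop" or matchers(last):
            findings.append(f"{chain}: no unconditional final drop")
        for r in active:
            m = matchers(r)
            # An input accept that is neither LAN-bound nor state-based is reachable from WAN.
            if chain == "input" and r["action"] == "accept" and "connection-state" not in m \
                    and m.get("in-interface") != "bridge-lan":
                findings.append("input: WAN-reachable accept " + ",".join(f"{k}={v}" for k, v in m.items()))
            # Blacklisting that is not bound to the wan list also catches LAN hosts.
            if r["action"] == "add-src-to-address-list" and "in-interface" not in m and "in-interface-list" not in m:
                findings.append(f"{chain}: '{r.get('comment')}' blacklists LAN sources too")
    return findings

if __name__ == "__main__":
    print(*audit(parse_rules(RULES_RSC)), sep="\n")
```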