Here is my basic starting point.
The gist: drop everything from the Internet that is not part of an existing connection; allow everything from the LAN to the router; allow only DNS and DHCP to the router from the guest network; allow IPsec (ESP/AH and IKE on UDP 500/4500) and L2TP (UDP 1701) only from hosts that already have an IPsec association; and allow anything from the addresses in the WANAllow list. I don't take credit for this — it is what I pieced together from the forums etc.
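/ip firewall address-list
# Trusted networks. LocalRanges is accepted to the router on every interface except WAN;
# GuestRanges only gets DNS/DHCP to the router (see the "guest" chain).
add address=10.0.0.0/24 list=LocalRanges ## YOUR LAN
add address=10.0.1.0/24 list=GuestRanges ## YOUR GUEST NETWORK
# WANAllow entries are accepted to the router's INPUT chain on ALL protocols and ports
# (see the "WANAllow" filter rule) and are matched on source address only. Keep this list
# short and trusted; for UDP the source address is not proof of who sent the packet.
add address=8.8.8.8/32 list=WANAllow ## ADD INTERNET ADDRESSES YOU WANT TO ALLOW HERE
# IPSecRange is referenced by the "IPSecRange" filter rules but is not defined on this page.
# An undefined address list matches nothing, so those rules are inert until it is populated.
# Bogon ranges: source addresses that must never arrive from the Internet side.
# CAVEAT: if the WAN interface itself is numbered from one of these ranges (ISP CPE double-NAT
# in 10/8 or 192.168/16, CGNAT in 100.64/10), remove that one entry, otherwise packets from the
# ISP gateway are dropped by the "Bogon via Ether01" rules.
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogon
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A" list=Bogon
add address=100.64.0.0/10 comment="Shared Address Space / CGNAT [RFC 6598]" list=Bogon
# Loopback is 127.0.0.0/8, not /16 (the original entry left 127.1.0.0-127.255.255.255 unfiltered).
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogon
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogon
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B" list=Bogon
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C" list=Bogon
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogon
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=Bogon
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogon
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogon
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogon
add address=224.0.0.0/4 comment="MC, Class D, IANA" list=Bogon
# 240/4 is reserved and also covers the limited-broadcast address 255.255.255.255,
# which is never a valid source.
add address=240.0.0.0/4 comment="Reserved [RFC 1112] incl. limited broadcast" list=Bogon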
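/ip firewall filter
# ---- INPUT: traffic addressed to the router itself ----
add action=accept chain=input comment="Connection State - Established" connection-state=established
add action=accept chain=input comment="Connection State - Related" connection-state=related
add action=drop chain=input comment="Connection State - Invalid" connection-state=invalid
# Everything below only ever sees the first packet of a NEW connection.
add action=drop chain=input comment="Bogon via Ether01" in-interface=ether01-gateway src-address-list=Bogon
add action=jump chain=input comment="Invalid TCP" in-interface=ether01-gateway jump-target=invalid_tcp protocol=tcp
add action=jump chain=input comment="Invalid UDP" in-interface=ether01-gateway jump-target=invalid_udp protocol=udp
add action=jump chain=input comment="ICMP - From Internet - Jump" in-interface=ether01-gateway jump-target=ICMP protocol=icmp
# NOTE: this also accepts ICMP from bridge-guest, because it precedes the "Guest Traffic Jump".
# Narrow it to your LAN bridge interface if guests should not be able to ping the router.
add action=accept chain=input comment="ICMP - From Local" in-interface=!ether01-gateway protocol=icmp
# Flood / port-scan / DoS heuristics are restricted to the WAN interface. As originally written
# they matched every interface and sat ahead of the "Local Ranges" accept, so a LAN host with
# more than 10 concurrent TCP connections to the router (Winbox + WebFig + SSH + DNS/TCP...)
# would be put on BlackList and tarpitted for a day. The original lines were also missing the
# space between address-list=... and address-list-timeout=..., which breaks import.
add action=drop chain=input comment="TCP - Syn Flood Suppression - Drop SynFlood" in-interface=ether01-gateway src-address-list=SynFlood
add action=add-src-to-address-list address-list=SynFlood address-list-timeout=30m chain=input comment="TCP - Syn Flood Detection - Add To SynFlood (30 Connections Per IP Address)" connection-limit=30,32 in-interface=ether01-gateway protocol=tcp tcp-flags=syn
add action=drop chain=input comment="TCP - Port Scan Detection - Drop Port Scans (21,3s,3,1)" in-interface=ether01-gateway protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="TCP - DoS Attack Supression - Tarpit BlackList (3 Connections Per IP Address)" connection-limit=3,32 in-interface=ether01-gateway protocol=tcp src-address-list=BlackList
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="TCP - DoS Attack Detection - Add to BlackList for 1d (10 Connections per IP Address)" connection-limit=10,32 in-interface=ether01-gateway protocol=tcp
# LAN: everything to the router is allowed. Source list AND interface are both required,
# so a LAN address arriving on the WAN side does not match.
add action=accept chain=input comment="Local Ranges" in-interface=!ether01-gateway src-address-list=LocalRanges
# Only honour IPSecRange when the packet actually came out of an IPsec SA (ipsec-policy=in,ipsec).
# Matching on source address alone would accept cleartext from anyone spoofing a listed source.
# IPSecRange must be defined in /ip firewall address-list (it is not on this page), and the
# ipsec-policy matcher needs a RouterOS version that supports it - verify on your release.
add action=accept chain=input comment=IPSecRange in-interface=ether01-gateway ipsec-policy=in,ipsec src-address-list=IPSecRange
add action=jump chain=input comment="Guest Traffic Jump" in-interface=bridge-guest jump-target=guest
# WANAllow: ALL protocols and ports to the router from the listed Internet addresses.
# Add dst-port=... (e.g. 8291 Winbox, 22 SSH) and protocol=tcp to narrow it; for UDP the
# source address is unauthenticated.
add action=accept chain=input comment=WANAllow in-interface=ether01-gateway src-address-list=WANAllow
add action=jump chain=input comment=IPSec in-interface=ether01-gateway jump-target=ipsec
# Anything not explicitly accepted above - including packets that returned from the guest or
# ipsec sub-chains without a match - is dropped.
add action=drop chain=input comment="Default Drop"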
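# ---- FORWARD: traffic routed through the router ----
# Fasttrack hands established flows to the fast path; the rest of this chain, mangle and queues
# are bypassed for them. NOTE(review): fasttracked packets are not matched against IPsec policies,
# so if a site-to-site (tunnel-mode) IPsec policy is ever added, accept its ipsec-policy=out,ipsec
# and ipsec-policy=in,ipsec traffic BEFORE this rule - confirm against your RouterOS release.
add action=fasttrack-connection chain=forward comment="Connection State - FastTrack Established/Related" connection-state=established,related
add action=accept chain=forward comment="Connection State - Established/Related" connection-state=established,related
add action=drop chain=forward comment="Connection State - Invalid" connection-state=invalid
add action=drop chain=forward comment="Bogon via Ether01" in-interface=ether01-gateway src-address-list=Bogon
add action=jump chain=forward comment="Invalid TCP" jump-target=invalid_tcp protocol=tcp
add action=jump chain=forward comment="Invalid UDP" jump-target=invalid_udp protocol=udp
# Any non-WAN interface (LAN, guest, and tunnel interfaces if present) may reach the Internet;
# there is deliberately no source restriction here.
add action=accept chain=forward comment="Forward to Ether1-Gateway" out-interface=ether01-gateway
# LAN <-> LAN only. GuestRanges is neither a permitted source nor destination in this chain,
# so guest <-> LAN traffic falls through to "Default Drop" (guest isolation).
add action=accept chain=forward comment=LocalRanges dst-address-list=LocalRanges in-interface=!ether01-gateway out-interface=!ether01-gateway src-address-list=LocalRanges
# As in the input chain: require the packet to have been decrypted from an IPsec SA rather than
# trusting a source address that anyone on the Internet can put on a packet.
# IPSecRange is not defined on this page; an undefined list matches nothing.
add action=accept chain=forward comment=IPSecRange in-interface=ether01-gateway ipsec-policy=in,ipsec src-address-list=IPSecRange
# Port-forwards (dst-nat) are accepted from any source; restrict src-address on the dst-nat
# rule itself if a forward should not be world-reachable.
add action=accept chain=forward comment=DST-NAT connection-nat-state=dstnat
add action=drop chain=forward comment="Default Drop"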
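# ---- ipsec: reached from input for NEW packets on the WAN side that matched nothing earlier ----
add action=accept chain=ipsec comment=IPSec protocol=ipsec-esp
add action=accept chain=ipsec comment=IPSec protocol=ipsec-ah
add action=accept chain=ipsec comment=IPSec dst-port=500 protocol=udp
add action=accept chain=ipsec comment=IPSec dst-port=4500 protocol=udp
# L2TP (UDP/1701) must arrive inside the IPsec transport SA. ipsec-policy=in,ipsec matches only
# packets the router has just decrypted, which is what the L2TP_Allowed list (filled by the
# script further down from the active IPsec peers) only approximates by polling: without the
# matcher, a host that had completed IKE - or anyone spoofing its source address - could send
# cleartext UDP/1701 until the next script run. Once the matcher is in place the
# src-address-list (and the script) can be dropped. Verify the matcher exists on your release.
add action=accept chain=ipsec comment="L2TP for L2TPAllowed" dst-port=1701 ipsec-policy=in,ipsec protocol=udp src-address-list=L2TP_Allowed
# No terminal rule here: unmatched packets return to input and hit its "Default Drop".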
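# ---- guest: reached from input for packets arriving on bridge-guest ----
# Guests may only use the router's DNS and DHCP; every other router service is hidden.
add action=accept chain=guest comment="Guest Allow DNS via TCP" dst-port=53 protocol=tcp src-address-list=GuestRanges
add action=accept chain=guest comment="Guest Allow DNS via UDP" dst-port=53 protocol=udp src-address-list=GuestRanges
# A client that has no lease yet sends DISCOVER/REQUEST from 0.0.0.0, which is not in
# GuestRanges, so the GuestRanges rule below only covers unicast renewals. The RouterOS DHCP
# server is commonly reported to receive via a raw socket regardless of filter rules -
# verify on your version; if so this extra rule is harmless, if not it is required.
add action=accept chain=guest comment="Guest Allow DHCP Discover/Request (no lease yet)" dst-port=67 protocol=udp src-address=0.0.0.0
add action=accept chain=guest comment="Guest Allow DHCP via UDP" dst-port=67 protocol=udp src-address-list=GuestRanges
# dst-port 68 on INPUT only matters if the router itself runs a DHCP *client* on bridge-guest.
add action=accept chain=guest comment="Guest Allow DHCP via UDP" dst-port=68 protocol=udp src-address-list=GuestRanges
# No terminal rule: unmatched guest packets return to input and are dropped there.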
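# ---- ICMP: reached from input for ICMP arriving on the WAN side ----
# Each accepted type is rate-limited to 5 packets/s with a burst of 5; everything else is dropped.
# Replies to the router's own pings/traceroutes are already accepted as established/related
# before the jump, so these rules only see unsolicited ICMP.
# (The original first line was missing the space before icmp-options=, which breaks import.)
add action=accept chain=ICMP comment="Allow Echo Reply (0:0-255), Limit 5pps" icmp-options=0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Destination Unreachable (3:0-255), Limit 5pps" icmp-options=3:0-255 limit=5,5:packet protocol=icmp
# Source Quench is deprecated (RFC 6633) and ignored by modern stacks; kept for compatibility.
add action=accept chain=ICMP comment="ICMP - Allow Source Quench (4:0-255), Limit 5pps" icmp-options=4:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Echo Request (8:0-255), Limit 5pps" icmp-options=8:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Time Exceeded (11:0-255), Limit 5pps" icmp-options=11:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=ICMP comment="ICMP - Allow Parameter Problem (12:0-255), Limit 5pps" icmp-options=12:0-255 limit=5,5:packet protocol=icmp
add action=drop chain=ICMP comment="ICMP - Drop All Others" protocol=icmp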
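# ---- invalid_tcp: impossible TCP flag combinations and port 0 ----
# Reached from input (WAN only) and from forward (all interfaces). The original lines for the
# null-scan rule and the two port-0 rules were missing the space after the closing quote of
# comment=, which breaks import.
add action=drop chain=invalid_tcp comment="Invalid TCP - !(FIN/SYN/RST/ACK)" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/SYN" protocol=tcp tcp-flags=fin,syn
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/RST" protocol=tcp tcp-flags=fin,rst
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/!ACK" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=invalid_tcp comment="Invalid TCP - FIN/URG" protocol=tcp tcp-flags=fin,urg
add action=drop chain=invalid_tcp comment="Invalid TCP - SYN/RST" protocol=tcp tcp-flags=syn,rst
add action=drop chain=invalid_tcp comment="Invalid TCP - RST/URG" protocol=tcp tcp-flags=rst,urg
add action=drop chain=invalid_tcp comment="Invalid TCP - Source Port 0" protocol=tcp src-port=0
add action=drop chain=invalid_tcp comment="Invalid TCP - Destination Port 0" dst-port=0 protocol=tcp
# No terminal rule: anything else returns to the calling chain.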
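# ---- invalid_udp: UDP with port 0 on either side ----
# (The original lines were missing the space after comment="...", which breaks import.)
add action=drop chain=invalid_udp comment="Invalid UDP - Source Port 0" protocol=udp src-port=0
add action=drop chain=invalid_udp comment="Invalid UDP - Destination Port 0" dst-port=0 protocol=udp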
/ip firewall nat
# Source-NAT everything leaving via the WAN interface (LAN and guest alike) to the WAN address.
# to-addresses=0.0.0.0 is the default for masquerade and is only shown as exported.
add chain=srcnat out-interface=ether01-gateway action=masquerade to-addresses=0.0.0.0 comment=NAT
This script keeps the L2TP_Allowed address list in sync with the router's currently established IPsec peers, so that the "L2TP for L2TPAllowed" filter rule only accepts UDP/1701 from addresses that have already completed IKE. Run it from the scheduler; credit to Greg Sewell, I think.
#
# Sync the L2TP_Allowed address list with the set of currently connected IPsec peers.
# The "L2TP for L2TPAllowed" filter rule only accepts UDP/1701 from this list.
#
# NOTE(review): this is a polling approximation. A peer address stays in the list until the
# first run after it disconnects, and a freshly connected peer is rejected until the next run.
# Matching ipsec-policy=in,ipsec on the filter rule achieves the same without a scheduler.
# NOTE(review): newer RouterOS releases expose the peers under /ip ipsec active-peers
# instead of remote-peers - verify the path for your version.
#
# Variables
#
:local listName "L2TP_Allowed"
#
# Script
#
:local peerAddress 0
# Pass 1: add every connected peer that is not yet in the list.
/ip ipsec remote-peers {
    :foreach peer in [find] do={
        :set peerAddress [get $peer remote-address]
        /ip firewall address-list {
            :if ([:len [find list=$listName address=$peerAddress]] = 0) do={
                add list=$listName address=$peerAddress
            }
        }
    }
}
# Pass 2: remove list entries whose peer is no longer connected.
/ip firewall address-list {
    :foreach entry in [find list=$listName] do={
        :set peerAddress [get $entry address]
        :if ([:len [/ip ipsec remote-peers find remote-address=$peerAddress]] = 0) do={
            remove [find list=$listName address=$peerAddress]
        }
    }
}