Very noob security question

Posted: Fri Aug 03, 2018 5:01 pm
by ik3umt
Should a routerboard device NOT directly exposed to the internet (i.e. a LAN access point without any port forwarding from the main router) be protected with a basic firewall set of rules, at least on the input chain?

Re: Very noob security question

Posted: Fri Aug 03, 2018 5:26 pm
by usdmatt
Probably get some different opinions on this one.

I have Mikrotik switches on my LAN with no firewall rules. If I did use the firewall I'd just end up with an allow from LAN ports, so I can get into it, which is the only way to get to it anyway, so any further drop rules would never match anything. Some people may argue you could lock it down to the actual LAN IP range, so even if someone did happen to leave a port forward open to it, you wouldn't be able to access it from the Internet.

On bigger networks people often have management VLANs. In those cases the firewall would be locked down to allow input just from the vlan interface. When you have a building full of people including possible contractors, new employees, leaving employees, people who just like to mess, you don't really want everyone to be able to pull up a login to your network kit.

In environments where you have guests/public connecting to a network, such as a wifi hotspot, you really want to lock down access. It's common in these situations to see a management port, so an engineer will come in to do changes and connect directly to the device. The firewall will be closed entirely other than from that port.

Re: Very noob security question

Posted: Fri Aug 03, 2018 10:24 pm
by xvo
For switches, APs, parts of wireless bridges, etc. a much better way to restrict access from inside the LAN would be to set up a management VLAN across the whole network, let managed devices have an IP address just inside that VLAN, and restrict access to mikrotik MAC services (winbox, mac telnet) to this VLAN as well. This way it would be really easy to control access, both on L2 - by making only specific ports on specific devices members of this VLAN, and on L3 - by using the firewall on the router(s).
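Putting usdmatt's and xvo's advice together as an added example (a constructed RouterOS 6.41+ configuration, not taken from either poster): a LAN switch/AP carries a tagged management VLAN on its uplink, holds an IP address only in that VLAN, restricts MAC winbox/telnet and neighbor discovery to it, and drops everything else on the input chain. The interface names (ether1 uplink, ether2-3 user ports), VLAN ids 99/10 and the 10.99.0.0/24 subnet are assumptions.

```routeros
# Bridge with user ports as untagged access ports on VLAN 10.
# Access ports admit only untagged frames, so a user cannot inject
# tagged frames to hop into the management VLAN.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: management VLAN 99 tagged only on the uplink and the
# bridge itself (the CPU), never on a user port.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3 vlan-ids=10

# The device's only IP address lives inside the management VLAN.
/interface vlan
add name=vlan-mgmt vlan-id=99 interface=bridge1
/ip address
add address=10.99.0.2/24 interface=vlan-mgmt

# L2 services (MAC winbox, MAC telnet, discovery) limited to the mgmt VLAN.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan-mgmt
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# L3: WinBox/SSH only from the management subnet, unused services off.
/ip service
set winbox address=10.99.0.0/24
set ssh address=10.99.0.0/24
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

# Input chain: accept replies, accept from the mgmt VLAN, drop the rest.
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=vlan-mgmt \
    comment="management access only from VLAN 99"
add chain=input action=drop comment="drop all other input"

# Enable VLAN filtering last; do this inside Safe Mode so a mistake in the
# VLAN table rolls back instead of locking you out.
/interface bridge
set bridge1 vlan-filtering=yes
```

The upstream router's firewall then controls which hosts may reach 10.99.0.0/24 at all, so a stray port forward to a user VLAN never lands on a management login.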