For a general / basic / home network, this should be "good enough."
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="Drop Blacklisted Hosts" log-prefix="NOTICE: Dropped Attack Attempt" src-address-list=\
add chain=input connection-state=established,related
add chain=input src-address-list=ipSec
add chain=input src-address-list=PrivateIPs
add chain=input in-interface=lan1
add chain=input log-prefix=NOTICE protocol=icmp
add action=drop chain=input comment="Default Drop" log-prefix=<DEFAULT>
add action=drop chain=forward connection-state=invalid
add action=reject chain=forward dst-address-list=blacklist log=yes log-prefix="BL OUTBOUND" reject-with=icmp-admin-prohibited
add action=drop chain=forward src-address-list=blacklist
add chain=forward connection-state=established,related
add chain=forward src-address-list=PrivateIPs
add action=drop chain=forward comment="Default Drop" in-interface=wan1 log=yes log-prefix=<DEFAULT>
add action=drop chain=forward comment="Default Drop" in-interface=wan2 log=yes log-prefix=<DEFAULT>
If you have public servers that you are protecting, then you can do a lot more to try and stop DDOS and brute force attacks. But in general, this should be enough to keep you safe.
Oh, I have two address lists; "blacklist" and "Private IPs". The blacklist is generated by my server every morning using several publicly available lists, as well as lists generated by Fail2Ban on all of my servers. The PrivateIPs is just that, 10.0.0.0/8, 172.16.0.0/16, and 192.168.0.0/16. It's a simple (although maybe not entirely secure) way of making sure my VPN's all flow nicely.