Add the following firewall filter rules (this should be the order):
1. allow access (input chain) from interface l2tp-out1 for icmp (to get ping if you like)
2. allow access (input chain) from interface l2tp-out1 for tcp port 8291 (to get winbox)
3. drop all input (input chain) from interface l2tp-out1 (for added security - optional - you can skip it for the moment)
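
The three rules above written as RouterOS terminal commands, as an added example that is not part of the original post. The interface name l2tp-out1 and port 8291 come from the post; the comment strings are made up for illustration.

```routeros
# Added example, not from the original post.
# Assumes the L2TP client interface is named l2tp-out1, as in the post.
/ip firewall filter

# 1. Allow ICMP arriving through the tunnel (ping)
add chain=input in-interface=l2tp-out1 protocol=icmp action=accept \
    comment="l2tp-out1: allow icmp"

# 2. Allow Winbox (TCP 8291) arriving through the tunnel
add chain=input in-interface=l2tp-out1 protocol=tcp dst-port=8291 action=accept \
    comment="l2tp-out1: allow winbox"

# 3. Optional: drop everything else arriving through the tunnel
add chain=input in-interface=l2tp-out1 action=drop \
    comment="l2tp-out1: drop other input"

# Check that the three rules appear in this order within the input chain
print where chain=input
```

`add` appends to the end of the filter list and rules are evaluated top to bottom with the first match winning, so on a router that already has input rules, check the printed order before relying on the drop rule.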