I notice that connection tracking entries for NAT sessions are often deleted too quickly.
At the end of a connection, when a FIN has been detected in both directions, the tracking entry is immediately deleted.
However, it can happen that the other side has not received the ACK FIN, and it is being retried until it
is answered with an ACK or RST.
However, the tracking entry is already gone and will not be re-made because the traffic is not considered NEW.

Result: traffic with local source address (normally from RFC1918 range) is sent into the network untranslated.
It is not really a MikroTik specific problem, I think it is a problem in Linux. I see the same behaviour from
other Linux systems used as NAT routers.

Still, it may be that MikroTik is in the position to do something about it and have the fix accepted into
the mainline kernel.

Sounds like the same issue as described in viewtopic.php?f=2&t=127838&p=628464#p628464.

If you're seeing untranslated packets make it onto the network then you must have modified the default config, as this is considered "invalid" by netfilter and the defconf rules drop it.