Sometime in the past few releases the default firewall rules where changed for the INPUT chain to block all access not coming from the LAN as the last INPUT rule. Previously the last INPUT chain rule was set to block all access coming from the gateway (WAN) port. This change means that, by default, management access to the router is block from VPN connections to the router. It took me a few hours to notice this and determine why I could not access the router from a VPN connection to the router. This seems to me like a mis-feature.

Was it ever clearly documented that VPN management would not work on a default configuration when VPN is simply enabled via QuickSet? Why is this a "good" idea?

Most likely the change was made for the Home Market where they are not using VPN for management. I can see also that VPN clients in an Enterprise Environment would not want their employees access to the management.

But it also blocks you from using the router as DNS on VPN by default, which I have helped someone with today.

MikroTik, Any answer as to why and when this change was made to the default configuration?

MikroTik, Any answer as to why and when this change was made to the default configuration?

Send it to support@mikrotik.com (a reference to the forum topic is sufficient). They don't react on every topic on the forum.