Just a cautionary tale for all of you out there. When the 'detnet' and dynamic interface lists were implemented a while back, I just removed them from the default configs because I didn't trust them yet, and didn't want to bother with the hassle of something trying to automate what I typically didn't need automated.
Over the intervening time I have grown less wary of it, and I don't always delete it entirely anymore.
Today I set up an IPIP-over-IPSec tunnel between two locations. I could ping just fine from LAN1 to Router2 over the tunnel between Router1 and Router2. But I could not Winbox or Webfig from LAN1 to Router2. It was driving me insane.
Finally I found that I had a high-precedence firewall filter to allow ICMP with a source of "! WAN" but then my lower-precedence catch-all was to drop with a source of "! LAN". Apparently the IPIP tunnel interface is not included in "LAN" so I had to change that rule to drop with a source of "WAN" instead.
Spent a good bit of time scratching my head on that one.
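
The behaviour described in the post, as an added example that is not part of the original post: a small first-match model of the two filter rules, showing why ICMP from the tunnel passed while Winbox/Webfig (TCP) was dropped, plus a check for interfaces that belong to no list. The interface names (`ether1`, `bridge`, `ipip-tunnel1`), the list memberships and the default-accept fallthrough are assumptions made for illustration.

```python
# Constructed model of the rule set described in the post.
# Interface names and list memberships are assumptions, not taken from the post.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"bridge"},
}
INTERFACES = ["ether1", "bridge", "ipip-tunnel1"]

def matches_list(iface, spec, lists):
    """spec is 'LAN' or '!LAN' (negated), like a source interface-list matcher."""
    negated = spec.startswith("!")
    member = iface in lists[spec.lstrip("!")]
    return member != negated

def evaluate(rules, iface, proto, lists):
    """First matching rule wins; assume 'accept' when no rule matches."""
    for rule in rules:
        # A rule without a 'proto' key matches every protocol.
        if rule.get("proto") not in (None, proto):
            continue
        if matches_list(iface, rule["in_list"], lists):
            return rule["action"]
    return "accept"

def unlisted(interfaces, lists):
    """Interfaces in no list: they satisfy every negated matcher ('!WAN' and '!LAN')."""
    listed = set().union(*lists.values())
    return [i for i in interfaces if i not in listed]

# Rules as described: allow ICMP from "! WAN", then catch-all drop from "! LAN".
ORIGINAL = [
    {"proto": "icmp", "in_list": "!WAN", "action": "accept"},
    {"in_list": "!LAN", "action": "drop"},
]
# The change described in the post: the catch-all drops from "WAN" instead.
FIXED = [
    {"proto": "icmp", "in_list": "!WAN", "action": "accept"},
    {"in_list": "WAN", "action": "drop"},
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for proto in ("icmp", "tcp"):
            verdict = evaluate(rules, "ipip-tunnel1", proto, INTERFACE_LISTS)
            print(f"{name:8} ipip-tunnel1 {proto:4} -> {verdict}")
    print("in no list:", unlisted(INTERFACES, INTERFACE_LISTS))
```

With the catch-all changed to drop only "WAN", every interface outside the WAN list reaches the router, so the `unlisted` check is worth rerunning whenever a tunnel or other interface is added.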