I found this out the hard way. I've set up several MikroTik routers over the years, starting with the RouterOS default config and then modifying and adding what I needed. I then set up VPN access using L2TP-IPsec, following one of the many helpful guides posted here, placing the VPN access rules high up in the firewall list. I've always successfully accessed these routers remotely, modified them using Winbox, and accessed other devices on the LAN.
Recently, I started with an RB3011 and ROS 47.9. I set the network up locally and set up L2TP-IPsec access as I've described above. I found I could log onto the router using my VPN tunnel, but I could not access the router via Winbox, and could not access any other devices on the LAN. After much checking of the forums for folks with this same problem, I found the issue. The older routers I set up had a default firewall rule to "Drop all traffic not coming from the WAN". The latest default configuration has a default rule "Drop all traffic that's !LAN == NOT LAN". These are, apparently, not the same. I changed the !LAN to WAN, and everything was OK, with full VPN remote access to Winbox and LAN devices. I'm making this post to:
1) Possibly help another ROS amateur like me,
2) Ask a ROS expert to explain why !LAN is not equal to WAN
3) Am I still adequately protected on my RB3011 after I changed !LAN to WAN in my firewall rules?
Thanks to all the forum posters that have helped me in the past.
Regards,
Dave
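Editor's note on questions 2 and 3, with an added configuration example that is not part of Dave's post. LAN and WAN are two independent interface lists, not complements of each other: an interface can be in both, in one, or in neither. A dynamically created L2TP tunnel interface (shown as <l2tp-username> in /interface print) is in neither list by default, so the default-config rule "drop all not coming from LAN" (in-interface-list=!LAN) drops packets from VPN clients, while a rule matching in-interface-list=WAN would not. Changing !LAN to WAN therefore does more than admit the VPN: it turns the input chain from default-deny (anything not explicitly in LAN is dropped) into default-allow (anything not explicitly in WAN reaches the router's services), including any future VLAN, wireless or tunnel interface that is not added to the WAN list. The fragment below shows the default rule, the change described in the post, and the tighter alternative of keeping !LAN and adding the PPP tunnel interfaces to the LAN list. It assumes RouterOS 7 export syntax, ether1 in WAN, the bridge in LAN, and the L2TP server using the built-in default-encryption PPP profile; the interface-list parameter on /ppp profile and the place-before=[find ...] idiom are standard RouterOS, but the rule comments are hypothetical.

```routeros
# Added example, not from the original post or a MikroTik export.
# Assumptions: RouterOS 7 syntax, ether1 is a member of the WAN list, the bridge
# is a member of the LAN list, the L2TP server uses the "default-encryption" profile.

# 1. The default-config drop rule at the bottom of the input chain.
#    !LAN matches every interface that is NOT a member of the LAN list.
#    A dynamic tunnel interface such as <l2tp-dave> is in neither list,
#    so VPN clients are dropped here.
/ip firewall filter
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# 2. The change described in the post. Only WAN-list members are dropped now;
#    every other interface (the tunnel, but also any later VLAN or wireless
#    interface that nobody adds to WAN) reaches the router's services.
#    This is default-allow instead of default-deny.
/ip firewall filter
set [find comment="defconf: drop all not coming from LAN"] in-interface-list=WAN

# 3. Tighter alternative: put the drop rule back to !LAN and make the tunnel
#    interfaces LAN members. Interfaces created by this PPP profile are added
#    to the named list automatically, so VPN clients are treated exactly like
#    LAN hosts and the default-deny rule stays in place.
/ip firewall filter
set [find comment="defconf: drop all not coming from LAN"] in-interface-list=!LAN
/ppp profile
set default-encryption interface-list=LAN

# 4. The rules that let the tunnel be built at all must sit above the drop rule.
#    IKE and NAT-T arrive on the WAN in the clear; L2TP (udp/1701) only needs
#    to be reachable inside the IPsec tunnel, so it is matched on ipsec-policy
#    rather than opened to the whole internet.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 \
    in-interface-list=WAN comment="IKE and NAT-T for L2TP-IPsec clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN \
    comment="ESP for L2TP-IPsec clients" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 5. Checks once a client is connected:
#    - the dynamic tunnel interface should now appear as a LAN member
#    - the drop rule's packet counter should stop increasing for VPN traffic
/interface list member print where list=LAN
/ip firewall filter print stats where chain=input
```

The order of the /ip firewall filter rules is what matters: RouterOS evaluates them top to bottom and the first match wins, so the three accept rules in step 4 have to appear before the !LAN drop, which is what the place-before arguments enforce. With step 3 in place, a VPN client is subject to the same rules as a LAN host, which is usually the intent of an administrator VPN; if VPN clients should see less than the LAN (for example Winbox but not the other LAN devices), give them their own interface list and write explicit accept rules for it instead of adding them to LAN.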