Requirements:
DHCP Server for LAN
DHCP Client from ISP on WAN
DNS Server for LAN
DNS Client from WAN
NTP Server for LAN
NTP Client from WAN
L2TP/IPsec VPN server for Android client. Remote access to LAN and router admin.
Router admin access from the LAN DHCP pool (3 cellphones and a laptop on the wifi).
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500,1701,4500 in-interface-list=WAN \
protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop all else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="Allow DNS, UDP" dst-port=53 protocol=udp
add action=accept chain=input comment="Allow DNS, TCP" dst-port=53 protocol=tcp
add action=accept chain=input comment="Allow NTP" dst-port=123 protocol=udp
add action=accept chain=input comment="Accept management from DHCP" dst-port=8291,443 protocol=tcp \
src-address-list="DHCP Devices"
add action=accept chain=input comment="Allow Remote Admin, L2TP VPN" dst-port=8291,443 protocol=tcp \
src-address-list="VPN Local IP Range"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="Drop all else"
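An added first-match evaluator (Python, not RouterOS code and not part of the original post) that walks the input chain above in the posted order, so you can check which rule a given packet stops at; the interface-list membership, the address-list contents and the router's LAN address in it are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed list memberships (not stated on the page): bridge is LAN, ether1 is WAN,
# and the dynamic L2TP server interface is in neither list.
IFACE_LISTS = {"WAN": {"ether1"}, "LAN": {"bridge"}}
ADDR_LISTS = {"DHCP Devices": ["192.168.88.0/24"],       # assumed DHCP pool
              "VPN Local IP Range": ["10.10.10.0/24"]}   # assumed VPN pool

# The posted input chain, in order: (action, match criteria).
RULES = [
    ("drop",   {"conn": {"invalid"}}),
    ("accept", {"proto": "icmp"}),
    ("accept", {"proto": "udp", "dport": {500, 1701, 4500}, "in_list": "WAN"}),
    ("accept", {"conn": {"established", "related", "untracked"}}),
    ("drop",   {"not_in_list": "LAN"}),
    ("accept", {"proto": "udp", "dport": {53}}),
    ("accept", {"proto": "tcp", "dport": {53}}),
    ("accept", {"proto": "udp", "dport": {123}}),
    ("accept", {"proto": "tcp", "dport": {8291, 443}, "src_list": "DHCP Devices"}),
    ("accept", {"proto": "tcp", "dport": {8291, 443}, "src_list": "VPN Local IP Range"}),
    ("accept", {"dst": "127.0.0.1"}),
    ("drop",   {}),
]

def in_addr_list(addr, name):
    return any(ip_address(addr) in ip_network(n) for n in ADDR_LISTS[name])

def matches(crit, pkt):
    """Every criterion of a rule must match; an empty dict matches everything."""
    checks = {
        "conn":        lambda v: pkt["conn"] in v,
        "proto":       lambda v: pkt["proto"] == v,
        "dport":       lambda v: pkt.get("dport") in v,
        "in_list":     lambda v: pkt["iface"] in IFACE_LISTS[v],
        "not_in_list": lambda v: pkt["iface"] not in IFACE_LISTS[v],
        "src_list":    lambda v: in_addr_list(pkt["src"], v),
        "dst":         lambda v: pkt["dst"] == v,
    }
    return all(checks[k](v) for k, v in crit.items())

def verdict(pkt):
    """First-match evaluation: returns (1-based rule number, action)."""
    for i, (action, crit) in enumerate(RULES, start=1):
        if matches(crit, pkt):
            return i, action
    raise AssertionError("unreachable: the final rule matches everything")

def packet(proto, iface, src, dport=None, conn="new", dst="192.168.88.1"):
    # dst defaults to an assumed router LAN address (constructed sample value)
    return {"proto": proto, "iface": iface, "src": src, "dport": dport, "conn": conn, "dst": dst}
```

Under these assumptions a new WinBox or DNS packet from WAN stops at rule 5, and so does an admin connection from a VPN client whose L2TP interface is in neither list, because rule 5 is evaluated before rule 10.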