MikroTik community:
I have one example that I would like to get your opinion about. I'm using UPnP on my RouterBoard to deal with P2P and IM applications. Basically, what it does is create dynamic NAT rules. However, it does not do anything with the forward chain; that is the thing I need to configure manually.

Usually, in any MikroTik setup, I use a rule in the forward chain to block all incoming packets from the interface that is connected to my ISP. One of the reasons to do that is that, if it's not set, it allows other hosts on the same subnet that use my MikroTik IP address as their gateway to access all the private IP addresses that I use behind the firewall. This also blocks packets that have NAT rules set up, and because the forward chain processes packets after their destination address has been changed, I cannot add a safe rule to allow those packets to be forwarded.

Right now, the only safe single-rule way that I have found is to use a mangle rule in the prerouting chain to mark packets whose destination IP address is my Internet IP address used on the MikroTik, and then another rule in the forward chain checks for that packet mark to allow it to be forwarded. This way it only allows forwarding of packets that have NAT rules set up, and not packets sent directly to internal network IPs.
I would be glad if somebody could share their practice of setting forwarding rules in similar setup, where dynamic NAT rules are used.
grg
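The mangle-mark approach described in the post, written out as an added RouterOS CLI example (not the poster's own configuration). It assumes ether1 is the ISP-facing interface with public address 203.0.113.10, bridge-lan is the LAN side, and 192.168.88.0/24 is the private network; all of these are placeholders.

```routeros
# Constructed example: interface names and addresses are assumptions.
/ip firewall mangle
# Prerouting runs before dst-nat, so the destination is still the public IP here.
add chain=prerouting in-interface=ether1 dst-address=203.0.113.10 \
    action=mark-packet new-packet-mark=to-public-ip passthrough=yes \
    comment="mark WAN packets addressed to the router's own public IP"

/ip firewall filter
# Return traffic of connections started from the LAN is always allowed.
add chain=forward connection-state=established,related action=accept
# Only WAN packets that carried the mark (i.e. hit a dst-nat rule) are forwarded;
# a WAN packet sent straight to 192.168.88.x never receives the mark.
add chain=forward in-interface=ether1 packet-mark=to-public-ip \
    connection-state=new action=accept \
    comment="allow dst-NATed (UPnP) traffic only"
# Everything else arriving from the ISP side is dropped, including packets
# from neighbours on the ISP subnet that use this router as their gateway.
add chain=forward in-interface=ether1 action=drop \
    comment="block direct access to private addresses"

/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge-lan type=internal
```

On RouterOS releases that support it, the filter matcher connection-nat-state=dstnat expresses the same condition ("this connection was dst-NATed") without a mangle rule, which is easier to audit.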