If you trust all the devices in your home network, a firewall on the device connecting the home network to the internet is sufficient. If you don't trust all of them, and create multiple VLANs/SSIDs so that trusted devices would use one VLAN/SSID and non-trusted ones would use another, it may still be enough to have a firewall on the main router if the cAPs have no IP interfaces in the non-trusted VLANs. I have most of the client devices in the "guest" network, so from these devices it is not only impossible to connect to the management interfaces of the Mikrotiks, but they cannot even exchange data with each other, only with servers on the internet.
NB: the proper name of a "public" address in the IPv6 vernacular is "global".
Thank you
What is your opinion on IPv6?
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" disabled=yes protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept linklocal" src-address=fe80::/10
add action=accept chain=input comment="defconf: accept multicast" src-address=fe00::/8
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all"
Is it enough?
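An added example, not part of either post and not MikroTik tooling: a small Python check that parses the filter rules posted above and lists points to review by hand. It sees only the export shown on the page (any raw rules or other chains are not on the page, so they are not considered), and the finding names are made up for this example.

```python
import ipaddress
import shlex

# The filter export from the post above, copied verbatim as sample input.
RULES = '''\
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" disabled=yes protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept linklocal" src-address=fe80::/10
add action=accept chain=input comment="defconf: accept multicast" src-address=fe00::/8
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all"
'''

MULTICAST = ipaddress.ip_network("ff00::/8")  # IPv6 multicast range

def parse(line):
    """Turn one 'add key=value ...' export line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line)[1:])

def audit(text):
    """Return (finding, rule comment or chain) pairs worth a manual look."""
    rules = [parse(l) for l in text.splitlines() if l.startswith("add ")]
    active = [r for r in rules if r.get("disabled") != "yes"]
    findings = [("disabled", r["comment"]) for r in rules if r not in active]
    for r in active:
        src = r.get("src-address")
        # A rule commented as multicast whose prefix lies outside ff00::/8.
        if (src and "multicast" in r["comment"]
                and not ipaddress.ip_network(src).overlaps(MULTICAST)):
            findings.append(("prefix-not-multicast", r["comment"]))
    # With no enabled ICMPv6 accept, ICMPv6 is admitted only by other rules.
    if not any(r.get("protocol") == "icmpv6" and r["action"] == "accept"
               for r in active):
        findings.append(("no-active-icmpv6-accept", "input"))
    # The export has input rules only; forwarded traffic is a separate chain.
    if "forward" not in {r["chain"] for r in active}:
        findings.append(("no-forward-rules", "forward"))
    last = active[-1]  # the chain should end in an unconditional drop
    if last["action"] != "drop" or set(last) - {"action", "chain", "comment"}:
        findings.append(("no-final-drop", last["chain"]))
    return findings

if __name__ == "__main__":
    for kind, where in audit(RULES):
        print(f"{kind}: {where}")
```

Each finding is a prompt to check the running configuration, not a verdict: for instance, link-local ICMPv6 is still admitted by the `fe80::/10` rule even though the ICMPv6 accept rule is disabled.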