"So either add an interface-list=LAN item to the /ppp profile"
This looks like a cleaner way to do it. Should I add the interface-list=LAN to both the default and default-encryption profile? To test, I added it to the default-encryption profile and it worked. I did not realize you could dynamically add to an interface list - even thought it was right in front of me.... Very neat feature.
"ipsec-policy are irrelevant because IPsec is only used to encrypt the transport packets of the L2TP"
To be honest I left these rules as they came in MTs default firewall rules. I did not have a clear understanding of when they would match. Now I mostly do...
.
"remove the last-but-one and last-but-two action=drop rules because they are useless in the current setup."
The last drop rule needs to stay - it is these two that are useless?
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop packets from LAN interface-list th\
at do not come from the LAN interface-list" in-interface-list=LAN \
out-interface-list=!LAN
Would the first rule be more effective (match) earlier in the chain? I assume it simply does not matter as it will hit the last rule and drop anyway. So perhaps there is no advantage to it.
Last Question - Is it a best practice to have one catch all Masq rule, or to use multiple Masq rules for each network? I can be more granular with a rule for each, but is not as clean. What is your preference?
Thank you again for all your help.