/ip firewall raw
add action=??? chain=prerouting src-address=192.168.100.1 in-interface-list=WAN ;;; bypass the next rule and let usual filter to work on this IP
add action=drop chain=prerouting src-address=192.168.0.0/16 in-interface-list=WAN
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked ;;; allow 192.168.100.1 <-> WAN <-> LAN when connection is initiated from the LAN
add chain=forward action=drop src-address=192.168.100.1 in-interface-list=WAN
add chain=input action=accept connection-state=established,related,untracked ;;; allow 192.168.100.1 <-> WAN <-> Self when connection is initiated from Self
add chain=input action=drop src-address=192.168.100.1 in-interface-list=WAN
Ah, you're right. I was not noticing it because my other, much more general, firewall rule for established,related was accepting it. I wish it was mentioned very early in the help page.

Accept in raw firewall does not mean that packets will skip firewall filter rules, those are still evaluated and executed.
I'll gladly answer the questions in the corresponding thread.

The rules you have shown in the previous post don't make much sense to me.
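
The point made in the thread (accept in raw only ends raw processing, the filter chain is still evaluated) can be checked with a small model of the rules posted above. This is an added example, not code from any poster or from MikroTik; it assumes the `???` action is `accept`, first-match rule evaluation, and a default of accept when no rule matches. The packet dictionaries and function names are constructed for illustration.

```python
import ipaddress

# Constructed model of the posted rules; the "???" raw action is ASSUMED to be accept.
RAW_PREROUTING = [
    {"action": "accept", "src": "192.168.100.1/32", "in_list": "WAN"},
    {"action": "drop", "src": "192.168.0.0/16", "in_list": "WAN"},
]
_FILTER_RULES = [
    {"action": "accept", "states": {"established", "related", "untracked"}},
    {"action": "drop", "src": "192.168.100.1/32", "in_list": "WAN"},
]
FILTER = {"forward": _FILTER_RULES, "input": _FILTER_RULES}


def matches(rule, pkt):
    """A rule matches only if every matcher it carries matches the packet."""
    if "src" in rule:
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
            return False
    if "in_list" in rule and pkt["in_list"] != rule["in_list"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True


def first_match(rules, pkt, default="accept"):
    """Return the action of the first matching rule, or the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default


def evaluate(pkt, chain):
    """Return (table, action) for the verdict that decides the packet's fate."""
    if first_match(RAW_PREROUTING, pkt) == "drop":
        return ("raw", "drop")
    # accept in raw only stops raw evaluation; the filter chain still runs
    return ("filter", first_match(FILTER[chain], pkt))


if __name__ == "__main__":
    new_from_modem = {"src": "192.168.100.1", "in_list": "WAN", "state": "new"}
    reply_from_modem = {"src": "192.168.100.1", "in_list": "WAN", "state": "established"}
    spoofed_private = {"src": "192.168.5.5", "in_list": "WAN", "state": "established"}
    for pkt in (new_from_modem, reply_from_modem, spoofed_private):
        print(pkt, "->", evaluate(pkt, "forward"))
```
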