The default firewall rules are safe to start with.
All you need to do is add dst-nat rules for port forwarding and perhaps specific VPN ports on the input chain.
Without seeing your config it is hard to say, but chances are you may have made a mess of things.
Please post your config:
/export hide-sensitive file=anynameyouwish
viewtopic.php?t=182373
# Filter rules as exported. RouterOS evaluates each chain top to bottom, the
# first matching rule with a terminating action decides, and a packet that
# matches no rule is accepted.
# NOTE(review): no filter rule shown here carries a "defconf:" comment, so the
# default filter set appears to have been replaced rather than extended; confirm.
/ip firewall filter
# Forward-chain accepts for DNS, HTTP, HTTPS and NTP. They match on protocol
# and destination port only. There is no interface, address or
# connection-state matcher, so they apply to forwarded traffic in either
# direction, WAN-to-LAN included.
add action=accept chain=forward comment="allow dns" dst-port=53 protocol=tcp
add action=accept chain=forward comment="allow dns" dst-port=53 protocol=udp
add action=accept chain=forward comment="allow http" dst-port=80 protocol=tcp
# HTTP does not run over UDP; this rule is not needed for web traffic.
add action=accept chain=forward comment="allow http" dst-port=80 protocol=udp
add action=accept chain=forward comment="allow https" dst-port=443 protocol=\
tcp
# UDP 443 is what QUIC (HTTP/3) uses.
add action=accept chain=forward comment="allow https" dst-port=443 protocol=\
udp
# NTP uses UDP; the TCP rule is not needed for time sync.
add action=accept chain=forward comment="allow ntp" dst-port=123 protocol=tcp
add action=accept chain=forward comment="allow ntp" dst-port=123 protocol=udp
# Input chain = traffic addressed to the router itself. These two rules drop
# every TCP and UDP packet on it. With no interface matcher and no earlier
# accept for connection-state=established,related, that includes:
#   - TCP/UDP management and DNS requests to the router from the LAN side;
#   - replies to connections the router itself opened.
# Non-TCP/UDP traffic to the router (ICMP, for example) matches no input rule
# and is therefore still accepted.
# NOTE(review): the rule comment says "blocked to internet", but nothing in the
# rule limits it to the WAN side; confirm the intent.
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
protocol=tcp
add action=drop chain=input comment="blocked to internet" dst-port=0-65535 \
protocol=udp
# Output chain = traffic the router itself originates. These two rules drop all
# of its TCP and UDP regardless of destination, which covers the router's own
# DNS lookups and NTP queries.
add action=drop chain=output comment="blocked to internet" dst-port=0-65535 \
protocol=tcp
add action=drop chain=output comment="blocked to internet" dst-port=0-65535 \
protocol=udp
# Port-range drops for the forward chain. Every rule in this group is exported
# with disabled=yes, so none of them is evaluated. As a result, forwarded
# TCP/UDP on ports other than 53/80/123/443 matches no rule and is accepted.
# NOTE(review): enabling these as they stand would also drop return traffic.
# Replies reach the client on a high destination port, and no accept for
# connection-state=established,related precedes these rules.
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=444-65535 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=444-65535 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=0-52 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=0-52 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=54-79 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=54-79 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=81-122 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=81-122 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=124-442 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=124-442 protocol=udp
# 442-443 overlaps the 124-442 range above and includes 443. If enabled, port
# 443 would still pass because the accept rules for 443 come earlier in the
# chain and the first match wins.
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=442-443 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=442-443 protocol=udp
# 4445-8189 and 8191 both lie inside 444-65535, which is listed first in this
# group, so these four rules would never be the deciding match.
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=4445-8189 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=4445-8189 protocol=udp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=8191 protocol=tcp
add action=drop chain=forward comment="blocked thru router" disabled=yes \
dst-port=8191 protocol=udp
# Protocol denylist for forwarded traffic: one drop rule per IP protocol name.
# Any protocol not listed here, and all TCP/UDP, matches no rule in this group
# and is accepted.
# NOTE(review): the rules have no interface or connection-state matcher, so
# they apply in both directions. An allowlist that ends in a single
# unconditional drop would not depend on this list being complete.
add action=drop chain=forward protocol=ggp
add action=drop chain=forward protocol=st
# Drops all forwarded ICMP, not only echo/ping. That includes the error
# messages hosts rely on for path MTU discovery.
add action=drop chain=forward protocol=icmp
add action=drop chain=forward protocol=igmp
add action=drop chain=forward protocol=egp
add action=drop chain=forward protocol=ipencap
add action=drop chain=forward protocol=pup
add action=drop chain=forward protocol=hmp
add action=drop chain=forward protocol=xns-idp
add action=drop chain=forward protocol=rdp
add action=drop chain=forward protocol=iso-tp4
add action=drop chain=forward protocol=dccp
add action=drop chain=forward protocol=xtp
add action=drop chain=forward protocol=ddp
add action=drop chain=forward protocol=idpr-cmtp
add action=drop chain=forward protocol=rsvp
add action=drop chain=forward protocol=ipv6-encap
# GRE, ESP and AH: with these dropped, clients behind the router cannot pass
# PPTP (which uses GRE) or native IPsec ESP/AH through it.
add action=drop chain=forward protocol=gre
add action=drop chain=forward protocol=ipsec-esp
add action=drop chain=forward protocol=ipsec-ah
add action=drop chain=forward protocol=rspf
add action=drop chain=forward protocol=vmtp
add action=drop chain=forward protocol=ospf
add action=drop chain=forward protocol=ipip
add action=drop chain=forward protocol=etherip
add action=drop chain=forward protocol=encap
add action=drop chain=forward protocol=pim
add action=drop chain=forward protocol=vrrp
add action=drop chain=forward protocol=l2tp
add action=drop chain=forward protocol=sctp
add action=drop chain=forward protocol=udp-lite
# Source NAT: masquerade traffic leaving through any interface in the WAN
# interface list. ipsec-policy=out,none limits the rule to packets that no
# outbound IPsec policy applies to.
# No dst-nat rule is shown here, so this listing configures no port forwarding.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN