(1) Out of order input chain rules and they need work. FIXED!!! Don't need connection-state=new on your rules......
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp \
src-address-list=CroatiaIPList
add action=accept chain=input comment="Allow Router-ACCESS only for ADMIN" \
in-interface=bridge src-address-list="Home Users"
add action=accept chain=input comment=\
"Allow access to router dns services for all users" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=\
"Allow access to router dns services for all users" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="Drop everything else"
(2) However the second last rule is basically useless.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
a. It contradicts previous rules where you only want the admin to access the router, and this rule allows anyone on the LAN to access the full router.
b. You have the drop rule next, so all traffic will be dropped at this point regardless...
(4) Forward chain order and don't need NEW.........
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes log-prefix=drop-invalid
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Internet Access" in-interface-list=\
LAN out-interface-list=WAN
add action=drop chain=forward comment="Drop everything else"
(5) Hairpin NAT rule is incomplete???
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
Hairpin-NAT
Can you explain again why you are attempting to mangle traffic for hairpin NAT???
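To make points (1) and (2) above concrete, here is a small first-match evaluator for the posted input chain. It is an added example, not the poster's code or anything from RouterOS: it models only the matchers the post uses (connection-state, protocol, dst-port, in-interface, in-interface-list, src-address-list), and the interface-list membership (bridge = LAN, ether1 = WAN) and the sample packets are constructed assumptions, since the post never shows them. Run it and it shows that adding connection-state=new to the later accept rules changes no verdict, and that the "drop all not coming from LAN" rule is redundant because the final drop already catches everything that reaches it.

```python
"""First-match evaluator for the RouterOS input chain posted above (added example)."""
from dataclasses import dataclass, replace
from typing import Optional

# Assumption: the post names LAN/WAN but never lists their members.
IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}

@dataclass(frozen=True)
class Packet:
    conn_state: str                     # new/established/related/untracked/invalid
    in_iface: str                       # interface the packet arrived on
    protocol: str = ""                  # tcp / udp / icmp
    dst_port: int = 0
    src_lists: frozenset = frozenset()  # address lists containing the source IP

@dataclass
class Rule:
    action: str                         # accept or drop
    comment: str
    conn_state: Optional[frozenset] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    in_iface_list: Optional[str] = None  # "LAN" or negated "!LAN"
    src_list: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every specified matcher must hold; unspecified ones match anything."""
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.in_iface_list is not None:
            negated = self.in_iface_list.startswith("!")
            members = IFACE_LISTS[self.in_iface_list.lstrip("!")]
            if (p.in_iface in members) == negated:
                return False
        if self.src_list is not None and self.src_list not in p.src_lists:
            return False
        return True

# The input chain in exactly the order given in the post.
INPUT_CHAIN = [
    Rule("accept", "defconf: accept established,related,untracked",
         conn_state=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", conn_state=frozenset({"invalid"})),
    Rule("accept", "defconf: accept ICMP", protocol="icmp", src_list="CroatiaIPList"),
    Rule("accept", "Allow Router-ACCESS only for ADMIN",
         in_iface="bridge", src_list="Home Users"),
    Rule("accept", "Allow access to router dns services for all users",
         dst_port=53, in_iface_list="LAN", protocol="tcp"),
    Rule("accept", "Allow access to router dns services for all users",
         dst_port=53, in_iface_list="LAN", protocol="udp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_iface_list="!LAN"),
    Rule("drop", "Drop everything else"),
]

def evaluate(chain, p):
    """First matching rule decides; a packet no rule matches passes the chain."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "(no rule matched)"

def same_verdicts(chain_a, chain_b, packets):
    return all(evaluate(chain_a, p)[0] == evaluate(chain_b, p)[0] for p in packets)

def redundant_rules(chain, packets):
    """Indices of rules whose removal changes no verdict on the sample packets."""
    return [i for i in range(len(chain))
            if same_verdicts(chain, chain[:i] + chain[i + 1:], packets)]

def with_state_new(chain):
    """Copy of the chain with connection-state=new on every accept after rules 0 and 1."""
    return [replace(r, conn_state=frozenset({"new"})) if i > 1 and r.action == "accept" else r
            for i, r in enumerate(chain)]

# Constructed sample packets: one per rule, plus some that fall through to the tail.
SAMPLES = [
    Packet("established", "ether1", "tcp", 443),
    Packet("invalid", "ether1", "tcp", 22),
    Packet("invalid", "bridge", "udp", 53),       # invalid must be dropped before the DNS accept
    Packet("new", "ether1", "icmp", 0, frozenset({"CroatiaIPList"})),
    Packet("new", "bridge", "tcp", 8291, frozenset({"Home Users"})),  # admin host
    Packet("new", "bridge", "tcp", 53),
    Packet("new", "bridge", "udp", 53),
    Packet("new", "bridge", "tcp", 8291),         # LAN host that is not an admin
    Packet("new", "ether1", "tcp", 8291),         # unsolicited from WAN
    Packet("new", "ether1", "udp", 53),           # DNS request from WAN
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.conn_state, p.in_iface, p.protocol, p.dst_port, "->", *evaluate(INPUT_CHAIN, p))
    print("redundant rule indices:", redundant_rules(INPUT_CHAIN, SAMPLES))
    print("connection-state=new changes nothing:",
          same_verdicts(INPUT_CHAIN, with_state_new(INPUT_CHAIN), SAMPLES))
```

The only index reported as redundant is 6, the "drop all not coming from LAN" rule, because every packet it would drop is dropped by the unconditional rule right after it. The invalid-from-bridge sample shows why "drop invalid" has to sit before the accepts: move it below the DNS rules and that packet is accepted.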