Default firewall for RouterOS v6 and v7
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment=”defconf: masquerade” /ip firewall { filter add chain=input action=accept connection-state=established,related,untracked comment=”defconf: accept established,related,untracked” filter add chain=input action=drop connection-state=invalid comment=”defconf: drop invalid” filter add chain=input action=accept protocol=icmp comment=”defconf: accept ICMP” filter add chain=input action=accept dst-address=127.0.0.1 comment=”defconf: accept to local loopback (for CAPsMAN)” filter add chain=input action=drop in-interface-list=!LAN comment=”defconf: drop all not coming from …