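# IPv4 filter rules for traffic to the router itself (chain=input) and for
# routed traffic (chain=forward). Rules are evaluated top to bottom within a
# chain and the first match decides, so the order below is part of the policy.
/ip firewall filter
add action=accept chain=input comment=\
    "Allow all established/related connections, input/forward" \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
# Invalid-state packets are dropped before any broader accept rule. The
# forward-chain drop used to sit below the two forward accept rules that
# follow, so an invalid packet matching either of them was accepted first.
# The relative order of the input-chain rules is unchanged.
add action=drop chain=input comment="Drop invalid connections input/forward" \
    connection-state=invalid
add action=drop chain=forward connection-state=invalid
# NOTE(review): this rule matches on out-interface only, so it accepts
# forwarded traffic from ANY source towards wan, not just the VLAN subnets the
# comment names. Add in-interface/in-interface-list or src-address if the
# intent is to limit it to the VLANs.
add action=accept chain=forward comment=\
    "Accept traffic from VLAN subnets to WAN" out-interface=wan
# NOTE(review): src-address has no prefix length, so it matches the single
# host 192.168.0.17, while the comment speaks of a subnet; dst-address is
# 10.10.10.0/24. Confirm which of the two is intended.
add action=accept chain=forward comment=\
    "Accept traffic from subnet 192.168.0.17 to subnet 10.10.10.0" \
    dst-address=10.10.10.0/24 src-address=192.168.0.17
# Drops everything arriving on wan for the router itself. log-prefix is set
# but log=yes is not present on the rule, so as written nothing is logged.
add action=drop chain=input comment="Drop traffic from WAN connections input" \
    in-interface=wan log-prefix=2
# NOTE(review): the input rule has no in-interface, so it drops UDP/53 to the
# router from every interface, internal ones included (wan is already covered
# by the rule above). Confirm no internal client is expected to use the router
# as its resolver. Only UDP is matched; TCP/53 is not affected.
add action=drop chain=input comment="DROP DNS FLOOD" dst-port=53 protocol=udp
# This forward rule sits after the accept for out-interface=wan, so it only
# affects forwarded UDP/53 that does not leave via wan.
add action=drop chain=forward dst-port=53 protocol=udp
# The next two input rules cannot match: every input packet from wan is
# already dropped by "Drop traffic from WAN connections input" above. They
# only take effect if that rule is disabled or removed.
add action=drop chain=input comment="DROP WINBOX CONNECT WAN" dst-port=8291 \
    in-interface=wan protocol=tcp
add action=drop chain=input comment="DROP ICMP" in-interface=wan protocol=\
    icmp
add action=drop chain=forward in-interface=wan protocol=icmp
# Disabled rule. It matches on the SOURCE MAC address, i.e. frames sent by
# that device, although the comment says "TO MAC".
add action=drop chain=forward comment="DROP TO MAC" disabled=yes \
    src-mac-address=74:46:A0:77:B4:E3
# NOTE(review): the comment says "from" but the rule matches dst-address, i.e.
# traffic TO 10.10.0.0/16. Confirm whether src-address was meant. The earlier
# accept for 192.168.0.17 -> 10.10.10.0/24 is the exception to this drop.
add action=drop chain=forward comment="Drop traffic from subnet 10.10.0.0/16" \
    dst-address=10.10.0.0/16
# NOTE(review): neither chain ends in a catch-all drop. In forward, a new
# connection arriving on wan that is not ICMP, not UDP/53 and not destined to
# 10.10.0.0/16 falls through to the default accept. In input, anything from a
# non-wan interface other than UDP/53 is accepted. If the topology allows it,
# consider closing the forward gap with a rule such as the one below (left
# commented out; verify against the NAT and routing setup before enabling):
# add action=drop chain=forward comment="Drop new WAN traffic not dst-natted" \
#     connection-nat-state=!dstnat connection-state=new in-interface=wan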