I've just ditched our constantly freezing TP-Link router and replaced it with a MikroTik RB951G-2HnD, connected on ether1 to a Draytek Vigor 120 ADSL modem running in PPPoE passthrough mode.
Everything seems to be working smoothly (and with much stronger wifi signal too), but I'm not quite sure whether I've set up the firewall rules correctly. The PPPoE client is running on the ether1 interface, and I've changed the in-interface of the default firewall rules from "ether1" to "pppoe-out1". Is this correct, or should the rules be on ether1? Any other criticisms gratefully accepted too - I'm new to the networking side of things, and it's interesting to learn, but the MikroTik certainly exposes a scary number of options.
Current settings are below (hopefully with all the passwords removed). The Draytek modem is at 192.168.1.1, and I've managed to set things up so that I can still log in to it at that address, although I may have done that in a less than perfect way too...
# LAN bridge. The admin-mac value has been redacted by the poster.
/interface bridge
add admin-mac=xxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
# ether2 is renamed and made the master port of ether3-ether5, so the four
# wired LAN ports form one switch group.
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
# PPPoE session to the ISP, carried over ether1 (the port cabled to the modem).
# add-default-route=yes puts the default route on pppoe-out1, so Internet
# traffic enters and leaves the router on pppoe-out1 rather than on ether1.
# Firewall and NAT rules meant for "the WAN" therefore have to match
# pppoe-out1, which is what the filter and nat sections of this export do.
# use-peer-dns=yes: the router takes its upstream resolvers from the ISP.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=user@xtra.co.nz
# Neighbor discovery is switched off on ether1, the modem-facing port.
# NOTE(review): nothing is shown here for pppoe-out1 - confirm that discovery
# is not active on the PPPoE interface either.
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
# Wireless security profile: WPA2-PSK is the only authentication type enabled.
# No pre-shared key appears in this listing (removed by the poster or not
# included in the export). management-protection=allowed uses protected
# management frames with clients that support them without requiring it.
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name="WLAN profile" supplicant-identity=""
# 2.4 GHz access point using the profile above; channel and power limits follow
# the "new zealand" regulatory domain.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="new zealand" \
disabled=no distance=indoors frequency-mode=regulatory-domain mode=\
ap-bridge security-profile="WLAN profile" ssid=test \
wireless-protocol=802.11
# Address pool handed out to LAN clients.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
# DHCP server for the LAN, bound to the bridge.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=2h name=defconf
# Bridge members: the wired switch group (via its master port) and the AP.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip address
# Router's LAN address.
# NOTE(review): it is bound to ether2-master, which is also a bridge port,
# while the DHCP server above is bound to "bridge" - putting the address on
# the bridge itself would be consistent; confirm.
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
192.168.88.0
# Second address on ether1 so the modem's admin page at 192.168.1.1 stays
# reachable next to the PPPoE session. No prefix length is given and "network"
# is set to the modem's own address.
# NOTE(review): this looks like a point-to-point style entry and .0 is an
# unusual host address; a conventional form would be a host address with /24
# (for example 192.168.1.2/24, value chosen for illustration) - confirm.
# This address also makes ether1 an IP interface in its own right, which the
# pppoe-out1 firewall rules in this export do not cover.
add address=192.168.1.0 interface=ether1 network=192.168.1.1
# defconf DHCP client, still attached to ether1.
# NOTE(review): with PPPoE supplying the WAN address this is probably
# unnecessary; if the modem answers DHCP it could hand the router another
# address and route on ether1 - consider disabling it after checking.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# allow-remote-requests=yes makes the router a DNS resolver for any client
# whose packets the input chain lets through. Only the input-chain drop on
# pppoe-out1 keeps it from answering Internet hosts as an open resolver, so
# that rule must not be removed or reordered carelessly.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
# Rules are evaluated top to bottom; rules without an explicit action accept.
# Neither chain ends in a catch-all drop, so anything not matched below is
# accepted.
/ip firewall filter
# input = traffic addressed to the router itself. ICMP is accepted from every
# interface, including pppoe-out1.
add chain=input comment="defconf: accept ICMP" protocol=icmp
# Replies to connections the router or its clients already opened.
add chain=input comment="defconf: accept established,related" \
connection-state=established,related
# Everything else arriving from the Internet is dropped. Matching pppoe-out1 is
# the right interface here: IP packets from the ISP arrive on the PPPoE
# interface, and ether1 only carries the PPPoE frames plus the modem's own
# management subnet.
# NOTE(review): ether1 has its own IP address and a DHCP client, and no rule
# drops input arriving on ether1, so hosts on the modem segment can reach the
# router's services. Consider adding a matching drop for in-interface=ether1
# (or dropping everything that does not arrive on bridge) - verify that access
# to the modem page still works afterwards.
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=pppoe-out1
# forward = traffic routed through the router. Established/related connections
# are fasttracked; the accept rule below handles packets that are not
# fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
# Packets that connection tracking cannot place in a valid connection.
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# New connections from the Internet are dropped unless a dst-nat (port forward)
# rule matched them; no dst-nat rules appear in this export, so all unsolicited
# inbound connections on pppoe-out1 are dropped.
# NOTE(review): as on the input chain, new connections arriving on ether1 are
# not covered by this rule.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-out1
/ip firewall nat
# Source NAT for Internet-bound traffic: LAN addresses are rewritten to
# whatever address pppoe-out1 currently holds.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-out1
# Source NAT for traffic to the modem's management subnet via ether1. The modem
# then sees the router's ether1 address as the source, so it needs no route
# back to 192.168.88.0/24. This rule is what lets LAN clients open
# 192.168.1.1.
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 out-interface=\
ether1
# Telnet and SSH management are turned off.
# NOTE(review): only these two services appear in the export, so the other
# management services (web interface, Winbox, FTP, API) are presumably still at
# their defaults. Check "/ip service print", disable what is not used and limit
# the rest to the LAN with the service's address= setting. The firewall only
# blocks them on pppoe-out1.
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Pacific/Auckland
/system clock manual
set time-zone=+12:00
# LED entry 0 is tied to wlan1.
/system leds
set 0 interface=wlan1
# protected-routerboot=disabled leaves the boot loader settings unprotected;
# this matters only to someone with physical access to the device.
/system routerboard settings
set init-delay=0s protected-routerboot=disabled
# MAC-layer management (MAC telnet and MAC Winbox): the default entry is
# disabled and an entry for bridge is added, so these services are offered on
# the LAN bridge only, not on ether1 or pppoe-out1.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
