The default DSTNATed firewall rule keeps traffic from the WAN accessing LAN side IP addresses.

More info here

Printing the rules on a router with the default config should show the following.

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1

If you are wanting to add the rule to a router, you can copy and past the following command. Replace in-interface=ether with your in interface.

/ip firewall add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1