Here is a decent set of default firewall rules to use on Mikrotik:
/ip firewall filter
add action=accept chain=input comment="DEF: accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="DEF: drop invalid" connection-state=invalid
add action=accept chain=input comment="DEF: accept icmp" protocol=icmp
add action=accept chain=input comment="DEF: accept trusted ssh" port=22 protocol=tcp src-address-list=\
trusted
add action=accept chain=input comment="DEF: accept trusted api" port=8728-8729 protocol=tcp \
src-address-list=trusted
add action=accept chain=input comment="DEF: accept trusted winbox" port=8291 protocol=tcp \
src-address-list=trusted
add chain=forward comment="DEF: accept established, related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Block WLAN-Guests from General" connection-state=established,new \
dst-address-list=vl10 src-address-list=vl31
add action=drop chain=forward comment="Block Security from General" connection-state=established,new \
dst-address-list=vl10 src-address-list=vl50
add action=drop chain=forward comment="Block WLAN-Public from Security" connection-state=\
established,new dst-address-list=vl50 src-address-list=vl31
add action=drop chain=forward comment="DEF: drop invalid" connection-state=invalid
add action=drop chain=input comment="DEF: drop everything else not from LAN" connection-nat-state=\
!dstnat connection-state=new in-interface-list=!LAN
There are some specific VLAN rules in there to give you an example of how to block traffic between VLANs if you need. These rules also require you have two interface lists -- "LAN" and "WAN" which you can create.
As @lippavisual said -- make sure you are running the latest STABLE firmware and have changed default passwords, etc. Check to make sure your router isn't acting as an open DNS resolver and that it doesn't have a proxy enabled.