Hi! Thanks for your reply!
It seems that after creating a rule to block all from L2TP to Device, it prevents all the access to the router correctly!
What I don't understand is why this isn't the case by default. By default, WAN inbound blocks everything apart from the things you allow in the firewall, but for L2TP everything is open unless you manually make rules to block things. This isn't clear anywhere in the documentation, and looking at Firewall > General Settings > Zone forwarding makes you believe that the default rule for inbound from L2TP is to Reject the traffic.
It seems to me it's either a bug or a feature left on purpose like this?
I understand that some people who have L2TP configured NOT as a default route may want clear passage through the firewall (as they own the L2TP server as well and control the traffic that way?). But for people who configure L2TP as the default route (me), it should behave the same way as WAN. Because I don't own the L2TP server I am connecting to (it's just a service I am paying for that offers me a noNAT fixed IP address which the router gets), it's very much like WAN. Yet the rules are set with only WAN in mind, not L2TP. Maybe there should be a script that, when you're configuring the L2TP client and tick "Use as default route", creates a few rules in the firewall that work the same way as the WAN rules, preventing access to the device instead of leaving it open to the world.
Just a thought.
Thanks for everyone's help!
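As an added illustration (not from this thread or the vendor's documentation) of the two zone behaviours discussed above, here is what the L2TP zone looks like in OpenWrt-style UCI firewall syntax, which RutOS-based routers also use: the first block reproduces the open default, the second is the WAN-like hardened alternative for an L2TP client used as the default route. The zone name `l2tp` and the interface name `l2tp` are assumptions; pick one block, not both.

```uci
# Permissive zone: anything arriving over the L2TP tunnel reaches the router itself
config zone
	option name 'l2tp'
	list network 'l2tp'          # assumed interface name of the L2TP client
	option input 'ACCEPT'        # inbound to the device is open to the tunnel peer
	option output 'ACCEPT'
	option forward 'REJECT'

# WAN-like zone for an L2TP client that is the default route
config zone
	option name 'l2tp'
	list network 'l2tp'
	option input 'REJECT'        # reject unsolicited traffic aimed at the router, as WAN does
	option output 'ACCEPT'       # outbound sessions and their replies still pass (stateful)
	option forward 'REJECT'
	option masq '1'              # LAN clients share the tunnel address, as they do on WAN

# Only the LAN may initiate traffic out through the tunnel
config forwarding
	option src 'lan'
	option dest 'l2tp'
```

Any service that should be reachable from the tunnel (for example a VPN or SSH) then needs an explicit `config rule` with `option src 'l2tp'` and `option target 'ACCEPT'`, exactly as it would for WAN.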