I don't use Fiber, but VDSL with Airtel. I use beetel modem in bridge mode to
Mikrotik (hap ac2). Port 80 is not opened.
VPN works, though. I can connect to mikrotik through VPN, when I travel. I used "Quick set" method to setup most configurations and then fine-tuned from there. So, I configured VPN from "Quick Set" too. Then, I kept l2tp + ipsec for VPN, and disabled other VPN methods. In order to connect to VPN, there are a few more steps involved (after "Quick set").
1. L2tp server binding is created on-demand. Instead, create it manually in webfig at IP => Interface => "Add New" => l2tp server binding. You may need to enter the username of the VPN user. Ignore any warning such as it is not active (because you aren't connected to it).
2. Create a firewall rule to allow all connections via VPN interface that is just created in step #1 above. Again, ignore any warnings. You may also limit the ports to allow. I allowed all ports (including port 80) via VPN.
3. In webfig, IP => Cloud, make sure both "DDNS enabled" and "Update Time" options are checked. On the same page, you'd be provided with the
DNS name such as random1234.sn.mynetname.net . You may use it to connect to mikrotik using l2tp + ipsec VPN.
I hope that helps.