някой ако има опит - нека сподели ....


It's WORKING ....

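/ ip firewall filter
# Rules are evaluated top to bottom inside each chain; the first rule with a
# terminating action (accept/drop) wins, so order within a chain matters.

# --- input chain: traffic addressed to the router itself ---
add chain=input connection-state=invalid action=drop comment="Drop Invalid \
connections" disabled=no
add chain=input connection-state=established action=accept comment="Allow \
Established connections" disabled=no
# Added so that related packets (e.g. ICMP errors for the router's own
# connections) keep working once the catch-all accept below is tightened.
add chain=input connection-state=related action=accept comment="Allow \
Related connections" disabled=no
# NOTE(review): matches every UDP datagram to the router on every interface,
# so any UDP service the router listens on is reachable from the WAN too.
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
# Telnet drop moved here from the end of the list: placed after the catch-all
# accept below, it could never match and Telnet stayed open.
add chain=input protocol=tcp dst-port=23 action=drop comment="deny Telnet to \
the router - TCP port 23" disabled=no
# NOTE(review): this rule has no src-address match, so it accepts from ANY
# source, not only the "known network", and the "Drop anything else" rule
# after it is dead. Add src-address=<LAN-subnet> here to make the drop count.
add chain=input action=accept comment="Allow access to router from known \
network - change on 10 10 2006" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no

# --- forward chain: traffic routed through the router ---
add chain=forward protocol=tcp connection-state=invalid action=drop \
comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
related connections" disabled=no
# Non-routable source/destination ranges. Only the forward chain filters
# these; the input chain has no equivalent rules.
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
# Per-protocol sub-chains. A packet that matches nothing in its sub-chain
# returns here and continues with the remaining forward rules below.
add chain=forward protocol=tcp action=jump jump-target=tcp comment="" \
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment="" \
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment="" \
disabled=no

# --- tcp sub-chain ---
# NOTE(review): TFTP (69) and DHCP (67-68) are UDP services; the TCP entries
# for them are harmless but do not block the real traffic, and the udp chain
# below has no DHCP rule at all.
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC \
portmapper" disabled=no
# The global NBT/CIFS drops stay disabled; the interface-specific copies at
# the end of this chain enforce them on the pppoe interface only.
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" \
disabled=yes
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" \
disabled=yes
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny \
NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" \
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny \
BackOrifice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP" \
disabled=no

# --- udp sub-chain ---
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" \
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC \
portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" \
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS" \
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny \
BackOrifice" disabled=no

# --- icmp sub-chain: allow-list of ICMP type:code, drop the rest ---
# Comments corrected: the old ones were copied from the connection-state
# rules and did not describe the matched ICMP types.
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="allow \
echo reply" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow \
destination unreachable - net unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow \
destination unreachable - host unreachable" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow \
source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow \
echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow \
time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow \
parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no

# --- remaining forward rules (reached only for packets not dropped in a
# sub-chain) ---
# Redundant: TCP/135 is already dropped inside the tcp sub-chain above.
add chain=forward protocol=tcp dst-port=135 action=drop comment="" disabled=no
# NOTE(review): the comment says 5 connections but the rule's threshold is 6
# - confirm the intended limit before enabling.
add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop \
comment="limit simultaneous TCP connections per client address" disabled=yes
# Per-host online-radio block for 172.16.43.4-172.16.43.16 on 8000-9000, plus
# one /24-wide block of HTTP to a single radio server.
add chain=forward src-address=172.16.43.4 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.5 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.6 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.7 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.8 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.9 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.10 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.11 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.12 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.13 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.14 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.15 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.16 protocol=tcp dst-port=8000-9000 \
action=drop comment="online radio block" disabled=no
add chain=forward src-address=172.16.43.0/24 dst-address=87.120.40.151 \
protocol=tcp dst-port=80 action=drop comment="online radio block" \
disabled=no

# --- interface-specific NBT/CIFS rules appended to the tcp sub-chain ---
# NOTE(review): action=passthrough only updates counters and continues with
# the next rule; the two pptp-in1 rules below do not deny anything despite
# their comments. Only the pppoe rules actually drop.
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=137-139 \
action=passthrough comment="count NBT on pptp - mod1" disabled=no
add chain=tcp in-interface=pptp-in1 protocol=tcp dst-port=445 \
action=passthrough comment="count cifs on pptp - mod2" disabled=no
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp \
dst-port=137-139 action=drop comment="deny NBT - mod3" disabled=no
add chain=tcp in-interface="pppoe-out1 - netsurf" protocol=tcp dst-port=445 \
action=drop comment="deny cifs - mod4" disabled=no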




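/ ip firewall nat
# NOTE(review): the WAN interface is written as "pppoe-out1" in some rules
# and "pppoe-out1 - netsurf" in others. Only one of those names can exist on
# the router, so the rules using the other name never match; use one name
# throughout.
add chain=srcnat out-interface="pppoe-out1" action=masquerade \
comment="" disabled=no
# Catch-all port forwarding to 172.16.43.1: together with the TCP
# 50002-65535 and UDP 0-513 / 515-65535 rules further down, every TCP and
# UDP port on the public address except the explicitly forwarded ones ends
# up on that host. The forward-chain filter rules are the only protection
# in front of it.
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=tcp dst-port=0-49999 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-49999 comment="" disabled=no
# NOTE(review): dst-port/to-ports are TCP/UDP matchers; whether they are
# accepted or silently ignored together with protocol=icmp, gre and igmp
# depends on the RouterOS version - confirm these three rules do what is
# intended (forward the whole protocol to 172.16.43.1).
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=icmp dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-65535 comment="ping via WAN enabled" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=gre dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1 - netsurf" dst-address=85.x.x.x \
protocol=udp dst-port=515-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=515-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=igmp dst-port=0-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-65535 comment="" disabled=no
# Already covered by the first masquerade rule (same out-interface, no
# protocol restriction there); kept for the separate counter.
add chain=srcnat out-interface="pppoe-out1" \
src-address=172.16.43.0/24 protocol=igmp action=masquerade comment="" \
disabled=no
# Line continuations added: the original was missing the trailing "\" after
# src-address and inside the comment string, which split this rule into
# separate (invalid) commands when pasted.
add chain=dstnat in-interface="pppoe-out1" src-address=62.x.x.x \
dst-address=85.x.x.x protocol=udp dst-port=514 action=dst-nat \
to-addresses=172.x.x.x to-ports=514 comment="syslog via 62.x.x.x \
to 172.x.x.x" disabled=no
add chain=dstnat dst-address=10.0.0.217 protocol=tcp dst-port=80 \
action=dst-nat to-addresses=192.168.0.4 to-ports=0-65535 comment="example \
port forwarding" disabled=yes
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=tcp dst-port=50000 action=dst-nat to-addresses=172.x.x.x \
to-ports=50000 comment="torrents port forwarding - tcp port 50000 for \
172.x.x.x" disabled=no
# Line continuation added after dst-address (missing in the original).
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=udp dst-port=50000 action=dst-nat to-addresses=172.x.x.x \
to-ports=50000 comment="torrents port forwarding - udp port 50000 for \
172.x.x.x" disabled=no
# Comments corrected: these two rules forward port 50001, not 50000.
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=tcp dst-port=50001 action=dst-nat to-addresses=172.x.x.x \
to-ports=50001 comment="torrents port forwarding - TCP port 50001 for \
172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=udp dst-port=50001 action=dst-nat to-addresses=172.x.x.x \
to-ports=50001 comment="torrents port forwarding - UDP port 50001 for \
172.x.x.x" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=tcp dst-port=50002-65535 action=dst-nat to-addresses=172.16.43.1 \
to-ports=50002-65535 comment="" disabled=no
add chain=dstnat in-interface="pppoe-out1" dst-address=85.x.x.x \
protocol=udp dst-port=0-513 action=dst-nat to-addresses=172.16.43.1 \
to-ports=0-513 comment="" disabled=no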


и на LAN интерфейса - arp-proxy

съответно заменете моите 85.х.х.х и 172.х.х.х - с вашите такива