There are 2 local nets: 192.168.2.0/24 (special accounts) and 10.0.200.0/24 (common accounts)
Common accounts are forbidden to enter special accounts. I isolated nets for this purpose by adding RULES in ROUTE LIST:
192.168.2.0/24 is unreachable for 10.0.200.0/24
All was working good.
But now I should allow some IPs in 10.0.200.0/24 to get access for some IPs in 192.168.2.0/24.
I don't know how to do it.