I have for some time had an idea I have thought of, and would like to share it here.
For starters, I know VPNs are much preferred over my idea, but I would still like to share it.
I have customers who have RDP servers running, and for them I have changed from port 3389 to, say, 23111, to avoid net scanners stumbling over these RDP servers.
My idea would be to have a list of approved IP addresses which can go through this NAT rule. I have no problem making such lists manually.
What I would like, and here come my thoughts:
If a client is on a totally unknown network that is not allowed to open port 23111, I would like them to just have a link they could click on, and the MikroTik would insert their public IP into an approved list.
Like they went to http://11.22.33.44:11080/secretlink1212secretmorelink - and this was provided by the web server in the MikroTik.
It would also be easy to block port scanners long before their scan came to this port, so I wouldn't be afraid of brute force, first on the MikroTik to open a port, and then afterwards on the RDP server.
Does this sound like a really, really stupid idea?
Or does anyone have other ideas on how to block access to a port, which could be easily opened when needed?
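
Added example, not part of the original post: a RouterOS sketch of the allowlist-gated NAT rule described above, with the secret link approximated by a knock (a new TCP connection to port 11080 adds the source IP to the approved list for a limited time) rather than a URL served by the router. The RDP host 192.168.88.10, the sample customer address, the list names and the timeouts are assumptions.

```routeros
# Added example. Assumptions: RDP host 192.168.88.10, list names, timeouts.
/ip firewall address-list
# Manually maintained entries (constructed sample address).
add list=rdp-allowed address=203.0.113.10 comment="customer office, static"

/ip firewall filter
# 1. Sources already flagged as scanners are dropped before they can knock.
add chain=input src-address-list=port-scanners action=drop \
    comment="drop flagged scanners"
# 2. Flag port scans using the built-in port scan detection matcher.
add chain=input protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d comment="flag port scanners"
# 3. Knock: a new connection to 11080 approves the source for 8 hours.
add chain=input protocol=tcp dst-port=11080 connection-state=new \
    action=add-src-to-address-list address-list=rdp-allowed \
    address-list-timeout=8h comment="knock opens RDP for this source"
# 4. Nothing listens on the knock port, so drop the packet afterwards.
add chain=input protocol=tcp dst-port=11080 action=drop

/ip firewall nat
# Only approved sources reach the RDP server through the public port.
add chain=dstnat protocol=tcp dst-port=23111 src-address-list=rdp-allowed \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP for approved sources only"
```

Unlike a secret URL, a single-port knock carries no secret: a scanner whose first probe lands on 11080 is approved before rule 2 has seen enough packets to flag it, so RDP account lockout and Network Level Authentication on the server remain necessary behind this rule.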