I have a RB3011. I need to block any internet access to 16 IPs. They are CCTV cameras. I do not want access to the cameras out side the network. I need to set the 16 cameras as static ips and then block internet traffic to them. I basically do not want anyone to get into the cameras using the IP address outside the network. How do I do this?
one possible idea…
suggest putting them on their own VLAN
assign static IP leases on VLAN associated DHCP server.
ensure no firewall rules allow that VLAN to have internet access.
Assuming that you’ve assigned the cameras a continuous range of addresses, and that the default firewall rules of some recent RouterOS release are in place, it would be:
/ip firewall filter
add chain=forward action=drop src-address=camera.1.ip-camera.16.ip
However, as I’m not sure how default firewall configuration looks like in case of RB3011, better post the output of /ip firewall export (replacing all occurrences of any public address by some meaningful string like my.public.ip.1)
He could also just ensure that the IP range the cameras are on are not included in the NAT masquerade statement/policy.
Yes, but it would be no simpler (one rule vs. one rule) and I’ve suggested my solution because I prefer to use a screwdriver for screws and a hammer for nails 
I use a nail clipper for my nails and a bigger one for the ones on my feet. 
Normal people drink screwdrivers.
GDPR, bro?
+1 for Sindy’s solution. But if non continious the adress space of the camera-s, you can use adress list, where you put in the camera-s IP adddresses.
If it is not enough, I think (never tried) you can block by MAC address too, if the cameras and the RB-s LAN port is in the same Layer2 network.