Dual routing/DMZ?

So, I have a /30 IP on my router. Behind this IP, in the intranet, there are two networks separated by VLANs, with some DNAT:

add chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443 protocol=tcp dst-port=443
add chain=dstnat action=dst-nat to-addresses=192.168.10.20 to-ports=3389 protocol=tcp dst-port=3389
add chain=srcnat action=masquerade src-address=192.168.10.0/24 out-interface-list=WAN

add chain=dstnat action=dst-nat to-addresses=192.168.11.10 to-ports=80 protocol=tcp dst-port=80
add chain=srcnat action=masquerade src-address=192.168.11.0/24 out-interface-list=WAN

Current schema

                   INTERNET
                       |
              150.160.170.180/30
               /             \
VLAN 10                     VLAN 11
192.168.10.0/24             192.168.11.0/24

Future schema I want to get:

                   INTERNET
                       |
              150.160.170.180/30
               /             \
150.160.165.185/29          150.160.165.186/29
VLAN 10                     VLAN 11
192.168.10.0/24             192.168.11.0/24

How should it look in the config if I want to go to the website on 192.168.10.10 via 150.160.165.185, for example?
The provider will make my /30 IP as routable peer for /29, so what should it look like? Some kind of double routing and double DMZ?

It’s not exactly clear.

First, if those NAT rules you posted are all you have there, it can’t work well, because any request to ports 80 and 443 from anywhere is redirected to your internal servers, so web browsing from your LANs can’t work.

Second, I’m not sure I understand “make my /30 IP as routable peer for /29”. Does it mean that the whole /29 will be routed to you via 150.x.x.180? If so, you can either keep them on the router too and stick with src/dstnat, or you can give them directly to internal devices (either route individual addresses to them, or assign two /30 subnets to the VLANs, but that would be terribly wasteful, because instead of eight addresses you’d have only two).

You are right. To be more precise, the rules should be like this:
add action=dst-nat chain=dstnat dst-address=192.168.10.10 dst-port=443 protocol=tcp to-addresses=192.168.10.10 to-ports=443

Yes, the /29 will be routed via .180/30, but the /30 will be configured as the main IP on my router for routing the /29, and as a management IP if I actually need to access the router.
I do not want to configure them directly on each virtual machine, because there will be a lot of VMs on the host that is connected to the router.

So what exactly is the problem? Aside from the wrong address in the last rule, you seem to have some idea about what you need. Or not?

Something like:

/ip firewall nat
add chain=dstnat dst-address=150.x.x.185 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.10.10
add chain=dstnat dst-address=150.x.x.186 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.10.20
add chain=dstnat dst-address=150.x.x.187 protocol=tcp dst-port=25,465,587 action=dst-nat to-addresses=192.168.11.30
...
add chain=srcnat src-address=192.168.10.10 action=src-nat to-addresses=150.x.x.185
add chain=srcnat src-address=192.168.10.20 action=src-nat to-addresses=150.x.x.186
add chain=srcnat src-address=192.168.11.30 action=src-nat to-addresses=150.x.x.187
...

Your examples look helpful to me)
And a second (last) question about the routable /30 IP:
will it be configured on the ISP side, or should I make some additional routing on the MikroTik side for the /29?

If it’s a routed subnet, then the ISP will do this on their router:

/ip route
add dst-address=x.x.x.184/29 gateway=x.x.x.180

And all eight addresses from the /29 will be going to you. You don’t need to do anything special. If you’re not going to route them further, it’s a good idea to assign them to the router. It doesn’t matter where; it could be the WAN interface, or an empty bridge serving as a loopback interface. It would mostly work even if you didn’t, but packets to ports that won’t be forwarded to internal devices would bounce back to the ISP (and then back to you, ISP, you, ISP, … until their TTL expires), and that wouldn’t be good.
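Pulling the two answers above together (the 1:1 src/dst-nat mapping from the earlier reply and the advice to terminate the routed /29 on the router), here is a complete RouterOS fragment as an added example; it is not from the thread or from MikroTik. It assumes RouterOS v6 syntax, an interface list named WAN that already exists, the same 150.x.x.185/.186/.187 placeholders and internal hosts the replies used, and the ISP routing 150.x.x.184/29 to 150.x.x.180 as described. The bridge name lo-public, the blackhole route and the forward-chain filter rules are my additions, not something the thread prescribes.

```routeros
# Added example, not from the thread. RouterOS v6; interface list "WAN" assumed to exist.

# 1. Terminate the routed /29 on the router itself. An empty bridge acts as a
#    loopback; each public address is a /32 on it, so traffic to a port that is
#    not dst-nat'ed is answered (or refused) locally instead of being sent back
#    to the ISP.
/interface bridge
add name=lo-public protocol-mode=none

/ip address
add address=150.x.x.185/32 interface=lo-public
add address=150.x.x.186/32 interface=lo-public
add address=150.x.x.187/32 interface=lo-public

# 2. Safety net for the addresses not assigned above: a blackhole route for the
#    whole /29 drops them on the router, so nothing can loop between the router
#    and the ISP until the TTL expires. The connected /32 routes are more
#    specific and still win.
/ip route
add dst-address=150.x.x.184/29 type=blackhole comment="unused public addresses"

# 3. 1:1 NAT. Each dstnat rule is scoped to its public address, so ports 80/443
#    opened from the LANs are not hijacked. The per-host src-nat rules must sit
#    above the catch-all masquerade, because the first matching srcnat rule wins.
/ip firewall nat
add chain=dstnat dst-address=150.x.x.185 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.10.10
add chain=dstnat dst-address=150.x.x.186 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.10.20
add chain=dstnat dst-address=150.x.x.187 protocol=tcp dst-port=25,465,587 action=dst-nat to-addresses=192.168.11.30
add chain=srcnat src-address=192.168.10.10 out-interface-list=WAN action=src-nat to-addresses=150.x.x.185
add chain=srcnat src-address=192.168.10.20 out-interface-list=WAN action=src-nat to-addresses=150.x.x.186
add chain=srcnat src-address=192.168.11.30 out-interface-list=WAN action=src-nat to-addresses=150.x.x.187
add chain=srcnat src-address=192.168.10.0/24 out-interface-list=WAN action=masquerade
add chain=srcnat src-address=192.168.11.0/24 out-interface-list=WAN action=masquerade

# 4. Only connections that were dst-nat'ed may be forwarded in from WAN;
#    every other new connection from the Internet is dropped. This is the same
#    "drop all from WAN not DSTNATed" idea the MikroTik default firewall uses.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=dstnat action=accept
add chain=forward in-interface-list=WAN connection-state=new action=drop
```

The order of the srcnat rules is the part most easily got wrong: if the masquerade rules stay above the per-host src-nat rules, the web server will keep going out as 150.x.x.180 and anything that checks the source (SPF for the mail host, IP allow-lists for SSH) will see the wrong address. The input chain is not shown; management access to the router on .180 should still be restricted to trusted sources in the usual way.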

Thank you for help and clarification!