How to Stop Attacks on a Server and Control User Internet Usage

Hello everybody,
We have a PC acting as a server, running Windows Server 2012 as Domain Controller, DNS and DHCP, as in the map below.

I have these problems:
1. DNS, in the Network section of Resource Monitor, sends (uploads) a lot of data to unknown IPs, and my internet traffic finishes quickly. I can stop this by blocking public DNS connections in the antivirus firewall.
2. The lsass.exe program, in the Network section of Resource Monitor, sends (uploads) a lot of data to unknown IPs, and my internet traffic finishes quickly.

3. I want to control my clients' (users') internet usage by IP or MAC (for example, in an address list on the MikroTik firewall), as in the map below.

What basic wireless MikroTik model is necessary? Can anyone help me configure it step by step and write the code?

Your problem is not quite clear. You have to know what unwanted data is going out and why. Then remove the reason and implement corresponding firewall rules. Regarding device selection: all MikroTik devices work the same, as they share the same operating system. So choose by physical configuration and performance data to fit your needs.

Thank you for the response. How should I know what data is going out? I googled lsass.exe; it is the “Local Security Authority Subsystem Service”, and I guess it is because of the Remote Desktop connection that I use to reach the server remotely. I guess the other reason, following the first map, is that the internet is directly connected to the server, so could it be a brute-force attack? I just want to make my network security better, like changing default ports, … but I don’t know how. So what is your suggestion?

I think you have a DNS attack on your router.
Please describe your network problem in more detail.
Monitor real-time traffic with the Torch tool.
I am sending some security rules that protect your router.

/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=ps comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.C-K" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=virus comment=cache dst-port=47585 protocol=tcp
add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
add action=drop chain=virus comment="Deny all p2p" p2p=all-p2p
add action=drop chain=input src-address-list="port scanners"
add action=jump chain=input jump-target=ps
add action=jump chain=input jump-target=virus
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist

add action=drop chain=input comment="DNS ATTack" dst-port=53 in-interface=ether1-EXT protocol=udp
add action=drop chain=input comment="DNS ATTACK" dst-port=53 in-interface=ether1-EXT protocol=tcp

I don’t have a MikroTik router yet. What model do you suggest for the second map of my first post?

I think you can use a MikroTik SOHO RouterBOARD like the RB951G-2HnD (recommended: bridge the DSL modem and register the PPPoE connection on the RouterBOARD).
For traffic management I suggest running the hotspot or any PPP server (a VPN server such as PPTP, L2TP and …; the hotspot is best).
But to select the best device we must know some important items, such as traffic throughput on the router and user usage.

Make sure that in the server's network settings there are only internal DNS server IP addresses. The AD DC should not know about any external DNS servers. To access Internet resources, there should be forwarders configured on the DNS server.
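The setup described in this reply, as an added example that is not part of the original post: a PowerShell script for the domain controller that lists any non-internal resolver on the adapters, sets the adapter to internal DNS only, and configures forwarders on the DNS Server role. The adapter alias, the DC address and the forwarder addresses are placeholder assumptions to be replaced with real values.

```powershell
# Added example, not from the thread. Run in an elevated session on the DC.
# Assumed placeholder values: adapter alias, DC address, forwarder addresses.
$nicAlias   = 'Ethernet'
$dcAddress  = '192.168.1.10'
$forwarders = '203.0.113.53', '203.0.113.54'

function Test-InternalIPv4 {
    # True for loopback and RFC 1918 addresses, false for anything else.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 127) -or ($b[0] -eq 10) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31)
}

# 1. Audit: collect every IPv4 resolver on the server's adapters that is
#    not an internal address.
$external = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object {
        foreach ($server in $_.ServerAddresses) {
            if (-not (Test-InternalIPv4 -Address $server)) {
                [pscustomobject]@{ Adapter = $_.InterfaceAlias; Resolver = $server }
            }
        }
    }

if ($external) {
    Write-Warning 'Adapters that still list an external DNS resolver:'
    $external | Format-Table -AutoSize
}

# 2. The adapter uses only the internal DNS server (here the DC itself).
Set-DnsClientServerAddress -InterfaceAlias $nicAlias -ServerAddresses $dcAddress

# 3. Internet names are resolved through forwarders on the DNS Server role,
#    not through resolvers configured on the adapter.
Set-DnsServerForwarder -IPAddress $forwarders
Get-DnsServerForwarder
```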

May I contact you directly? Please send me an email: aminamini766@gmail.com

You can talk with me on skype.
Hasan.asghari@hotmail.com