Hi this is my simple setup
/ip address
add address=192.168.99.1/24 broadcast=192.168.99.255 comment=ether3 disabled=no interface=ether3-local network=192.168.99.0
add address=192.168.100.1/24 broadcast=192.168.100.255 comment=PMS-local disabled=no interface=PMS-vlan network=192.168.100.0
add address=192.168.101.1/24 broadcast=192.168.101.255 comment=OFFICE-local disabled=no interface=OFFICE-vlan network=192.168.101.0
add address=192.168.102.1/24 broadcast=192.168.102.255 comment=HOTSPOT1-local disabled=no interface=hotspot-vlan1 network=192.168.102.0
add address=192.168.103.1/24 broadcast=192.168.103.255 comment=HOTSPOT2-local disabled=no interface=hotspot-vlan2 network=192.168.103.0
add address=192.168.104.1/24 broadcast=192.168.104.255 comment=HOTSPOT3-local disabled=no interface=hotspot-vlan3 network=192.168.104.0
add address=xxx.xx.xxx.211/24 broadcast=xxx.xx.xxx.255 comment=cable_pldt disabled=no interface=ether1-gateway network=xx.xx.xxx.0
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=overall_nat disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment=“china >>>> boracay” disabled=no dst-address=xxx.xx.xxx.211 dst-port=2600 protocol=tcp
to-addresses=192.168.100.10 to-ports=2600
add action=dst-nat chain=dstnat comment=cctv_forward disabled=no dst-address=xxx.xx.xxx.211 dst-port=8001 protocol=tcp to-addresses=
192.168.100.20 to-ports=8001
add action=dst-nat chain=dstnat comment=“” disabled=no dst-address=xxx.xx.xxx.211 dst-port=8002 protocol=tcp to-addresses=192.168.100.21
to-ports=8002
add action=dst-nat chain=dstnat comment=“” disabled=no dst-address=xxx.xx.xxx.211 dst-port=8003 protocol=tcp to-addresses=192.168.100.22
to-ports=8003
add action=dst-nat chain=dstnat comment=“” disabled=no dst-address=xxx.xx.xxx.211 dst-port=8004 protocol=tcp to-addresses=192.168.100.23
to-ports=8004
add action=masquerade chain=srcnat comment=“hotspot1 masquerade” disabled=no src-address=192.168.102.0/24
add action=masquerade chain=srcnat comment=“hotspot2 masquerade” disabled=no src-address=192.168.103.0/24
add action=masquerade chain=srcnat comment=“hotspot3 masquerade” disabled=no src-address=192.168.104.0/24
add action=redirect chain=dstnat comment=pms_proxy disabled=yes dst-port=80 in-interface=PMS-vlan protocol=tcp to-ports=8080
add action=redirect chain=dstnat comment=pms_proxy disabled=yes dst-port=80 in-interface=OFFICE-vlan protocol=tcp to-ports=8080
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=“place hotspot rules here” disabled=yes
add action=drop chain=forward comment=worms disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=forward comment=“block rules” disabled=no in-interface=hotspot-vlan1 out-interface=PMS-vlan
add action=drop chain=forward comment=“” disabled=no in-interface=hotspot-vlan2 out-interface=PMS-vlan
add action=drop chain=forward comment=“” disabled=no in-interface=hotspot-vlan3 out-interface=PMS-vlan
add action=drop chain=forward comment=“” disabled=no in-interface=hotspot-vlan1 out-interface=OFFICE-vlan
add action=drop chain=forward comment=“” disabled=no in-interface=hotspot-vlan2 out-interface=OFFICE-vlan
add action=drop chain=forward comment=“” disabled=no in-interface=hotspot-vlan3 out-interface=OFFICE-vlan
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“Port scanners to list "
disabled=no protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“NMAP FIN Stealth scan”
disabled=no protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“SYN/FIN scan” disabled=no
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“SYN/RST scan” disabled=no
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“FIN/PSH/URG scan” disabled=
no protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“ALL/ALL scan” disabled=no
protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=“port scanners” address-list-timeout=2w chain=input comment=“NMAP NULL scan” disabled=no
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment=“dropping port scanners” disabled=no src-address-list=“port scanners”
add action=drop chain=input comment=“drop ftp brute forcers” disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment=”" content=“530 Login incorrect” disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment=“” content=
“530 Login incorrect” disabled=no protocol=tcp
add action=drop chain=input comment=“drop ssh brute forcers” disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=52w2d chain=input comment=“” connection-state=new
disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment=“” connection-state=new disabled=
no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment=“” connection-state=new disabled=
no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment=“” connection-state=new disabled=
no dst-port=22 protocol=tcp
add action=drop chain=forward comment=p2p disabled=no p2p=all-p2p
add action=drop chain=input comment=“block proxying in outside” disabled=no dst-port=8080 in-interface=ether1-gateway protocol=tcp
add action=accept chain=forward comment=rdp disabled=no dst-port=3389 protocol=tcp
add action=accept chain=forward comment=“brother printer port” disabled=no dst-port=54921 protocol=tcp
add action=accept chain=forward comment=“” disabled=no dst-port=54925,54926 protocol=udp
add action=accept chain=forward comment=ICMP disabled=no protocol=icmp
add action=accept chain=forward comment=“mail, pop3” disabled=no dst-port=25,26,143,110,465,995,2525,587,993 protocol=tcp
add action=accept chain=forward comment=HTTP disabled=no dst-port=80,81 protocol=tcp
add action=accept chain=forward comment=HTTPS disabled=no dst-port=443 protocol=tcp
add action=accept chain=forward comment=MSN disabled=no dst-port=1863,6891-6900,7001 protocol=tcp
add action=accept chain=forward comment=“” disabled=no dst-port=6901 protocol=udp
add action=accept chain=forward comment=“ventrillo and mumble” disabled=no dst-port=4346,64738 protocol=tcp
add action=accept chain=forward comment=“vonage " disabled=no dst-port=10000-20000 protocol=udp
add action=accept chain=forward comment=”" disabled=no dst-port=5050,5060-5063 protocol=udp
add action=accept chain=forward comment=“” disabled=no dst-port=123 protocol=udp
add action=accept chain=forward comment=“” disabled=no dst-port=80 protocol=udp
add action=accept chain=forward comment=SSH disabled=yes dst-port=22,23 protocol=tcp
add action=accept chain=forward comment=eve-online disabled=no dst-port=26000,6112 protocol=tcp
add action=accept chain=forward comment=winbox disabled=no dst-port=8291 protocol=tcp
add action=accept chain=forward comment=mirc disabled=no dst-port=6665-7000 protocol=tcp
add action=accept chain=forward comment=“streaming server” disabled=no dst-port=8000 protocol=tcp
add action=accept chain=forward comment=yahoo_messenger disabled=no dst-port=5050,5000-5001,5100 protocol=tcp
add action=accept chain=forward comment=“” disabled=no dst-port=5000-5010 protocol=udp
add action=accept chain=forward comment=teamspeak disabled=no dst-port=9987 protocol=udp
add action=accept chain=forward comment=“google talk” disabled=no dst-port=5222,5223 protocol=tcp
add action=accept chain=forward comment=“zynga poker” disabled=no dst-port=9339 protocol=tcp
add action=accept chain=forward comment=“china stock exchange” disabled=no dst-port=7708-7709 protocol=tcp
add action=accept chain=forward comment=“taiwan webmail” disabled=no dst-port=3000 protocol=tcp
add action=accept chain=forward comment=“mikrotik remote support” disabled=no dst-port=1122 protocol=tcp
add action=accept chain=forward comment=dns disabled=no dst-port=53 protocol=tcp
add action=accept chain=forward comment=“” disabled=no dst-port=53 protocol=udp
add action=accept chain=forward comment=FTP disabled=no dst-port=20,21 protocol=tcp
add action=accept chain=forward comment=“” connection-state=established disabled=no
add action=accept chain=forward comment=“” connection-state=related disabled=no
add action=accept chain=forward comment=cctv_cam disabled=no protocol=tcp src-port=8001-8005
add action=drop chain=forward comment=default_drop disabled=yes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=“torrent user” disabled=no new-connection-mark=torrent_user p2p=all-p2p passthrough=
yes
add action=mark-packet chain=prerouting comment=“” connection-mark=torrent_user disabled=no new-packet-mark=torrent passthrough=yes
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no