Rdp failure

Alessio1234577890 · September 25, 2024, 2:34pm

Good afternoon to all,

My name is Alex
I tried many times to use rdp rules to reach to 2 pc behind the mikrotik firewall but without result. The firewall must block Internet except some ip/site that i've put in wallet garden and wallet garden ip.

I post my configuration.

2024-09-12 14:57:55 by RouterOS 7.14.1

software id = AL8S-ZMIQ

model = RB962UiGS-5HacT2HnT

serial number = HD708E2A6EX

/interface bridge
add name=bridgeNGlLan vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridgeNGlLan name=vlanWiFi_20 vlan-id=20
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=
NG_profile supplicant-identity="" unicast-ciphers=tkip,aes-ccm
wpa-pre-shared-key="Ngbox_2024!2" wpa2-pre-shared-key="Ngbox_2024!2"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX
disabled=no distance=indoors frequency=auto hide-ssid=yes installation=indoor mode=
ap-bridge security-profile=NG_profile ssid=NgBox wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=
20/40/80mhz-XXXX disabled=yes distance=indoors frequency=auto hide-ssid=yes
installation=indoor mode=ap-bridge security-profile=NG_profile ssid=NgBox
wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] hotspot-address=172.16.10.1
add hotspot-address=172.16.11.1 html-directory=flash/hotspot name=defaultWiFi
/ip pool
add name=dhcp_pool0 ranges=172.16.10.200-172.16.10.210
add name=dhcp_pool1 ranges=172.16.11.30
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=bridgeNGlLan name=dhcp1
add address-pool=dhcp_pool1 interface=vlanWiFi_20 name=dhcp2
/ip hotspot
add address-pool=dhcp_pool0 addresses-per-mac=unlimited disabled=no
interface=bridgeNGlLan name=server1
add address-pool=dhcp_pool1 addresses-per-mac=unlimited disabled=no
interface=vlanWiFi_20 name=server2 profile=defaultWiFi
/interface bridge port
add bridge=bridgeNGlLan interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridgeNGlLan interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeNGlLan interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeNGlLan interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeNGlLan interface=wlan1 pvid=20
/interface bridge vlan
add bridge=bridgeNGlLan tagged=bridgeNGlLan untagged=wlan1 vlan-ids=20
/ip address
add address=172.16.10.1/24 interface=bridgeNGlLan network=172.16.10.0
add address=172.16.11.1/24 interface=vlanWiFi_20 network=172.16.11.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=172.16.10.0/24 dns-server=8.8.8.8 gateway=172.16.10.1
add address=172.16.11.0/24 dns-server=8.8.8.8 gateway=172.16.11.1
/ip dns
set servers=8.8.8.8,8.8.8.8
/ip firewall address-list
add address=51.77.75.16 disabled=yes list=NGBox
add address=8.8.8.8 disabled=yes list=NGBox
add address=52.30.174.254 disabled=yes list=NGBox
add address=maritimegate.net disabled=yes list=NGBox
add address=192.168.1.0/24 comment="Lan Nave" disabled=yes list=NGBox
add address=teamviewer.com disabled=yes list=NGBox
add address=216.58.205.46 disabled=yes list=NGBox
add address=216.58.204.131 disabled=yes list=NGBox
add address=openstreetmap.org disabled=yes list=NGBox
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="blocco la navig del 20 " disabled=yes
log-prefix=Blok protocol=tcp src-address=172.16.10.20
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="Wlan1 " src-address=172.16.0.0/24
add action=masquerade chain=srcnat comment=ETH1 out-interface=ether1
add action=dst-nat chain=dstnat comment="NGBox WCF port forwarding" dst-port=
8732 in-interface=bridgeNGlLan log=yes log-prefix="WCF NGBox IN" port=""
protocol=tcp to-addresses=172.16.10.20 to-ports=8732
add action=dst-nat chain=dstnat comment="NGBox RDP port forwarding" dst-port=
60000 in-interface=ether1 log=yes log-prefix="RDP NGBox IN" port=""
protocol=tcp to-addresses=172.16.10.20 to-ports=3389
add action=dst-nat chain=dstnat comment="NaviGate RDP port forwarding"
dst-port=60001 in-interface=ether1 log=yes log-prefix="RDP NaviGate IN"
port="" protocol=tcp to-addresses=172.16.10.21 to-ports=3389
/ip hotspot ip-binding
add address=172.16.11.30 comment=
"Bypass firewall limitation for specific IP address" type=bypassed
add address=172.16.10.20 comment=
"Bypass firewall limitation for specific IP address" disabled=yes type=
bypassed
add address=172.16.10.21 comment=
"Bypass firewall limitation for specific IP address" disabled=yes type=
bypassed
/ip hotspot user
add name=NGBoxAdmin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add comment="place hotspot rules here" disabled=yes
add dst-host=.maritimegate.net server=server1
add dst-host=.unpkg.com server=server1
add dst-host=.googleapis.com server=server1
add dst-host=.fontawesome.com server=server1
add dst-host=.datatables.net server=server1
add dst-host=.bootstrapcdn.com server=server1
add dst-host=.cloudflare.com server=server1
add dst-host=.jquery.com server=server1
add dst-host=.mapbox.com server=server1
add dst-host=.navchannel.com server=server1
add dst-host=.jsdelivr.net server=server1
add dst-host=.openstreetmap.org server=server1
add dst-host=.akamai.com server=server1
add dst-host=maritimegate.net server=server1
add dst-host=www.w3.org server=server1
add dst-host=api.tiles.mapbox.com server=server1
add dst-host=code.jquery.com server=server1
add dst-host=cdnjs.cloudflare.com server=server1
add dst-host=maxcdn.bootstrapcdn.com server=server1
add dst-host=cdn.datatables.net server=server1
add dst-host=stackpath.bootstrapcdn.com server=server1
add dst-host=use.fontawesome.com server=server1
add dst-host=fonts.googleapis.com server=server1
add dst-host=unpkg.com server=server1
add dst-host=cdn.jsdelivr.net server=server1
add dst-host=navchannel.com server=server1
add dst-host=.teamviewer.com server=server1
add dst-host=.maritimegate.net server=server2
add dst-host=.unpkg.com server=server2
add dst-host=.googleapis.com server=server2
add dst-host=.fontawesome.com server=server2
add dst-host=.datatables.net server=server2
add dst-host=.bootstrapcdn.com server=server2
add dst-host=.cloudflare.com server=server2
add dst-host=.jquery.com server=server2
add dst-host=.mapbox.com server=server2
add dst-host=.navchannel.com server=server2
add dst-host=.jsdelivr.net server=server2
add dst-host=.openstreetmap.org server=server2
add dst-host=.akamai.com server=server2
add dst-host=maritimegate.net server=server2
add dst-host=www.w3.org server=server2
add dst-host=api.tiles.mapbox.com server=server2
add dst-host=code.jquery.com server=server2
add dst-host=cdnjs.cloudflare.com server=server2
add dst-host=maxcdn.bootstrapcdn.com server=server2
add dst-host=cdn.datatables.net server=server2
add dst-host=stackpath.bootstrapcdn.com server=server2
add dst-host=use.fontawesome.com server=server2
add dst-host=fonts.googleapis.com server=server2
add dst-host=unpkg.com server=server2
add dst-host=cdn.jsdelivr.net server=server2
add dst-host=navchannel.com server=server2
add dst-host=.teamviewer.com server=server2
add dst-host=frame-server.maritimegate.net server=server1
add dst-host=frame-server.maritimegate.net server=server2
add dst-host=54.217.198.28
add dst-host=108.128.43.145
/ip hotspot walled-garden ip
add action=accept comment="Server DNS di Google" disabled=no dst-address=
8.8.8.8
add action=accept comment="Server DNS di Google" disabled=no dst-address=
52.30.174.254
add action=accept disabled=no dst-address=184.104.179.139 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept comment=akama disabled=no dst-address=95.101.22.21
!dst-address-list !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=92.223.88.232 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.17.25.14 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.18.10.207 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=104.22.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=108.157.188.37 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=142.250.180.131 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=151.101.1.229 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=151.101.66.137 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=172.64.207.38 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=34.250.50.39 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.16.86.20 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=185.229.191.39 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=105.101.1.91 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=105.101.1.229 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=151.101.129.91 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=105.101.193.91 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=216.239.38.117 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=216.58.205.35 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=216.58.204.234 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.22.51.93 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.16.126.175 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.17.24.14 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=104.16.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=104.17.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=104.18.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=105.101.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=151.101.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept comment="Server DNS di Google" disabled=no dst-address=
8.8.8.8
add action=accept comment="Server DNS di Google" disabled=no dst-address=
52.30.174.254
add action=accept disabled=no dst-address=184.104.179.139 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept comment=akama disabled=no dst-address=95.101.22.21
!dst-address-list !dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=92.223.88.232 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.17.25.14 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.18.10.207 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=104.22.0.0/16 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=108.157.188.37 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=142.250.180.131 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=151.101.1.229 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=151.101.66.137 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=172.64.207.38 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=34.250.50.39 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=104.16.86.20 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=185.229.191.39 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=105.101.1.91 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=105.101.1.229 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=151.101.129.91 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=yes dst-address=105.101.193.91 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=216.239.38.117 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=172.16.11.30 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=54.217.198.28 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no dst-address=108.128.43.145 !dst-address-list
!dst-port !protocol !src-address !src-address-list
add action=accept disabled=no !dst-address !dst-address-list dst-host=
frame-server.maritimegate.net !dst-port !protocol !src-address
!src-address-list
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=NGBox_F14-24-Rev2
/system note
set show-at-login=no
/system routerboard settings
set silent-boot=yes

BrateloSlava · September 26, 2024, 9:26am

I reread your post and the config file several times and I absolutely don’t understand what you wanted to get? Why hotspot? For a guest WiFi network?
IMHO, this configuration file is easier to erase and recreate, than to understand it.

As far as I understand:

Internet access is via ether1. IP address is obtained via DHCP client.
There are two computers inside the local network, that need to be accessed remotely via RDP.
There are two possible solutions to this problem:

(Wrong) By port forwarding from the outside. This is simple to implement, but very easy to detect by attackers. In a couple of hours you will be watching your computers inside the network being hacked from the outside. And the likelihood of being hacked is very high.
- By (correctly) Setting up VPN access to the local network. In this case, the firewall of your router will be responsible for security, as it should be. Not security-hole Windows.

About WiFi networks - you need to clarify the task you want to realize. So far it is not clear to me.
Blocking access to certain sites is solved by filtering through a list. This list is created in the firewall and blocked, for example, in the RAW rule chain.

To summarize - describe your task as fully as possible. Then it will be possible to help you.

anav · September 26, 2024, 12:26pm

Concur, go back to basic config.
Dont attempt to use RDP on your router, even enterprises have stopped using RDP with all their edge router firewalls and fancy protections etc…most if not all have moved to citrix like setups.
As intimated, if you need to provide secure access, wireguard ( or other vpn ) into the router and then allow vpn users to where they need to go by firewall rules.

Alessio1234577890 · September 27, 2024, 5:25am

Good morning to all, Thanks for your reply.

I am forced to use rdp because the company we are working for wants it. Security is guaranteed because we go through a jumping server with two-factor authentication

Basically I tried to do this::

1 lan with ip address 172.16.10.0/24 without dhcp
1 vlan (id20) with ip address 172 16.11.0/24ust for the wifi
Vlan20 need to talk with lan because we need to send automatically (we have a software do to this) some files from lan to vlan.
Vlan20 has dchp server with just 1 leased ip that is 172.16.11.30 and this ip doesn’t have access to internet.
On llan with have 2 pc with ip address that must go on the internet but only to the servers and IPs indicated in the wallet garden and wallet garden ip
Pc 1 ip is 172.16.10 20
Pc 2 ip is 172.16.10.30

Both need to be reached with rdp from wan.
Wan has a fixed ip/gateway/dns (we will have to install 36 of them in as many places, the IPs will be communicated to us, for now they will be dhcp on the wan)

Actually all si working except the rdp that for some reasons that i don’t understand is blocked somewhere. If i enable the ip bindings to bypass the firewall rules,obviously is working for both pc

The rdp incoming port for the pc1 number 1 is 60000 to 3389, and 60001 to 3389 for pc number2.

I hope I was clear enough, and that you can give me a .ajo. Thanks anyway for your collaboration.

Thanks,
Alex

BrateloSlava · September 27, 2024, 2:41pm

Made a rough configuration for your task. You will need to change the wireless network settings to your own. To be honest, I was too lazy to go back to the previous drivers.

# 2024-09-27 17:27:11 by RouterOS 7.16
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 

/interface bridge add name=bridge1 vlan-filtering=yes

/interface ethernet set [ find default-name=ether1 ] comment=WAN

/ipv6 settings set disable-ipv6=yes

/interface vlan add interface=bridge1 name=Vlan_10_LAN vlan-id=10
/interface vlan add interface=bridge1 name=Vlan_20_WiFi vlan-id=20

/interface list add name=WAN
/interface list add name=LAN

/interface list member add interface=ether1 list=WAN
/interface list member add interface=bridge1 list=LAN
/interface list member add interface=Vlan_10_LAN list=LAN
/interface list member add interface=Vlan_20_WiFi list=LAN

/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=20
/interface bridge port add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=20

/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=ether2,ether3,ether4,ether5 vlan-ids=10
/interface bridge vlan add bridge=bridge1 tagged=bridge1 untagged=wifi1,wifi2 vlan-ids=20

/ip address add address=172.16.10.254/24 interface=Vlan_10_LAN network=172.16.10.0
/ip address add address=172.16.11.254/24 interface=Vlan_20_WiFi network=172.16.11.0

/interface wifi security add authentication-types=wpa2-psk connect-priority=0/1 disable-pmkid=yes disabled=no encryption=ccmp group-key-update=1h management-protection=disabled name=sec-Test wps=disable
/interface wifi steering add disabled=no name=steering-Test neighbor-group=NBG-Test rrm=yes wnm=yes
/interface wifi configuration add channel.band=2ghz-n .reselect-interval=1h..2h .width=20/40mhz country=Ukraine disabled=no manager=local mode=ap name=cfg-2.4-Test security=sec-Test security.ft=yes .ft-over-ds=yes ssid=MikroTik-Test steering=steering-Test
/interface wifi configuration add channel.band=5ghz-ac .reselect-interval=1h..1h30m .skip-dfs-channels=10min-cac .width=20/40/80mhz country="United States" disabled=no manager=local mode=ap name=cfg-5.0-Test security=sec-Test security.ft=yes .ft-over-ds=yes ssid=MikroTik-Test steering=steering-Test
/interface wifi set [ find default-name=wifi1 ] configuration=cfg-2.4-Test configuration.mode=ap disabled=no
/interface wifi set [ find default-name=wifi2 ] configuration=cfg-5.0-Test configuration.mode=ap disabled=no

/ip pool add name=pool_WiFi ranges=172.16.11.100-172.16.11.250
/ip pool add name=pool-LAN ranges=172.16.10.100-172.16.10.250

/ip dhcp-server add address-pool=pool_WiFi interface=Vlan_20_WiFi name=dhcp-WiFi
/ip dhcp-server add address-pool=pool-LAN interface=Vlan_10_LAN name=dhcp-LAN

/ip dhcp-server network add address=172.16.10.0/24 dns-server=172.16.10.254 gateway=172.16.10.254 netmask=24 ntp-server=172.16.10.254
/ip dhcp-server network add address=172.16.11.0/24 dns-server=172.16.11.254 gateway=172.16.11.254 netmask=24 ntp-server=172.16.11.254

# It is necessary to replace these MAK addresses with real ones
/ip dhcp-server lease add address=172.16.11.30 mac-address=9A:9B:9C:9D:9E:9F server=dhcp-WiFi
/ip dhcp-server lease add address=172.16.10.30 mac-address=1A:1B:1C:1D:1E:1F server=dhcp-LAN
/ip dhcp-server lease add address=172.16.10.20 mac-address=2A:2B:2C:2D:2E:2F server=dhcp-LAN

/ip dhcp-client add interface=ether1 use-peer-dns=no use-peer-ntp=no

/ip dns set allow-remote-requests=yes cache-max-ttl=6h max-concurrent-queries=500 max-concurrent-tcp-sessions=100 servers=1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001 verify-doh-cert=yes

/ip firewall address-list add address=172.16.11.30 list=BlockAccess2Internet

/ip firewall filter add action=accept chain=input comment="Handle (input) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="Drop invalid (input)" connection-state=invalid in-interface-list=WAN
/ip firewall filter add action=drop chain=input comment="TCP non SYN scan attack input" connection-state=new in-interface-list=WAN protocol=tcp tcp-flags=!syn
/ip firewall filter add action=drop chain=input comment="Drop DHCP request from WAN" dst-port=67,68 in-interface-list=WAN protocol=udp
/ip firewall filter add action=drop chain=input comment="Drop Neighbor Discovery" dst-port=5678 in-interface-list=WAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp
/ip firewall filter add action=drop chain=input comment="Drop excess pings" protocol=icmp
/ip firewall filter add action=accept chain=input comment="<- LAN ->" connection-state=new in-interface-list=LAN
/ip firewall filter add action=drop chain=input comment="Drop else"
/ip firewall filter add action=fasttrack-connection chain=forward comment="Enable FastTracked traffic" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="Handle (forward) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="Drop invalid (forward)" connection-state=invalid in-interface-list=WAN
/ip firewall filter add action=drop chain=forward comment="TCP non SYN scan attack forward" connection-state=new in-interface-list=WAN protocol=tcp tcp-flags=!syn
/ip firewall filter add action=drop chain=forward comment="Drop access to Internet by IP list" out-interface-list=WAN src-address-list=BlockAccess2Internet
/ip firewall filter add action=accept chain=forward comment="Allow Torrent redirect" dst-port=60000,60001 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=accept chain=forward comment="<- LAN ->" in-interface-list=LAN
/ip firewall filter add action=drop chain=forward comment="Drop else"
/ip firewall filter add action=accept chain=output comment="Allow output (new)" connection-state=new
/ip firewall filter add action=accept chain=output comment="Handle (output) already established, related, untracked connections" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=output comment="Allow output to LAN" out-interface-list=LAN
/ip firewall filter add action=drop chain=output comment="Drop output everything else" log=yes log-prefix=OUT
/ip firewall nat add action=masquerade chain=srcnat comment="Access LAN to Internet (masquerade)" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment="RDP Redirect to PC1" dst-port=60000 protocol=tcp to-addresses=172.16.10.20 to-ports=3389
/ip firewall nat add action=dst-nat chain=dstnat comment="RDP Redirect to PC2" dst-port=60001 protocol=tcp to-addresses=172.16.10.30 to-ports=3389
/ip firewall raw add action=accept chain=prerouting comment="accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
/ip firewall raw add action=drop chain=prerouting comment="DDoS drop" dst-port=53 in-interface-list=WAN log-prefix=Attack protocol=udp
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log-prefix=Attack protocol=tcp

/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes

/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

/system clock set time-zone-name=Europe/Kiev

/system identity set name=hAP-ac2

/system note set show-at-login=no

/system ntp client set enabled=yes
/system ntp server set enabled=yes manycast=yes
/system ntp client servers add address=ntp.time.in.ua
/system ntp client servers add address=ntp2.time.in.ua
/system ntp client servers add address=ntp3.time.in.ua

/system routerboard settings set auto-upgrade=yes silent-boot=yes

/ip neighbor discovery-settings set discover-interface-list=LAN

/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Replace the time zone and NTP server settings as well.