There are 2 local nets: 192.168.2.0/24 (special accounts) and 10.0.200.0/24 (common accounts)
Common accounts are forbidden to enter special accounts. I isolated nets for this purpose by adding RULES in ROUTE LIST:
192.168.2.0/24 is unreachable for 10.0.200.0/24
All was working good.
But now I should allow some IPs in 10.0.200.0/24 to get access for some IPs in 192.168.2.0/24.
I don’t know how to do it.
You could insert a rule before what you have blocking the specific IP you want to allow
ip firewall filter add chain=forward src-address=10.0.200.15 dst-address=192.168.2.33 action=accept
.
.
.
.
ip firewall filter add chain=forward src-address=10.0.200.0/24 dst-address=192.168.2.0/24 action=drop
Thank you very much for solving problem. Now all works as I wanted.