Hi,
i want to ask you, my internet finished at bilion(adsl router).I got Public IP, also i connected rb433 to that router via lan. My quastion is, can i access to rb433 by VPN from outside? i need to apply rules on NAT but i have no idea.
You are NAT-ing traffic twice. So or you wanna DMZ your Mikrotik or forward ports for VPN to Mikrotik. First solution is easier to configure, 2nd depends on protocol you gonna use.
If you do not have any other hosts connected to modem, you can use DMZ form modem to MT, or even reconfigure modem to bridge and get public IP on MT directly, which would be best solution.
i was thing about your last,but on my billion n7800, i couldn’t see bridge mode.Just i want to access to my RB i dont need DMZ, just access from outside.
You can switch modem to bridge ( i just checked in manual for that modem). Path is : Configuration, WAN port - protocol “Pure Bridge”. But anyway you need username/pass combo to setup PPPoE client ( assuming your ISP is authenticating you this way). This you can get from your ISP.
As for port-forward, what type of VPN are you going to setup? PPTP, IPSEC…?
i wan to use L2TP/IPSEC, i need to implement some rouls in NAT…did you do before same things?
Pozdrav is Makedonije 
You should nat 1701, 4500 and 500 UDP, form Billion to MT.
i’ve been opening port for winbox,ssh,telnet…but this port for l2tp dose’t work.
Are you accepting connections to these ports on WAN interface on mikrotik?
Hows your firewall configured?
im using this rules ,but if im going to disable…same thing
Well,
Because of default deny you need to accept mentioned ports in input chain, and place them above default deny.