/export hide-sensitive file=anynameyouwish
This is the output, with some things edited out that I think would just make this thread long: the dst-nat lines for the web server, IP cameras, SSH server, etc. have been removed.
# apr/07/2020 20:10:38 by RouterOS 6.46.4
# Interface layout: one bridge, three renamed ethernet ports, a PPPoE client
# that runs over ether1-GLOBAL, and the WAN/LAN interface lists that the
# firewall rules match on.
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-GLOBAL
set [ find default-name=ether2 ] name=ether2-iNFINITUM
set [ find default-name=ether3 ] name=ether3-LAN
/interface pppoe-client
# add-default-route=yes lets the PPPoE session install its own default route,
# in addition to the static default routes under /ip route.
# user= appears to have been masked by the poster before publishing.
add add-default-route=yes disabled=no interface=ether1-GLOBAL name=\
pppoe-GlobalPCNet user=XXXXXX
/interface list
# Only the list names are created here; membership is assigned under
# /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall layer7-protocol
# Pattern referenced by the two "NO JUNK" forward rules to block the listed
# sites for LAN clients.
# NOTE(review): the dots are unescaped, so each "." matches any character, and
# the bare "facebook" alternative already covers "facebook.com".
# NOTE(review): layer7 matching inspects payload at the start of a connection.
# On port 443 that payload is TLS, so at most a cleartext server name in the
# handshake can match. Treat this as a convenience filter rather than an
# enforcement control; the tls-host matcher or DNS-based blocking is the usual
# alternative - confirm against the RouterOS version in use.
add name=NOPERMITIDO regexp="^.+(facebook.com|youtube.com|netflix.com|mercadol\
ibre.com|twitter.com|amazon.com|amazon.com.mx|instagram.com|facebook|snapc\
hat.com).*\$"
# LAN addressing: DHCP hands out 192.168.10.25-100 with a one-hour lease.
/ip pool
add name=dhcp_pool0 ranges=192.168.10.25-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge lease-time=1h name=\
dhcp1
/interface bridge port
add bridge=bridge interface=ether3-LAN
/interface list member
# LAN = bridge; WAN = the PPPoE session and ether2-iNFINITUM.
# NOTE(review): ether1-GLOBAL itself is in neither list, although it carries
# the 216.x.x.x/28 address below. Firewall and NAT rules that match on
# in-interface-list=WAN / out-interface-list=WAN therefore do not apply to
# packets that enter or leave directly on ether1-GLOBAL - confirm whether it
# should be a WAN member.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=pppoe-GlobalPCNet list=WAN
add comment=defconf interface=ether2-iNFINITUM list=WAN
/ip address
# The public address was masked by the poster (216.x.x.x).
# NOTE(review): the LAN address is bound to ether3-LAN, which is also a bridge
# port, while the DHCP server listens on "bridge"; addresses normally belong on
# the bridge rather than on a member port - confirm.
add address=216.x.x.x/28 interface=ether1-GLOBAL network=216.x.x.x
add address=192.168.10.1/24 interface=ether3-LAN network=192.168.10.0
/ip dhcp-client
# The second uplink (ether2-iNFINITUM) gets its address by DHCP.
add disabled=no interface=ether2-iNFINITUM
/ip dhcp-server network
# Clients are told to use the router itself as gateway and DNS server.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
# The router is the LAN's resolver (the DHCP network hands out 192.168.10.1 as
# dns-server) and forwards to the three upstream servers listed here.
# allow-remote-requests=yes makes it answer queries arriving on any interface,
# so the input chain has to keep port 53 closed toward the internet. The
# "deny dns" rules and the "drop all not coming from LAN" rule in
# /ip firewall filter are what prevent it from acting as an open resolver;
# keep them in place whenever this setting is enabled.
set allow-remote-requests=yes servers=1.1.1.1,208.67.220.123,9.9.9.9
/ip firewall filter
# Rules are evaluated top to bottom and the first match decides, so the order
# below is part of the policy.
# Accepts ICMP arriving on WAN-list interfaces. The later "defconf: accept
# ICMP" rule accepts ICMP from every interface, so this rule is redundant.
add action=accept chain=input comment="allow all" in-interface-list=WAN \
protocol=icmp
# Site blocking: drops TCP 80/443 from LAN hosts .2-.100 toward the WAN list
# when the NOPERMITIDO layer7 pattern matches. Hosts at 192.168.10.101 and
# above are outside src-address and are not filtered.
add action=drop chain=forward comment="NO JUNK" dst-port=80,443 \
layer7-protocol=NOPERMITIDO out-interface-list=WAN protocol=tcp \
src-address=192.168.10.2-192.168.10.100
# Same match for UDP 80/443.
add action=drop chain=forward comment="NO JUNK" dst-port=80,443 \
layer7-protocol=NOPERMITIDO out-interface-list=WAN protocol=udp \
src-address=192.168.10.2-192.168.10.100
# Closes the router's DNS service (allow-remote-requests=yes) toward the
# WAN-list interfaces. ether1-GLOBAL is not a WAN-list member, so queries
# arriving directly on it are only caught by the "drop all not coming from
# LAN" rule further down.
add action=drop chain=input comment="deny dns" dst-port=53 in-interface-list=\
WAN protocol=tcp
add action=drop chain=input comment="deny dns" dst-port=53 in-interface-list=\
WAN protocol=udp
# Default-configuration input chain: allow return traffic, drop invalid,
# allow ICMP, then drop everything that did not arrive from the LAN list.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# This is the rule that keeps router services unreachable from the internet;
# everything not from the LAN list is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Default-configuration forward chain.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Fasttrack is disabled here, so forwarded packets keep traversing the filter
# rules in this chain.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log-prefix=Invalid-
# Drops new connections from the WAN list unless a dst-nat rule translated
# them. The dst-nat rules themselves (web server, IP cameras, SSH server) were
# removed from this listing by the poster; whatever they publish is accepted
# from any source address unless the NAT rules restrict it.
# NOTE(review): there is no final drop in the forward chain and this rule only
# matches in-interface-list=WAN, so new connections entering directly on
# ether1-GLOBAL (not a WAN-list member) are not dropped by it - confirm.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for outbound traffic. The first rule already masquerades
# everything leaving through a WAN-list interface (pppoe-GlobalPCNet and
# ether2-iNFINITUM), so the two interface-specific rules below it are shadowed
# and never match.
# NOTE(review): none of the three rules matches traffic leaving directly
# through ether1-GLOBAL, which is not in the WAN list - confirm whether LAN
# traffic is ever routed out that way (the "validate primary" route uses
# gateway 216.x.x.x).
# The dst-nat rules for the web server, IP cameras and SSH server were removed
# from this listing by the poster; they are the internet-facing exposure of
# this router and are worth reviewing separately (source-address restrictions
# for the cameras and SSH in particular).
add action=masquerade chain=srcnat comment=PPPOE out-interface-list=WAN
add action=masquerade chain=srcnat comment=PPPOE out-interface=\
pppoe-GlobalPCNet
add action=masquerade chain=srcnat comment=PPPOE ipsec-policy=out,none \
out-interface=ether2-iNFINITUM
/ip route
# Dual-ISP failover built on recursive routes. The two /32 "validate" routes
# at the bottom pin 8.8.8.8 to the primary gateway (216.x.x.x) and 8.8.4.4 to
# the secondary gateway (192.168.1.254). The ISP1/ISP2 routes carry no
# dst-address (default routes) and use those two addresses as gateways with
# check-gateway=ping.
# NOTE(review): failover therefore depends on ICMP replies from two
# third-party hosts, and LAN traffic to 8.8.8.8 / 8.8.4.4 is always pinned to
# one uplink.
# NOTE(review): the routes carrying routing-mark=ISP2-OUT only apply to
# traffic that has that mark. No /ip firewall mangle section appears in this
# listing (it may have been trimmed), so confirm where the mark is set.
add comment=secondary distance=2 gateway=192.168.1.254 routing-mark=ISP2-OUT
add comment="EMAIL Priority 1" distance=3 gateway=8.8.4.4 routing-mark=\
ISP2-OUT target-scope=40
add comment="EMAIL priority 2" distance=6 gateway=8.8.8.8 routing-mark=\
ISP2-OUT target-scope=40
# Main-table default routes: ISP1 preferred (distance=1), ISP2 as backup.
add check-gateway=ping comment=ISP1 distance=1 gateway=8.8.8.8 target-scope=\
40
add check-gateway=ping comment=ISP2 distance=2 gateway=8.8.4.4 target-scope=\
40
# Host routes that force each probe address out through one specific uplink.
add comment="validate secondary" distance=1 dst-address=8.8.4.4/32 gateway=\
192.168.1.254
add comment="validate primary" distance=1 dst-address=8.8.8.8/32 gateway=\
216.x.x.x
Thank you for the help.