External WAN ETH1
Default config
Internal LAN ETH2
Default config
DHCP on ETH2
Default config
10.1.1.0/24 on ETH2
You'll need to change the various LAN addresses from the default of 192.168.88.x to 10.1.1.x. There are 3 main places.
- /ip address for ether2-local-master
- /ip dhcp-server network
- /ip pool for default-dhcp
NAT outbound traffic from LAN to WAN using WAN's IP.
Default config
Allow inbound from WAN to LAN for winbox managing
Not actually to the LAN, but to the router itself. Do you really need to manage the router from the WAN side, rather than from a machine on the LAN? This will involve adding a simple accept rule to the input chain. I'd strictly limit the source addresses allowed.
port forward 446 to 10.1.1.5
port forward 3389 to 10.1.1.6
You'll need to add a couple of /ip firewall nat rules to map those ports in and a couple of accept rules in the forward chain. Be careful though, RDP is currently a *very* popular service to attack.
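
The steps from the reply above written out as RouterOS commands, as an added example that is not part of the original post. Assumptions: the WAN interface is named `ether1-gateway`, the router takes 10.1.1.1, Winbox listens on its default TCP port 8291, and 203.0.113.10 is a constructed placeholder for the single admin address allowed in from the WAN. Limiting RDP to that same list is a choice made here, not something the post specifies.

```routeros
# Added example. 203.0.113.10 is a constructed placeholder address and
# ether1-gateway an assumed WAN interface name; adjust both to your setup.

# 1. Move the LAN from 192.168.88.x to 10.1.1.x (the three places listed).
#    Run this from the console or expect the LAN session to drop.
/ip address set [find interface=ether2-local-master] address=10.1.1.1/24 network=10.1.1.0
# Pool starts at .10 so the forward targets .5 and .6 are never leased out.
/ip pool set [find name=default-dhcp] ranges=10.1.1.10-10.1.1.254
/ip dhcp-server network set [find address=192.168.88.0/24] address=10.1.1.0/24 gateway=10.1.1.1 dns-server=10.1.1.1

# 2. Winbox from the WAN: input chain (traffic to the router itself),
#    accepted only from the address list, never from any source.
/ip firewall address-list add list=wan-admin address=203.0.113.10 comment="constructed sample admin address"
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 in-interface=ether1-gateway src-address-list=wan-admin comment="winbox from wan-admin only"

# 3. Port forwards: dst-nat maps the WAN port to the internal host.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=446 in-interface=ether1-gateway to-addresses=10.1.1.5 to-ports=446 comment="446 to 10.1.1.5"
# RDP is heavily attacked, so this mapping only matches the admin list.
/ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=3389 in-interface=ether1-gateway src-address-list=wan-admin to-addresses=10.1.1.6 to-ports=3389 comment="rdp to 10.1.1.6, wan-admin only"

# 4. Matching accepts in the forward chain (dst-address is the post-NAT one).
/ip firewall filter add chain=forward action=accept protocol=tcp dst-address=10.1.1.5 dst-port=446 in-interface=ether1-gateway comment="forwarded 446"
/ip firewall filter add chain=forward action=accept protocol=tcp dst-address=10.1.1.6 dst-port=3389 in-interface=ether1-gateway src-address-list=wan-admin comment="forwarded rdp, wan-admin only"
```

New filter rules are appended at the end of their chain, so check the order with `/ip firewall filter print` and use `move` to place each accept above any drop rule that would otherwise match first.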