Well, you could do a selective NAT based on the blacklist - or simply have a policy route to next-hop=IP of filter box/sandbox which redirects all destination IPs to self and then replies on whatever service is desired with ye olde sandbox...
Or you could put a router in front of the sandbox and do dstnat on the sandbox router. So the real WAN router just has a policy that does a route-mark if the source IP of a packet coming in port8 is in the blacklist, then forwards to the sandbox router IP as the "default GW" - only route-mark packets coming in port8 - this way, the standard default GW still works on the replies.
So there is no blacklist currently. All internet addresses need to have this behavior. It will build a blacklist over time. So all traffic needs to be split this way. So I think that disables the selective NAT idea, unless I am misunderstanding it.
Maybe I should clarify one more point, as well.
The computer1 connected via port1 will make a request to the internet (say 22.214.171.124:53). The computer on the internet responds, trying to connect to the ephemeral port given by computer1 (like 59234 or something weird). I can see the response
Src: 126.96.36.199:53 Dst: 188.8.131.52:59234
being routed to port2Table, even though the request was started from port1.
It is VERY important that 184.108.40.206 and 220.127.116.11 are communicating. There will be one machine on 18.104.22.168, one on 22.214.171.124, etc. If 126.96.36.199 makes a request to 188.8.131.52:80, then the machine at 184.108.40.206 has to answer it. And the response going back needs to be from 220.127.116.11. So when 18.104.22.168 makes a call to 22.214.171.124:80 and 126.96.36.199:80, I can't have masquerade going on causing 188.8.131.52 and 184.108.40.206's IP addresses to be masqueraded (hidden and combined) to like 220.127.116.11 or whatever the IP address on the router's port1 is.
I'm not 100% sure what you mean about the next-hop=ip of filter. There are two different next-hops, depending on which port is being requested.
Using the third option, of another router with dstnat, I think that wouldn't allow all the outgoing requests from port1 to use their real IP addresses; it would all be masqueraded via the additional router, which would be an issue as mentioned above.
I'm not a routing expert. But I love to solve problems. I'll look more into your suggestions and see how the router behaves. It's currently processing over 2k packets/second, so there is a lot of data to look through. But it also means I can see how changes behave pretty quickly.
Thanks for your help. If you felt like offering some specific MikroTik config ideas to help, I'd definitely look over them as well.
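A concrete sketch of the route-mark design suggested earlier in the thread (the WAN router marks only packets that arrive on its uplink from a blacklisted source and hands them to a sandbox router, which does the dstnat; nothing on the WAN router src-nats the port1 hosts). This is an added example and not configuration posted by either participant: the interface names, the 10.99.0.0/30 link, the 192.168.200.0/24 sandbox subnet, the sample blacklist entry and the RouterOS v6 `routing-mark` syntax are all assumptions (on RouterOS v7 the route takes `routing-table=` and the table must first be created under `/routing table`).

```routeros
# ---- WAN router (RouterOS v6 syntax assumed) ----
# Assumed interfaces:
#   ether1 = LAN with the public-IP machines (no src-nat anywhere here, so they keep their addresses)
#   ether8 = internet uplink
#   ether9 = point-to-point link to the sandbox router
# Constructed addressing: WAN router 10.99.0.1/30, sandbox router 10.99.0.2/30
/ip address add address=10.99.0.1/30 interface=ether9

# The blacklist is an address list; entries can be added by hand or by other rules
# as it is built up over time. Constructed example entry (documentation range):
/ip firewall address-list add list=blacklist address=198.51.100.7 comment="constructed example"

# Mark ONLY packets that arrive on the uplink from a blacklisted source.
# Because the match includes in-interface=ether8, requests leaving via ether8
# and the replies to non-blacklisted hosts are never marked and keep using
# the main table and its normal default gateway.
/ip firewall mangle add chain=prerouting in-interface=ether8 \
    src-address-list=blacklist action=mark-routing \
    new-routing-mark=to-sandbox passthrough=no \
    comment="blacklisted sources -> sandbox router"

# Policy route: marked packets go to the sandbox router whatever their destination.
/ip route add dst-address=0.0.0.0/0 gateway=10.99.0.2 routing-mark=to-sandbox \
    comment="default gateway for route-marked traffic only"

# ---- Sandbox router (separate box) ----
# Assumed: ether1 faces the WAN router, sandbox host at 192.168.200.10 behind ether2
/ip address add address=10.99.0.2/30 interface=ether1
/ip address add address=192.168.200.1/24 interface=ether2
/ip route add dst-address=0.0.0.0/0 gateway=10.99.0.1

# dst-nat everything arriving from the WAN router to the sandbox host.
# Connection tracking rewrites the sandbox's replies back to the original
# destination address, so the blacklisted client sees answers coming from
# the IP it originally asked for.
/ip firewall nat add chain=dstnat in-interface=ether1 action=dst-nat \
    to-addresses=192.168.200.10 comment="all destinations -> sandbox host"
```

Two checks worth making after applying something like this: `/ip firewall mangle print stats` should show the mark-routing counter moving only for blacklisted sources, and `/ip route print where routing-mark=to-sandbox` should show the one policy route as active. The replies coming back from the sandbox router enter the WAN router on ether9 with a source address that normally lives behind ether1, so if `/ip settings get rp-filter` is `strict` those replies are dropped; `loose` or `no` is needed for this path.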