Guys, I know that a long time has passed, but I had a very busy year behind me (who didn't?!) and very little opportunity for "side projects".
Thanks also to ZeroByte's excellent instructions, so far I have managed to (I changed the /24 local subnet for clients from 192.168.x.0/24 to 10.0.0.0/24 for testing reasons: 192.168.0.0/24 is my office LAN, and the 0.101 address is assigned to the MikroTik WAN):
- add 18.104.22.168/29 blackhole - working as expected:
/ip route
add dst-address=22.214.171.124/29 type=blackhole
- 1:1 mapping of the 126.96.36.199 address to 10.0.0.199 - working as expected
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.199 dst-address=188.8.131.52
add chain=srcnat action=src-nat to-addresses=184.108.40.206 src-address=10.0.0.199
- a test filter for the above mapping, allowing a few MTA services to/from 10.0.0.199 - working as expected
/ip firewall filter
add chain=forward dst-address=10.0.0.199 protocol=tcp dst-port=25,110 action=accept
add chain=forward dst-address=10.0.0.199 action=drop
TO DO (I will keep you posted):
1. first of all, I need to use one of the 220.127.116.11/29 IPs (let's say 18.104.22.168) for masquerading multiple general LAN clients, while keeping the critical-service machines inside (such as the MTA above) on their own 2.2.2.x IP.
2. later on, and somewhat trickier - I don't have the slightest idea how to do this: I need to assign one public IP to a specific device. It's a critical device which needs its own public IP, already configured, without access to change that.
This could probably be done more easily by routing the 22.214.171.124/29 subnet directly and assigning one IP to a virtual interface on the MikroTik. That is the actual setup at the location, in fact. Moreover, the device does not need any kind of "protection"/filtering. It's a hardware device with only 2 ports open in the firmware, and those 2 ports should be accessible from anywhere. This would lead me to have all LAN clients masqueraded through the link IP, which I can live with.
If it's possible, I'd also like to have a combination of 1. and 2., i.e. having both mappings and routing for the same /29 subnet. If you have any idea ...
Guys, it's still WIP, and it's not "on fire"!
I will revert, as said above!
In the meantime I wish you happy and nice holidays!
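One way to lay out item 1 next to the existing 1:1 mapping, as an added example (not from the original post, ZeroByte's instructions or MikroTik): the public addresses are placeholders (PUB_MTA for the /29 address mapped 1:1 to the MTA, PUB_LAN for the /29 address shared by general LAN clients) and the WAN interface name ether1-wan is assumed. The parts the post's snippet does not show are the rule order (RouterOS evaluates NAT rules top to bottom, so the 1:1 rules must sit above the catch-all src-nat) and an established/related accept, without which the per-host drop also discards replies to connections the MTA itself opens.

```routeros
# Added example, not the original poster's configuration.
# PUB_MTA / PUB_LAN are placeholders for two addresses of the /29;
# ether1-wan is an assumed interface name.
/ip firewall nat
# 1:1 mapping for the MTA, kept first so it wins over the catch-all below
add chain=dstnat dst-address=PUB_MTA action=dst-nat to-addresses=10.0.0.199 comment="MTA 1:1 in"
add chain=srcnat src-address=10.0.0.199 action=src-nat to-addresses=PUB_MTA comment="MTA 1:1 out"
# Everything else in 10.0.0.0/24 leaves via PUB_LAN (many-to-one)
add chain=srcnat src-address=10.0.0.0/24 out-interface=ether1-wan action=src-nat to-addresses=PUB_LAN comment="general LAN"

/ip firewall filter
# Replies to connections any LAN host (including the MTA) initiated
add chain=forward connection-state=established,related action=accept
# Only the MTA's published services may be reached from outside
add chain=forward dst-address=10.0.0.199 connection-state=new protocol=tcp dst-port=25,110 action=accept
add chain=forward dst-address=10.0.0.199 action=drop
```

Hosts other than the MTA still need their own forward-chain policy; the drop above only covers traffic aimed at 10.0.0.199.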