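# MikroTik RouterOS firewall export (filter + srcnat).
# Rules tagged "defconf:" are the stock RouterOS defaults; the site-specific
# ones are the L2TP/IPsec accept, the home-IP accept and the "from vpn" reject.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# One-way policy between the two networks: sessions opened from 10.0.0.0/8
# towards 192.168.1.0/24 are rejected, sessions opened from 192.168.1.0/24
# towards 10.0.0.0/8 keep working.  connection-state=new matches only the
# first packet of a connection, so replies to connections initiated from
# 192.168.1.0/24 (tracked as established/related) are never hit.  The original
# connection-state="" matched every state and would also have rejected those
# replies, breaking the allowed direction.  Kept disabled=yes as exported;
# enable it once the two address ranges are confirmed to be the right ones.
# Position matters: it must stay ahead of the forward ipsec-policy accepts
# below so VPN-sourced traffic is evaluated here first.
add action=reject chain=forward comment="from vpn" connection-state=new disabled=yes dst-address=192.168.1.0/24 log=yes reject-with=icmp-network-unreachable \
    src-address=10.0.0.0/8
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# IKE (500), L2TP (1701) and NAT-T (4500) towards the router itself, only on
# the PPPoE uplink.
add action=accept chain=input comment="L2TP Accept" dst-port=500,1701,4500 in-interface=pppoe-Internet protocol=udp
# Unrestricted management access (any protocol/port) from one fixed source
# address; the address is redacted in this export.  Review it whenever that
# external address changes.
add action=accept chain=input comment="Accept all from my home IP" src-address=9x.12x.14x.22x
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Default-deny for the input chain.  log=yes records every dropped packet
# that arrives on a non-LAN interface, which on a public uplink is noisy;
# drop log=yes here or move logging to a separate, rate-limited rule if the
# log fills up.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Everything new from WAN that was not explicitly port-forwarded is dropped;
# new connections between internal interfaces fall through to the implicit
# accept at the end of the forward chain.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT towards WAN, skipped for traffic that is about to enter an IPsec
# policy so tunnelled packets keep their internal source address.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN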
L3 — для того, чтобы за вас всё сделал провайдер.
Я хочу чтобы Петя из 192.168 мог лазить по любым ресурсам из 10.0.0.0, а Вася из 10.0.0.0 не имел доступа ни к чему из 192.168.
Под ресурсами подразумевается всё от А до Я: пинги, SMB, FTP, HTTP и любая другая хрень.