Некоторая защита RDP внутри сети

# Staged counter for new TCP connections to port 3389 (RDP) passing through the
# forward chain. These rules only populate address lists; nothing is dropped
# in this section.
#
# A source climbs rdp_stage1 -> rdp_stage2 -> ... -> rdp_stage5 -> rdp_drop, one
# step per new connection, as long as it is still on the previous list when the
# next connection arrives (stage1 entries live 1m, stage2-5 entries 30s).
# The rules are listed from the last stage down to the first on purpose:
# add-src-to-address-list lets the packet continue to the following rules, so
# the reverse order keeps one connection from advancing a source by more than
# one stage.
#
# NOTE(review): the counter sees connection attempts, not failed logons, so a
# legitimate client that reconnects often would presumably be listed as well;
# confirm whether trusted sources need to be excluded.
# NOTE(review): there is no in-interface matcher here, so forwarded connections
# from every interface are counted — verify this is the intended scope.
# NOTE(review): entries are added on the first packet of a connection, before
# any handshake completes, so the listed source address is not verified.
/ip firewall mangle
 
# Sixth step: a source still on rdp_stage5 is put on rdp_drop for 30 minutes.
add action=add-src-to-address-list address-list=rdp_drop address-list-timeout=30m chain=forward comment=rdp_drop connection-state=\
    new dst-port=3389 protocol=tcp src-address-list=rdp_stage5
 
# Fifth step: rdp_stage4 -> rdp_stage5 (30s).
add action=add-src-to-address-list address-list=rdp_stage5 address-list-timeout=30s chain=forward comment=rdp_stage5 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage4
 
# Fourth step: rdp_stage3 -> rdp_stage4 (30s).
add action=add-src-to-address-list address-list=rdp_stage4 address-list-timeout=30s chain=forward comment=rdp_stage4 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage3
 
# Third step: rdp_stage2 -> rdp_stage3 (30s).
add action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=30s chain=forward comment=rdp_stage3 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage2
 
# Second step: rdp_stage1 -> rdp_stage2 (30s).
add action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=30s chain=forward comment=rdp_stage2 \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=rdp_stage1
 
# First step: any source opening a new connection to 3389 goes on rdp_stage1 (1m).
# No src-address-list matcher, so this rule matches every such connection.
# NOTE(review): log-prefix is set but log=yes is not, so this rule most likely
# writes nothing to the log — confirm whether logging was meant to be enabled.
add action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=1m chain=forward comment=rdp_stage1 \
    connection-state=new dst-port=3389 log-prefix=MANGLE protocol=tcp
# Enforcement for the rdp_drop address list, done in the raw table (prerouting),
# which is evaluated before connection tracking.
/ip firewall raw
 
# Drops every packet that arrives on pppoe-out1 from a source on rdp_drop.
# There is no protocol or port matcher, so the block covers all traffic from
# that source, not only TCP/3389.
# NOTE(review): only pppoe-out1 is matched; a source on rdp_drop that reaches the
# router through another interface is not dropped by this rule — confirm this
# matches the intended scope of the protection.
# NOTE(review): log-prefix is set without log=yes, so drops are most likely not
# logged; enable logging here if blocked sources should be visible to monitoring.
add action=drop chain=prerouting comment="// ~ ~ ~ rdp_drop" in-interface=pppoe-out1 log-prefix=PRE src-address-list=rdp_drop