aroundi
just joined
Topic Author
Posts: 10
Joined: Wed Dec 16, 2020 3:15 am

Port Forward Using FQDN

Wed Dec 16, 2020 3:39 am

Hello,

I will be provisioning a hAP AC2, my first MikroTik, this week. I have not installed or accessed the equipment yet and am researching how to configure it using Winbox. The setup requires admin access to a PBX behind a NAT.

Is it possible to limit access to forwarded ports to specified FQDN(s)? Say, using Src Address or an address list in NAT Rule, or possibly some other way? I've scoured the internet and I'm still none the wiser.

Any help / direction is much appreciated.
 
sindy
Forum Guru
Posts: 11367
Joined: Mon Dec 04, 2017 9:19 pm

Re: Port Forward Using FQDN

Wed Dec 16, 2020 9:32 am

A VPN is always a better option, especially if the management protocol is a plaintext one (in the encryption sense), but if you insist, you can use an address-list where the address fields are set to FQDNs; each such item gets resolved to an IP address (or a list of addresses), which are added as dynamic rows to the same address-list; once the TTL of the DNS response expires, the process repeats. So it would be something like:

/ip firewall address-list
# each FQDN entry is resolved by the router and the resulting IP(s) appear as dynamic rows in the same list
add list=permitted-pbx-managers address=some.domain.name
add list=permitted-pbx-managers address=another.domain.name

/ip firewall nat
...
# only packets whose source matches the (dynamically populated) list are forwarded to the PBX
add chain=dstnat in-interface-list=WAN src-address-list=permitted-pbx-managers protocol=tcp dst-port=the-external-one action=dst-nat to-addresses=ip.of.the.pbx to-ports=the-internal-one
...
Make sure you understand how the default firewall rules work before adding the one above. If you don't need to translate the port, the to-ports item is not necessary.
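To make the timing behaviour sindy describes concrete, here is an added illustration (not RouterOS code and not part of the original reply) that models an FQDN address-list entry: the name is resolved, the answers become dynamic rows, and those rows are dropped and re-resolved only when the DNS TTL runs out. The DNS answers, addresses and TTLs are constructed for the example, and the class is a simplified model of the mechanism, not the router's implementation.

```python
from dataclasses import dataclass

# Constructed DNS answers standing in for the router's resolver: name -> (addresses, ttl_seconds).
# The names, addresses and TTLs are made up for this illustration.
FAKE_DNS = {
    "some.domain.name": (["203.0.113.10"], 300),
    "another.domain.name": (["198.51.100.7", "198.51.100.8"], 60),
}


def fake_resolve(name):
    """Stand-in for a DNS lookup; returns (addresses, ttl)."""
    return FAKE_DNS[name]


@dataclass
class DynamicRow:
    address: str
    source_fqdn: str
    expires_at: float  # moment the TTL of the DNS answer runs out


class AddressList:
    """Model of an /ip firewall address-list holding FQDN entries (simplified, not RouterOS internals)."""

    def __init__(self, name, resolver=fake_resolve):
        self.name = name
        self.resolver = resolver
        self.fqdn_entries = []  # what the admin typed as address=<fqdn>
        self.dynamic = {}       # address -> DynamicRow, the rows the router adds by itself

    def add(self, fqdn):
        self.fqdn_entries.append(fqdn)

    def refresh(self, now):
        """Drop rows whose TTL expired, then re-resolve any FQDN that has no live rows left."""
        for addr in [a for a, row in self.dynamic.items() if row.expires_at <= now]:
            del self.dynamic[addr]
        for fqdn in self.fqdn_entries:
            if not any(row.source_fqdn == fqdn for row in self.dynamic.values()):
                addresses, ttl = self.resolver(fqdn)
                for addr in addresses:
                    self.dynamic[addr] = DynamicRow(addr, fqdn, now + ttl)

    def matches(self, ip, now):
        self.refresh(now)
        return ip in self.dynamic


def dstnat_permits(address_list, src_ip, now):
    """The src-address-list check of the dst-nat rule: only listed sources get forwarded."""
    return address_list.matches(src_ip, now)


def simulate_address_change():
    """Admin host changes IP: the old address stays permitted and the new one is refused until the TTL expires."""
    dns = dict(FAKE_DNS)  # local copy so the simulation can alter the answer
    al = AddressList("permitted-pbx-managers", resolver=lambda n: dns[n])
    al.add("some.domain.name")
    al.add("another.domain.name")
    t0 = 0.0
    before = dstnat_permits(al, "203.0.113.10", t0)        # True: resolved on first use
    stranger = dstnat_permits(al, "192.0.2.99", t0)         # False: not in the list
    dns["some.domain.name"] = (["203.0.113.77"], 300)       # DNS now points at a new address
    during = dstnat_permits(al, "203.0.113.77", t0 + 100)   # False: old row still valid (TTL 300)
    after_old = dstnat_permits(al, "203.0.113.10", t0 + 301)  # False: expired and re-resolved
    after_new = dstnat_permits(al, "203.0.113.77", t0 + 301)  # True: new dynamic row in place
    return before, stranger, during, after_old, after_new


if __name__ == "__main__":
    print(simulate_address_change())  # expected: (True, False, False, False, True)
```

The simulation shows the operational consequence of leaning on DNS for a firewall decision: a change of the admin's address is honoured only after the old answer's TTL has run out, and in the meantime the old address is still permitted. That window, plus the dependence on the integrity of the DNS answer itself, is the reason the reply recommends a VPN over an FQDN-gated port forward.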
 
aroundi
just joined
Topic Author
Posts: 10
Joined: Wed Dec 16, 2020 3:15 am

Re: Port Forward Using FQDN

Fri Dec 25, 2020 1:34 am

Thanks for your help @sindy :-)