Fri Nov 06, 2020 10:49 am
If you want to avoid scripting, you can make a firewall-only setup, where the teacher would be pinging the devices to which RDP access needs to be allowed, so firewall rules would add destination addresses pinged from the source address of the teacher's PC to an address-list, and the rules permitting RDP access will match on that address-list. But I like your suggestion more - switching the access off and on by logging in to and out of a VPN account is quite neat. Or, if the router has PoE out, you can even enable and disable the firewall rules for RDP using a hardware switch :)
No matter what control method you choose, don't forget that when the default firewall rules are used, where "accept established" is the first one in the forward chain (leaving aside fasttracking which complicates things even more), the selective rules only affect the establishing of new connections, but once a connection gets established, the "accept established" rule allows its packets to flow until the connection gets terminated by one of the endpoints. So to forcefully terminate existing RDP connections once the teacher stops pinging a machine and the corresponding record in the address-list expires, you need to place rules like action=reject reject-with=tcp-reset protocol=tcp dst-port=3389 dst-address-list=!permitted-machines before the "accept established" one.
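The firewall-only variant described in the post, written out as an added RouterOS example (not taken from the post or from the MikroTik default configuration). The teacher's PC address 192.168.88.10 and the student LAN 192.168.88.0/24 are assumed placeholders; the address-list name permitted-machines is the one used above.

```routeros
# Added example, not from the post. Assumed placeholders:
#   teacher PC   = 192.168.88.10
#   student LAN  = 192.168.88.0/24
/ip firewall filter

# 1. Learn RDP targets from the teacher's pings: every ICMP echo-request
#    (type 8, code 0) forwarded from the teacher's PC adds its destination to
#    "permitted-machines" for 10 minutes. add-dst-to-address-list is a
#    passthrough action, so the ping itself continues down the chain.
add chain=forward action=add-dst-to-address-list \
    address-list=permitted-machines address-list-timeout=10m \
    protocol=icmp icmp-options=8:0 src-address=192.168.88.10 \
    comment="learn RDP targets from teacher pings"

# 2. Reset RDP sessions to LAN machines that are not (or no longer) on the list.
#    place-before=0 puts this rule at the top of the chain, i.e. ahead of the
#    default "accept established" rule; otherwise an established RDP session
#    would keep flowing after the address-list entry expires.
add chain=forward action=reject reject-with=tcp-reset \
    protocol=tcp dst-port=3389 dst-address=192.168.88.0/24 \
    dst-address-list=!permitted-machines place-before=0 \
    comment="reset RDP to machines not on the list"

# 3. Explicitly accept new RDP connections to listed machines. Only needed if a
#    later rule in the forward chain would otherwise drop LAN-to-LAN traffic.
add chain=forward action=accept protocol=tcp dst-port=3389 \
    dst-address-list=permitted-machines \
    comment="RDP to permitted machines"
```

If the default fasttrack-connection rule is present in the forward chain, rule 2 must also sit ahead of it, because fasttracked packets bypass the filter rules entirely; `place-before=0` covers that case. The 10-minute timeout is the grace period between the teacher's last ping and the session reset.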