Mikrotik
Vitaly Tokarenko, 2016-04-08 18:08:17

Open Mikrotik ports after basic setup. Is there a danger?

I set up a gateway based on a Mikrotik CRS125 in the basic configuration (after a full reset),
disabled unnecessary ports in services, opened a port for VPN, forwarded a port for RDP,
and scanned for open ports. Here is the output:
22/tcp   open     ssh        MikroTik RouterOS sshd (protocol 2.0)
135/tcp  filtered msrpc
443/tcp  open     ssl/https?
1723/tcp open     pptp       MikroTik
(Firmware: 1)
I.e., in addition to the 22, 1723 and 3389 I asked for, more ports lit up. Can anyone tell me whether there is any danger in this set?

3 answers
Nikita Sizov, 2016-04-10
@vitaliy_t1

The last two look like NAT at work. 443 - the Mikrotik web server, 8291 - Winbox (the software for managing Mikrotik), 2000 - see the description.
Why not open the ones you need in the firewall and close the rest? Then you don't have to figure it out.
For you it will look something like this (I haven't tested it, I'm writing from memory):
/ip firewall filter
# 1. LAN hosts may go out to the Internet (replace the placeholder with your LAN subnet)
add chain=forward src-address=<local subnet> action=accept
# 2. PPTP (1723) and SSH (22) to the router itself
add chain=input protocol=tcp dst-port=22,1723 action=accept
# 3. PPTP also needs GRE (IP protocol 47)
add chain=input protocol=gre action=accept
# 4. RDP forwarded to the terminal server; dst-nat has already rewritten the
#    destination when the forward chain sees the packet, so match the internal address
add chain=forward protocol=tcp dst-port=3389 dst-address=<terminal server address> action=accept
# Return traffic of connections allowed above: without these two rules the
# replies to LAN and RDP sessions (src-address on the Internet side) hit the drops below
add chain=input connection-state=established,related action=accept
add chain=forward connection-state=established,related action=accept
# 5. and 6. drop everything else to the router and everything else routed through it
add chain=input action=drop
add chain=forward action=drop
1. We allow local hosts to go out to the Internet. Everything is open here; I usually open only http and https, the rest as needed.
2. Allow incoming connections on 1723 (pptp) and 22 (Mikrotik control via SSH). Using the standard port, by the way, is not safe, but here they suggested a very cool thing.
3. PPTP also needs the GRE protocol.
4. RDP access to the terminal server, or whatever you have.
5. We drop all other incoming connections.
6. And all other routed ones (through NAT, for example) too.

CityCat4, 2016-04-08
@CityCat4

Well, 443 is the web interface. 8291 is winbox. The rest I don't know.

paxlo, 2016-04-20
@paxlo

Disable everything except the main management tool. The safest (and convenient) option is ssh; move it to a non-standard port.
# run this from an SSH session: everything else is switched off below
/ip ssh set strong-crypto=yes
# stop announcing the router via MNDP/CDP/LLDP on every interface
/ip neighbor discovery set [find] discover=no
# no MAC-telnet / MAC-winbox / MAC-ping on any interface
# (RouterOS 6.41 and later use interface lists instead: set allowed-interface-list=none)
/tool mac-server set [find] disabled=yes
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server ping set enabled=no
# turn off every IP service except ssh, then move ssh to a non-standard port
/ip service disable [find where name!=ssh]
/ip service set ssh port=34567
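The asker found the extra ports by hand-reading the nmap output; the check below is an added example (mine, not from any of the answers) that does the same comparison mechanically: it parses nmap's normal-output port lines, diffs the open TCP ports against the set you intended to expose, and for each unexpected one names the RouterOS 6.x service that listens there by default and the command that disables it. The port-to-service table assumes the stock /ip service ports (21 ftp, 23 telnet, 80 www, 443 www-ssl, 8291 winbox, 8728/8729 api) and the bandwidth-test server on 2000; the sample scan is constructed from the output in the question plus the 8291 and 2000 ports the answers mention. "filtered" lines are ignored: nmap got no answer there, so nothing on the router is listening.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Default TCP listeners of a freshly reset RouterOS 6.x box (stock /ip service
# ports plus /tool bandwidth-server), mapped to the command that turns each off.
# Assumption: stock port numbers; a port outside this table is reported as "unknown".
ROUTEROS_SERVICES: Dict[int, Tuple[str, Optional[str]]] = {
    21:   ("ftp",            "/ip service disable ftp"),
    22:   ("ssh",            "/ip service disable ssh"),
    23:   ("telnet",         "/ip service disable telnet"),
    80:   ("www",            "/ip service disable www"),
    443:  ("www-ssl",        "/ip service disable www-ssl"),
    2000: ("bandwidth-test", "/tool bandwidth-server set enabled=no"),
    8291: ("winbox",         "/ip service disable winbox"),
    8728: ("api",            "/ip service disable api"),
    8729: ("api-ssl",        "/ip service disable api-ssl"),
}

# One port line of nmap's normal output, e.g.
# "22/tcp   open  ssh  MikroTik RouterOS sshd (protocol 2.0)".
# "open|filtered" is listed before "open" so the alternation cannot cut it short.
PORT_LINE = re.compile(
    r"^\s*(\d+)/(tcp|udp)\s+(open\|filtered|open|filtered|closed)\b")

# Constructed sample: the question's scan plus the 8291 and 2000 lines the answers refer to.
SAMPLE_SCAN = """\
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            MikroTik RouterOS sshd (protocol 2.0)
135/tcp  filtered msrpc
443/tcp  open     ssl/https?
1723/tcp open     pptp           MikroTik
2000/tcp open     bandwidth-test
3389/tcp open     ms-wbt-server
8291/tcp open     unknown
"""

# What the asker meant to expose: SSH, PPTP, and the forwarded RDP port.
INTENDED: Set[int] = {22, 1723, 3389}


def parse_open_ports(nmap_output: str) -> List[int]:
    """Return the sorted TCP ports nmap reports as 'open' (a real listener).
    'filtered' means no reply at all and 'closed' means RST, so neither counts."""
    ports = set()
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            ports.add(int(m.group(1)))
    return sorted(ports)


def audit(nmap_output: str, intended: Set[int]) -> Dict[str, object]:
    """Diff the scan against the intended exposure.
    'unexpected' lists (port, service name, disable command) for every open port
    that was not intended; 'missing' lists intended ports that did not show up."""
    open_ports = parse_open_ports(nmap_output)
    unexpected = []
    for port in open_ports:
        if port not in intended:
            name, cmd = ROUTEROS_SERVICES.get(port, ("unknown", None))
            unexpected.append((port, name, cmd))
    missing = sorted(intended - set(open_ports))
    return {"open": open_ports, "unexpected": unexpected, "missing": missing}


if __name__ == "__main__":
    result = audit(SAMPLE_SCAN, INTENDED)
    print("open TCP ports:", result["open"])
    for port, name, cmd in result["unexpected"]:
        print(f"unexpected {port}/tcp ({name}): {cmd or 'no built-in service known, check dst-nat'}")
    if result["missing"]:
        print("intended but not open:", result["missing"])
```

Run it against a real scan with `audit(open("scan.txt").read(), {22, 1723, 3389})`; on the constructed sample it flags 443 (www-ssl), 2000 (bandwidth-test) and 8291 (winbox), which is exactly the set the answers identify. Note that the table only knows the router's own services: an unexpected port that is really a dst-nat forward shows up as "unknown" and has to be fixed in /ip firewall nat, not /ip service. Rescan after applying the fixes; with an input-chain drop rule in place the ports should come back as filtered rather than closed.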
