My example config below. I want to make sure it doesn’t work if a user connects something on bridge_vpn1 and sets and IP of bridge_vpn2 subnet and that way could reach something outside the policy defined for his bridge_vpn1 subnet. I know it would not work straight away because router has another IP set for this subnet but I think the client could still at least send packets to an host on a subnet he shouldn’t be able to access by directing the packet to bridge_vpn1 gateway IP but claiming a source IP of bridge_vpn2 subnet, right? But I want this to be really secure so i can be certain a user can not access anything else than the subnet of the correct bridge_vpnX policy.
/interface bridge
add name=WAN
add name=bridge_vpn1
add name=bridge_vpn2
add name=bridge_vpn3
/ip ipsec peer
add address=xxx.xxx.xxx.xxx/32 exchange-mode=ike2 name=ipsec_vpn
/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=12h
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536
/interface bridge port
add bridge=WAN interface=ether1
add bridge=bridge_vpn1 interface=ether2
add bridge=bridge_vpn2 interface=ether3
add bridge=bridge_vpn3 interface=ether4
add bridge=WAN interface=ether5
/ip address
add address=10.101.1.1/24 interface=bridge_vpn1 network=10.101.1.0
add address=10.151.1.1/24 interface=bridge_vpn2 network=10.151.1.0
add address=10.201.1.1/24 interface=bridge_vpn3 network=10.201.1.0
/ip dhcp-client
add disabled=no interface=WAN
/ip ipsec identity
# Suggestion to use stronger pre-shared key or different authentication method
add my-id=key-id:testvpn peer=ipsec_vpn remote-id=key-id:XXXX secret=XXXXXX
/ip ipsec policy
# For VPN1
add dst-address=10.100.1.0/24 peer=ipsec_vpn sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=xxx.xxx.xxx.xxx src-address=10.101.1.0/24 tunnel=yes
# For VPN2
add dst-address=10.150.1.0/24 peer=ipsec_vpn sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=xxx.xxx.xxx.xxx src-address=10.151.1.0/24 tunnel=yes
# For VPN3
add dst-address=10.200.1.0/24 peer=ipsec_vpn sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=xxx.xxx.xxx.xxx src-address=10.201.1.0/24 tunnel=yes