Then i turn on Hotspot - MikroTik have crash in 5-10 minutes.
[admin@48:A9:8A:F1:D1:A1] > export
# 2026-04-08 18:36:12 by RouterOS 7.22.1
# software id = **ELIDED**
#
# model = L41G-2axD
# serial number =
/interface bridge
add name=bridge-5rm
add admin-mac=48:A9:8A:F1:D1:A2 auto-mac=no comment=defconf name=bridge-mgmt
/interface ovpn-client
add auth=null cipher=null connect-to=vpn.ru mac-address=FE:6B:99:EB:C1:DD \
name=ovpn-5rm user=password
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462,2472 name=ch24-5rm \
width=20mhz
add band=5ghz-ax disabled=no frequency=2427,2452,2457,2462 name=ch5-5rm width=\
20mhz
/interface wifi datapath
add bridge=bridge-5rm client-isolation=yes disabled=no name=datapath-5rm \
traffic-processing=on-capsman-secure
/interface wifi security
add authentication-types="" disabled=no encryption="" name=security-5rm
/interface wifi configuration
add channel=ch24-5rm country=Russia datapath=datapath-5rm disabled=no mode=ap \
name=cfg24-5rm security=security-5rm ssid=SSID
add channel=ch5-5rm country=Russia datapath=datapath-5rm disabled=no mode=ap \
name=cfg5-5rm security=security-5rm ssid=SSID
/ip hotspot profile
add hotspot-address=10.22.92.1 http-cookie-lifetime=1w login-by=\
cookie,http-pap,mac-cookie name=hsprof-5rm radius-location-name=\
radius-location-name use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=15m keepalive-timeout=none \
mac-cookie-timeout=1w rate-limit=7m/7m shared-users=20
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool ranges=10.22.92.2-10.22.92.254
add name=dhcp_mgmt ranges=172.16.100.20-172.16.100.254
/ip dhcp-server
add address-pool=hs-pool interface=bridge-5rm lease-time=10m name=dhcp-5rm
add address-pool=dhcp_mgmt interface=bridge-mgmt name=dhcp-mgmt
/snmp community
set [ find default=yes ] name=name
/system logging action
add name=syslog5rm remote=10.0.255.242 target=remote
/interface bridge port
add bridge=bridge-mgmt comment=defconf interface=ether2
add bridge=bridge-mgmt comment=defconf interface=ether3
add bridge=bridge-mgmt comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-mgmt list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi access-list
add action=accept disabled=no signal-range=-79..120
add action=reject disabled=no signal-range=-120..-80
/interface wifi cap
set caps-man-addresses=127.0.0.1
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge-mgmt \
package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg24-5rm
add action=create-dynamic-enabled disabled=no master-configuration=cfg5-5rm
/ip address
add address=192.168.69.1/24 comment=defconf interface=bridge-mgmt network=\
192.168.69.0
add address=10.22.92.1/24 comment="hotspot network" interface=bridge-5rm \
network=10.22.92.0
add address=172.16.100.1/24 comment=MGMT interface=bridge-mgmt network=\
172.16.100.0
/ip dhcp-client
add comment=defconf interface=ether1 name=client1
/ip dhcp-server network
add address=10.22.92.0/24 comment="hotspot network" dns-server=10.22.92.1 \
gateway=10.22.92.1
add address=172.16.100.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=172.16.100.1
/ip dns
set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.0.0/8 list=ACCEPT
add address=192.168.0.0/16 list=ACCEPT
add address=5.188.129.176/29 list=ACCEPT
add address=172.16.100.0/24 list=ACCEPT
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=accept chain=pre-hs-input dst-address=192.168.69.1
add action=accept chain=input comment="Allow LAN UDP DNS" dst-port=53 \
protocol=udp src-address=10.22.92.0/24
add action=accept chain=input comment="Allow LAN UDP DNS CAPSMAN" dst-port=53 \
protocol=udp src-address=172.16.100.0/24
add action=drop chain=input comment="Drop UDP DNS from WAN" dst-port=53 \
protocol=udp
add action=accept chain=input comment="Allow LAN TCP DNS" dst-port=53 \
protocol=tcp src-address=10.22.92.0/24
add action=accept chain=input comment="Allow LAN TCP DNS CAPSMAN" dst-port=53 \
protocol=tcp src-address=172.16.100.0/24
add action=drop chain=input comment="Drop TCP DNS from WAN" dst-port=53 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
src-address-list=!ACCEPT
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
in-interface-list=WAN
add action=drop chain=forward dst-address=10.22.92.0/24 src-address=\
10.22.92.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=accept chain=pre-hotspot dst-address=192.168.69.1
add action=masquerade chain=srcnat
/ip hotspot
add interface=bridge-5rm name=hotspot-5rm profile=hsprof-5rm
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=*5rm.ru
add dst-host=*5wifi.ru
/ip hotspot walled-garden ip
add action=accept disabled=no dst-host=5rm.ru
add action=accept disabled=no dst-host=5wifi.ru
/ip route
add distance=1 dst-address=10.0.255.0/24 gateway=10.19.0.1
/ip traffic-flow
set enabled=yes interfaces=bridge-5rm
/ip traffic-flow target
add dst-address=10.0.255.15 port=3000 version=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/radius
add address=5.188.129.179 require-message-auth=no service=hotspot timeout=10s
add address=5.188.129.180 require-message-auth=no service=hotspot timeout=10s
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=48:A9:8A:F1:D1:A1
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.8
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set accounting=no default-group=full use-radius=yes
Apr/08/2026 16:26:04 dhcp,debug,packet Server-Id = 192.168.1.1
Apr/08/2026 16:26:04 dhcp,info client1 on ether1 got IP address 192.168.1.124
Apr/08/2026 16:26:04 dhcp,debug,state client1 on ether1 entering <bound> state
Apr/08/2026 16:26:04 route,debug,calc route/calc/publish
Apr/08/2026 16:26:04 route,debug,calc route/calc/merge/input/route
Apr/08/2026 16:26:04 route,debug,calc route/calc/merge/route
Apr/08/2026 16:26:04 route,debug,calc route/calc/fwp/merge
Apr/08/2026 16:26:04 route,debug,calc Prepare queued IP/10.19.0.1/30-10/0
Apr/08/2026 16:26:04 route,debug,calc Prepare queued IP/192.168.1.1/30-10/0
Apr/08/2026 16:26:04 route,debug,calc Resolving IP/10.19.0.1/30-10/0
Apr/08/2026 16:26:04 route,debug,calc Resolving IP/192.168.1.1/30-10/0
Apr/08/2026 16:26:08 bridge,stp,debug ether2:0 role transition DESIGNATED_FORWARD
Apr/08/2026 16:26:08 bridge,stp ether2:0 forwarding
Apr/08/2026 16:26:08 route,debug,calc route/calc/merge/input/route
Apr/08/2026 16:26:08 route,debug,calc route/calc/merge/route
Apr/08/2026 16:26:08 route,debug,calc route/calc/fwp/merge
Apr/08/2026 16:26:08 route,debug,calc route/calc/publish
Apr/08/2026 16:26:08 route,debug,calc route/calc/cleanup/route
Apr/08/2026 16:26:09 bridge,stp,debug ether3 rx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3c { LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 0 cistRegionalRootId: 0x8000:04f41c8aae56 portId: 0x8001 messageAge: 0(0) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 16:26:09 bridge,stp,debug ether3:0 rcv info SuperiorDesignated
Apr/08/2026 16:26:09 bridge,stp,debug ether2 tx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3e { PROP LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 200000 cistRegionalRootId: 0x8000:48a98af1d1a2 portId: 0x8001 messageAge: 256(1) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 16:26:10 ovpn,info ovpn-5rm: initializing...
Apr/08/2026 16:26:10 ovpn,info ovpn-5rm: connecting...
Apr/08/2026 16:26:10 radvd,debug received Router Advertisement on ether1 from fe80::3e81:d8ff:fe10:44d5
Apr/08/2026 16:26:10 radvd,debug router valid: 0
Apr/08/2026 16:26:10 radvd,debug neighbor fe80::3e81:d8ff:fe10:44d5 on interface ether1 uses other stateful configuration
Apr/08/2026 16:26:10 radvd,debug prefix:fd6a:18b1:f9e7::/64, valid:4294967295, pref:4294967295, onlink:1, autonom:1
Apr/08/2026 16:26:10 ovpn,info ovpn-5rm: disconnected <could not connect>
Apr/08/2026 16:26:10 ovpn,info ovpn-5rm: terminating... - could not connect
Apr/08/2026 16:26:10 ovpn,info ovpn-5rm: disconnected
Apr/08/2026 16:26:10 ntp,debug tx dst:216.239.35.8
Apr/08/2026 16:26:10 ntp,debug rx src:216.239.35.8 dst:192.168.1.124
Apr/08/2026 16:26:10 ntp,debug Message offset:6771.122033 delay:0.036046 disp:0.000002
Apr/08/2026 16:26:10 ntp,debug Checking peer (216.239.35.8). Peer is: FIT
Apr/08/2026 16:26:10 ntp,debug System peer changed to: 216.239.35.8
Apr/08/2026 18:19:01 ntp,debug System time changing step: 6771.122011
Apr/08/2026 18:19:01 system,clock,critical,info ntp change time Apr/08/2026 16:26:10 => Apr/08/2026 18:19:01
Apr/08/2026 18:19:01 ntp,debug System clock stepped, resetting all peers
Apr/08/2026 18:19:02 bridge,stp,debug ether3 rx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3c { LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 0 cistRegionalRootId: 0x8000:04f41c8aae56 portId: 0x8001 messageAge: 0(0) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 18:19:02 bridge,stp,debug ether3:0 rcv info SuperiorDesignated
Apr/08/2026 18:19:02 ntp,debug (216.239.35.8) unreachable and iburst enabled. Send burst
Apr/08/2026 18:19:02 ntp,debug tx dst:216.239.35.8
Apr/08/2026 18:19:02 ntp,debug rx src:216.239.35.8 dst:192.168.1.124
Apr/08/2026 18:19:02 ntp,debug Message offset:0.001536 delay:0.036190 disp:0.000002
Apr/08/2026 18:19:03 bridge,stp,debug ether2 tx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3e { PROP LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 200000 cistRegionalRootId: 0x8000:48a98af1d1a2 portId: 0x8001 messageAge: 256(1) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 18:19:04 bridge,stp,debug ether3 rx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3c { LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 0 cistRegionalRootId: 0x8000:04f41c8aae56 portId: 0x8001 messageAge: 0(0) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 18:23:28 bridge,stp,debug ether3:0 rcv info SuperiorDesignated
Apr/08/2026 18:23:29 bridge,stp,debug ether2 tx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3e { PROP LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 200000 cistRegionalRootId: 0x8000:48a98af1d1a2 portId: 0x8001 messageAge: 256(1) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 18:14:01 dhcp,debug dhcp-mgmt on bridge-mgmt sending ack with id 2373276073 from 192.168.69.1:67 (48:A9:8A:F1:D1:A2) to 172.16.100.235:68 (00:12:41:55:49:0B) (network only)
Apr/08/2026 18:14:01 dhcp,debug,packet ciaddr = 0.0.0.0
Apr/08/2026 18:14:01 dhcp,debug,packet yiaddr = 172.16.100.235
Apr/08/2026 18:14:01 dhcp,debug,packet siaddr = 192.168.69.1
Apr/08/2026 18:18:18 bridge,stp,debug ether3 rx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3c { LEARN FWD DSGN } cistRootId: 0x8000:04f41c8aae56 cistEpc: 0 cistRegionalRootId: 0x8000:04f41c8aae56 portId: 0x8001 messageAge: 0(0) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 18:18:18 bridge,stp,debug ether3:0 rcv info SuperiorDesignated
Apr/08/2026 18:18:18 bridge,stp,debug cap-wifi1 tx bpdu protoId: 0x0 protoVer: 0x2 type: 0x2 flags: 0x3c { LEARN FWD DSGN } cistRootId: 0x8000:48a98af1d1a5 cistEpc: 0 cistRegionalRootId: 0x8000:48a98af1d1a5 portId: 0x8001 messageAge: 0(0) maxAge: 5120(20) helloTime: 512(2) forwardDelay: 3840(15) version1Length: 0
Apr/08/2026 16:25:54 system,error,critical router was rebooted without proper shutdown, probably kernel failure
Apr/08/2026 16:25:54 route,rpki,debug stats roas 0 roa 0 nodes4 0 nodes6 0
Apr/08/2026 16:25:54 route,rpki,debug wipe stats roas 0 roa 0 nodes4 0 nodes6 0