hAP ac^2 trunk VLAN ports from WAN and LAN bridge

Hello,
I have such device and current configuration
Device: hAP ac^2
Version: 7.3.1
WAN - ehter1
LAN - bridge(ether2, ether3, ether4)
ether5 - desired trunk port that forwards tagged lan traffic and VLAN 6 from WAN. I will untagg with switch on the next cable end.

ISP provides untagged internet traffic and IPTV on VLAN6 through ether1 (WAN). I want to take VLAN 6 and pass it to ether5 plus tagged LAN bridge traffic.

I have been configuring half a day, but I could not make it work. I only passed the VLAN 6 to the trunk port ether5, but then lost the internet from ISP. So I am doing something wrong and can’t figure out what. Could not make it work for LAN bridge.

Could someone help me with the approach how to tag the traffic for the LAN and pass the LAN 6 coming from WAN interface.

Desired network diagram

Please post your config (just ensure no public IPs are visible)

Here is my router os config. At the moment I am untagging vlan6 to ether5, but as described earlier I want ether5 to be a trunk port for vlan 6 coming from WAN and also tag lan traffic to port ether5

# jul/02/2022 19:32:46 by RouterOS 7.3.1
# software id = M4Q2-7E8G
#
# model = RBD52G-5HacD2HnD
# serial number = **********
/interface bridge
add name=TVBridge
add admin-mac=2C:AA:AA:AA:AA:C4 auto-mac=no comment="LAN bridge" name=bridge
add name=bridge-loopback

/interface vlan
add comment="TV VLAN6" interface=ether1 name=vlan6 vlan-id=6

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    wireless_ssid supplicant-identity=MikroTik
	
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX \
    country=lithuania disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge name=wlan1-2.4GHz security-profile=\
    wireless_ssid ssid=wireless_ssid wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    country=lithuania disabled=no distance=indoors frequency=5220 \
    installation=indoor mode=ap-bridge name=wlan2-5Ghz security-profile=\
    wireless_ssid ssid=wireless_ssid wireless-protocol=802.11 wps-mode=disabled

/ip ipsec policy group
add name="group 22.22.22.22"

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name="profile 22.22.22.22"

/ip ipsec peer
add exchange-mode=ike2 local-address=22.22.22.22 name="peer 22.22.22.22" \
    passive=yes profile="profile 22.22.22.22"

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name="proposal 22.22.22.22" pfs-group=none

/ip pool
add name=dhcp ranges=192.168.100.50-192.168.100.90
add name="vpn pool" ranges=10.0.70.2-10.0.70.25

/ip dhcp-server
add address-pool=dhcp interface=bridge name="LAN DHCP"

/ip ipsec mode-config
add address-pool="vpn pool" address-prefix-length=32 name=\
    "modeconf 22.22.22.22" split-include=0.0.0.0/0

/routing bgp template
set default disabled=no output.network=bgp-networks

/routing ospf instance
add disabled=no name=default-v2

/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=TVBridge ingress-filtering=no interface=\
    ether5 pvid=6
add bridge=bridge ingress-filtering=no interface=wlan1-2.4GHz
add bridge=bridge ingress-filtering=no interface=wlan2-5Ghz
add bridge=TVBridge ingress-filtering=no interface=vlan6 pvid=6

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN

/interface ovpn-server server
set auth=sha1,md5

/ip address
add address=192.168.100.254/24 interface=bridge network=192.168.100.0
add address=10.0.70.1/24 interface=bridge-loopback network=10.0.70.0

/ip dhcp-client
add interface=ether1 use-peer-dns=no

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.254,1.1.1.2 gateway=\
    192.168.100.254

/ip dns
set allow-remote-requests=yes servers=1.1.1.2

/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 log=yes protocol=\
    udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Allow UDP 500,4500IPSec for 22.22.22.22" dst-address=22.22.22.22 \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp for 22.22.22.22" \
    dst-address=22.22.22.22 protocol=ipsec-esp
add action=accept chain=input comment=\
    "IKE2: Allow ALL incoming traffic from 10.0.70.0/24 to this RouterOS" \
    ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "IKE2: Allow ALL forward traffic from 10.0.70.0/24 to HOME network" \
    dst-address=192.168.100.0/24 ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=accept chain=forward comment=\
    "IKE2: Allow ALL forward traffic from 10.0.70.0/24 to ANY network" \
    dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS from 10.0.70.0/24 to ANY" ipsec-policy=in,ipsec \
    new-mss=1360 passthrough=yes protocol=tcp src-address=10.0.70.0/24 \
    tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS from ANY to 10.0.70.0/24" dst-address=10.0.70.0/24 \
    ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=!0-1360

/ip firewall nat
add action=src-nat chain=srcnat comment=\
    "SRC-NAT IKE2:10.0.70.0/24 --> ether1 traffic" ipsec-policy=out,none \
    out-interface=ether1 src-address=10.0.70.0/24 to-addresses=22.22.22.22
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip ipsec identity
add auth-method=digital-signature certificate=***** generate-policy=\
    port-strict match-by=certificate mode-config="modeconf 22.22.22.22" \
    peer="peer 22.22.22.22" policy-template-group="group 22.22.22.22" \
    remote-certificate=*******@22.22.22.22 remote-id=\
    user-fqdn:******@22.22.22.22

/ip ipsec policy
add dst-address=10.0.70.0/24 group="group 22.22.22.22" proposal=\
    "proposal 22.22.22.22" src-address=0.0.0.0/0 template=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 dhcp-client
add disabled=yes interface=ether1 pool-name=wan-ipv6 request=prefix \
    use-peer-dns=no

/routing igmp-proxy
set quick-leave=yes

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

Interesting config, so attempting to get vlan6 to port X…
Not sure I would use a bridge to do so but lets give it a shot…

(A) You you have to assign the vlan to the bridge and not ether1 with a bridge approach…
/interface vlan
interface=TVBridge name=TV-VLAN6 vlan-id=6

(1) You will note I have renamed the vlan, TV-VLAN6 for clarity.

OKAY the real problem here is that its VLAN 6 coming from the WAN side you dont want to PVID this end its a trunk port end…
The Port X, will be the pvid end, aka your TV or tv box. However if you tv box is expecting VLAN6 than that port will also need to be a trunk port.

Thus its either
add bridge=TVBridge ingress-filtering=no interface=ether1
add bridge=TVBridge ingress-filtering=no interface=ether5 pvid=6 (tv or tv box does not read vlans)
OR
add bridge=TVBridge ingress-filtering=no interface=ether1
add bridge=TVBridge ingress-filtering=no interface=ether5 (tv or tv box has to read vlans)

(2) The vlan6 interface is technically coming in on the wan interface, but may not be required.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=TV-WAN list=WAN (not needed unless no tv traffic working and then enter it to see if it helps)

If the tv signals go from ISP to box and back without the above addition then dont add it…

(3) You are missing /interface bridge vlan rules for IPTV.
/inteface bridge vlans
add bridge=TVBridge tagged=TVBridge,ether1 untagged=ether5 vlan-ids=6 (assumes tv or tv box cannot read vlans).
add bridge=TVBridge tagged=TVBridge,ether1,ether5 vlan-ids=6 (assumes tv or tv box can read vlans).


(4) Finally after completing the above you have to activate vlan filtering…
add name=TVBridge vlan-filtering=yes

(5) Again out of my league but I dont think you can ipsec a bridge ???
/ip address
add address=10.0.70.1/24 interface=bridge-loopback network=10.0.70.0

++++++++++++++++++++++++++++
FW RULES- input

a. (Not sure why you are blocking port 53 DNS?? ) I have not seen this done and there is no need to do so,
with a proper set of input chain rules. You will see why eventually.

b. I dont think you need to specify the destination IP for ipsec but I could be wrong. IM pretty sure based on your various internal router ipsec settings that is covered but not sure.

c. I am more sure in that you don’t allow public IP complete access to your router, that defeats the purpose of IPSEC.
You allow a port to the router and the router internally then takes care of security, to me this is a RED SECURITY FLAG

d. the last rule is okay but THERE IS BETTER.
The most obvious is simply being clear and not overly clever with these two rules…
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment=“drop all else”

better is a drop all RULE for both LAN and WAN. To do this you have to be sure Two things FIRST and foremost, you as admin to maintain access to the router so you need something like…
add chain=input action=accept in-interface-list=LAN src-address=IP-of_admin_PC (or src-address-list=authorized where authorized might be comprised of admin PC, admin laptop, admin smartphone etc.)

Then you need to ensure essential services are provided to the LAN users (who dont need access to the router but for example to dns services).
add chain=input action=accept in-interface-list=LAN protocol=tcp port=53
add chain=input action=accept in-interface-list=LAN protocol=udp port=53

Then add the last rule only when the above ones are in place.
add chain=input action=drop comment=“drop all else”

/ip firewall filter
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input comment=
“Allow UDP 500,4500IPSec for 22.22.22.22” dst-address=22.22.22.22
dst-port=500,4500 protocol=udp
add action=accept chain=input comment=“Allow IPSec-esp for 22.22.22.22”
dst-address=22.22.22.22 protocol=ipsec-esp
add action=accept chain=input comment=
“IKE2: Allow ALL incoming traffic from 10.0.70.0/24 to this RouterOS”
ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

++++++++++++++++++++++++++++
Forward chain -----\

what are you trying to attempt to do here?
come in on vpn tunnel to this device and then access internet and home network??

If so the second rule does the same thing as the first rule (it includes it)

add action=accept chain=forward comment=
“IKE2: Allow ALL forward traffic from 10.0.70.0/24 to HOME network”
dst-address=192.168.100.0/24 ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=accept chain=forward comment=
“IKE2: Allow ALL forward traffic from 10.0.70.0/24 to ANY network”
dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.70.0/24

The last rule is another one I despise… its too tricky for its own good and is a half measure on the drop side.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

Much better and clearer to do the following.

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment=“allow internet traffic”
add action=accept chain=forward connection-nat-state=dstnat comment=“allow allow port forwarding”
add action=drop chain=forward comment=“drop all else”

Thank you for the answer, this helps a lot.

Do you have some insights how to pass lan brigde traffic as tagged one or make a hybrid port on ether5.

At the moment I have bridge that is called LAN and has 4 ports assigned. I want to pass packets through ether5 by making by using trunk or hybrid port configuration. Hybrid port is more acceptable for me (LAN traffic + vlan6 traffic).

Went through a lot articles, but did not figure out the proper way to handle this.

I assume to create like vlan10 and attached it to bridge (LAN) interface.
assign IP address for vlan10 interface.

Then i create HybridTrunkBridge and add vlan10 as interface with pvid 10
I also add ether5 to the HybridTrunkBridge

Add something like this /interface bridge vlan add bridge=HybridTrunkBridge tagged=HybridTrunkBridge untagged=ether5 vlan-ids=10

I dont really care to discuss config specifics until we understand the requirements.
A port function is not decided by a whim.
What is not known, is what is at the other end of port 5?
You indicated it was for IPTV from your ISP? With better communication a more rationale discussion can be had.


YOur diagram shows a switch, if so, is it a managed switch?
Where is vlan10 on your config as it is noted on the diagram?


In other words, if a managed switch indicate what each port on the switch is going to…

I am trying to achieve this

I have:
option A - use lan as untagged and vlan 6 from isp on the trunk\hybrid port. On other end switch untags vlan6 for one specific switch port
option B - use taged lan traffic and taged vlan 6 from isp (coming taged) on the trunk port. On other end switch would handle untaging

So the important questions.
The switch is a managed switch based on your diagram. Y/N
The STB or whatever it is cannot read vlans. Y/N

Switch is managed
Stb cannot read vlans, it needs untagged traffic

Okay a simplified approach…
This setup makes ether1 and ether5 hybrid ports
The single LAN is distributed to all ports, ether1 and ether5 are solely tied together for vlan6 (TV) (Trunk)
The only real gotcha here, is that you need to tie your wan IP DHCP settings or pppoe settings to wandata (not ether1)

/interface bridge
add comment=“LAN bridge” name=bridge vlan-filtering=yes
/interface vlan
add comment=wandata interface=bridge name=wandata vlan-id=11
/ip address
add address=192.168.100.254/24 interface=bridge network=192.168.100.0
/ip pool
add name=dhcp ranges=192.168.100.50-192.168.100.90
/ip dhcp-server
add address-pool=dhcp interface=bridge name=“LAN DHCP”
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.254,1.1.1.2 gateway=
192.168.100.254
/interface bridge port
add bridge=bridge interface=ether1 pvid=11
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
dd bridge=bridge interface=ether5
add bridge=bridge interface=wlan1-2.4GHz
add bridge=bridge interface=wlan2-5Ghz
/interface bridge vlans
add bridge=bridge tagged=ether1,ether5 vlan-ids=6
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11

Thank you very much, I followed your advice and have working solution. One thing I needed to do additionally is to add vlan “wandata” to the WAN list as masquerade would not work and I lost access to outside.

Now I will need to review firewall rules according your suggestions as I used default ones that comes with device.
And for vpn I use to reach internal devices and browse internet

Only one thing that is wrong now that isp port if any devices connected will get dhcp ip address frmo my lan pool.
What is the best method to solve this? Is it firewall or bridge filter?

It is not clear what you mean??
Also post latest config please.

if I unplug ISP cable from ether1 and plug pc there I would get LAN IP assigned, but I want that port only accept dchp client request for ISP.
DHCP is running on the bridge, and ether1 belong to bridge that I believe why PC gets ip assigned once it is plugged in to that port.
I was trying to move lan to it’s vlan, but not really helped
I needed to reset my router, so I hope the config is fine and it is the same it was

Update: current config is working as expected, internal LAN cannot be reached through ether1

Current config

/interface bridge
add admin-mac=***** auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
add name=bridge-loopback

/interface vlan
add interface=bridge name=landata-vl10 vlan-id=10
add comment=wandata interface=bridge name=wandata-vl11 vlan-id=11

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no


/ip ipsec policy group
add name="group 2.2.2.2"

/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name="profile 2.2.2.2"

/ip ipsec peer
add exchange-mode=ike2 local-address=2.2.2.2 name="peer 2.2.2.2" \
    passive=yes profile="profile 2.2.2.2"

/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr\
    ,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" \
    lifetime=8h name="proposal 2.2.2.2" pfs-group=none

/ip pool
add name=dhcp ranges=192.168.100.100-192.168.100.120
add name="vpn pool" ranges=10.0.70.2-10.0.70.25

/ip dhcp-server
add address-pool=dhcp interface=landata-vl10 name="LAN DHCP"

/ip ipsec mode-config
add address-pool="vpn pool" address-prefix-length=32 name=\
    "modeconf 2.2.2.2" split-include=0.0.0.0/0

/routing bgp template
set default disabled=no output.network=bgp-networks

/routing ospf instance
add disabled=no name=default-v2

/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=10
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1 pvid=10
add bridge=bridge comment=defconf interface=wlan2 pvid=10
add bridge=bridge interface=ether1 pvid=11

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=11
add bridge=bridge tagged=ether1,ether5 vlan-ids=6
#untag vlan10 only for these specific interfaces
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,wlan1,wlan2 vlan-ids=10

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wandata-vl11 list=WAN
add interface=landata-vl10 list=LAN

/interface ovpn-server server
set auth=sha1,md5

/ip address
add address=192.168.100.254/24 interface=landata-vl10 network=192.168.100.0
add address=10.0.70.1/24 interface=bridge-loopback network=10.0.70.0

/ip dhcp-client
add interface=wandata-vl11 use-peer-dns=no

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.254,1.1.1.2 gateway=\
    192.168.100.254

/ip dns
set allow-remote-requests=yes servers=1.1.1.2

/ip firewall filter
add action=drop chain=input connection-state=established,related,new \
    dst-port=53 in-interface-list=WAN log=yes protocol=udp
add action=drop chain=input connection-state=established,related,new \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Allow UDP 500,4500IPSec for 2.2.2.2" dst-address=2.2.2.2 \
    dst-port=500,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp for 2.2.2.2" \
    dst-address=2.2.2.2 protocol=ipsec-esp
add action=accept chain=input comment=\
    "IKE2: Allow ALL incoming traffic from 10.0.70.0/24 to this RouterOS" \
    ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "IKE2: Allow ALL forward traffic from 10.0.70.0/24 to HOME network" \
    dst-address=192.168.100.0/24 ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=accept chain=forward comment=\
    "IKE2: Allow ALL forward traffic from 10.0.70.0/24 to ANY network" \
    dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=10.0.70.0/24
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall mangle
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS from 10.0.70.0/24 to ANY" ipsec-policy=in,ipsec \
    new-mss=1360 passthrough=yes protocol=tcp src-address=10.0.70.0/24 \
    tcp-flags=syn tcp-mss=!0-1360
add action=change-mss chain=forward comment=\
    "IKE2: Clamp TCP MSS from ANY to 10.0.70.0/24" dst-address=10.0.70.0/24 \
    ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp \
    tcp-flags=syn tcp-mss=!0-1360

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment=\
    "SRC-NAT IKE2:10.0.70.0/24 --> ether1 traffic" ipsec-policy=out,none \
    out-interface=wandata-vl11 src-address=10.0.70.0/24 to-addresses=\
    2.2.2.2
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes out-interface-list=WAN

/ip ipsec policy
add dst-address=10.0.70.0/24 group="group 2.2.2.2" proposal=\
    "proposal 2.2.2.2" src-address=0.0.0.0/0 template=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ipv6 dhcp-client
add disabled=yes interface=ether1 pool-name=wan-ipv6 request=prefix \
    use-peer-dns=no

/routing igmp-proxy
set quick-leave=yes

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Too funny, if you look carefully in my new version, last post, there is only one vlan and you have two running.
If it works it works, dont break it LOL…
Glad that all works for you now.