hAP ax lite LTE6 internet via ethernet ports but not on wifi

Hi to everyone,
I tried to set up this router with two ethernet ports that have internet access, and two wireless networks, one of them for IoT and guests, hoping for better security for my main wifi (if you have a better option for this I will happily listen). These wifi networks can connect and ping to clients but cannot access the internet. I am very new to these complex settings, so if you can help me I will be very grateful. Here is my config; if you need any more info I will tell you.

# Review notes (added): configuration export as posted by the thread author.
# The generated header below reports RouterOS 7.16.2 and an export time of
# 1970-01-02, i.e. the system clock had not been set when the export was taken.
# 1970-01-02 01:15:15 by RouterOS 7.16.2
# software id = T5FG-FRKM
#
# model = L41G-2axD&FG621-EA
# serial number = 
/interface bridge
add admin-mac=F4:1E:57:21:C5:06 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether3 and ether4 are switched off; only ether1 and ether2 stay usable.
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface wifi
# Main SSID "Routi": WPA3-PSK only, management frame protection required,
# WPS disabled.
set [ find default-name=wifi1 ] channel.band=2ghz-ax .frequency=2442 \
    .secondary-frequency=2452 .skip-dfs-channels=all .width=20/40mhz-Ce \
    configuration.country=Italy .manager=local .mode=ap .multicast-enhance=\
    enabled .qos-classifier=priority .ssid=Routi disabled=no \
    interworking.internet=yes .ipv4-availability=public .ipv6-availability=\
    not-available .network-type=private .wan-status=reserved mtu=1500 \
    security.authentication-types=wpa3-psk .encryption=ccmp .ft=yes \
    .ft-over-ds=yes .management-encryption=cmac .management-protection=\
    required .sae-anti-clogging-threshold=5 .sae-max-failure-rate=40 \
    .sae-pwe=both .wps=disable
# Second SSID "NoRouti" (IoT/guest), a virtual AP on wifi1: WPA2-PSK,
# management protection only "allowed", client-isolation=yes, WPS push-button on.
# NOTE(review): with .wps=push-button anyone who can reach the router's button
# can enrol a device on this SSID; consider .wps=disable here as on wifi1.
# NOTE(review): client-isolation presumably only separates this AP's clients
# from each other; it does not give them their own subnet (wifi2 is a port of
# the same bridge as the trusted ports in /interface bridge port) - confirm.
add channel.frequency=2447 .secondary-frequency=2467 .skip-dfs-channels=all \
    configuration.mode=ap .multicast-enhance=disabled .qos-classifier=\
    dscp-high-3-bits .ssid=NoRouti datapath.client-isolation=yes disabled=no \
    interworking.internet=yes .ipv4-availability=public .ipv6-availability=\
    not-available .network-type=personal-device .wan-status=up mac-address=\
    F6:1E:57:21:C5:0A master-interface=wifi1 name=wifi2 \
    security.authentication-types=wpa2-psk .encryption=ccmp .ft=yes \
    .ft-over-ds=yes .management-encryption=cmac .management-protection=\
    allowed .sae-anti-clogging-threshold=10 .sae-max-failure-rate=50 \
    .sae-pwe=both .wps=push-button
# LTE uplink: roaming off, fixed band list, SMS reading off.
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=1,3,7,20 network-mode=\
    lte sms-protocol=auto sms-read=no
# WAN and LAN are the two interface lists that the firewall rules key on.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# use-peer-dns=no: the carrier's DNS servers are not taken over; resolvers come
# from /ip dns only.
set [ find default=yes ] apn=wap.tim.it use-network-apn=no use-peer-dns=no
# One address pool and one DHCP server, bound to the bridge, serve every LAN
# port and both SSIDs.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/queue type
add fq-codel-ecn=no kind=fq-codel name=fq-codel-ethernet-default
/queue interface
set ether1 queue=fq-codel-ethernet-default
set ether2 queue=fq-codel-ethernet-default
set ether3 queue=fq-codel-ethernet-default
set ether4 queue=fq-codel-ethernet-default
# User Manager (the RouterOS RADIUS server package) carries a user and
# per-group authentication methods.
# NOTE(review): both SSIDs in this export use PSK authentication, so nothing
# visible here depends on User Manager - confirm whether it is needed at all.
# The default-anonymous group below also lists legacy methods (pap, chap,
# mschap1).
/user-manager user
add name=Nicola shared-users=unlimited
/user-manager user group
set [ find default-name=default ] inner-auths=peap-mschap2 outer-auths=\
    eap-peap
set [ find default-name=default-anonymous ] inner-auths=\
    ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 outer-auths=\
    pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
# NOTE(review): auto-media-sharing / auto-smb-sharing are set to yes while
# /ip smb itself is disabled; presumably nothing is shared as long as SMB stays
# off - verify before attaching storage.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
# Bridge ports. wifi2 (the IoT/guest SSID) joins the same bridge as ether1,
# ether2 and wifi1, so every client ends up in one layer-2 segment and one
# subnet (192.168.88.0/24); the separation the author is after is not provided
# by this layout.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf disabled=yes interface=ether3
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge interface=wifi2
# use-ip-firewall=yes sends bridged (port-to-port) traffic through the IP
# firewall chains as well.
# NOTE(review): none of the filter rules in this export match on bridge ports,
# so it is unclear what this setting is meant to achieve here - confirm.
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
# detect-internet is pointed at all interfaces for every list.
# NOTE(review): the firewall trusts the static WAN/LAN lists defined under
# /interface list member; letting a probe classify every interface looks
# unnecessary - consider detect-interface-list=none.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# NOTE(review): a DHCP client on the LAN bridge, next to the router's own DHCP
# server on the same interface. The uplink is lte1, so this client looks
# unintended; while it exists the router would accept a lease (and possibly a
# default route) from any DHCP server that shows up on the LAN side - confirm
# and remove.
/ip dhcp-client
add interface=bridge use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# The router is the DNS server handed to clients (allow-remote-requests=yes);
# the input chain's "drop all not coming from LAN" rule is what keeps the
# resolver from answering on the WAN side.
# NOTE(review): upstream resolution is DNS-over-HTTPS with verify-doh-cert=yes.
# Certificate verification needs the issuing CA to be trusted on the router and
# a correct system clock; the export header is dated 1970-01-02, so check both
# before suspecting the Wi-Fi. Keep verification enabled rather than turning it
# off.
/ip dns
set allow-remote-requests=yes cache-size=5048KiB mdns-repeat-ifaces=bridge \
    servers=9.9.9.11,149.112.112.11 use-doh-server=\
    https://dns11.quad9.net/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# IPv4 filter rules. The same defconf rule set appears twice, and so does the
# masquerade rule under /ip firewall nat. The second copy repeats matchers
# that were already evaluated for the same chain, so it adds clutter without
# adding protection.
# Input chain: traffic to the router itself is accepted for established
# connections, ICMP and loopback; anything else not arriving from the LAN list
# is dropped.
# Forward chain: only new connections from WAN that are not dst-nat'ed are
# dropped. No rule distinguishes the IoT/guest SSID from the trusted ports;
# everything on the bridge counts as LAN.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Second copy of the rule set starts here (duplicate of the rules above).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving through the WAN list; the rule is present
# twice.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Management services: telnet, ftp, api and api-ssl are turned off.
# NOTE(review): www, winbox and ssh are not listed, so presumably they are
# still at their defaults (enabled). They are reachable from the LAN list only
# because of the input-chain drop rule, and in this export the LAN list also
# contains the IoT/guest SSID. Consider disabling www (plain HTTP) and limiting
# the remaining services with address=.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): host-key-size=1024 gives a 1024-bit SSH host key, which is
# below current recommendations; choose 2048 or larger and regenerate the host
# key (/ip ssh regenerate-host-key). strong-crypto=yes is worth keeping.
/ip ssh
set host-key-size=1024 strong-crypto=yes
# IPv6 defconf address list and filter rules. /ipv6 settings in this export
# has disable-ipv6=yes, so presumably these rules see no traffic at the moment;
# they stay in place for the case that IPv6 is switched on again.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Input chain: accepts established traffic, ICMPv6, UDP traceroute, DHCPv6
# prefix delegation from link-local sources and IPsec/IKE, then drops whatever
# does not come from the LAN list.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Forward chain: drops invalid packets and packets with source or destination
# in bad_ipv6, accepts ICMPv6, HIP and IPsec/IKE, then drops whatever does not
# come from the LAN list.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=Rooti
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
# NTP client with four servers given by IP address.
# NOTE(review): each address string ends with a space inside the quotes, and
# the export header is dated 1970-01-02; check that the client really
# synchronises (/system ntp client print). Certificate checks on the router,
# such as verify-doh-cert under /ip dns, depend on a correct clock.
/system ntp client
set enabled=yes
/system ntp client servers
add address="132.163.97.2 "
add address="129.6.15.30 "
add address="132.163.96.4 "
add address="128.138.141.172 "
# MAC-level management (MAC telnet / MAC WinBox) is limited to the LAN list,
# which in this export also contains the IoT/guest SSID through the bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# User Manager global settings and one RADIUS client entry that points at the
# router's own LAN address.
# NOTE(review): require-message-auth=no means requests are accepted without a
# Message-Authenticator attribute; if User Manager is in use, requiring it is
# the safer setting - confirm against the clients that talk to it.
/user-manager
set certificate=*0 require-message-auth=no use-profiles=yes
/user-manager advanced
set web-private-username=Nicola
/user-manager router
add address=192.168.88.1 name=router1

You seemingly have a duplicate masquerade rule in /ip firewall nat (but that shouldn’t be an issue).

Post the output of:

/ip address print

and of

/ip route print

Try to be more precise when reporting a problem, “cannot access internet” may be due to several reasons, try

/ping 8.8.8.8

what is the result (i.e. timeout, no route to host, etc.)

try

/tool trace 8.8.8.8

what happens? (does it list a next hop, or not?)

Thanks for replying!
The first output is:

 Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS          NETWORK       INTERFACE
;;; defconf
0   192.168.88.1/24  192.168.88.0  bridge   
1 D 10.75.124.85/32  10.75.124.85  lte1

then:

 Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, m - MODEM
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY  DISTANCE
DAm 0.0.0.0/0        lte1            2
DAc 10.75.124.85/32  lte1            0
DAc 192.168.88.0/24  bridge          0

Sorry i am not so expert i didn’t know about these commands

    80 8.8.8.8                                    56 112 74ms333us 
   81 8.8.8.8                                    56 112 520ms419us
   82 8.8.8.8                                    56 112 275ms916us
   83 8.8.8.8                                    56 112 256ms859us
   84 8.8.8.8                                    56 112 200ms742us
   85 8.8.8.8                                    56 112 151ms878us
   86 8.8.8.8                                                      timeout        
   87 8.8.8.8                                    56 112 48ms234us 
   88 8.8.8.8                                    56 112 60ms543us 
   89 8.8.8.8                                    56 112 87ms554us 
   90 8.8.8.8                                    56 112 65ms694us 
   91 8.8.8.8                                    56 112 57ms620us 
   92 8.8.8.8                                    56 112 59ms713us 
   93 8.8.8.8                                    56 112 112ms343us
   94 8.8.8.8                                    56 112 78ms202us 
   95 8.8.8.8                                    56 112 51ms531us 
   96 8.8.8.8                                    56 112 56ms551us 
   97 8.8.8.8                                    56 112 58ms614us 
   98 8.8.8.8                                    56 112 56ms613us 
   99 8.8.8.8                                    56 112 56ms505us 
    sent=100 received=97 packet-loss=3% min-rtt=37ms611us avg-rtt=146ms420us 
   max-rtt=549ms791us 
  SEQ HOST                                     SIZE TTL TIME       STATUS         
  100 8.8.8.8                                    56 112 139ms253us
  101 8.8.8.8                                    56 112 56ms574us 
  102 8.8.8.8                                    56 112 49ms619us 
  103 8.8.8.8                                    56 112 47ms604us 



  
  Columns: ADDRESS, LOSS, SENT, LAST, AVG, BEST, WORST, STD-DEV
 #  ADDRESS         LOSS   SENT  LAST     AVG    BEST   WORST  STD-DEV
 1                  100%     14  timeout                              
 2  172.31.8.101    0%       13  46.3ms   129.2  26.1   330.6  112.2  
 3  172.19.202.6    0%       13  41.8ms   51.2   22.6   128.9  27.5   
 4  172.19.202.21   0%       13  41ms     66.2   26     268.8  65.7   
 5  172.19.202.36   92.3%    13  timeout  20.7   20.7   20.7   0      
 6  172.18.16.244   92.3%    13  timeout  264.7  264.7  264.7  0      
 7  172.19.177.86   92.3%    13  timeout  43.9   43.9   43.9   0      
 8  172.19.177.2    92.3%    13  timeout  38.9   38.9   38.9   0      
 9  195.22.196.170  92.3%    13  timeout  39.9   39.9   39.9   0      
10  72.14.214.92    92.3%    13  timeout  39.8   39.8   39.8   0      
11  172.253.72.111  92.3%    13  timeout  39     39     39     0      
12  192.178.82.61   92.3%    13  timeout  49.8   49.8   49.8   0      
13  8.8.8.8         0%       13  56.4ms   134    51     280.8  87.6

A news: the ethernet also stopped working, before worked but now no, like on off on and so on.
I should also delete one of the two nat rules?

Remove mdns-repeat-ifaces=bridge, and check allow-remote-requests. In /ip dhcp-server network, check that the DNS server handed out is the router's local address (192.168.88.1) and that it is reachable!

  1. Establish basic requirements
    a. one subnet for HOME
    b. one subnet for HOME wifi
    c. one subnet for IOT (such devices should be separate from home users )
    d. one subnet for guest wifi (obviously should be isolated from rest )

It would appear that you need three vlans ( as home wired and home wifi should be the same subnet ) and this can be your trusted subnet
The other two are wifi for iot and wifi for guests.
Thus one MAIN wifi and two virtual WIFIs
If you want to ONLY have one virtual wifi, consider pairing the IOT and guests and use isolation between them…
Will assume this is copacetic which means you can narrow this down to two vlans for now.

Will also use your ethernet port 4 to config the router safely, for these changes and down the line, as vlan filtering can cause headaches!!!
Simply plug in your laptop into ether4 change IPV4 settings to 192.168.44.2 and you are in. So enter the router add the ether 4 components required and work from there.
( remove from bridge, add to LAN interface list, add address 192.168.44.1/30 )

Major changes only shown.
NOTE: Do NOT use IP bridge filtering, as this is advanced settings and not suitable for a basic setup. Firewall filter rules should suffice for your needs.
Internet detect should be set to none, causes issues when used…
For some reason you have duplicate sets of filter rules in your config and same with the sourcenat rule…
Remove ipv6 firewall address lists, noise…

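# Sketch of the major changes only, not a complete export: home wired ports and
# the main Wi-Fi go into VLAN 88, the IoT/guest Wi-Fi into VLAN 10, and ether4
# is taken off the bridge as a management port that keeps working while VLAN
# filtering is being set up.
/interface bridge
# Keep vlan-filtering=no while configuring; change it to yes at the very end.
add admin-mac=F4:1E:57:21:C5:06 auto-mac=no comment=defconf name=bridge vlan-filtering=no
/interface ethernet
set [ find default-name=ether4 ] name=OffBridge4
/interface vlan
add interface=bridge name=HomeV88 vlan-id=88
add interface=bridge name=iotGuestV10 vlan-id=10
/interface wifi
# Add a second virtual WIFI with its own SSID and security setup; the master
# wifi is wifi1.
# To isolate IoT devices from each other (they share one VLAN) and from guests,
# and guests from each other, use the DATAPATH wifi tab to create datapath1
# (default name), check the isolation box, and apply that datapath to the
# WIFI 2 configuration.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# TRUSTED holds the interfaces that are allowed to manage the router.
add name=TRUSTED
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=iot-guest-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
# One DHCP server per VLAN interface.
add address-pool=default-dhcp interface=HomeV88 name=defconf
add address-pool=iot-guest-dhcp interface=iotGuestV10 name=other
/interface bridge port
# Access ports: untagged frames only; pvid decides which VLAN a port lands in.
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether1 pvid=88
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether2 pvid=88
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=wifi1 pvid=88
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=wifi2 pvid=10
/interface bridge settings
# The use-ip-firewall=yes entry of the current config is to be removed;
# setting it to no is what turns it off.
set use-ip-firewall=no
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
# The bridge itself is tagged in both VLANs so that the VLAN interfaces
# HomeV88 and iotGuestV10 receive their traffic.
add bridge=bridge tagged=bridge untagged=ether1,ether2,wifi1 vlan-id=88
add bridge=bridge tagged=bridge untagged=wifi2 vlan-id=10

/interface detect-internet
set detect-interface-list=none
/interface list member
add comment=defconf interface=lte1 list=WAN
add comment=defconf interface=HomeV88 list=LAN
add interface=iotGuestV10 list=LAN
add interface=OffBridge4 list=LAN
add interface=HomeV88 list=TRUSTED
add interface=OffBridge4 list=TRUSTED
/ip address
add address=192.168.88.1/24 interface=HomeV88 network=192.168.88.0
add address=192.168.10.1/24 interface=iotGuestV10 network=192.168.10.0
add address=192.168.44.1/30 interface=OffBridge4 network=192.168.44.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip firewall filter
# Input chain (traffic to the router itself): TRUSTED interfaces get full
# access, every LAN interface (IoT/guest included) gets DNS only, and
# everything else, including all WAN-side traffic, is dropped by the last rule.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# Put this rule in last so you don't lock yourself out. It belongs to the
# input chain: it is the default drop for traffic addressed to the router.
add action=drop chain=input comment="drop all else"
# Forward chain (traffic through the router): LAN to WAN is accepted,
# port forwarding is optional, and the final drop also blocks traffic between
# VLAN 10 and VLAN 88.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# Enable the port-forwarding rule if required, or remove it.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall filter
# IPv6 is not used in this setup: drop everything in both chains.
add chain=input action=drop
add chain=forward action=drop

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED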

Thanks for replying, i removed the mdns interface and allowed requestes, but didn’t changed anything. following your directions i opened that tab, is it ok? The dhcp pool start at .10 to.254


Screenshot 2025-01-05 155314.png

Thanks a for the reply!
I used that guide with a script for setting up a basic firewall https://mikrotikusers.com/lab-3-1-creating-a-basic-firewall-with-mikrotik-router/ but it is not a problem to delete all the rules if they cause the issue.
For the networks i thought that using vlans is difficult, so i arranged with two wifi, but you understood exactly my ideal set up, i only add that i use a philips hue bridge with requires an ethernet port, and i don’t know how to isolate that (i thought about making two vlan, but this was beyond my expertise).
I also disabled ip firewall from bridge.
Since there are a lot of changes to do maybe i start from a fresh config? Moreover i changed the ip of ether 4 and removed it from bridge and added to the list but i am unaware of where setting up the 192.168.44.1/30 (i already set up the ether 4 with ip 192.168.44.2).


Screenshot 2025-01-05 164046.png

What anav just posted is a “complete” and “final” configuration. I believe it would be more useful, before studying and implementing that solution, to try to understand what the issue is right now, before introducing the complications of the complete setup, with VLANs and whatnot.

You have basic internet connection from the router (through the LTE modem), and the addresses and routes seem just fine.
Right now your configuration seems a pretty much basic and default one, it should be working.

Could it be a DNS issue?
I.e. does

/ping google.com

work just like pinging to 8.8.8.8?

If no, with a message like “cannot resolve” the issue is in your DNS settings, you could try removing that doh entry and set (only for the testing) a single simple dns:server, like from:

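# Current DNS settings, as in the posted export: DNS-over-HTTPS to Quad9 with
# certificate verification, plus two plain resolvers.
/ip dns
set allow-remote-requests=yes cache-size=5048KiB mdns-repeat-ifaces=bridge \
    servers=9.9.9.11,149.112.112.11 use-doh-server=\
    https://dns11.quad9.net/dns-query verify-doh-cert=yes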

to:

# Test-only target state: plain DNS to a single resolver, no DoH.
# NOTE(review): "set" changes only the properties it names, so typing this line
# as it stands leaves an existing use-doh-server value in place; clear it as
# well (use-doh-server="") if the test is meant to bypass DoH, and restore the
# encrypted setup once the test is done.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9

If yes, then the connection from the router to the internet is fine and the issue is elsewhere; try connecting a wired device (Linux or Windows or whatever), run ping and traceroute to 8.8.8.8 and google.com from that device, and report what happens.

Thanks for replying. I tried various DNS services, but it is the same. I posted the ping to 8.8.8.8 before, with another error code resulting, but here I post this from my laptop connected via ethernet to the modem

C:\Windows\System32>ping www.google.com

Esecuzione di Ping www.google.com [216.58.205.36] con 32 byte di dati:
Risposta da 216.58.205.36: byte=32 durata=47ms TTL=111
Risposta da 216.58.205.36: byte=32 durata=799ms TTL=111
Risposta da 216.58.205.36: byte=32 durata=257ms TTL=111
Risposta da 216.58.205.36: byte=32 durata=752ms TTL=111

Statistiche Ping per 216.58.205.36:
    Pacchetti: Trasmessi = 4, Ricevuti = 4,
    Persi = 0 (0% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
    Minimo = 47ms, Massimo =  799ms, Medio =  463ms

it is in italian but basically say that it received all packets

if i connect the laptop via wifi this is the result:

C:\Windows\System32>ping www.google.com

Esecuzione di Ping www.google.com [142.250.185.100] con 32 byte di dati:
Richiesta scaduta.
Risposta da 142.250.185.100: byte=32 durata=132ms TTL=111
Risposta da 142.250.185.100: byte=32 durata=266ms TTL=111
Risposta da 142.250.185.100: byte=32 durata=310ms TTL=111

Statistiche Ping per 142.250.185.100:
    Pacchetti: Trasmessi = 4, Ricevuti = 3,
    Persi = 1 (25% persi),
Tempo approssimativo percorsi andata/ritorno in millisecondi:
    Minimo = 132ms, Massimo =  310ms, Medio =  236ms

Which says 4 packets trasmitted and 3 received and 1 lost (these are with dns 8.8.8.8 )

when i ping from modem to google it says

[Nicola2000@Rooti] > /ping google.com
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                
    0 216.58.204.142                             56 113 388ms365us
    1 216.58.204.142                             56 113 256ms388us
    2 216.58.204.142                             56 113 243ms189us
    3 216.58.204.142                             56 113 487ms803us
    4 216.58.204.142                                               timeout                                               
    5 216.58.204.142                             56 113 511ms965us
    6 216.58.204.142                             56 113 51ms177us 
    7 216.58.204.142                             56 113 572ms125us
    8 216.58.204.142                                               timeout                                               
    9 216.58.204.142                             56 113 45ms486us 
   10 216.58.204.142                             56 113 467ms605us
   11 216.58.204.142                             56 113 548ms417us
   12 216.58.204.142                                               timeout                                               
   13 216.58.204.142                             56 113 655ms497us
   14 216.58.204.142                             56 113 436ms716us
   15 216.58.204.142                             56 113 643ms87us 
   16 216.58.204.142                             56 113 267ms132us
   17 216.58.204.142                             56 113 808ms317us
   18 216.58.204.142                             56 113 921ms579us
   19 216.58.204.142                             56 113 415ms843us
    sent=20 received=17 packet-loss=15% min-rtt=45ms486us avg-rtt=454ms158us max-rtt=921ms579us 
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                
   20 216.58.204.142                             56 113 87ms57us  
   21 216.58.204.142                             56 113 55ms396us 
   22 216.58.204.142                             56 113 608ms94us 

A packet lost on a LTE connection (possibly through wifi) should not be a problem of actual connectivity.

So your DNS is working (it can resolve google.com just fine) and you do have internet connection on both ethernet and wifi.
Since you are using windows (I presume a recent one like 10) you should have a network connection icon in the tray showing either “connected” or “no connection to internet”.
What does it show?
Or what does not work (like opening google.com in your browser?)

No, the problem is that both on windows 11 and on multiple androids, is show connected but with no internet, and i cannot open a website (if it helps all the devices get an ip from the router successfully). On the pc using ethernet can open any website, only sometimes i have no internet access.

Before this situation i have done a reset config the i added a wifi slave interface, i added all the lan interfaces in use to the default bridge, i set up the lte interface, started an dhcp server and set the dhcp clients, both of this i set the interface as the bridge itself. I set up a dns a ntp server and i applied a script with some basic firewall rules which i linked before(but i don’t think it is the cause of the issues). Maybe i have forgot to set up something?

I disabled ipv6

And before this set up i tried others config also, with the same problem this is why i am writing here.

Concur jac, that learning is important.
If the OP takes the time to understand each line of the completed config and what it does, the learning will come.

  1. In terms of the config
    the offbridge settings are in three places ( plus remove from bridge )
    a. name the ethernet port (OffBridge4)
    b. add the address to /ip address add address=192.168.44.1/30 interface=OffBridge4 network=192.168.44.0
    c. add to trusted interface list as a member
    On the pc you plug into ether4, you need to manually change IPV4 settings to 192.168.44.2

  2. For the HUE bridge, this is not an issue. You have ether3 available … simply add this to the bridge and apply the necessary vlan.

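# Hue bridge on ether3: the port is re-enabled, renamed and placed in VLAN 10
# together with the IoT/guest Wi-Fi.
# NOTE(review): the bridge port and bridge VLAN lines below still say
# interface=ether3 although the port is renamed to Hue3 in the first command -
# confirm which name the router expects once the rename has been applied.
# NOTE(review): the isolation set on the Wi-Fi datapath presumably does not
# cover this wired port, and a forward chain that only accepts LAN to WAN keeps
# home-VLAN devices from reaching the Hue bridge locally; if local control is
# wanted, add an explicit accept from the home VLAN towards VLAN 10 (not the
# reverse) - confirm against the final firewall rules.
/interface ethernet
set [ find default-name=ether3 ] disabled=no name=Hue3
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether1 pvid=88
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether2 pvid=88
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=ether3 pvid=10 comment="hue bridge"
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=wifi1 pvid=88
add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-untagged interface=wifi2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1,ether2,wifi1 vlan-id=88
add bridge=bridge tagged=bridge untagged=ether3,wifi2 vlan-id=10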

I waited to reply, because, i don’t know why nor how but wifi yesterday started to work, both the interfaces, so i started testing and hoping, and it stayed working. Thanks to you all for the kind help!
I followed all your advices and also a command that suggested me chatgpt for adding lte as gateway but i don’t remember the exact line, and i cannot trace a specific action to the wifi start working.
I have only one question, i have noted a little slow connection, sometimes firefox say that there is an ocsp server error, and sometimes android say limited connection, can you explain why? (anyway i am ok now)


At the end of the day i resetted and rebooted multiple times the router, it was fun but i think for the moment i will stay ok now, but thanks a lot for the config for multiple vlans, in future i will try also that. Maybe there is a method to backup the current config of the router, just in case? And there are other advices for improving security or performance of router (also link or other sources)?
It was fun but reaching a usable config feels like landing on the moon

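A saved export is normally enough, but a (binary) backup gives added security.
They have different uses and different characteristics.
The backup allows you to “clone” a router; it is “all or nothing”.
The export represents the exact configuration, but can be modified or used partially; as a matter of fact, to “restore” a configuration from an export, snippets are usually copied and pasted.
Either file describes how the network is set up, and a backup also carries the stored secrets, so protect the backup with a password when saving it and keep both files in a safe place off the router.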
https://help.mikrotik.com/docs/spaces/ROS/pages/40992852/Backup

Thank you! I will you give it a look!