Hi,
I have an RB3011UiAS as my gateway router, with a static IP.
I set up an IKEv2 VPN on it.
I can connect to it from the internet and can use the internet through the RB3011's IP.
But I can’t access hosts with IPs greater than 192.168.1.11 in the RB3011's LAN, and I can’t ping them.
Hosts with IPs 192.168.1.2-11 are Hikvision cameras and a recorder. 11+ are computers, servers and other equipment, all of which I can see while I’m on the LAN.
I removed everything about CAPsMAN and other unnecessary sections from the config printout.
# 2023-11-07 12:44:37 by RouterOS 7.11.2
# model = RB3011UiAS
# NOTE(review): this is a trimmed export (CAPsMAN and other sections removed by
# the poster). Every "no such rule is visible" remark below refers to the
# visible rules only -- confirm against the full "/ip firewall filter print".
/interface bridge
# proxy-arp on the LAN bridge: the router answers ARP requests for addresses it
# can deliver elsewhere. The VPN pool (192.168.2.x, see /ip pool) sits inside
# this bridge's 192.168.0.0/16, so LAN hosts that use a /16 mask ARP for VPN
# clients and depend on this setting; hosts configured with a /24 mask instead
# hand such packets to their default gateway. When some LAN hosts are reachable
# from the VPN and others are not, compare mask/gateway of a working host
# (<= .11) with a failing one (>= .12) before looking at the router.
add arp=proxy-arp name=bridge-lan
/ip ipsec policy group
add name=ike2
/ip ipsec profile
# Only the name is exported: DH group, hash and encryption are RouterOS defaults.
add name=profile-ike2
/ip ipsec peer
# passive=yes -> responder only; the road-warrior clients initiate.
add exchange-mode=ike2 name=peerike2 passive=yes profile=profile-ike2
/ip ipsec proposal
# pfs-group=none: no extra DH exchange per child SA (presumably chosen for the
# built-in Windows IKEv2 client -- TODO confirm). Ciphers are RouterOS defaults.
add name=proposal-ike2 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.101-192.168.1.199
# VPN client pool. It lies inside the LAN prefix 192.168.0.0/16 AND inside the
# allowed_to_router range 192.168.1.2-192.168.10.254 (see /ip firewall
# address-list), so every authenticated VPN client gets the same unrestricted
# access to router services as a LAN host -- confirm that is intended.
add name=vpn-pool ranges=192.168.2.1-192.168.2.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-lan lease-time=10m name=dhcp1
/ip ipsec mode-config
# One /32 per client; split-include pushes the whole 192.168.0.0/16 (which also
# covers the pool 192.168.2.0/24 itself) to clients that honour it.
add address-pool=vpn-pool address-prefix-length=32 name=ike2-modconf \
split-include=192.168.0.0/16
/ppp profile
# No SSTP/PPP server configuration is visible in this trimmed export.
add local-address=192.168.1.1 name=SSTP-admin remote-address=dhcp
/routing bgp template
# BGP template and OSPF instance are enabled, but no BGP connection or active
# OSPF area is visible; if they are unused, disabling them removes listeners.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user-manager user
# Identity for the IKEv2 clients: auth-method=eap-radius (below) points RADIUS
# at the local User Manager. Password/attributes are not part of this export.
add name=someUsername
/interface bridge port
add bridge=bridge-lan ingress-filtering=no interface=ether2
add bridge=bridge-lan ingress-filtering=no interface=ether3
add bridge=bridge-lan ingress-filtering=no interface=ether4
add bridge=bridge-lan ingress-filtering=no interface=ether5
add bridge=bridge-lan ingress-filtering=no interface=ether6
add bridge=bridge-lan ingress-filtering=no interface=ether7
add bridge=bridge-lan ingress-filtering=no interface=ether8
add bridge=bridge-lan ingress-filtering=no interface=ether9
add bridge=bridge-lan ingress-filtering=no interface=ether10
add bridge=bridge-lan ingress-filtering=no interface=sfp1
/interface list member
# WAN = ether1, LAN = the bridge. Note the filter rules below match on
# in-interface=ether1 / bridge-lan directly rather than on these lists.
add interface=ether1 list=WAN
add interface=bridge-lan list=LAN
/ip address
# /16 on the LAN bridge: 192.168.0.0-192.168.255.255 is one connected network,
# overlapping the VPN pool (192.168.2.0/24) and the policy template below.
add address=192.168.1.1/16 interface=bridge-lan network=192.168.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
# NOTE(review): the 0.0.0.0/24 entry matches no pool and looks like a leftover.
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
# DHCP hands out a /16 mask; statically addressed hosts may still be on /24.
add address=192.168.0.0/16 gateway=192.168.1.1 netmask=16
/ip firewall address-list
# Sources allowed to reach ALL router services (see the input chain). The range
# 192.168.1.2-192.168.10.254 includes the VPN pool 192.168.2.x.
add address=192.168.1.2-192.168.10.254 list=allowed_to_router
# Private / bogon prefixes used by the forward-chain drops below.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast_RFC2780 list=not_in_internet
add address=192.88.99.0/24 comment="6to4_RFC 3068" list=not_in_internet
/ip firewall filter
# ---- input chain (traffic addressed to the router itself) ----
# NOTE(review): among the visible rules the input chain has no terminal
# action=drop; the only active input drops are connection-state=invalid and the
# ssh_blacklist rule. If the full config has no terminal drop either, every
# router service (winbox, ssh, www, api, dns, ntp, ...) is reachable from ether1
# and the brute-force stages below only slow an attacker down. Usual remedy is a
# last rule "add action=drop chain=input comment=\"drop everything else\"",
# which would also make the two disabled port-53 rules unnecessary.
add action=drop chain=input connection-state=new disabled=yes dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=input connection-state=new disabled=yes dst-port=53 \
in-interface=ether1 protocol=tcp
# Legacy PPTP / L2TP allow rules, all disabled.
add action=accept chain=input disabled=yes in-interface=ether1 protocol=gre
add action=accept chain=input comment="Permit PPTP" disabled=yes dst-port=\
1723 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Permit L2TP" disabled=yes dst-port=\
1701 in-interface=ether1 protocol=udp
# Disabled. "50" is wrong as a UDP port here: ESP is IP protocol 50
# (protocol=ipsec-esp), and with NAT-T it travels inside UDP/4500 anyway.
add action=accept chain=input comment="Permit IPSec" disabled=yes dst-port=\
50,500,4500 protocol=udp
# Active IKEv2 allow: IKE (UDP/500) and NAT-T (UDP/4500) from the WAN.
add action=accept chain=input comment="Allow IKEv2 VPN" dst-port=500,4500 \
in-interface=ether1 protocol=udp
# Forward: anything that arrived on ether1 and was decrypted by an IPsec policy
# is accepted with no destination restriction, ahead of the "!dstnat" drop
# below. This is the rule that lets VPN clients into the LAN; adding
# dst-address=192.168.0.0/16 would keep clients from transiting elsewhere.
add action=accept chain=forward comment="Allow IKEv2 VPN LAN" in-interface=ether1 \
ipsec-policy=in,ipsec
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment="Accept enstablished connections" \
connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
# Full access to router services for allowed_to_router (LAN hosts and, because
# of the range, VPN clients). There is no in-interface match, so unless reverse-
# path filtering is enabled (not shown) a packet with a forged 192.168.x.x
# source arriving on ether1 also matches; in-interface-list=LAN would close that.
add action=accept chain=input comment="LIST allowed_to_router" \
src-address-list=allowed_to_router
# ICMP to the router accepted from any interface, unrated.
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# ---- forward chain ----
# No terminal drop is visible here either: new connections from bridge-lan are
# allowed by the default accept, which is fine for a home LAN but worth knowing.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
# NOTE(review): MikroTik's IPsec examples keep policy-matched traffic out of
# fasttrack (ipsec-policy=out,none on this rule plus a second one with
# ipsec-policy=in,none), since fasttracked TCP/UDP connections can bypass the
# IPsec policy. Worth checking here because the LAN->VPN direction is the one
# that fails; ICMP is not fasttracked, so pings are not explained by this.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
# Egress filter: LAN may not reach private/bogon ranges through a non-LAN
# interface. VPN client addresses are inside not_in_internet; if RouterOS
# reports ether1 as the out-interface for traffic that is about to be encrypted,
# NEW connections from LAN to a VPN client land here -- the "!public_from_LAN"
# log prefix will show it. Replies to VPN-initiated connections are already
# accepted by the established/related rule above.
add action=drop chain=forward comment=\
"Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge-lan log=yes log-prefix=\
!public_from_LAN out-interface=!bridge-lan
# Inbound from WAN: only port-forwarded (dstnat) connections may start.
# VPN traffic is exempt because the ipsec-policy accept above runs first.
add action=drop chain=forward comment=\
"Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
# Anti-spoof from WAN: private/bogon sources are dropped (forward only; the
# input chain has no equivalent).
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=ether1 \
log=yes log-prefix=!public src-address-list=not_in_internet
# Anti-spoof from LAN: sources must be 192.168.0.0/16.
add action=drop chain=forward comment=\
"Drop packets from LAN that do not have LAN IP" in-interface=bridge-lan \
log=yes log-prefix=LAN_!LAN src-address=!192.168.0.0/16
# ---- SSH brute-force throttling (input) ----
# These sit after the allowed_to_router accept, so only sources outside that
# list are staged: 3 new SSH connections within a minute -> ssh_blacklist for
# 3 days. Without a terminal input drop, port 22 stays open to any source that
# has not yet reached stage 3.
add action=drop chain=input comment="Drop SSH brutforce" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input comment=Stage1 connection-state=new \
dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input comment=Stage2 connection-state=new \
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input comment=Stage3 connection-state=new \
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=3d chain=input comment="block address 3d" \
connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
/ip firewall nat
# Masquerade everything leaving ether1, including decrypted VPN-client traffic
# bound for the internet (hence clients appear with the router's public IP).
# NOTE(review): a connection initiated from the LAN towards a VPN client is also
# routed out ether1 before encryption and may be masqueraded first; MikroTik's
# IPsec examples place "add action=accept chain=srcnat ipsec-policy=out,ipsec"
# ahead of the masquerade rule to prevent that -- confirm whether it applies.
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
# Server side authenticates with a Let's Encrypt certificate; clients
# authenticate via EAP against RADIUS (the local User Manager, see /radius).
# generate-policy=port-strict creates a per-client policy from the template.
add auth-method=eap-radius certificate=\
letsencrypt-autogen_2023xxxxxxx.pem_0 \
generate-policy=port-strict mode-config=ike2-modconf peer=peerike2 \
policy-template-group=ike2
/ip ipsec policy
# Template: any source <-> the VPN pool; generated policies are expected to
# narrow dst to the client's assigned address.
add dst-address=192.168.2.0/24 group=ike2 proposal=proposal-ike2 src-address=\
0.0.0.0/0 template=yes
/radius
# RADIUS server is the router's own User Manager on loopback (shared secret not
# exported). Used for both PPP and IPsec (EAP) authentication.
add address=127.0.0.1 service=ppp,ipsec
/radius incoming
# Accept Disconnect/CoA messages from the configured RADIUS server.
set accept=yes
/routing bfd configuration
# BFD enabled on all interfaces, including ether1; no routing neighbours are
# visible, so presumably unused -- TODO confirm.
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
# NOTE(review): in tz-database (POSIX) sign convention "Etc/GMT+3" is UTC-3,
# not UTC+3. Wrong local time affects log timestamps and certificate validity
# checks -- confirm this is the intended zone.
set time-zone-name=Etc/GMT+3
/system identity
set name=Core
/system ntp client
set enabled=yes
/system ntp server
# NTP server enabled (broadcast/multicast/manycast too); no interface
# restriction is shown, so with no terminal input drop UDP/123 is also
# answerable from ether1.
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=no.pool.ntp.org
add address=time4.google.com
/user-manager
set enabled=yes
/user-manager router
# The router itself registered as a RADIUS client of User Manager
# (matches the 127.0.0.1 entry under /radius).
add address=127.0.0.1 name=router1
Routes on the Windows 10 laptop I’m connecting from:
