Mikrotik Fix

So, here is my main mikrotik config:

# 2025-05-14 11:28:52 by RouterOS 7.18.2
# software id = 9ZB7-ZQFH
#
# model = RB2011UiAS
# serial number = E7E30FB005C6
# Layer-2 layout of the main router: one VLAN-aware bridge, three VLAN
# interfaces on top of it, and the interface lists used by later sections.
# NOTE(review): vlan-filtering=yes is set, but ingress-filtering=no here (and
# on ether2-ether9 under /interface bridge port) means frames are not checked
# against the bridge VLAN table when they enter a port. Consider
# ingress-filtering=yes together with a frame-types restriction on access
# ports so only the expected tags are admitted.
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x4000 \
    vlan-filtering=yes
/interface ethernet
# NOTE(review): proxy-arp makes the router answer ARP on ether10 for addresses
# it reaches through other interfaces. Confirm this is still required; it
# widens what the 10.22.139.0/24 segment can resolve through this router.
set [ find default-name=ether10 ] arp=proxy-arp
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
    aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
# VLAN interfaces 10/11/12 carry the 192.168.2.0/24, 192.168.3.0/24 and
# 192.168.1.0/24 networks assigned under /ip address.
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan12 vlan-id=12
# Lists referenced by the firewall (wan) and by /tool mac-server (mac-winbox).
/interface list
add name=wan
add name=mac-winbox
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools, DHCP servers, PPP profiles and routing-protocol defaults.
# dhcp serves the untagged bridge network, dhcp_pool1-3 serve vlan10-12,
# and vpn is handed to PPP clients through the profiles below.
/ip pool
add name=dhcp ranges=172.16.3.224-172.16.3.254
add name=dhcp_pool1 ranges=192.168.2.64-192.168.2.200
add name=dhcp_pool2 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool3 ranges=192.168.1.2-192.168.1.100
add name=vpn ranges=192.168.89.2-192.168.89.255
# NOTE(review): dhcp1 leases addresses from 172.16.3.0/24 on bridge1, and the
# firewall gives that subnet unrestricted input and forward access. Any device
# that obtains a lease on the untagged bridge network is therefore fully
# trusted; confirm which physical ports that covers.
/ip dhcp-server
add address-pool=dhcp interface=bridge1 lease-time=1h30m name=dhcp1
add address-pool=dhcp_pool1 interface=vlan10 lease-time=1h30m name=dhcp2
add address-pool=dhcp_pool2 interface=vlan11 lease-time=1h30m name=dhcp3
add address-pool=dhcp_pool3 interface=vlan12 lease-time=1h30m name=dhcp4
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
# *0 and *FFFFFFFE are presumably the built-in default and default-encryption
# profiles; both give PPP clients 192.168.89.1 as the local end and an address
# from the vpn pool.
/ppp profile
set *0 local-address=192.168.89.1 remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# NOTE(review): the BGP template and the OSPF instance are enabled, but no BGP
# connection or OSPF interface template is visible in this export, so they
# presumably do nothing. Disable them if no routing protocol is in use.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Bridge port membership, connection-tracking and neighbor settings, and the
# bridge VLAN table. ether2-ether8 keep the default PVID, ether9 is an
# untagged port for VLAN 12, and sfp1 is untagged for VLAN 10.
# NOTE(review): ingress-filtering=no on ether2-ether9 leaves VLAN membership
# unenforced on ingress even though the bridge has vlan-filtering=yes.
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether6 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether7 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether8 internal-path-cost=\
    10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether9 internal-path-cost=\
    10 path-cost=10 pvid=12
add bridge=bridge1 interface=sfp1 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
# NOTE(review): discovery runs on every interface, which includes ether1 (the
# wan member), so the router advertises its identity and version on the
# upstream segment. Restricting discover-interface-list to an internal list
# avoids that.
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# VLAN table: 10 and 11 are tagged on ether5 and the bridge CPU port, 12 is
# untagged on ether9, and 7 is tagged on sfp1.
# NOTE(review): no /interface vlan with vlan-id=7 exists in this export, so
# the bridge1 (CPU port) membership for VLAN 7 appears unused; verify.
/interface bridge vlan
add bridge=bridge1 tagged=ether5,bridge1 vlan-ids=10,11
add bridge=bridge1 tagged=bridge1 untagged=ether9 vlan-ids=12
add bridge=bridge1 tagged=bridge1,sfp1 vlan-ids=7
# VPN servers and interface-list membership.
# NOTE(review): use-ipsec=yes lets clients use IPsec but does not enforce it,
# and the firewall accepts udp/1701 on every interface, so a client can bring
# up plain, unencrypted L2TP. use-ipsec=required rejects sessions that are not
# protected by IPsec.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
# NOTE(review): ether1 is a member of both wan and mac-winbox, and
# /tool mac-server allows the mac-winbox list. MAC-Telnet is therefore offered
# on the WAN-facing port and, going by this list, not on the internal ones,
# which looks inverted. Point mac-winbox at a trusted internal interface.
/interface list member
add interface=ether1 list=wan
add interface=ether1 list=mac-winbox
add interface=bridge1 list=LAN
# NOTE(review): md5 is listed as an accepted OpenVPN auth digest. Whether this
# server instance is enabled cannot be told from the export; if it is ever
# used, drop md5 from the list.
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:1B:07:ED:A5:E4 name=ovpn-server1
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): both /ppp secret entries in this export are limited to
# service=l2tp, so nothing visible here can log in over PPTP. Setting
# enabled=no and removing the GRE and tcp/1723 input rules closes the exposure.
set enabled=yes
# Layer-3 addressing, DHCP networks and DNS for the main router.
# ether10 (10.22.139.10/24) is the link toward the 10.22.x / 10.52.x networks
# that the routes and NAT rules refer to.
/ip address
add address=172.16.3.1/24 interface=bridge1 network=172.16.3.0
add address=192.168.2.1/24 interface=vlan10 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan11 network=192.168.3.0
add address=192.168.1.1/24 interface=vlan12 network=192.168.1.0
add address=10.22.139.10/24 interface=ether10 network=10.22.139.0
# NOTE(review): a published ARP entry makes this router answer ARP requests
# for 192.168.2.2 on vlan10 itself. 192.168.2.2 is also the address the second
# router uses on sfp-sfpplus1 and the gateway of the 192.168.7.0/24 route, so
# two devices may answer for the same address. Confirm this is intended.
/ip arp
add address=192.168.2.2 interface=vlan10 published=yes
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
# ether1 obtains its address by DHCP from upstream.
/ip dhcp-client
add interface=ether1
# Each DHCP network points clients at the router itself for DNS and gateway.
/ip dhcp-server network
add address=172.16.3.0/24 dns-server=172.16.3.1 gateway=172.16.3.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for
# anyone the input chain lets through. Here only the final input drop rule
# keeps it from answering queries arriving on the wan list, so that rule must
# stay last in the chain.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# Static A records that override public resolution of these names with
# private 10.52.x addresses.
/ip dns static
add address=10.52.31.91 comment=ENNA1 name=knz-wl-app.konzum.hr type=A
add address=10.52.35.75 comment=ENNA2 name=wms-app.konzum.hr type=A
add address=10.52.52.7 comment=ENNA3 name=wms-master.konzum.hr type=A
add address=10.52.52.107 comment=ENNA4 name=wmsknz7.konzum.hr type=A
# Firewall filter for the main router. Rules are matched top to bottom within
# each chain; input and forward rules are interleaved here but evaluated
# independently. Both chains end in an unconditional drop.
/ip firewall filter
add action=accept chain=input protocol=icmp
# NOTE(review): GRE and tcp/1723 are opened on ether1 for PPTP only. No
# /ppp secret in this export permits service=pptp, so these two rules (and the
# PPTP server) look removable.
add action=accept chain=input in-interface=ether1 protocol=gre
add action=accept chain=input dst-port=1723 in-interface=ether1 protocol=tcp
# NOTE(review): full access to the router for one source address, matched on
# any interface including ether1. Adding an in-interface matcher (presumably
# vlan10, which carries 192.168.2.0/24) ties the rule to the segment the host
# actually sits on.
add action=accept chain=input src-address=192.168.2.100
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
# NOTE(review): 172.16.3.0/24 on bridge1 may reach every forwarded destination
# and every service on the router. dhcp1 leases addresses from this range, so
# this is effectively "trust anything on the untagged bridge network".
add action=accept chain=forward in-interface=bridge1 src-address=\
    172.16.3.0/24
add action=accept chain=input in-interface=bridge1 src-address=172.16.3.0/24
# DNS over UDP is answered on every interface that is not in the wan list.
add action=accept chain=input dst-port=53 in-interface-list=!wan protocol=udp
# Internet access for the three VLAN subnets.
add action=accept chain=forward in-interface=vlan10 out-interface-list=wan \
    src-address=192.168.2.0/24
add action=accept chain=forward in-interface=vlan11 out-interface-list=wan \
    src-address=192.168.3.0/24
add action=accept chain=forward in-interface=vlan12 out-interface-list=wan \
    src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.200 in-interface=vlan10 \
    out-interface=vlan12 src-address=192.168.2.0/24
# NOTE(review): the paired rules from here to the forward drop admit new
# connections in both directions and match on addresses only. Because
# established,related is already accepted above, the reverse rule of each pair
# is needed only when the remote side must initiate. Where it need not,
# removing that rule narrows what 10.22.131.0/24, 10.22.139.0/24 and the
# 10.52.x hosts can open toward 192.168.2.0/24 and 192.168.7.0/24. Adding
# in-interface/out-interface matchers would also stop the rules matching
# traffic that arrives on an unexpected port.
add action=accept chain=forward comment=CAPSMAN dst-address=192.168.2.0/24 \
    src-address=192.168.7.0/24
add action=accept chain=forward comment=CAPSMAN dst-address=192.168.7.0/24 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment="ENNA FRUIT HRVATSKA" dst-address=\
    10.22.131.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment="ENNA FRUIT HRVATSKA" dst-address=\
    192.168.2.0/24 src-address=10.22.131.0/24
add action=accept chain=forward comment=ENNA1 dst-address=10.52.31.91 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment=ENNA1 dst-address=192.168.2.0/24 \
    src-address=10.52.31.91
add action=accept chain=forward comment=ENNA2 dst-address=10.52.35.75 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment=ENNA2 dst-address=192.168.2.0/24 \
    src-address=10.52.35.75
add action=accept chain=forward comment=ENNA3 dst-address=10.52.52.7 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment=ENNA3 dst-address=192.168.2.0/24 \
    src-address=10.52.52.7
add action=accept chain=forward comment=ENNA4 dst-address=10.52.52.107 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment=ENNA4 dst-address=192.168.2.0/24 \
    src-address=10.52.52.107
add action=accept chain=forward comment="PRINTERI FORWARDING" dst-address=\
    10.22.139.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment="PRINTERI FORWARDING" dst-address=\
    192.168.2.0/24 src-address=10.22.139.0/24
add action=accept chain=forward comment="PRINTERI FORWARD .1" dst-address=\
    192.168.7.0/24 src-address=10.22.139.0/24
add action=accept chain=forward comment="PRINTERI FORWARD .1" dst-address=\
    10.22.139.0/24 src-address=192.168.7.0/24
# Default deny for forwarded traffic. VPN clients in 192.168.89.0/24 have no
# accept rule above, so their forwarded traffic ends here.
add action=drop chain=forward
# NOTE(review): the three VPN control ports below are accepted on every
# interface. udp/1701 in particular is reachable without IPsec; matching
# ipsec-policy=in,ipsec on that rule would accept L2TP only when it arrives
# inside an IPsec SA.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# Default deny for traffic addressed to the router itself.
add action=drop chain=input
# NAT for the main router: the printers are presented as 10.22.139.11-13 on
# the ether10 side, traffic toward the partner hosts is masqueraded out of
# ether10, and everything leaving via the wan list is masqueraded.
/ip firewall nat
# NOTE(review): ZEBRA1 and CANON are translated with no protocol or port
# matcher, so every service on 192.168.2.211 and 192.168.2.212 is reachable by
# whoever can reach 10.22.139.11 / 10.22.139.13. ZEBRA2 below is limited to
# tcp/515; limiting the other two to the ports that are actually needed would
# reduce the exposed surface in the same way.
add action=dst-nat chain=dstnat comment="ZEBRA1 DSTNAT" dst-address=\
    10.22.139.11 log=yes to-addresses=192.168.2.211
add action=src-nat chain=srcnat comment="ZEBRA1 SRCNAT" log=yes src-address=\
    192.168.2.211 to-addresses=10.22.139.11
# Only tcp/515 sent to 10.22.139.12 is translated to 192.168.7.211. Any other
# port addressed to 10.22.139.12 (telnet, for example) is not forwarded by
# this rule.
add action=dst-nat chain=dstnat comment="ZEBRA2 DSTNAT" dst-address=\
    10.22.139.12 dst-port=515 log=yes protocol=tcp to-addresses=192.168.7.211 \
    to-ports=515
# NOTE(review): this matches only packets that still carry 192.168.7.211 as
# their source. The second router masquerades what leaves sfp-sfpplus1, so
# connections opened by that printer presumably arrive here as 192.168.2.2 and
# do not match; verify.
add action=src-nat chain=srcnat comment="ZEBRA2 SRCNAT" log=yes src-address=\
    192.168.7.211 to-addresses=10.22.139.12
add action=dst-nat chain=dstnat comment="CANON DSTNAT" dst-address=\
    10.22.139.13 log=yes to-addresses=192.168.2.212
add action=src-nat chain=srcnat comment="CANON SRCNAT" log=yes src-address=\
    192.168.2.212 to-addresses=10.22.139.13
# Masquerade 192.168.2.0/24 behind 10.22.139.10 when it talks to the partner
# networks. The far side sees a single source address for the whole subnet.
add action=masquerade chain=srcnat comment="TELEKOM HRVATSKA SERVER" \
    dst-address=10.22.131.0/24 out-interface=ether10 src-address=\
    192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.1.200 out-interface=\
    vlan12 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=ENNA1 dst-address=10.52.31.91 \
    out-interface=ether10 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=ENNA2 dst-address=10.52.35.75 \
    out-interface=ether10 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=ENNA3 dst-address=10.52.52.7 \
    out-interface=ether10 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=ENNA4 dst-address=10.52.52.107 \
    out-interface=ether10 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=wan
# NOTE(review): no out-interface matcher, so VPN client traffic is masqueraded
# toward every destination and internal hosts log the router's address rather
# than the client's. Scope it to the interfaces where hiding the source is
# actually required.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
# IPsec dead-peer-detection tuning and static routes.
# No IPsec peer, identity or proposal appears in this export; the L2TP server
# presumably creates them dynamically when use-ipsec is on. Verify.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Partner networks are reached through 10.22.139.1 on the ether10 segment.
# 192.168.7.0/24 (the network behind the second router) goes via 192.168.2.2.
/ip route
add comment="ENNA FRUIT HRVATSKA" disabled=no distance=1 dst-address=\
    10.22.131.0/24 gateway=10.22.139.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=ENNA3 disabled=no distance=1 dst-address=10.52.52.0/24 gateway=\
    10.22.139.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=ENNA1 disabled=no distance=1 dst-address=10.52.31.91/32 gateway=\
    10.22.139.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=ENNA2 disabled=no distance=1 dst-address=10.52.35.75/32 gateway=\
    10.22.139.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.7.0/24 gateway=192.168.2.2 routing-table=\
    main suppress-hw-offload=no
# Management services, PPP accounts and system settings.
# NOTE(review): telnet, ftp, api and api-ssl are disabled and www-ssl is
# enabled. www, ssh and winbox are not listed, so they are presumably at their
# defaults; confirm which of them are enabled. No address= restriction is set
# on any service, so reachability is controlled by the input chain alone. No
# certificate is shown for www-ssl; verify that one is assigned.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
# Both accounts may log in over L2TP only. Passwords are not part of this
# export. pijaca is given 192.168.2.211 as its tunnel address, the same
# address the ZEBRA1 NAT rules translate to, so that printer is presumably
# reached through this tunnel.
# NOTE(review): with use-ipsec=yes (not required) on the L2TP server, that
# tunnel can come up without encryption.
/ppp secret
add name=vpn service=l2tp
add local-address=192.168.2.1 name=pijaca remote-address=192.168.2.211 \
    service=l2tp
# NOTE(review): BFD is enabled on all interfaces although no routing protocol
# session is visible in this export. Disable it if it is unused.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Podgorica
/system logging
add topics=l2tp
/system note
set show-at-login=no
# NOTE(review): the allowed list configured on the following line is
# mac-winbox, whose only member in this export is ether1, the WAN-facing port.
/tool mac-server
set allowed-interface-list=mac-winbox

Secondary mt config:

This is my capsman router config: 

 # 2025-05-14 08:39:10 by RouterOS 7.18.2
# software id = QCN0-ZBPA
#
# model = RB4011iGS+
# serial number = HFJ0953JM27
# Second router (CAPsMAN controller): a plain bridge with no VLAN filtering,
# the CAPsMAN wireless configuration, and DHCP for 192.168.7.0/24.
/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] mac-address=78:9A:18:EC:5E:9C
# local-forwarding=no sends client traffic through the manager, where it is
# bridged into bridge1.
# NOTE(review): authentication-types still includes wpa-psk next to wpa2-psk,
# so the SSID accepts original WPA associations. Keep wpa2-psk only unless a
# client that cannot do WPA2 really exists. The passphrase is not part of this
# export.
/caps-man configuration
add datapath.bridge=bridge1 .local-forwarding=no name=Config1 \
    security.authentication-types=wpa-psk,wpa2-psk ssid=EnnaFruit
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.7.101-192.168.7.199
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
# NOTE(review): no certificate or require-peer-certificate setting is shown,
# so the manager presumably accepts any CAP that can reach it; verify.
/caps-man manager
set enabled=yes
# The manager listens on bridge1 only; every other interface is forbidden.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
# NOTE(review): the provisioning rule has no radio-mac or identity matcher, so
# any radio that connects gets Config1 and is enabled automatically. Every
# ethernet port is a member of bridge1, so that includes any device plugged
# into this router.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config1
# Bridge membership, addressing and DNS for the second router. ether1-ether10
# are all ports of bridge1 (192.168.7.0/24); sfp-sfpplus1 is the routed uplink
# with 192.168.2.2/24.
/interface bridge port
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# The WAN list holds the uplink toward the main router. Neither list is
# referenced by the firewall rules in this export.
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
add mac-address=FE:58:7C:22:82:F7 name=ovpn-server1
/ip address
add address=192.168.7.1/24 interface=bridge1 network=192.168.7.0
add address=192.168.2.2/24 interface=sfp-sfpplus1 network=192.168.2.0
# Clients in 192.168.7.0/24 are told to resolve through the main router
# (192.168.2.1), so the static records below are not what those clients see
# unless they query this router directly.
/ip dhcp-server network
add address=192.168.7.0/24 dns-server=192.168.2.1 gateway=192.168.7.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.52.31.91 name=knz-wl-app.konzum.hr type=A
add address=10.52.35.75 name=wms-app.konzum.hr type=A
add address=10.52.52.7 name=wms-master.konzum.hr type=A
add address=10.52.52.107 name=wmsknz7.konzum.hr type=A
# Firewall, NAT, routes and system settings for the second router.
# NOTE(review): this filter table contains accept rules only. With no drop
# rule at the end of input or forward, everything is permitted and the accept
# rules have no effect. If this router is meant to filter, add an
# established,related accept and a final drop per chain, as on the main router.
# NOTE(review): there is no /ip service or /tool mac-server section in this
# export, so management services are presumably at their defaults and, given
# the open input chain, reachable from both 192.168.7.0/24 and 192.168.2.0/24.
# Verify and disable what is not needed.
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=forward comment=CAPSMAN dst-address=192.168.7.0/24 \
    src-address=192.168.2.0/24
add action=accept chain=forward comment=CAPSMAN dst-address=192.168.2.0/24 \
    src-address=192.168.7.0/24
add action=accept chain=forward comment="PRINTERI FORWARD .1" dst-address=\
    10.22.139.0/24 src-address=192.168.7.0/24
add action=accept chain=forward comment="PRINTERI FORWARD .1" dst-address=\
    192.168.7.0/24 src-address=10.22.139.0/24
# NOTE(review): every connection opened from 192.168.7.0/24 leaves with source
# 192.168.2.2. On the main router, rules and logs keyed on 192.168.7.x sources
# will therefore not match such connections, and individual wireless clients
# cannot be told apart there.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Default route and the 10.22.139.0/24 route both point at the main router.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.22.139.0/24 gateway=192.168.2.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=flash/pub
/system clock
set time-zone-name=Europe/Podgorica
/system identity
set name="RedKomerc MikroTik"
/system note
set show-at-login=no
# NOTE(review): the trailing "." on the last line looks like sentence
# punctuation from the post rather than part of the exported value.
/system routerboard settings
set enter-setup-on=delete-key.

A client on the 10.22.139.0/24 network can telnet to the printers at 192.168.2.211 and 192.168.2.212, but cannot telnet to 192.168.7.211.