Hello All,
New here, so please forgive me if that is not in the right place. I have a Mikrotik RB 750Gr3 with firmware mt7621L factory firmware 6.44.5 and current firmware if 6.46.8 It is connected to my modem. I have a Bluecave on port 1 that is setup as an AIMesh - AP with another Bluecave (wireless) as a repeater. All the Bluecaves have the latest firmware installed.
I have a Glaxy S9+, when I get home from work it connects but without internet. I have tried all the normal fixes, reboot phone, turn on/off wireless, forget network, and so on. This cannot be the answer. I’m trying to find out why when the cell phone reconnects to the network, (it get’s the same IP) it’s MAC is the same but for some reason it cannot get out to the internet. I can see the phone in the list under IP/DHCP server/ leases and I can see the phone connected to the Bluecave. Any suggestions please!
Here is a copy of the config:

dec/07/2020 13:08:02 by RouterOS 6.46.8

software id = P8L0-USWK

model = RB750Gr3

serial number = C55D0B398869

/interface ovpn-client
add cipher=aes256 connect-to=216.243.2.74 mac-address=02:E6:6E:D7:41:98 name=
ovpn-EVERETT-WAVE password=************************** user=Reafs
add cipher=aes256 connect-to=174.127.185.34 mac-address=02:E6:6E:D7:41:98
name=ovpn-WESTIN-WAVE password=************************** user=Reafs
/interface bridge
add admin-mac=C4:AD:34:C6:25:87 auto-mac=no comment=defconf name=bridge
/interface ethernet switch
set 0 name=Reafs
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default ranges=10.1.249.10-10.1.249.254
/ip dhcp-server
add add-arp=yes address-pool=default disabled=no interface=bridge lease-time=
2d name=default
/user group
set full policy=“local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas
sword,web,sniff,sensitive,api,romon,dude,tikapp”
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.1.249.1/24 comment=defconf interface=bridge network=10.1.249.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=10.1.249.0/24 comment=defconf dns-server=
10.1.249.1,10.1.0.50,10.1.1.50,10.1.1.6 domain=domain.com gateway=
10.1.249.1 ntp-server=10.1.0.5
/ip dns
set allow-remote-requests=yes servers=10.1.0.50,10.1.1.50
/ip firewall address-list
add address=10.0.0.0/8 list=VPN
/ip firewall filter
add action=drop chain=input dst-address-list=!VPN dst-port=53 protocol=udp
src-address-list=!VPN
add action=accept chain=input dst-address-list=VPN src-address-list=VPN
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=dstnat dst-address-list=VPN src-address-list=VPN
add action=accept chain=srcnat dst-address-list=VPN src-address-list=VPN
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=10.0.0.0/8 gateway=ovpn-WESTIN-WAVE
add distance=2 dst-address=10.0.0.0/8 gateway=ovpn-EVERETT-WAVE
add distance=1 dst-address=10.1.1.0/24 gateway=ovpn-EVERETT-WAVE
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=“Reafs VPN”
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Update:
I have noticed that our Peloton also will “timeout” and show as connected without internet, and the firestick attached to the tv upstairs. If I remove them from the DHCP Server/leases list they auto connect and have internet.
I have changed the lease time to 1hr, and watched. The phone, Peloton, and firestick all showed as connected to the internet. I reset the lease time to 4 hours, and very close to this new lease time my phone lost internet, and the so did the firestick. The firestick lost its connection to the internet while we were watching. I waited about a min. and then reconnected back to my SSID and it reconnected to the internet. The phone was not able to recover, and I had to remove it’s lease for it to reconnect to the internet.
** I would sure like to hear back from someone with an idea of what could be causing this.**

Is there a reason you have add-arp=yes for the DHCP server? What if you change that to no?

Well I dont see anything else problematic.
I am assuming the wireless (bluecav?) units are NOT on port 1, as that is connected to your ISP (and presumably wan modem/ont).
(bridge only connects ports 2-5)