VLANs and L2 VPN

Hi,
How do I get a working VPN-to-VLAN connection? There are 4 VLANs on the router (bridge VLAN filtering); the VPN should land in VLAN ID 10.
Vlan10 192.168.40.0/24
Vlan11 192.168.41.0/24
Vlan12 192.168.42.0/24
Vlan13 192.168.43.0/24
Openvpn pool: 192.168.40.200-210
OpenVPN in TAP mode; the server is a MikroTik, the client is Windows. The connection comes up, but there is no communication (ping, Winbox) with 192.168.40.1.


# mar/23/2022 12:04:44 by RouterOS 7.1.5
# software id = KLKM-4308
#
# model = CCR2004-16G-2S+
# serial number = HB307Z7B3E0
# NOTE(review): this looks like a plain /export (no show-sensitive), so PPP passwords and
# certificate material are not shown; their absence below is not evidence that they are unset.
/interface bridge
# One VLAN-aware bridge. pvid=10 makes untagged traffic on the bridge itself VLAN 10.
# NOTE(review): arp=proxy-arp is unrelated to TAP bridging and can mask VLAN reachability
# problems while the VPN port is being debugged - confirm it is intended.
add arp=proxy-arp ingress-filtering=no name=bridgeTrunk pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1
set [ find default-name=ether2 ] comment=WAN2
set [ find default-name=ether3 ] comment="Link to 1G"
set [ find default-name=sfp-sfpplus1 ] comment=WAN0
set [ find default-name=sfp-sfpplus2 ] comment="Link to 10G & PoE"
/interface ovpn-server
# Static OVPN server interface bound to the single PPP secret "user" (see /ppp secret).
add name=ovpn-in1 user=user
/interface vlan
# L3 VLAN interfaces on the bridge; they carry the per-VLAN gateway addresses (/ip address).
add interface=bridgeTrunk name=vlan-10 vlan-id=10
add interface=bridgeTrunk name=vlan-11 vlan-id=11
add interface=bridgeTrunk name=vlan-12 vlan-id=12
add interface=bridgeTrunk name=vlan-13 vlan-id=13
/interface list
add name=WAN
add name=LAN
# VPN holds only ovpn-in1 (see /interface list member).
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN11_pool ranges=192.168.41.100-192.168.41.199
add name=VLAN12_pool ranges=192.168.42.100-192.168.42.199
add name=VLAN13_pool ranges=192.168.43.100-192.168.43.199
add name=VLAN10_pool ranges=192.168.40.100-192.168.40.199
# VPN client addresses live inside the VLAN 10 subnet (needed for TAP bridging into VLAN 10)
# and do not overlap VLAN10_pool (.100-.199).
add name=ovpn ranges=192.168.40.200-192.168.40.210
/ip dhcp-server
add address-pool=VLAN11_pool authoritative=after-2sec-delay interface=vlan-11 lease-time=20m name=dhcp_vlan11
add address-pool=VLAN12_pool authoritative=after-2sec-delay interface=vlan-12 lease-time=20m name=dhcp_vlan12
add address-pool=VLAN10_pool interface=vlan-10 lease-time=20m name=dhcp_vlan10
add address-pool=VLAN13_pool interface=vlan-13 lease-time=20m name=dhcp_vlan13
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# NOTE(review): local-address and remote-address both draw from the "ovpn" pool, so each
# session takes two pool addresses and the server side gets a dynamic point-to-point
# address on the ovpn interface (the 192.168.40.201 -> 192.168.40.202 entry reported after
# connecting). For a bridged (TAP) session consider local-address=192.168.40.1, and bridge=
# to have the dynamic ovpn interface added to bridgeTrunk automatically - verify on 7.1.5.
add dns-server=192.168.40.1 local-address=ovpn name=ovpn remote-address=ovpn use-encryption=yes use-ipv6=no
/routing table
# Per-WAN routing tables for the (currently disabled) failover routes below.
add disabled=no fib name=to_ETH1
add disabled=no fib name=to_ETH2
/interface bridge filter
# NOTE(review): packetOVPN is not referenced anywhere else in this export, so this
# bridge-filter mark currently has no effect.
add action=mark-packet chain=input in-interface-list=VPN new-packet-mark=packetOVPN
/interface bridge port
# Access ports: pvid is the VLAN for untagged ingress. NOTE(review): ingress-filtering=no
# also accepts tagged frames for VLANs the port is not a member of; on host-facing access
# ports, ingress-filtering=yes with frame-types=admit-only-untagged-and-priority-tagged
# keeps each host inside its pvid VLAN.
add bridge=bridgeTrunk ingress-filtering=no interface=ether10 pvid=10
add bridge=bridgeTrunk ingress-filtering=no interface=ether11 pvid=11
add bridge=bridgeTrunk ingress-filtering=no interface=ether12 pvid=11
add bridge=bridgeTrunk ingress-filtering=no interface=ether13 pvid=12
add bridge=bridgeTrunk ingress-filtering=no interface=ether9 pvid=10
add bridge=bridgeTrunk ingress-filtering=no interface=ether14 pvid=12
add bridge=bridgeTrunk ingress-filtering=no interface=ether15 pvid=13
add bridge=bridgeTrunk ingress-filtering=no interface=ether16 pvid=13
# Trunk ports: pvid=10 for untagged frames, tagged for all four VLANs (see /interface bridge vlan).
add bridge=bridgeTrunk interface=ether8 pvid=10
add bridge=bridgeTrunk interface=ether7 pvid=10
add bridge=bridgeTrunk interface=ether6 pvid=10
add bridge=bridgeTrunk interface=ether5 pvid=10
add bridge=bridgeTrunk interface=ether4 pvid=10
add bridge=bridgeTrunk interface=ether3 pvid=10
add bridge=bridgeTrunk interface=sfp-sfpplus2 pvid=10
# NOTE(review): "VPN" is defined above as an interface list, not an interface, whereas the
# VLAN table below lists the interface ovpn-in1 as untagged in VLAN 10. Confirm the ovpn
# interface really shows up as a bridge port while a client is connected
# (/interface bridge port print). tag-stacking=yes pushes an extra pvid tag on ingress
# (as documented for bridge ports) and is not wanted on a plain access port.
add bridge=bridgeTrunk ingress-filtering=no interface=VPN pvid=10 tag-stacking=yes
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is enabled on every interface, WAN members included;
# discover-interface-list=LAN keeps the router from advertising itself upstream.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
# VLAN membership. ether3-ether8 and sfp-sfpplus2 are tagged for all four VLANs;
# bridgeTrunk itself is tagged so the vlan-1x interfaces see traffic. ovpn-in1 is untagged
# in VLAN 10 here, while the bridge-port entry above references the list "VPN".
add bridge=bridgeTrunk tagged=ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus2,bridgeTrunk untagged=ether9,ether10,ovpn-in1 vlan-ids=10
add bridge=bridgeTrunk tagged=sfp-sfpplus2,bridgeTrunk,ether3,ether4,ether5,ether6,ether7,ether8 untagged=ether11,ether12 vlan-ids=11
add bridge=bridgeTrunk tagged=ether8,sfp-sfpplus2,bridgeTrunk,ether3,ether4,ether5,ether6,ether7 untagged=ether13,ether14 vlan-ids=12
add bridge=bridgeTrunk tagged=ether8,sfp-sfpplus2,bridgeTrunk,ether3,ether4,ether5,ether6,ether7 untagged=ether15,ether16 vlan-ids=13
/interface list member
# LAN = the bridge and the four VLAN interfaces; WAN = ether1, ether2, sfp-sfpplus1; VPN = ovpn-in1.
add interface=ether1 list=WAN
add interface=bridgeTrunk list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=vlan-10 list=LAN
add interface=vlan-11 list=LAN
add interface=vlan-12 list=LAN
add interface=vlan-13 list=LAN
add interface=ether2 list=WAN
add interface=ovpn-in1 list=VPN
/interface ovpn-server server
# mode=ethernet is TAP (L2) mode; client certificates are required. NOTE(review): the
# non-standard port is not access control - see the input chain under /ip firewall filter.
set certificate=Server cipher=aes128,aes192,aes256 default-profile=ovpn enabled=yes mode=ethernet port=37193 protocol=udp require-client-certificate=yes
/ip address
# Gateway addresses, one per VLAN interface; 192.168.40.1 is the VLAN 10 / VPN target.
add address=192.168.41.1/24 comment=VLAN11 interface=vlan-11 network=192.168.41.0
add address=192.168.42.1/24 comment=VLAN12 interface=vlan-12 network=192.168.42.0
add address=192.168.43.1/24 comment=VLAN13 interface=vlan-13 network=192.168.43.0
add address=192.168.40.1/24 comment=VLAN10 interface=vlan-10 network=192.168.40.0
/ip cloud
# Publishes the WAN address via MikroTik cloud DDNS.
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add interface=ether1
add interface=ether2
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1 netmask=24
add address=192.168.41.0/24 dns-server=192.168.41.1 gateway=192.168.41.1
add address=192.168.42.0/24 dns-server=192.168.42.1 gateway=192.168.42.1
add address=192.168.43.0/24 dns-server=192.168.43.1 gateway=192.168.43.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for whoever can reach
# port 53. With the input chain below effectively open, that includes the WAN side; enable
# the "drop all not coming from LAN" input rule or restrict dst-port 53 to the LAN list.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall address-list
# Cross-VLAN block lists for VLAN 10, 11 and 12. NOTE(review): there is no VLAN13block list
# and no matching forward rule, so VLAN 13 is not isolated from the others.
add address=192.168.40.0/24 list=VLAN11block
add address=192.168.42.0/24 list=VLAN11block
add address=192.168.43.0/24 list=VLAN11block
add address=192.168.41.0/24 list=VLAN10block
add address=192.168.42.0/24 list=VLAN10block
add address=192.168.43.0/24 list=VLAN10block
add address=192.168.40.0/24 list=VLAN12block
add address=192.168.41.0/24 list=VLAN12block
add address=192.168.43.0/24 list=VLAN12block
/ip firewall filter
# NOTE(review): every input and forward rule except "Allow OVPN" is disabled=yes. As exported
# the input chain has no drop, so www (37080), winbox (37291), DNS and the OVPN port are
# reachable from the WAN side, and the forward chain passes everything, including the
# traffic the inter-VLAN block rules are meant to stop. Presumably disabled while
# troubleshooting the VPN; re-enable the input rules and "drop all from WAN not DSTNATed"
# once the VPN path works.
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="Allow OVPN" dst-port=37193 protocol=udp
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="VLAN10  to 11,12,13 block" disabled=yes dst-address-list=VLAN10block src-address=192.168.40.0/24
add action=drop chain=forward comment="VLAN11 to 10,12,13 block" disabled=yes dst-address-list=VLAN11block src-address=192.168.41.0/24
add action=drop chain=forward comment="VLAN12 to 10,11,13 block" disabled=yes dst-address-list=VLAN12block src-address=192.168.42.0/24
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall mangle
# Output-chain marks steer the router's own traffic per WAN; part of the disabled failover setup.
add action=mark-connection chain=output comment=ETH1_ConnectionMark connection-mark=no-mark connection-state=new new-connection-mark=ETH1_conn out-interface=ether1 passthrough=\
    yes
add action=mark-connection chain=output comment=ETH2_ConnectionMark connection-mark=no-mark connection-state=new new-connection-mark=ETH2_conn out-interface=ether2 passthrough=\
    yes
add action=mark-routing chain=output comment=ETH1_RoutingMark connection-mark=ETH1_conn new-routing-mark=to_ETH1 out-interface=ether1 passthrough=yes
add action=mark-routing chain=output comment=ETH2_RoutingMark connection-mark=ETH2_conn new-routing-mark=to_ETH2 out-interface=ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
# Failover probe routes (8.8.8.8 via 192.168.1.1, 8.8.4.4 via 192.168.88.1 - presumably the
# two upstream gateways); the recursive default routes in to_ETH1/to_ETH2 are disabled.
add comment=Failover disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment=Failover disabled=no dst-address=8.8.4.4/32 gateway=192.168.88.1 routing-table=main scope=10 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=to_ETH1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_ETH1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=to_ETH2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_ETH2 scope=30 suppress-hw-offload=no target-scope=10
/ip service
# NOTE(review): telnet, ftp, ssh, api and api-ssl are disabled. www and winbox are only moved
# to non-standard ports; add address= restrictions (the LAN subnets) so management is not
# reachable from WAN while the input chain is open. www-ssl does not appear in this export,
# so web management is plain HTTP - consider www-ssl with a certificate instead.
set telnet disabled=yes
set ftp disabled=yes
set www port=37080
set ssh disabled=yes
set api disabled=yes
set winbox port=37291
set api-ssl disabled=yes
/ppp secret
# The password is presumably hidden by the export (no show-sensitive) - confirm a strong one
# is set; with require-client-certificate=yes a client certificate is needed as well.
add name=user profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
# MAC-telnet and MAC-winbox limited to the LAN list (bridge and VLAN interfaces, not WAN).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’m not sure exactly what effect it has, but tag-stacking=yes doesn’t look right to me.

OK, after a little investigation I noticed that there is communication with the 192.168.40.0 network. I plugged some devices into it and I can ping them and open their web portals. BUT there is no ping to the router (192.168.40.1), no Winbox, no WWW.
Tag-stacking removed; this is the current export:

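# mar/24/2022 10:40:42 by RouterOS 7.1.5
# software id = KLKM-4308
#
# model = CCR2004-16G-2S+
# serial number = HB307Z7B3E0
# NOTE(review): this looks like a plain /export (no show-sensitive), so PPP passwords and
# certificate material are not shown; their absence below is not evidence that they are unset.
/interface bridge
# One VLAN-aware bridge. pvid=10 makes untagged traffic on the bridge itself VLAN 10.
# NOTE(review): arp=proxy-arp is unrelated to TAP bridging and can mask VLAN reachability
# problems while the VPN port is being debugged - confirm it is intended.
add arp=proxy-arp ingress-filtering=no name=bridgeTrunk pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN1
set [ find default-name=ether2 ] comment=WAN2
set [ find default-name=ether3 ] comment="Link to 1G"
set [ find default-name=sfp-sfpplus1 ] comment=WAN0
set [ find default-name=sfp-sfpplus2 ] comment="Link to 10G & PoE"
/interface ovpn-server
# Static OVPN server interface bound to the single PPP secret "user" (see /ppp secret).
add name=ovpn-in1 user=user
/interface vlan
# L3 VLAN interfaces on the bridge; they carry the per-VLAN gateway addresses (/ip address).
add interface=bridgeTrunk name=vlan-10 vlan-id=10
add interface=bridgeTrunk name=vlan-11 vlan-id=11
add interface=bridgeTrunk name=vlan-12 vlan-id=12
add interface=bridgeTrunk name=vlan-13 vlan-id=13
/interface list
add name=WAN
add name=LAN
# VPN holds only ovpn-in1 (see /interface list member).
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=VLAN11_pool ranges=192.168.41.100-192.168.41.199
add name=VLAN12_pool ranges=192.168.42.100-192.168.42.199
add name=VLAN13_pool ranges=192.168.43.100-192.168.43.199
add name=VLAN10_pool ranges=192.168.40.100-192.168.40.199
# VPN client addresses live inside the VLAN 10 subnet (needed for TAP bridging into VLAN 10)
# and do not overlap VLAN10_pool (.100-.199).
add name=ovpn ranges=192.168.40.200-192.168.40.210
/ip dhcp-server
add address-pool=VLAN11_pool authoritative=after-2sec-delay interface=vlan-11 lease-time=20m name=dhcp_vlan11
add address-pool=VLAN12_pool authoritative=after-2sec-delay interface=vlan-12 lease-time=20m name=dhcp_vlan12
add address-pool=VLAN10_pool interface=vlan-10 lease-time=20m name=dhcp_vlan10
add address-pool=VLAN13_pool interface=vlan-13 lease-time=20m name=dhcp_vlan13
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# only-one=yes limits the secret to a single concurrent session.
# NOTE(review): local-address and remote-address both draw from the "ovpn" pool, so each
# session takes two pool addresses and the server side gets a dynamic point-to-point
# address on the ovpn interface (the 192.168.40.201 -> 192.168.40.202 entry reported after
# connecting). For a bridged (TAP) session consider local-address=192.168.40.1, and bridge=
# to have the dynamic ovpn interface added to bridgeTrunk automatically - verify on 7.1.5.
add dns-server=192.168.40.1 local-address=ovpn name=ovpn only-one=yes remote-address=ovpn use-encryption=yes use-ipv6=no
/routing table
# Per-WAN routing tables for the (currently disabled) failover routes below.
add disabled=no fib name=to_ETH1
add disabled=no fib name=to_ETH2
/interface bridge filter
# NOTE(review): packetOVPN is not referenced anywhere else in this export, so this
# bridge-filter mark currently has no effect.
add action=mark-packet chain=input in-interface-list=VPN new-packet-mark=packetOVPN
/interface bridge port
# Access ports: pvid is the VLAN for untagged ingress. NOTE(review): ingress-filtering=no
# also accepts tagged frames for VLANs the port is not a member of; on host-facing access
# ports, ingress-filtering=yes with frame-types=admit-only-untagged-and-priority-tagged
# keeps each host inside its pvid VLAN.
add bridge=bridgeTrunk ingress-filtering=no interface=ether10 pvid=10
add bridge=bridgeTrunk ingress-filtering=no interface=ether11 pvid=11
add bridge=bridgeTrunk ingress-filtering=no interface=ether12 pvid=11
add bridge=bridgeTrunk ingress-filtering=no interface=ether13 pvid=12
add bridge=bridgeTrunk ingress-filtering=no interface=ether9 pvid=10
add bridge=bridgeTrunk ingress-filtering=no interface=ether14 pvid=12
add bridge=bridgeTrunk ingress-filtering=no interface=ether15 pvid=13
add bridge=bridgeTrunk ingress-filtering=no interface=ether16 pvid=13
# Trunk ports: pvid=10 for untagged frames, tagged for all four VLANs (see /interface bridge vlan).
add bridge=bridgeTrunk interface=ether8 pvid=10
add bridge=bridgeTrunk interface=ether7 pvid=10
add bridge=bridgeTrunk interface=ether6 pvid=10
add bridge=bridgeTrunk interface=ether5 pvid=10
add bridge=bridgeTrunk interface=ether4 pvid=10
add bridge=bridgeTrunk interface=ether3 pvid=10
add bridge=bridgeTrunk interface=sfp-sfpplus2 pvid=10
# NOTE(review): "VPN" is defined above as an interface list, not an interface, whereas the
# VLAN table below lists the interface ovpn-in1 as untagged in VLAN 10. Confirm the ovpn
# interface really shows up as a bridge port while a client is connected
# (/interface bridge port print).
add bridge=bridgeTrunk ingress-filtering=no interface=VPN pvid=10
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is enabled on every interface, WAN members included;
# discover-interface-list=LAN keeps the router from advertising itself upstream.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface bridge vlan
# VLAN membership. ether3-ether8 and sfp-sfpplus2 are tagged for all four VLANs;
# bridgeTrunk itself is tagged so the vlan-1x interfaces see traffic. ovpn-in1 is untagged
# in VLAN 10 here, while the bridge-port entry above references the list "VPN".
add bridge=bridgeTrunk tagged=ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus2,bridgeTrunk untagged=ether9,ether10,ovpn-in1 vlan-ids=10
add bridge=bridgeTrunk tagged=sfp-sfpplus2,bridgeTrunk,ether3,ether4,ether5,ether6,ether7,ether8 untagged=ether11,ether12 vlan-ids=11
add bridge=bridgeTrunk tagged=ether8,sfp-sfpplus2,bridgeTrunk,ether3,ether4,ether5,ether6,ether7 untagged=ether13,ether14 vlan-ids=12
add bridge=bridgeTrunk tagged=ether8,sfp-sfpplus2,bridgeTrunk,ether3,ether4,ether5,ether6,ether7 untagged=ether15,ether16 vlan-ids=13
/interface list member
# LAN = the bridge and the four VLAN interfaces; WAN = ether1, ether2, sfp-sfpplus1; VPN = ovpn-in1.
add interface=ether1 list=WAN
add interface=bridgeTrunk list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=vlan-10 list=LAN
add interface=vlan-11 list=LAN
add interface=vlan-12 list=LAN
add interface=vlan-13 list=LAN
add interface=ether2 list=WAN
add interface=ovpn-in1 list=VPN
/interface ovpn-server server
# mode=ethernet is TAP (L2) mode; client certificates are required. NOTE(review): the
# non-standard port is not access control - see the input chain under /ip firewall filter.
set certificate=Server cipher=aes128,aes192,aes256 default-profile=ovpn enabled=yes mode=ethernet port=37193 protocol=udp require-client-certificate=yes
/ip address
# Gateway addresses, one per VLAN interface; 192.168.40.1 is the VLAN 10 / VPN target.
add address=192.168.41.1/24 comment=VLAN11 interface=vlan-11 network=192.168.41.0
add address=192.168.42.1/24 comment=VLAN12 interface=vlan-12 network=192.168.42.0
add address=192.168.43.1/24 comment=VLAN13 interface=vlan-13 network=192.168.43.0
add address=192.168.40.1/24 comment=VLAN10 interface=vlan-10 network=192.168.40.0
/ip cloud
# Publishes the WAN address via MikroTik cloud DDNS.
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add interface=ether1
add interface=ether2
/ip dhcp-server network
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1 netmask=24
add address=192.168.41.0/24 dns-server=192.168.41.1 gateway=192.168.41.1
add address=192.168.42.0/24 dns-server=192.168.42.1 gateway=192.168.42.1
add address=192.168.43.0/24 dns-server=192.168.43.1 gateway=192.168.43.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for whoever can reach
# port 53. With the input chain below effectively open, that includes the WAN side; enable
# the "drop all not coming from LAN" input rule or restrict dst-port 53 to the LAN list.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall address-list
# Cross-VLAN block lists for VLAN 10, 11 and 12. NOTE(review): there is no VLAN13block list
# and no matching forward rule, so VLAN 13 is not isolated from the others.
add address=192.168.40.0/24 list=VLAN11block
add address=192.168.42.0/24 list=VLAN11block
add address=192.168.43.0/24 list=VLAN11block
add address=192.168.41.0/24 list=VLAN10block
add address=192.168.42.0/24 list=VLAN10block
add address=192.168.43.0/24 list=VLAN10block
add address=192.168.40.0/24 list=VLAN12block
add address=192.168.41.0/24 list=VLAN12block
add address=192.168.43.0/24 list=VLAN12block
/ip firewall filter
# NOTE(review): every input and forward rule except "Allow OVPN" is disabled=yes. As exported
# the input chain has no drop, so www (37080), winbox (37291), DNS and the OVPN port are
# reachable from the WAN side, and the forward chain passes everything, including the
# traffic the inter-VLAN block rules are meant to stop. Presumably disabled while
# troubleshooting the VPN; re-enable the input rules and "drop all from WAN not DSTNATed"
# once the VPN path works.
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="Allow OVPN" dst-port=37193 protocol=udp
add action=drop chain=input comment="drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="VLAN10  to 11,12,13 block" disabled=yes dst-address-list=VLAN10block src-address=192.168.40.0/24
add action=drop chain=forward comment="VLAN11 to 10,12,13 block" disabled=yes dst-address-list=VLAN11block src-address=192.168.41.0/24
add action=drop chain=forward comment="VLAN12 to 10,11,13 block" disabled=yes dst-address-list=VLAN12block src-address=192.168.42.0/24
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall mangle
# Output-chain marks steer the router's own traffic per WAN; part of the disabled failover setup.
# NOTE(review): the two mark-connection lines were truncated in the pasted export
# ("passthroug" with the continuation lost); the "passthrough=\" + "yes" form from the
# first export has been restored so the script imports cleanly.
add action=mark-connection chain=output comment=ETH1_ConnectionMark connection-mark=no-mark connection-state=new new-connection-mark=ETH1_conn out-interface=ether1 passthrough=\
    yes
add action=mark-connection chain=output comment=ETH2_ConnectionMark connection-mark=no-mark connection-state=new new-connection-mark=ETH2_conn out-interface=ether2 passthrough=\
    yes
add action=mark-routing chain=output comment=ETH1_RoutingMark connection-mark=ETH1_conn new-routing-mark=to_ETH1 out-interface=ether1 passthrough=yes
add action=mark-routing chain=output comment=ETH2_RoutingMark connection-mark=ETH2_conn new-routing-mark=to_ETH2 out-interface=ether2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
# Failover probe routes (8.8.8.8 via 192.168.1.1, 8.8.4.4 via 192.168.88.1 - presumably the
# two upstream gateways); the recursive default routes in to_ETH1/to_ETH2 are disabled.
add comment=Failover disabled=no distance=1 dst-address=8.8.8.8/32 gateway=192.168.1.1 pref-src="" routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add comment=Failover disabled=no dst-address=8.8.4.4/32 gateway=192.168.88.1 routing-table=main scope=10 suppress-hw-offload=no
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=to_ETH1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_ETH1 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=3 dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=to_ETH2 scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=8.8.4.4 pref-src="" routing-table=to_ETH2 scope=30 suppress-hw-offload=no target-scope=10
/ip service
# NOTE(review): telnet, ftp, ssh, api and api-ssl are disabled. www and winbox are only moved
# to non-standard ports; add address= restrictions (the LAN subnets) so management is not
# reachable from WAN while the input chain is open. www-ssl does not appear in this export,
# so web management is plain HTTP - consider www-ssl with a certificate instead.
set telnet disabled=yes
set ftp disabled=yes
set www port=37080
set ssh disabled=yes
set api disabled=yes
set winbox port=37291
set api-ssl disabled=yes
/ppp secret
# The password is presumably hidden by the export (no show-sensitive) - confirm a strong one
# is set; with require-client-certificate=yes a client certificate is needed as well.
add name=user profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
# MAC-telnet and MAC-winbox limited to the LAN list (bridge and VLAN interfaces, not WAN).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN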

EDIT: Winbox in MAC mode can connect, but it often disconnects.

EDIT2: It seems the problem is in the OpenVPN server. After the connection is established, a dynamic IP address is created:

address=192.168.40.201 interface=ovpn-in1 network=192.168.40.202

.
When I remove the above and add:

# Static replacement for the dynamic point-to-point entry: the same server-side address,
# but with network=192.168.40.0 so it sits in the VLAN 10 subnet like the client.
# NOTE(review): this works around local-address=ovpn in the ppp profile; setting a fixed
# local-address there should make the manual step unnecessary - verify.
add address=192.168.40.201 interface=ovpn-in1 network=192.168.40.0

it starts working.
Is there a way to disable this dynamic address?