WAN failover - IPSec does not work on second link

First thing to fix: use only one bridge!!
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Simplify your life by defining at least two VLANs:
vlan10 is the trusted or home VLAN
vlan20 is the guest WiFi VLAN
You can add more if you wish to separate out servers, multimedia, video cameras or other equipment that should not be on the trusted LAN.
You can add more VLANs for different WiFi needs as well.
RP filter strict is a BAD idea, especially with multiple WANs; change it to loose.
Your WAN IP address and DHCP client were confusing until I realized you had one of each of them disabled.
Please clean up the config so you don't have such confusion…

Firewall address lists for local subnets are a waste, unless it's a remote subnet that doesn't exist on the router.
Your firewall rules have very little to do with needed traffic and more to do with blocking crap.
I suggest it's a waste of time, at least in getting a working config going. You can add some things back if you need to…
AKA… default rules plus what is needed for traffic. Hint: at the end of the forward chain, drop all traffic.

Having www and telnet set up as services is not a secure methodology to use, and I recommend disabling those.
IP Routes are messy.
Not clear what you are trying to do with routing rules either.
Out-of-control scripts.
Overboard netwatch.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The main focus should be to go back to basics, get the config working, then add back in what is needed, not what you think is nice to have.
To do so, clearly state your requirements so a clean practical config can be developed.
Identify all user(s)/device(s), including the Admin
Identify all traffic they require to have (without mention of the config).

For the two WANs, are they both public IPs or private IPs, static or dynamic?
I gather WAN1 is primary and WAN2 is secondary, and you don't want to share the load at all times so that both WAN1 and WAN2 are used at the same time?
(throughput of each?)
I see you do have external users that need to reach router services (IPsec); any reason why the much simpler and very secure WireGuard is not being used…???
Do you have any external traffic going to the LAN… aka any servers on the LAN??

What would you like to do with netwatch? What is the purpose of its use at the moment?
Purpose of all the scripts??
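The following is an added RouterOS v7 skeleton illustrating the advice in the reply above; it is not the poster's config or anything from the thread. It assumes names and addresses that are not in the post: ether1 and ether2 as WAN1/WAN2, ether3 as a tagged trunk to a VLAN-aware switch or AP, 192.168.10.0/24 for vlan10 (trusted) and 192.168.20.0/24 for vlan20 (guest). It shows the single bridge with two VLANs, the weak `rp-filter=strict` beside the `loose` setting, the www/telnet services disabled, and the RouterOS default firewall rules with only the needed traffic added and an explicit drop at the end of the forward chain.

```routeros
# Added example, not from the thread. ASSUMED: ether1/ether2 = WAN1/WAN2,
# ether3 = VLAN trunk, 192.168.10.0/24 = vlan10 (trusted), 192.168.20.0/24 = vlan20 (guest).

# 1. One bridge only. VLAN filtering is switched on at the very end.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether3
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge comment="trusted / home"
add name=vlan20 vlan-id=20 interface=bridge comment="guest wifi"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether3 vlan-ids=20
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2
add list=LAN interface=vlan10
add list=LAN interface=vlan20
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

# 2. Reverse-path filter: strict drops replies that arrive on the "other" WAN.
/ip settings
# set rp-filter=strict    <- the weak setting the reply warns about
set rp-filter=loose

# 3. Services: plaintext www and telnet off; management only from the trusted VLAN.
/ip service
set telnet disabled=yes
set www disabled=yes
set ftp disabled=yes
set api disabled=yes
set ssh address=192.168.10.0/24
set winbox address=192.168.10.0/24

# 4. Firewall: RouterOS default ("defconf") rules, plus only the traffic that is
#    actually needed, then drop everything else at the end of the forward chain.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface=vlan20 protocol=udp dst-port=53,67 comment="guest: DNS and DHCP to the router only"
add chain=input action=drop in-interface=vlan20 comment="guest: nothing else to the router"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="needed: LAN to internet"
add chain=forward action=drop comment="drop everything else (end of forward chain)"

# 5. Turn on VLAN filtering last, once vlan10 management access works, to avoid a lockout.
/interface bridge
set bridge vlan-filtering=yes
```

Because the only forward accept is LAN to WAN, guest (vlan20) to trusted (vlan10) traffic falls through to the final drop without a dedicated block rule, which is the "default rules plus what is needed" approach the reply describes. Any server on the LAN or any other inter-VLAN traffic would be added as a further explicit accept above the final drop once the requirements are known.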