I have edited the config for some more not important info …
# jan/07/2022 15:14:04 by RouterOS 7.1.1
# software id = 3HDX-880N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = AAAAAAAAAAAAAAA
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX comment="Wireless 5 GHz chip model: QCA9984 " country=\
"xxxxxxxxxxxx" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge secondary-frequency=auto ssid=XXXXXX \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="xxxxxxxxxxxx" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=xxxxxx wireless-protocol=802.11
/interface wireless manual-tx-power-table set wlan1 comment="Wireless 5 GHz chip model: QCA9984 "
/interface wireless nstreme set wlan1 comment="Wireless 5 GHz chip model: QCA9984 "
/interface wireguard add comment=WIREGUARD listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing table
add fib name=""
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=8192
/ipv6 settings set max-neighbor-entries=8192
/interface detect-internet set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.1.101.1/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network= 192.168.88.0
add address=10.255.255.1/30 disabled=yes interface=wireguard1 network=10.255.255.0
add address=10.1.101.1/24 interface=wireguard1 network=10.1.101.0
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set servers=1.1.1.1,1.0.0.1
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=xxx.xxx.xxx.xxx/26 comment="xxxxxxxx" list=allowed-in
add address=13.230.0.0/15 comment=AMAZON-NRT list=block-in
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
"" log=yes src-address-list=block-in
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
protocol=icmp src-address-list=allowed-in
add action=accept chain=input comment="accept SSH / IP addrs" dst-port=22 \
log=yes protocol=tcp src-address-list=allowed-in
add action=accept chain=input comment="defconf: accept WinBox / IP addrs" \
dst-port=8291 log=yes protocol=tcp src-address=xxx.xxx.xxx.xxx/28
add action=accept chain=input comment=WIREGUARD dst-port=13231 \
in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward disabled=yes src-address=10.1.101.0/24
add action=accept chain=forward disabled=yes dst-address=10.1.101.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service set www-ssl disabled=no
/ip ssh set host-key-size=8192 strong-crypto=yes
/ip upnp set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock set time-zone-name=Europe/xxxxxxx
/system identity set name=RB4011iGS+5HacQ2HnD
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system ntp client set enabled=yes
/system ntp client servers
add address=xx.pool.ntp.org
add address=0.xx.pool.ntp.org
add address=1.xx.pool.ntp.org
add address=2.xx.pool.ntp.org
add address=3.xx.pool.ntp.org
/system resource irq rps set sfp-sfpplus1 disabled=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN