Okay, then repost the config so I am working with the exact config you have now........
add band=2ghz-g/n name="Auto 2,4GHz"
add band=5ghz-a/n/ac name="Auto 5GHz"
/interface bridge
add admin-mac=C4:AD:34:85:10:A5 auto-mac=no fast-forward=no name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Orion (Optika)"
set [ find default-name=ether10 ] comment="Wireless Internet (Backup)"
set [ find default-name=sfp1 ] comment="TRUNK Cisco"
/interface pppoe-client
add disabled=no interface=ether10 name="Wireless net" user=spajz
/interface ipip
add local-address=178.219.10.134 name="SPAJZ Centrala" remote-address=\
95.140.124.94
/interface vlan
add comment=Data interface=bridge name=vlan10 vlan-id=10
add comment=Voip interface=bridge name=vlan20 vlan-id=20
add comment=Management+Securitry interface=bridge name=vlan30 vlan-id=30
add comment=Gosti interface=bridge name=vlan254 vlan-id=254
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
Firma vlan-id=10 vlan-mode=use-tag
add bridge=bridge name=Gosti vlan-id=254 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=Gosti
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=Firma
/caps-man configuration
add channel="Auto 2,4GHz" country=serbia datapath=Firma mode=ap name=\
"Firma 2,4GHz" security=Firma ssid="SPAJZ D.O.O. 2,4GHz"
add channel="Auto 2,4GHz" country=serbia datapath=Gosti mode=ap name=Gosti \
security=Gosti ssid=Gosti
add channel="Auto 5GHz" country=serbia datapath=Firma mode=ap name=\
"Firma 5GHz" security=Firma ssid="SPAJZ D.O.O. 5GHz"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.5.50-192.168.5.200
add name=dhcp_pool1 ranges=192.168.20.50-192.168.20.150
add name=dhcp_pool2 ranges=192.168.33.50-192.168.33.100
add name=dhcp_pool3 ranges=192.168.254.2-192.168.254.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=vlan10 \
lease-time=1d name=Data
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=vlan20 \
lease-time=1d name=VoIP
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=vlan30 \
lease-time=1d name=Security+Management
add add-arp=yes address-pool=dhcp_pool3 disabled=no interface=vlan254 \
lease-time=1d name=Gosti
/interface sstp-client
add connect-to=securitron.dyndns-work.com disabled=no name="VPN Securitron" \
profile=default-encryption user=Spajz_VelikiMagacin
/queue tree
add comment=Gosti max-limit=10M name=download packet-mark=download-vlan254 \
parent=vlan254 queue=pcq-download-default
add comment=Gosti max-limit=5M name=upload packet-mark=upload-vlan254 parent=\
vlan254 queue=pcq-upload-default
/snmp community
set [ find default=yes ] disabled=yes
add addresses=10.20.20.0/24 authentication-protocol=SHA1 name=private \
security=private write-access=yes
/system logging action
add name=Remote remote=10.20.20.254 target=remote
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any \
signal-range=-78..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
signal-range=-120..-79 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
add disabled=no interface=vlan30
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
"Firma 2,4GHz" name-format=identity slave-configurations=Gosti
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
"Firma 5GHz" name-format=identity
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=30
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=sfp1,bridge untagged=\
ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=10
add bridge=bridge tagged=bridge,sfp1 untagged=ether8 vlan-ids=30
add bridge=bridge tagged=sfp1,bridge vlan-ids=20
add bridge=bridge tagged=sfp1,bridge vlan-ids=254
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=vlan30 list=LAN
add interface=ether1 list=WAN
add interface="Wireless net" list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan254 list=LAN
/ip address
add address=192.168.33.1/24 interface=vlan30 network=192.168.33.0
add address=192.168.5.1/24 interface=vlan10 network=192.168.5.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.254.1/24 interface=vlan254 network=192.168.254.0
add address=178.219.10.134/30 interface=ether1 network=178.219.10.132
add address=13.0.0.2/30 interface="SPAJZ Centrala" network=13.0.0.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.33.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.33.1
add address=192.168.254.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.254.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.5.0/24 src-address=\
192.168.254.0/24
add action=drop chain=input dst-address=192.168.5.0/24 src-address=\
192.168.254.0/24
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=vlan254 new-packet-mark=\
upload-vlan254 passthrough=yes
add action=mark-packet chain=prerouting in-interface=ether10 new-packet-mark=\
download-vlan254 passthrough=yes
add action=mark-routing chain=prerouting new-routing-mark=vlan254-routing \
packet-mark=upload-vlan254 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
"VPN Securitron"
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=\
udp to-addresses=192.168.5.251 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=\
tcp to-addresses=192.168.5.251 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=\
udp to-addresses=192.168.5.252 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=\
tcp to-addresses=192.168.5.252 to-ports=8000
/ip route
add comment=Gosti disabled=yes distance=2 gateway="Wireless net" \
routing-mark=ISP2
add check-gateway=ping distance=1 gateway=178.219.10.133
add distance=2 gateway="Wireless net"
add comment="Centrala Data" distance=1 dst-address=192.168.3.0/24 gateway=\
"SPAJZ Centrala"
add comment="Centrala CCTV" distance=1 dst-address=192.168.37.0/24 gateway=\
"SPAJZ Centrala"
/ip route rule
add action=lookup-only-in-table disabled=yes interface=vlan254 table=ISP2
/ip service
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=vlan30
/ip upnp
set show-dummy-rule=no
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd pin
set pin-number=1910
/snmp
set contact="Milan Rankovic" enabled=yes location=\
"Spajz Veliki Magacin/Ruter" trap-community=private trap-generators=\
interfaces,start-trap,temp-exception trap-interfaces=all trap-target=\
10.20.20.254 trap-version=3
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name="Ruter Spajz Magacin 7000"
/system logging
add action=Remote prefix=Spajz_Veliki_Magacin-Ruter topics=critical
add action=Remote prefix=Spajz_Veliki_Magacin-Ruter topics=error
/system ntp client
set enabled=yes primary-ntp=162.159.200.123
/system scheduler
add interval=1w name="FTP Remote Backup enscripted" on-event=\
"FTP Remote Backup enscripted" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/09/2020 start-time=03:00:00
add interval=15m name="DynuDNS update" on-event="DynuDNS update" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/10/2021 start-time=17:24:53
/system script
add dont-require-permissions=yes name="FTP Remote Backup enscripted" owner=\
nemke policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_Script for backup of device data\r\
\n\r\
\n:global ime;\r\
\n:global ver;\r\
\n:global full;\r\
\n:global path;\r\
\n:set ime \"\$[/system identity get name]\";\r\
\n:set ver \"\$[/system package get number=0 version]\";\r\
\n:set full \"\$ime-\$ver.backup\";\r\
\n:set path \"/Backup/Uredjaji/Network/Spajz/Magacin7000/\$full\";\r\
\n\r\
\n# Create Backup file\r\
\n/system backup save encryption=aes-sha256 name=\"\$ime-\$ver\" password=\
Mephisto1910\r\
\n\r\
\n:log info \" Local Backup Created Successfully\"\r\
\n\r\
\n# delay time to finish the create \r\
\n:delay 10s\r\
\n\r\
\n# Upload backup file to FTP server.\r\
\n\r\
\n/tool fetch address=10.20.20.254 src-path=\"\$ime-\$ver.backup\" \\\r\
\nuser=mikrotik mode=ftp password=mikrotik1910 \\\r\
\ndst-path=\$path upload=yes port=21\r\
\n\r\
\n:log info \"Backup Uploaded Successfully\"\r\
\n\r\
\n# delay time to finish the upload\r\
\n:delay 10s\r\
\n\r\
\n# Delete created backup files once they have been uploaded\r\
\n# So they don't accumulate and fill up storage space on the router\r\
\n\r\
\n/file remove [find name~\".backup\"]\r\
\n\r\
\n:log info \"Local Backup File Deleted Successfully\""
add dont-require-permissions=yes name="DynuDNS update" owner=nemke policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"
https://api.dynu.com/nic/update\\\?user ... rabe&hostn\
ame=spajzmagacin7000.dynuddns.com&password=34564024978dc5bbe824e27b6dd15c7\
928f8ce65c22f3837895e589807af0882\" keep-result=no"
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
add allow-address=10.20.20.0/24
/tool graphing queue
add allow-address=10.20.20.0/24
/tool graphing resource
add allow-address=10.20.20.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool romon port
add disabled=no interface=vlan30