I very quickly set this up last night, so I didn't mess with the routing and set it up on the same subnet (192.168.0.0)
I'm new to this, be gentle
But if you see anything glaringly obvious that I need to do for security, please let me know. Thanks!
/interface bridge
add admin-mac=xxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=vlan1 vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 use-peer-dns=yes user=xxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
add name=vpn-pool ranges=192.168.0.100-192.168.0.105
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.0.1 name=vpn-profile remote-address=vpn-pool
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input connection-state=new dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input connection-state=new dst-port=1701 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override local-address=192.168.0.1
/ip proxy
set cache-on-disk=yes enabled=yes parent-proxy=0.0.0.0 src-address=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn profile=vpn-profile
add name=jason profile=vpn-profile
/system clock
set time-zone-name=America/Chicago
/system logging
add disabled=yes topics=ppp,pppoe,packet,debug
add action=disk disabled=yes topics=l2tp,ipsec,debug
add action=disk disabled=yes topics=ipsec,debug
/system note
set note="You are attempting to connect to a private network - Authorized administrators only. Access to this device is monitored."
/system routerboard mode-button
set enabled=no on-event=""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN