I have configured hexS and 951G as I wanted. I have another question, how to configure IKEv2/IPsec with VLANs. Currently I have three of them, MGMT, home and guest (WiFi network).
I configured my connection in the same way, but when I set 192.168.10.0/24 (VLAN/home), NAT shows up, but traffic doesn't go through VPN.
[admin@RB760iGS] > /export hide-sensitive
# jul/31/2019 19:43:49 by RouterOS 6.45.2
# software id = HJFI-YNP6
#
# model = RB760iGS
# serial number =
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN-livebox
set [ find default-name=ether5 ] name=ether5-TRUNK-RB951G
/interface vlan
add interface=BR1 name=HOME_VLAN vlan-id=10
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=MANAGEMENT vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=HOME
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=ca458.nordvpn.com exchange-mode=ike2 name=NordVPN_CA458 profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=HOME ranges=192.168.10.100-192.168.10.254
add name=GUEST ranges=192.168.20.2-192.168.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=HOME disabled=no interface=HOME_VLAN name=HOME
add address-pool=GUEST disabled=no interface=GUEST_VLAN name=GUEST
add address-pool=BASE_POOL disabled=no interface=MANAGEMENT name=BASE_DHCP
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=BR1 ingress-filtering=yes interface=ether5-TRUNK-RB951G
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether5-TRUNK-RB951G untagged=ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=99
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=20
add bridge=BR1 tagged=BR1,ether4,ether5-TRUNK-RB951G vlan-ids=30
/interface list member
add interface=ether1-WAN-livebox list=WAN
add interface=MANAGEMENT list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=MANAGEMENT list=BASE
/ip address
add address=192.168.0.1/24 interface=MANAGEMENT network=192.168.0.0
add address=192.168.10.1/24 interface=HOME_VLAN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST_VLAN network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN-livebox use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.0 list=HOME
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add chain=forward comment="Allow established connections through router" connection-state=established
add chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=new in-interface-list=VLAN
add action=drop chain=forward comment="Drop all other connections through the router"
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface-list=VLAN
add chain=input comment="Allow established connections to the router, these are OK because we aren't allowing new connections" connection-state=established
add chain=input comment="Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=ether1-WAN-livebox src-address=192.168.0.0/24
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN_CA458 policy-template-group=NordVPN username=\
sliwma@
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=192.168.1.1
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=RB760iGS