My goal is to allow an employee working from home to VPN into the office and access information on a laptop at 192.168.33.2, which is directly connected to Eth2 on the router. The VPN will only connect if the netmask is /21, to match the public IP from our ISP. But the 192.168.33.0 subnet has a mask of /29, so even if I have the VPN assign a .33.x IP, they won't communicate. I created the 192.168.48.0/21 subnet for the VPN to connect to, and I have been trying to find a way to get it to communicate with the .33.0 subnet, to no avail.
Sorry for any confusion. I hope this helps.
# sep/04/2020 16:20:52 by RouterOS 6.44.3
# software id = CUYU-RBI1
#
# model = 435G
# serial number = 894109055921
# Two bridges, both created with proxy ARP enabled.
/interface bridge
add arp=proxy-arp name=bridge1
add arp=proxy-arp name=bridge2
# proxy-arp is also set on all three Ethernet ports. ether1 is the
# upstream-facing port in this export (it carries the DHCP client and is the
# masquerade out-interface), so the router may answer ARP requests arriving
# from the ISP side on behalf of addresses it can route to.
# NOTE(review): confirm proxy ARP is actually needed on ether1; it is rarely
# wanted on an upstream port.
# ether2 and ether3 are added to bridges further down, so presumably the
# bridge's own arp setting is the one that matters for them - confirm.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
# Wireless security profiles. All pre-shared keys are redacted in this paste.
/interface wireless security-profiles
# Default profile: accepts both WPA (wpa-psk) and WPA2 (wpa2-psk).
# None of the three wlan interfaces below selects this profile.
# NOTE(review): if nothing uses it, removing wpa-psk leaves no WPA1 fallback
# should an interface ever be switched back to the default profile.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=[REDACTED] \
wpa2-pre-shared-key=[REDACTED]
# "office" profile: WPA2-PSK only; management frame protection is optional
# (management-protection=allowed), not required.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=office supplicant-identity="" \
wpa2-pre-shared-key=[REDACTED]
# "accounting" profile: same settings as "office" with its own key.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=accounting supplicant-identity="" \
wpa2-pre-shared-key=[REDACTED]
/interface wireless
# wlan1: 5 GHz access point, "office" profile, WPS disabled.
set [ find default-name=wlan1 ] band=5ghz-onlyn country=canada disabled=no \
frequency=5825 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6\
,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" \
installation=outdoor mode=ap-bridge security-profile=office ssid=Site2020 \
wireless-protocol=802.11 wps-mode=disabled
# wlan2: 5 GHz access point, "accounting" profile, SSID hidden.
# hide-ssid=yes only stops the name being advertised in beacons; clients
# still disclose it when they associate, so it is not an access control.
# wps-mode is not set on this interface, unlike wlan1 and wlan3.
# NOTE(review): confirm the effective WPS setting on wlan2 and disable it to
# match the other two radios.
set [ find default-name=wlan2 ] band=5ghz-onlyn country=canada disabled=no \
frequency=5260 hide-ssid=yes ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs\
-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15\
" installation=outdoor mode=ap-bridge security-profile=accounting ssid=\
Site2020a wireless-protocol=802.11
# wlan3: access point on the "office" profile, WPS disabled.
set [ find default-name=wlan3 ] disabled=no mode=ap-bridge security-profile=\
office ssid=Site2020_2_4GHz wps-mode=disabled
# Address pools.
/ip pool
# Four leasable addresses in the /29 (the router holds .1, .2 is a static lease).
add name=dhcp_pool1 ranges=192.168.33.3-192.168.33.6
add name=dhcp_pool2 ranges=192.168.22.40-192.168.22.254
# pool3 is not referenced anywhere else in this export (the PPP secret uses
# fixed local/remote addresses instead).
# NOTE(review): confirm whether pool3 is still needed.
add name=pool3 ranges=192.168.48.0/21
# DHCP servers: dhcp2 hands out 192.168.33.x on bridge2, dhcp1 hands out
# 192.168.22.x on bridge1.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge2 name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
# Bridge membership: bridge1 = wlan1 + ether2 + wlan3, bridge2 = wlan2 + ether3.
# NOTE(review): the accompanying description places the 192.168.33.2 laptop on
# ether2, but ether2 is a member of bridge1, while 192.168.33.1/29 and the
# static lease for 192.168.33.2 belong to bridge2 (ether3 / wlan2). Confirm
# which port the laptop is really on before troubleshooting the VPN path.
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=wlan2
add bridge=bridge2 interface=ether3
add bridge=bridge1 interface=wlan3
# Detect Internet is pointed at the "all" interface list, which includes the
# upstream port ether1.
# NOTE(review): confirm this feature is needed; if not, narrowing or clearing
# these lists removes one source of unexpected behaviour on the WAN side.
/interface detect-internet
set detect-interface-list=all lan-interface-list=all
# OpenVPN server: enabled, AES-256 cipher, SHA-1 as the authentication digest,
# and a client certificate is required (the server certificate name is
# redacted in this paste).
# netmask=21 is the prefix length given to the client for its tunnel address.
# NOTE(review): this value is independent of the mask on the ISP-facing
# address; the observation that the tunnel only comes up with /21 is worth
# re-testing, since the tunnel addresses come from the PPP secret.
# NOTE(review): no filter rule in this export limits who can reach the VPN
# listener from ether1, so the certificate requirement and the PPP
# credentials are the only gate - keep both strong.
/interface ovpn-server server
set auth=sha1 certificate=[REDACTED] cipher=aes256 enabled=yes netmask=21 \
require-client-certificate=yes
# Router addresses. bridge1 carries two subnets (192.168.22.0/24 and
# 192.168.44.0/24); bridge2 carries 192.168.33.0/29.
# No interface holds an address in 192.168.48.0/21; 192.168.48.1 appears only
# as the local-address of the PPP secret.
/ip address
add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0
# /29 = hosts .1 to .6: router .1, static lease .2, DHCP pool .3 to .6.
add address=192.168.33.1/29 interface=bridge2 network=192.168.33.0
add address=192.168.44.1/24 interface=bridge1 network=192.168.44.0
# The upstream address is obtained by DHCP on ether1.
/ip dhcp-client
add disabled=no interface=ether1
# Static lease pinning 192.168.33.2 to one MAC address on dhcp2 (bridge2).
/ip dhcp-server lease
add address=192.168.33.2 client-id=1:a0:2b:b8:2f:77:aa mac-address=\
A0:2B:B8:2F:77:AA server=dhcp2
# DHCP options per subnet: public resolvers and the router as gateway.
# There is no DHCP network (or pool) for 192.168.44.0/24, so hosts there are
# presumably statically addressed - confirm.
/ip dhcp-server network
add address=192.168.22.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.22.1
add address=192.168.33.0/29 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.33.1
# Filter rules. These four rules are the whole filter table in this export.
# Nothing here accepts established/related traffic or drops new connections
# arriving on ether1, and packets that match no rule are accepted.
# NOTE(review): as exported, the router's own services and the forwarding
# path are unfiltered from the upstream side; a baseline input/forward rule
# set (accept established/related, accept what is needed, drop the rest
# arriving on ether1) is the first thing to add.
/ip firewall filter
# chain=input only sees packets addressed to the router itself. This rule and
# the next one match e.g. 192.168.22.x -> 192.168.33.1, but not
# 192.168.22.x -> 192.168.33.2, which is routed through chain=forward.
# NOTE(review): if the intent is to keep the two LANs apart, the drops need
# to be in chain=forward; as written, hosts in the two subnets can still
# reach each other through the router.
add action=drop chain=input dst-address=192.168.33.0/29 log=yes src-address=\
192.168.22.0/24
add action=drop chain=input dst-address=192.168.22.0/24 src-address=\
192.168.33.0/29
# protocol=rdp is IP protocol 27 (Reliable Data Protocol), not Microsoft
# Remote Desktop, which runs over TCP/UDP port 3389.
# NOTE(review): if this was meant to restrict Remote Desktop to internal
# sources, it likely matches nothing; that would be protocol=tcp dst-port=3389.
add action=drop chain=forward protocol=rdp src-address=!192.168.0.0/16
# Log-only rule with the same protocol=rdp caveat. 10.10.33.2 is not in any
# subnet configured in this export - possibly meant to be 192.168.33.2; confirm.
add action=log chain=forward dst-address=10.10.33.2 protocol=rdp
# Source NAT: one masquerade rule per LAN subnet, all leaving via ether1.
# 192.168.48.0/21 (the VPN addresses) has no masquerade rule, which is
# presumably fine if the tunnel is only used to reach the LAN - confirm.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.22.0/24 src-address-list=""
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.33.0/29
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
192.168.44.0/24
# Disabled catch-all: it has no out-interface or source match, so enabling it
# would masquerade every routed flow, including LAN-to-LAN and VPN-to-LAN.
add action=masquerade chain=srcnat disabled=yes
# Two routes with no dst-address: the primary via a (redacted) gateway
# address, and a distance=2 fallback that names the interface ether1 as the
# gateway.
# 192.168.33.0/29 is directly connected, so the router itself needs no static
# route to reach the laptop's subnet.
/ip route
add distance=1 gateway=[REDACTED]
add distance=2 gateway=ether1
# telnet, ftp and ssh are turned off. The other management services are not
# listed, so they are at whatever this export treats as default.
# NOTE(review): confirm which services remain enabled and restrict each with
# its address= property to the management subnet; no filter rule in this
# export shields them from ether1.
# NOTE(review): the export header reports RouterOS 6.44.3; check it against
# the current release in the same channel.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
# One OpenVPN user with a fixed point-to-point pair: router side 192.168.48.1,
# client side 192.168.48.2. Name and password are redacted in this paste.
# routes= takes route entries (dst-address gateway metric) that the router
# installs while this user is connected; "Bridge2" is not in that form.
# NOTE(review): this value probably has no useful effect. To reach
# 192.168.33.2, the remote client presumably needs its own route for
# 192.168.33.0/29 through the tunnel, configured on the client side, and the
# laptop's host firewall must accept traffic from 192.168.48.2 - confirm.
/ppp secret
add local-address=192.168.48.1 name=[REDACTED] password=\
[REDACTED] remote-address=192.168.48.2 routes=\
Bridge2 service=ovpn
/system clock
set time-zone-name=America/Halifax
# Every console entry is disabled.
/system console
set [ find ] disabled=yes
# The bandwidth-test server is turned off.
/tool bandwidth-server
set enabled=no