You forgot to post the export of your router's configuration, but from what you wrote I assume the dst-address of your /ip ipsec policy row includes also the local subnet 172.16.10.0/24. Hence packets sent by the router to hosts in the LAN subnet are diverted to the IPsec tunnel as well.
To prevent this, you have to add another /ip ipsec policy row before (above) the existing one:
/ip ipsec policy add place-before=[find src-address=172.16.10.0/24] action=none src-address=172.16.10.0/24 dst-address=172.16.10.0/24
It will shadow the existing policy for packets within the local subnet, and thus exempt packets from the router to the LAN hosts from diversion to the tunnel.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.