My configuration:
# oct/27/2022 23:21:51 by RouterOS 6.47.10
# software id = ZWRC-FBTF
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460C19DA7E
# Four bridges are defined. The bridge port section of this export attaches
# members to TV, Telefon and bridge1 only; bridge_WiFi receives no ports.
/interface bridge
add name=TV
add name=Telefon
add name=bridge1
add name=bridge_WiFi
# Both radios run as access points (mode=ap-bridge). Neither line names a
# security-profile, so presumably both use the default profile -- confirm.
# NOTE(review): wlan2 combines country=japan, frequency-mode=superchannel and
# antenna-gain=50, while wlan1 uses country=slovenia. superchannel is
# MikroTik's conformance-testing mode and is not bound to a country's channel
# plan -- confirm the intended regulatory domain; frequency-mode=
# regulatory-domain with the real antenna gain is the normal setting.
/interface wireless
set [ find default-name=wlan1 ] country=slovenia disabled=no frequency=auto \
mode=ap-bridge ssid="Bezan 5G" station-roaming=enabled wireless-protocol=\
802.11
set [ find default-name=wlan2 ] antenna-gain=50 band=2ghz-b/g/n \
channel-width=20/40mhz-Ce country=japan disabled=no frequency=auto \
frequency-mode=superchannel mode=ap-bridge ssid=Bezan station-roaming=\
enabled wireless-protocol=802.11
# PPPoE uplink on the SFP+ port: installs the default route and accepts the
# provider's DNS servers. user= and password= appear to have been masked
# before the export was posted.
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-sfpplus1 name=pppoe-out1 \
password=xxxx use-peer-dns=yes user=xxxxx
# VLAN 3999 and 3998 sub-interfaces on the uplink and on individual LAN ports;
# the bridge port section groups them into the TV and Telefon bridges.
# vlan100 is created without an interface= parameter in this export.
/interface vlan
add interface=ether6 name="TV BOX1" vlan-id=3999
add interface=ether7 name="TV BOX2" vlan-id=3999
add interface=sfp-sfpplus1 name="TV IN" vlan-id=3999
add interface=ether2 name="TV NEO1" vlan-id=3999
add interface=sfp-sfpplus1 name="Telefon IN" vlan-id=3998
add interface=ether4 name="Telefon Out" vlan-id=3998
add name=vlan100 vlan-id=100
# Switch-chip ports 0-11 all get default-vlan-id=0.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# Interface lists referenced by the firewall filter, NAT and MAC-server
# sections; membership is assigned under "/interface list member".
/interface list
add name=WAN
add name=LAN
# Default wireless security profile (WPA/WPA2 personal, dynamic keys).
# NOTE(review): authentication-types still includes wpa-psk, so first-generation
# WPA clients are accepted alongside WPA2. Unless a legacy client needs it,
# authentication-types=wpa2-psk alone is the safer setting.
# NOTE(review): the WPA key was masked before posting but the WPA2 key was not.
# A pre-shared key that has been published should be treated as compromised and
# replaced on the router and every client; the visible value is also a short
# word-plus-digits pattern that is easy to guess.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
xxx wpa2-pre-shared-key=mobitel123
# Default IPsec proposal; it is presumably the one used by the L2TP server's
# use-ipsec=yes setting -- confirm.
# NOTE(review): sha1 is still offered next to sha256. If every VPN client
# supports SHA-256, removing sha1 prevents negotiating the weaker hash.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
# Two non-overlapping DHCP ranges inside the same 192.168.1.0/24 subnet.
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.199
add name=dhcp_WiFi ranges=192.168.1.200-192.168.1.240
# dhcp1 serves bridge1. dhcp_WiFi is bound to bridge_WiFi, which has no member
# ports and no IP address anywhere in this export, so it presumably never
# hands out a lease -- confirm.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_WiFi disabled=no interface=bridge_WiFi name=dhcp_WiFi
# LoRa network-server entries (The Things Industries, EU and US, port 1700).
# These look like the package's stock entries -- confirm they are unused.
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
up-port=1700
# PPP profile that would bridge a VPN session into bridge1 with the router's
# LAN address as the local end.
# NOTE(review): no visible line selects this profile: the L2TP server uses
# default-profile=default and neither PPP secret names a profile.
/ppp profile
add bridge=bridge1 local-address=192.168.1.1 name=vpn_profile
# User Manager customer "admin" and its access rights.
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
# Policy set of the "full" group (the value continues across the line break
# below). It includes sensitive, api, romon and every login method.
# User accounts and their passwords are not part of this export, so the state
# of the router's own logins cannot be judged from here.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# bridge1 joins ether1-ether10 (the ether4 entry is disabled) and both radios
# into one layer-2 segment, so wired and wireless clients share a broadcast
# domain. The VLAN sub-interfaces are grouped into the TV and Telefon bridges.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 disabled=yes interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether2
add bridge=TV interface="TV IN"
add bridge=TV interface="TV BOX1"
add bridge=TV interface="TV BOX2"
add bridge=Telefon interface="Telefon IN"
add bridge=Telefon interface="Telefon Out"
add bridge=TV interface="TV NEO1"
# NOTE(review): !dynamic selects every non-dynamic interface, which here
# includes the uplink (sfp-sfpplus1, pppoe-out1). Neighbor discovery then
# announces the router's identity, model and version towards the provider
# side; discover-interface-list=LAN would keep it on the local network.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# L2TP server with IPsec.
# NOTE(review): the IPsec pre-shared secret was posted unmasked; treat it as
# compromised and replace it on the router and all clients.
# NOTE(review): per MikroTik's documentation use-ipsec=yes still admits L2TP
# sessions that arrive without IPsec, whereas use-ipsec=required refuses them.
# The input filter accepts udp/1701 straight from pppoe-out1, so that
# unencrypted path is reachable from the Internet -- confirm and tighten.
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=luftP0st! use-ipsec=yes
# WAN = PPPoE session plus the physical SFP+ port; LAN = bridge1 only.
# TV, Telefon and bridge_WiFi are in neither list, so the final input drop
# rule (in-interface-list=!LAN) treats them like outside interfaces.
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
add interface=sfp-sfpplus1 list=WAN
# OpenVPN server; client certificates are mandatory in addition to the PPP
# login. auth=sha1 is the HMAC digest.
# NOTE(review): the export header reports RouterOS 6.47.10. With VPN listeners
# reachable from the Internet, keeping the router on a currently supported
# release matters; newer release lines presumably also offer stronger OpenVPN
# digests than sha1 -- confirm against the release notes.
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
require-client-certificate=yes
# Router LAN address.
# NOTE(review): the address sits on ether1, which is a member port of bridge1.
# MikroTik's guidance is to put the address on the bridge itself; services and
# firewall rules that match on bridge1 may not behave as expected otherwise --
# confirm. The second entry is disabled and names no interface.
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.100.1/24 disabled=yes network=192.168.100.0
# DHCP client on the physical uplink port, in addition to the PPPoE session.
/ip dhcp-client
add !dhcp-options interface=sfp-sfpplus1
# Two static leases, both outside the dynamic pool ranges.
/ip dhcp-server lease
add address=192.168.1.60 always-broadcast=yes mac-address=34:E1:D1:80:C0:F7 \
server=dhcp1
add address=192.168.1.61 mac-address=00:1E:42:4D:26:DC server=dhcp1
# Clients receive the router first and then two external resolvers as DNS
# servers. A client that falls back to an external one will not see the static
# entries defined under "/ip dns static".
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=\
192.168.1.1,193.189.160.13,193.189.160.23 gateway=192.168.1.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. NOTE(review): nothing in the filter section restricts port 53
# explicitly; only the last input rule (drop in-interface-list=!LAN) keeps the
# resolver from being usable from the Internet. If that rule is ever disabled
# or reordered, the router becomes an open resolver.
/ip dns
set allow-remote-requests=yes servers=193.189.160.13,193.189.160.23
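# Static DNS overrides: LAN clients that ask the router for these four names
# get the internal address 192.168.1.26 instead of the public record.
# 192.168.1.26 lies outside both DHCP pools of this export.
# Each entry is written on one line; in the posted export the two www entries
# had name= separated from its value by a bare line break (no trailing
# backslash), which is not valid on import.
/ip dns static
add address=192.168.1.26 comment="MK Raubritter Spletna Stran" name=mk-raubritter.com
add address=192.168.1.26 name=www.mk-raubritter.com
add address=192.168.1.26 comment="Arja Spletna Stran" name=pomoc-zivalim-arja.si
add address=192.168.1.26 name=www.pomoc-zivalim-arja.si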
# NOTE(review): the range ends in 192.168.0.79, which is lower than its start;
# 192.168.1.79 was presumably intended (the PPP secrets assign 192.168.1.70
# and .71). The entry is disabled, as is the only mangle rule that uses it.
/ip firewall address-list
add address=192.168.1.70-192.168.0.79 disabled=yes list=VPN
# Filter rules are evaluated top to bottom. Only the input chain (traffic to
# the router itself) is filtered: the single forward rule is a disabled
# fasttrack entry, so no filter rule in this export restricts forwarded
# traffic.
# NOTE(review): there is no rule dropping connection-state=invalid, and no
# forward rule dropping new connections from WAN that were not dst-natted
# (connection-nat-state=!dstnat in MikroTik's default configuration). Hosts
# behind the router are shielded from the Internet by NAT alone.
/ip firewall filter
# ICMP to the router is accepted on every interface, WAN included.
add action=accept chain=input protocol=icmp
add action=fasttrack-connection chain=forward disabled=yes
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
# L2TP/IPsec from the PPPoE uplink: ESP plus udp 500 (IKE), 1701 (L2TP) and
# 4500 (NAT-T).
# NOTE(review): 1701 is accepted directly from the WAN, not only when it
# arrives inside IPsec. Moving 1701 to its own rule with
# ipsec-policy=in,ipsec would admit L2TP only after decryption.
add action=accept chain=input comment="Allow t2p" in-interface=pppoe-out1 \
protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=pppoe-out1 \
protocol=udp
# OpenVPN over TCP, accepted on every interface.
add action=accept chain=input comment=OpenVPN dst-port=1194 protocol=tcp
# WebFig (80/443) and WinBox (8291), matched by source address only.
# NOTE(review): traffic arriving on bridge1 is never dropped by the last rule
# anyway, so this rule only matters for non-LAN interfaces: it gives router
# management to any VPN session, and any other interface, whose source is in
# 192.168.1.0/24. If that is meant for VPN users only, match their
# interface or addresses explicitly. Port 80 is unencrypted WebFig if the www
# service is enabled; "/ip service" is not part of this export -- confirm.
add action=accept chain=input dst-port=80,443,8291 protocol=tcp src-address=\
192.168.1.0/24
# Logging chain and the jump into it are both disabled, so dropped packets are
# not logged.
add action=drop chain="log and drop" disabled=yes
add action=jump chain=input disabled=yes jump-target="log and drop"
# Final rule: drop whatever reaches the router from any interface outside the
# LAN list. Everything arriving on bridge1 falls through to the implicit
# accept, so every enabled router service is reachable from the LAN.
add action=drop chain=input in-interface-list=!LAN
# Policy-routing rule for non-VPN destinations; disabled.
/ip firewall mangle
add action=route chain=prerouting disabled=yes dst-address-list=!VPN \
passthrough=yes protocol=!icmp route-dst=192.168.1.1
/ip firewall nat
# Source NAT for everything leaving through a WAN-list interface.
add action=masquerade chain=srcnat out-interface-list=WAN
# NOTE(review): this second rule has no out-interface, so it masquerades any
# routed traffic sourced from 192.168.1.0/24, whatever the exit interface.
# Receivers (for example VPN peers) then see the router's address instead of
# the real client, which hides the origin in their logs -- confirm that this
# is intended and scope it to the VPN interface if so.
add action=masquerade chain=srcnat comment=VPN src-address=192.168.1.0/24
add action=accept chain=dstnat disabled=yes dst-port=1194 protocol=udp
# NOTE(review): UPnP lets LAN devices request inbound port mappings on their
# own. Combined with a forward chain that has no filter rules, any mapping a
# device (or malware on it) requests is exposed unfiltered. No
# "/ip upnp interfaces" entries appear in this export, so the service may be
# inert -- confirm, and disable it unless something depends on it.
/ip upnp
set enabled=yes
# VPN user accounts with fixed remote addresses 192.168.1.70 and .71.
# NOTE(review): both passwords were posted unmasked, are identical and follow
# a common word-plus-digit pattern; replace them with unique, random values.
# Neither entry sets service= or profile=, so presumably each login is valid
# for every enabled PPP service (L2TP and OpenVPN here) -- confirm and pin
# service= to the one each user needs.
/ppp secret
add local-address=192.168.1.1 name=rocky password=Passw0rd0 remote-address=\
192.168.1.70
add local-address=192.168.1.1 name=teltonika password=Passw0rd0 \
remote-address=192.168.1.71
/system clock
set time-zone-name=Europe/Ljubljana
# Front-panel LEDs mapped to wlan2 signal strength and traffic. The first leds=
# value continues across the line break.
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
# Layer-2 management (MAC telnet and MAC WinBox) is limited to the LAN list,
# i.e. bridge1, so it is not offered on the uplink.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager