This is from my last attempt. I have tried various changes and settings... Most people I found want the switch port set to VLAN, but these don't support that option...
Gateway:
# 2024-03-24 17:59:16 by RouterOS 7.14.1
# software id =
#
# model = RB760iGS
# serial number =
/interface bridge
# Two independent bridges. Neither line sets vlan-filtering, so both are
# presumably at the RouterOS default (VLAN filtering off) - confirm on the device.
add name=pnp_bridge port-cost-mode=short
add name=smr_bridge port-cost-mode=short
/interface vlan
# VLAN 10 is terminated on smr_bridge.
# NOTE(review): if vlan-filtering is off on smr_bridge, frames tagged 10 that
# arrive on any of its ports (ether2, ether3, ether5 below) reach this interface;
# nothing in this export pins VLAN 10 to a single uplink port.
add interface=smr_bridge name=vlan10 vlan-id=10
/interface list
# WAN and LAN are the lists the firewall rules further down match on.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik-Gateway
/ip pool
# vlan10_dhcp is defined here, but no /ip dhcp-server entry in this export uses it.
add name=smr_dhcp ranges=192.168.1.100-192.168.1.245
add name=pnp_dhcp ranges=10.185.79.27-10.185.79.29
add name=vlan10_dhcp ranges=10.200.201.10-10.200.201.15
/ip dhcp-server
# DHCP is served on smr_bridge and pnp_bridge only; vlan10 has no server here.
add address-pool=smr_dhcp interface=smr_bridge lease-time=1h name=defconf
add address-pool=pnp_dhcp interface=pnp_bridge lease-time=10m name=pnp_fiber
/ip smb users
# The default SMB user is disabled.
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
# NOTE(review): *FFFFFFFE looks like the internal ID of the built-in
# default-encryption profile - confirm. It hands PPP clients addresses from the
# LAN pool (smr_dhcp) and attaches them to smr_bridge, so any VPN session using
# this profile lands directly inside 192.168.1.0/24.
set *FFFFFFFE bridge=smr_bridge local-address=192.168.1.1 remote-address=\
smr_dhcp use-ipv6=no
/queue simple
# Per-segment rate limits: 38M/38M for pnp_bridge, 10M/10M for vlan10.
add max-limit=38M/38M name=pnp_queue target=pnp_bridge
add max-limit=10M/10M name=tjm_client target=vlan10
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
# The OSPF instance is enabled, but its only area (below) is disabled.
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
# Port membership: ether2, ether3, ether5 -> smr_bridge; ether4, sfp1 -> pnp_bridge.
# ether1 is not bridged (it is the WAN port, see /interface list member).
# NOTE(review): ingress-filtering only has an effect when the bridge has
# vlan-filtering enabled, which neither bridge sets in this export.
add bridge=smr_bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=pnp_bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=smr_bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=pnp_bridge comment=defconf ingress-filtering=no interface=sfp1 \
internal-path-cost=10 path-cost=10
add bridge=smr_bridge interface=ether2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it is not sent on ether1 (WAN).
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled on this router.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
# NOTE(review): Detect Internet is pointed at every interface and at the same
# WAN and LAN lists the firewall rules match on. As far as I know it can change
# list membership dynamically, which would silently change what the firewall
# treats as LAN or WAN - confirm, and consider detect-interface-list=none if
# the feature is not needed.
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
LAN
/interface l2tp-server server
# L2TP server is enabled.
# NOTE(review): use-ipsec=yes accepts L2TP both with and without IPsec;
# use-ipsec=required is the value that refuses unencrypted sessions - confirm
# which is intended. No IPsec secret is visible in this export, so whether one
# is set cannot be told from here.
set enabled=yes use-ipsec=yes
/interface list member
# Only smr_bridge is in LAN and only ether1 is in WAN. pnp_bridge and vlan10 are
# in neither list, so input traffic from them hits the firewall's
# "drop all not coming from LAN" rule.
add comment=defconf interface=smr_bridge list=LAN
add comment="Spirit Communications" interface=ether1 list=WAN
/interface ovpn-server server
# This line does not enable the OpenVPN server; it only lists the accepted
# auth digests. NOTE(review): md5 and sha1 are both weak choices if the server
# is ever enabled.
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): the PPTP server is enabled despite the warning above; disable
# it unless a client depends on it.
set enabled=yes
/interface sstp-server server
# SSTP server is enabled with the default-encryption profile.
# NOTE(review): no certificate= is set on this line, so the server presumably
# runs without a server certificate - confirm.
# The input chain in this export has no accept rule for L2TP/IPsec, PPTP or SSTP
# on ether1, so as exported the final "drop all not coming from LAN" rule drops
# WAN connections to all three servers; they are either leftovers or unreachable.
set default-profile=default-encryption enabled=yes
/ip address
# Router addresses: 192.168.1.1/24 on smr_bridge, a /29 on ether1 (WAN),
# 10.185.79.26/24 on pnp_bridge and 10.200.201.1/24 on vlan10.
add address=192.168.1.1/24 comment=defconf interface=smr_bridge network=\
192.168.1.0
add address=[redacted]/29 interface=ether1 network=[redacted]
add address=10.185.79.26/24 interface=pnp_bridge network=10.185.79.0
add address=10.200.201.1/24 interface=vlan10 network=10.200.201.0
/ip cloud
# NOTE(review): ddns-enabled=yes presumably registers the router's public
# address with MikroTik's cloud DDNS service - turn it off if it is not used.
set ddns-enabled=yes
/ip dhcp-client
# The default DHCP client on ether1 is disabled; the WAN address is static (above).
add comment=defconf disabled=yes interface=ether1 use-peer-dns=no
/ip dhcp-server lease
[removed]
/ip dhcp-server network
# NOTE(review): address is a /24 but netmask=22 is handed to clients, so pnp
# clients would consider 10.185.76.0-10.185.79.255 on-link - confirm intent.
# NOTE(review): domain= holds an IP address (149.112.112.112); this looks like a
# second DNS server that was meant to go into dns-server= - confirm.
add address=10.185.79.0/24 dns-server=9.9.9.9 domain=149.112.112.112 gateway=\
10.185.79.26 netmask=22
# NOTE(review): domain= is again an IP address (10.200.201.1), not a DNS suffix.
# This network entry exists, but no DHCP server is bound to vlan10 in this export.
add address=10.200.201.0/24 dns-server=9.9.9.9 domain=10.200.201.1 gateway=\
10.200.201.1
add address=192.168.1.0/24 comment=defconf dns-server=9.9.9.9,1.1.1.1 \
gateway=192.168.1.1 netmask=24
/ip dns
# Upstream resolvers for the router itself. allow-remote-requests is not set
# here, so the router is presumably not acting as a resolver for clients.
set servers=9.9.9.9,1.1.1.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# Rules are evaluated top to bottom within each chain, so the order below matters.
# input: accept traffic belonging to existing connections.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# input: drop packets connection tracking marks invalid.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# forward: isolate pnp_bridge and smr_bridge from each other in both directions.
# Being first in the forward chain, these also apply to established connections.
# NOTE(review): there is no equivalent rule for vlan10. The forward chain has no
# final drop, so hosts in 10.200.201.0/24 can be routed to and from both
# smr_bridge and pnp_bridge - confirm whether vlan10 is meant to be isolated.
add action=drop chain=forward in-interface=pnp_bridge out-interface=\
smr_bridge
add action=drop chain=forward in-interface=smr_bridge out-interface=\
pnp_bridge
# input: ICMP is accepted from every interface, including WAN.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# input: Winbox (tcp/8291) is reachable from WAN for one source address only.
# /ip service also restricts winbox by source address, so both layers apply.
add action=accept chain=input dst-port=8291 in-interface=ether1 protocol=tcp \
src-address=[redacted]
# input: explicit Winbox drop for every other WAN source. The catch-all drop
# that follows would drop this traffic too, since ether1 is not in LAN.
add action=drop chain=input dst-port=8291 in-interface=ether1 protocol=tcp \
src-address=![redacted]
# input: final drop for anything not arriving on a LAN-list interface. Only
# smr_bridge is in LAN, so this covers ether1, pnp_bridge and vlan10.
# No rule above accepts VPN server traffic from WAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# forward: fasttrack is limited to packets entering from smr_bridge.
# NOTE(review): fasttracked packets presumably bypass simple queues; neither
# queue in this export targets smr_bridge - confirm this is the reason.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes in-interface=\
smr_bridge
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# forward: new connections from WAN are dropped unless a dst-nat rule matched.
# This is the last forward rule; everything else falls through to accept.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for traffic leaving through the WAN list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Temporary port forward: tcp/8292 from one source address is sent to Winbox
# (8291) on 192.168.1.2, the switch. The source filter is its only restriction;
# the rule has no in-interface or dst-address match.
# NOTE(review): the comment says to delete it when done - make sure that happens,
# since the switch export allows Winbox from 0.0.0.0/0.
add action=dst-nat chain=dstnat comment="Temp Rule (delete when done)" \
dst-port=8292 protocol=tcp src-address=[redacted] to-addresses=\
192.168.1.2 to-ports=8291
/ip firewall service-port
# These connection-tracking helpers are disabled.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
/ip route
# Static default route via the ISP gateway; check-gateway=ping monitors it.
add check-gateway=ping comment="Spirit Communications" disabled=no \
dst-address=0.0.0.0/0 gateway=[redacted]
/ip service
# Every management service except Winbox is disabled. Winbox accepts
# connections only from 192.168.1.0/24 and one additional /32.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24,[redacted]/32
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/ppp secret
# One PPP account, "vpn", on the default-encryption profile.
# NOTE(review): no service= is set, so this account is presumably valid on every
# enabled PPP server (L2TP, PPTP and SSTP are all enabled above) - confirm. The
# password is not part of this export.
add name=vpn profile=default-encryption
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-Gateway
/system note
set show-at-login=no
/tool bandwidth-server
# The bandwidth test server is disabled.
set authenticate=no enabled=no
/tool mac-server
# MAC Telnet and MAC Winbox are limited to the LAN list (smr_bridge only).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Switch:
# 2024-03-24 18:11:56 by RouterOS 7.14.1
# software id = [redacted]
#
# model = RB760iGS
# serial number = [redacted]
/interface bridge
# Single bridge with VLAN filtering enabled and a fixed admin MAC.
# NOTE(review): ingress-filtering=no on a VLAN-filtering bridge means frames are
# presumably not checked against VLAN membership on ingress - confirm that this
# is intended, since it weakens the separation vlan-filtering is meant to give.
add admin-mac=2C:C8:1B:E7:DD:0B auto-mac=no comment=defconf fast-forward=no \
ingress-filtering=no name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface vlan
# NOTE(review): this VLAN interface sits on ether1, which is also added to
# bridge1 as a port below. A VLAN interface on a bridged port is a common
# misconfiguration; it normally belongs on the bridge itself - confirm.
add interface=ether1 name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
# ether2-ether5 and sfp1 join bridge1 without a pvid, so they are presumably at
# the default PVID rather than 10 - confirm. Untagged frames entering those ports
# would then not be classified into VLAN 10, even though the /interface bridge
# vlan entry below sends VLAN 10 out of them untagged.
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
add bridge=bridge1 comment=defconf ingress-filtering=no interface=sfp1 \
internal-path-cost=10 path-cost=10
# ether1 is the only port with pvid=10, yet it is listed as the tagged member of
# VLAN 10 below. NOTE(review): pvid applies to untagged ingress, so on a tagged
# uplink it is usually left at the default while the access ports carry pvid=10.
add auto-isolate=yes bridge=bridge1 ingress-filtering=no interface=ether1 \
internal-path-cost=10 path-cost=10 pvid=10
/interface bridge settings
# Bridged traffic is passed through the IP firewall. This export contains no
# /ip firewall filter or nat rules on the switch, so nothing is filtered here.
# NOTE(review): confirm the setting is needed at all.
set use-ip-firewall=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled; redirects, router advertisements and forwarding are off.
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no max-neighbor-entries=8192
/interface bridge vlan
# VLAN 10 membership: ether1 tagged, all other ports untagged. bridge1 itself is
# not listed as a member, so the switch CPU is not in VLAN 10 through the bridge.
add bridge=bridge1 tagged=ether1 untagged=sfp1,ether2,ether3,ether4,ether5 \
vlan-ids=10
/interface list member
# Every physical port, including the ether1 uplink, is in the LAN list; the WAN
# list has no members on this device.
add comment=defconf interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
/interface ovpn-server server
# This line does not enable the OpenVPN server; it only lists the accepted
# auth digests (md5 and sha1 are weak if the server is ever enabled).
set auth=sha1,md5
/ip address
# NOTE(review): no prefix length is given, so this is presumably installed as a
# /32 - confirm. The address is also bound to sfp1, which is a port of bridge1;
# addresses normally go on the bridge or a VLAN interface, not on a bridged port.
add address=192.168.1.2 interface=sfp1 network=192.168.1.0
/ip dhcp-client
# The switch also requests an address on bridge1 via DHCP.
add comment=defconf interface=bridge1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the switch answer DNS queries
# from any host that can reach it, and this export has no firewall filter rules
# to limit that. Turn it off unless clients are meant to resolve through the switch.
set allow-remote-requests=yes
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
# Every management service except Winbox is disabled.
# NOTE(review): winbox address=0.0.0.0/0 accepts any source address, and this
# export has no input-chain rules. The gateway restricts the same service to
# 192.168.1.0/24 plus one /32; an equivalent restriction is advisable here.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=Front-Building-Bridge
/system note
set show-at-login=no
/tool mac-server
# MAC Telnet is disabled on all interfaces.
# NOTE(review): there is no /tool mac-server mac-winbox line in this export
# (the gateway has one), which suggests MAC Winbox is still at its default -
# confirm and restrict it as well.
set allowed-interface-list=none