Thanks to the wonderful information on the forum, I started doing my own config.
Because I need the router next week, I did a quick and dirty solution with different bridges;
there are probably more elegant ways to solve this (VLANs?).
Here is the config so far:
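# Three bridges: bridge_wan carries every uplink candidate (ether1, powerline,
# wlan1 as a station), bridge_lan is the "MyBridged" home LAN and bridge_vpn is
# the "MyVPN" LAN whose traffic is policy-routed into the OpenVPN tunnel.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=bridge_lan
add name=bridge_vpn
add name=bridge_wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=no_country_set \
disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower \
installation=indoor ssid="" wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface wireless security-profiles
# NOTE(review): the default profile still allows WPA (wpa-psk) and TKIP. It is
# only selected for wlan1 while it is a station (see the client-mode script),
# and the connect-list entries below carry their own WPA2 profiles, so it
# mainly matters if wlan1 joins a network that is not in the connect-list.
# Consider restricting it to authentication-types=wpa2-psk and
# unicast/group-ciphers=aes-ccm once every upstream AP supports that.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
MyRouted supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
AccessPoint supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
Buffalo_C_2_4 supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
IslaDeMuerta supplicant-identity=""
/interface wireless
# NOTE(review): wlan2 uses mode=bridge, which in RouterOS is the point-to-point
# bridge mode (a single peer), not a virtual AP. The other two virtual
# interfaces (wlan3, wlan4) use the default AP mode; wlan2 most likely wants
# the same. Also, all three virtual interfaces share the MyRouted profile
# (and therefore one PSK), so a client of one SSID can join the others.
add comment=MyBridged disabled=no keepalive-frames=disabled mac-address=\
xx:xx:xx:xx:xx:xx master-interface=wlan1 mode=bridge multicast-buffering=\
disabled name=wlan2 security-profile=MyRouted ssid=MyBridged \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add comment=MyRouted disabled=no keepalive-frames=disabled mac-address=\
xx:xx:xx:xx:xx:xx master-interface=wlan1 multicast-buffering=disabled \
name=wlan3 security-profile=MyRouted ssid=MyRouted wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
add comment=MyVPN disabled=no keepalive-frames=disabled mac-address=\
xx:xx:xx:xx:xx:xx master-interface=wlan1 multicast-buffering=disabled \
name=wlan4 security-profile=MyRouted ssid=MyVPN wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan2 comment=MyBridged
set wlan3 comment=MyRouted
set wlan4 comment=MyVPN
/interface wireless nstreme
set *8 comment=MyBridged
set *9 comment=MyRouted
set *C comment=MyVPN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=myvpn ranges=192.168.77.10-192.168.77.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge_lan name=mybridged
add address-pool=myvpn disabled=no interface=bridge_vpn name=myvpn
/interface ovpn-client
# Tunnel to the home network; currently disabled. connect-to is redacted here.
add certificate=schleicher cipher=aes256 connect-to=\
my host disabled=yes mac-address=xx:xx:xx:xx:xx:xx \
name=openvpn_home port=443 profile=default-encryption user=schleicher
/interface bridge port
add bridge=bridge_wan interface=ether1
add bridge=bridge_wan interface=pwr-line1
# NOTE(review): the client-mode script puts wlan1 into mode=station, and a
# plain station cannot be a bridge port (frames from other MACs are not
# forwarded). station-pseudobridge (MAC translation, works with any AP) or
# station-bridge (transparent, requires a MikroTik AP) is needed for this
# bridge membership to carry traffic -- confirm which one the upstream APs
# support.
add bridge=bridge_wan interface=wlan1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=wlan3
add bridge=bridge_vpn interface=openvpn_home
add bridge=bridge_lan interface=wlan2
add bridge=bridge_lan interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# NOTE(review): bridge_vpn is a member of LAN, so MyVPN clients get the same
# unrestricted input-chain access to the router (DNS, Winbox, MAC-server)
# as MyBridged clients. The VPN interface list defined above is unused.
add interface=bridge_lan list=LAN
add interface=ether2 list=LAN
add interface=wlan1 list=WAN
add interface=wlan3 list=LAN
add interface=ether1 list=WAN
add interface=wlan2 list=LAN
add interface=bridge_wan list=WAN
add interface=wlan4 list=LAN
add interface=bridge_vpn list=LAN
/interface wireless connect-list
add interface=wlan1 security-profile=Buffalo_C_2_4 ssid=Buffalo_C_2_4
add interface=wlan1 security-profile=IslaDeMuerta ssid=IslaDeMuerta
/ip address
add address=192.168.88.1/24 interface=bridge_lan network=192.168.88.0
add address=192.168.77.1/24 interface=bridge_vpn network=192.168.77.0
/ip dhcp-client
add disabled=no interface=bridge_wan
/ip dhcp-server network
# MyVPN clients resolve through a DNS server inside the tunnel; MyBridged
# clients use the router's own resolver.
add address=192.168.77.0/24 comment=MyVPN dns-server=10.10.10.22 domain=\
duron.sarabriga.net gateway=192.168.77.1
add address=192.168.88.0/24 comment=MyBridged dns-server=192.168.88.1 \
gateway=192.168.88.1
/ip dns
# Remote requests are only reachable from the LAN list because the input
# chain below drops everything that is not in-interface-list=LAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Network separation. Only new connections reach these rules, because
# established/related traffic is already accepted above, so the reply
# direction of an allowed flow is unaffected.
# The mangle mark and the marked route only steer MyVPN traffic into the
# tunnel; nothing prevents MyBridged hosts from being forwarded out of
# openvpn_home as well (and the srcnat rule on openvpn_home has no
# src-address restriction), so enforce it here.
add action=drop chain=forward comment="drop MyBridged -> OpenVPN tunnel" \
in-interface=bridge_lan out-interface=openvpn_home
# Keep the two wireless LANs from reaching each other.
add action=drop chain=forward comment="drop MyVPN -> MyBridged" \
in-interface=bridge_vpn out-interface=bridge_lan
add action=drop chain=forward comment="drop MyBridged -> MyVPN" \
in-interface=bridge_lan out-interface=bridge_vpn
/ip firewall mangle
# Everything sourced from MyVPN is marked so that the route below applies;
# destinations without a route in that table fall back to the main table.
add action=mark-routing chain=prerouting in-interface=bridge_vpn \
new-routing-mark=redirect-to-openvpn passthrough=yes src-address=\
192.168.77.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# no interface
# This rule has no src-address, so any network that is routed into the
# tunnel gets masqueraded; the forward-chain drop above is what limits that
# to MyVPN.
add action=masquerade chain=srcnat out-interface=openvpn_home
/ip route
add distance=1 dst-address=10.0.0.0/8 gateway=openvpn_home routing-mark=\
redirect-to-openvpn scope=10
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MAP
/system leds
set 3 type=on
set 4 type=on
/system scheduler
# NOTE(review): the script only reads an interface flag, changes wlan1 and
# writes log entries; the policy list (password, sensitive, sniff, romon,
# ftp, policy) is far wider than that needs. Trimming it to read,write
# (the scheduler policy must still cover the script's policy) would limit
# what an edited or replaced script could do.
add name=autorun-client-mode on-event="/system script run client-mode" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
# On boot: put wlan1 into station mode, wait for it to associate, and fall
# back to AP mode (SSID "MAP", profile AccessPoint) if nothing connected.
add dont-require-permissions=no name=client-mode owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
wait 3s after startup to run script\r\
\n:delay 3\r\
\n\r\
\n#ensure that master wireless is set as station\r\
\n/interface wireless set wlan1 mode=station ssid=\"\" security-profile=de\
fault;\r\
\n:log info \"Set wlan1 network as station\";\r\
\n\r\
\n#wait 15s for wireless to have time to connect\r\
\n:delay 15;\r\
\n\r\
\n#check if wireless is connected to a network\r\
\nlocal connectstatus [/interface get wlan1 running]\r\
\n\r\
\n#if wireless is connected to something, don't do anything. Else set mast\
er wireless as AP\r\
\nif \$connectstatus do={\r\
\n:log info \"Network active, keep on keeping on\";\r\
\n} else={\r\
\n/interface wireless set wlan1 mode=ap-bridge ssid=\"MAP\" security-profi\
le=AccessPoint;\r\
\n:log info \"Network not active, setting master network to AP\";}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
# LED 3 mirrors Internet reachability, LED 4 mirrors reachability of a host
# behind the OpenVPN tunnel.
add comment="Check Internet" down-script="system leds set 3 type=off" host=\
8.8.8.8 interval=30s up-script="system leds set 3 type=on"
add comment="Check OpenVPN" down-script="system leds set 4 type=off" host=\
10.10.10.1 interval=30s up-script="system leds set 4 type=on"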
Some things i got already working properly and others not...
Separating the different networks with firewalling isn't done yet at all.
I have some questions about the config; maybe someone can answer them:
1. For the wifi interface wlan1 (client), which connects to the access points, I chose the mode station; what is the difference compared to station-bridge and station-pseudobridge?
Should I prefer one of the other two modes or stay with station?
2. On the virtual wlan2 I set the mode to bridge, which is wrong I guess; I want to have layer 2 access to the wireless network (bridged with the physical wlan). Which mode do I need for that?
3. I tried to set up routing and masquerading only for the MyVPN wlan, but I can also reach the hosts inside the VPN when I connect via the MyBridged wlan.
How do I have to change the routing and masquerading rules, or do I have to block this via the firewall?