Yes. Bridging L2 actually pretty simple. And if you do bridge, you do NOT want "allow-managed=yes", since you put the zerotier1 interface as bridge port member & presumably the bridge (or VLAN and PVID) already have IP network.
The TL;DR for bridging is on the ZeroTier client side (e.g. iPhone, desktops, etc.), the IP assigned to ZT client and routes do NOT come from the DHCP server on the bridge – they come what's configured in my.zerotier.com. So inside the network configuration at the ZeroTier side, you need to change all the IP address and routes to use what on the Mikrotik end of the bridge.
Assuming you have account and create a new ZeroTier network for this (don't want to break whatever you have
.
On the Mikrotik side,
- create a new ZeroTier interface on the Mikrotik side for the new network, and join it the new network's ID, leave the allow-managed uncheck/=off
- add it to the main bridge as port (or assign a PVID if you using vlan-filtering=yes).
- in /ip/pool, check the Mikrotik DHCP assignment range to 192.168.88.100-192.168.88.254
- do not set any IP on the zerotier interface & no firewall rules should be required – you're bridging.
On the ZeroTier network admin page, assuming default Mikrotik config (adjust as needed for bridge/VLAN your bridging)
- remove all routes and add one for 192.168.88.0/24 to 192.168.88.1 (adjust as needed)
- use Advanced for IPv4 auto-assignment, then set that to 192.168.88.10 to 192.168.88.99
- authorize the Mikrotik under member by check the box under "Auth?"
- hit the wrench icon next to the RouterOS device... check "enable bridging" and uncheck "auto assign IP" on my.zerotier.com.
- add any other client, and authorize them, but do NOT change any of the "wrench" settings – they do NOT need the "enable brining" (since the client is more of an "edge" in bridging terms, it does NOT need this setting).
If you wanted all of the client's internet traffic tunneled, you need to add a 0.0.0.0/0 route to 192.168.88.1 in the ZeroTier network page. But this will ONLY take effect if the client device (e.g. desktop/iPhone/etc), checks the "Allow Default Route Override".
Lastly, on the Mikrotik, there is the "zt1" instance – this is what does all the tunneling/peer discovery/etc. So it's "Interfaces" selection is important. By default it's "all" & this should work fine in nearly all cases. BUT, it does create a lot of connections through the firewall since ZeroTier is always trying to discovery peers. So in generally using "WAN" may be useful. Conversely, if you do have multiple RouterOS devices using ZeroTier, all be a better choices. Or customizing an interface list with the place ZeroTier should be doing its path discovery.
Hope that helps. I've been meaning to update that doc, but it's long & every hopeful Mikrotik will invest time in improving THEIR documentation overall...