Hi Guys,
I have created a l2tp/ipsec tunnel from a windows 10 client (using native windows client).
It works fine except that what I would like is that only the trafic destined for the remote networks pases over the tunnel.
At his point all trafic is routed to the remote MT.
Can someone point out where my problem is please... Thanks

here is my config:

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=proposal1
/ip pool
add name=default-dhcp ranges=192.168.88.105-192.168.88.200
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=Default
/interface l2tp-server server
set enabled=yes ipsec-secret=X.X.X use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=X.X.X.186/29 interface=ether1 network=X.X.X.184
/ip firewall filter
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment= "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=X.X.X.185
/ppp secret
add local-address=192.168.188.1 name=YYYYY password=X.X.X remote-address=192.168.188.46 service=l2tp
add local-address=192.168.188.1 name=XXXXX password=X.X.X remote-address=192.168.188.47 service=l2tp

It's client-side configuration. It's buried in properties of VPN connection, in IPv4 settings, where you have to uncheck "use remote gateway" (or something like that, I don't have English Windows). Then there's another option for class-based route, which can add route to private subnet based on address the client gets from server (/24 for 192.168.x.x, /8 for 10.x.x.x, ...). If you need route also to another subnet, Windows 10 support this: I didn't personally test it with all types of VPN, only IKEv2, but it should probably work.

Thanks Sob
Worked like a charm .

Go to network connection
properties of the vpn connection
Select ipv4 properties
Advanced
unselect "Use default gateway on remote network"

If you configured your l2tp addresses in the same range as the remote network you are golden.
If it different then you need to add some persistent routes in windows (route add -P x.x.x.x mask x.x.x.x x.x.x.x)

The Add-VpnConnectionRoute command I posted should work instead of persistent route, and it should be better, because it's tied only to this specific VPN connection.

Yes you are correct...
Just another way to do it but you are right its better with your method