Here it is, I only hid public ip addresses:
# mar/05/2019 13:50:18 by RouterOS 6.43.8
# software id = TNTL-3CLS
#
# model = RouterBOARD 750 r2
# serial number = 67D20888227E
/interface bridge
add admin-mac=CC:2D:E0:3C:0C:0F auto-mac=no comment=\
"created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mtu=1400
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mtu=1380 \
name=ether2-master
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_1 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc name=proposal1 pfs-group=none
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.200
add name=BIBLIOTECA-pool ranges=192.168.3.2-192.168.3.200
/ip dhcp-server
add address-pool=dhcp interface=ether3 name=dhcp
add address-pool=BIBLIOTECA-pool disabled=no interface=bridge1 name=\
BIBLIOTECA_dhcp
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=m4gu4rd4tu!! use-ipsec=\
required
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/ip address
add address=192.168.3.1/24 comment=defconf interface=bridge1 network=\
192.168.3.0
add address=xxx.xxx.xxx.218/29 interface=ether1 network=xxx.xxx.xxx.216
add address=192.168.2.1/24 disabled=yes interface=ether3 network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.100.1,8.8.8.8 \
gateway=192.168.2.1
add address=192.168.3.0/24 comment=defconf dns-server=192.168.100.1,8.8.8.8 \
gateway=192.168.3.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment=input src-address=192.168.100.0/24
add action=accept chain=input src-address=192.168.1.0/24
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input connection-state="" dst-port=1701,500,4500 \
in-interface=ether1 protocol=udp src-address=195.81.178.154
add action=accept chain=forward comment=forward connection-state="" \
src-address=192.168.100.0/24
add action=accept chain=forward src-address=192.168.1.0/24
add action=accept chain=input dst-port=2200,8291 in-interface=bridge1 \
protocol=tcp src-address=192.168.3.0/24
add action=accept chain=input dst-port=2200,8291 in-interface=ether1 \
protocol=tcp src-address=xxx.xxx.xxx.40/29
add action=accept chain=input dst-port=2200,8291 in-interface=ether1 \
protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input dst-port=2200,8291 in-interface=ether1 \
protocol=tcp src-address=192.168.100.0/24
add action=drop chain=input dst-port=80,22,23,2200,8291 in-interface=ether1 \
protocol=tcp
add action=drop chain=input connection-state=!established,related disabled=\
yes in-interface=ether1
add action=accept chain=forward connection-state=established,related \
in-interface=ether1
add action=drop chain=forward disabled=yes
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes \
in-interface=ether1
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=""
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat comment="VPN Municipio" dst-address=\
192.168.100.0/24 src-address=192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.100.0/24 src-address=\
192.168.2.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.3.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.2.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=\
192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
192.168.100.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=\
192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
/ip ipsec peer
add address=195.81.178.154/32 exchange-mode=aggressive profile=profile_1 \
secret=m4gu4rd4tu!!
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.100.0/24 proposal=proposal1 sa-dst-address=\
195.81.178.154 sa-src-address=xxx.xxx.xxx.218 src-address=192.168.3.0/24 \
tunnel=yes
add dst-address=192.168.1.0/24 proposal=proposal1 sa-dst-address=\
195.81.178.154 sa-src-address=xxx.xxx.xxx.218 src-address=192.168.3.0/24 \
tunnel=yes
/ip route
add distance=1 gateway=xxx.xxx.xxx.217
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address="192.168.100.0/24,192.168.3.0/24,192.168.2.0/24,192.168.1.0\
/24,xxx.xxx.xxx.40/29"
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=MikroTik
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox