Thank you for the input, I was not aware of having written a novel. Anyway, here comes my config:
# apr/29/2022 08:31:45 by RouterOS 7.1.5
#
# model = CCR1009-7G-1C
/interface bridge
# One bridge with VLAN filtering on. ingress-filtering=no here (and on every
# bridge port below), so untagged frames and unknown VIDs are not rejected at
# ingress; the PVID of each port decides what VLAN they land in.
add admin-mac=64:D1:54:D6:02:C5 auto-mac=no fast-forward=no ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface ethernet
# combo1 is the WAN side (it carries vlan-ppp, see /interface vlan) and is
# renamed to make that visible. loop-protect is explicitly off here and
# explicitly on only for ether7.
set [ find default-name=combo1 ] loop-protect=off mac-address=64:D1:54:D6:02:C6 name=combo1-gateway
set [ find default-name=ether1 ] mac-address=64:D1:54:D6:02:C7
set [ find default-name=ether2 ] mac-address=64:D1:54:D6:02:C8
set [ find default-name=ether3 ] mac-address=64:D1:54:D6:02:C9
set [ find default-name=ether4 ] mac-address=64:D1:54:D6:02:CA
set [ find default-name=ether5 ] mac-address=64:D1:54:D6:02:CB
set [ find default-name=ether6 ] mac-address=64:D1:54:D6:02:CC
set [ find default-name=ether7 ] loop-protect=on mac-address=64:D1:54:D6:02:CD
/interface vlan
# vlan-ppp (VID 7) sits directly on the WAN port and is only used by the
# PPPoE client. vlan1 and vlan20 are the routed (L3) interfaces of the
# bridge for the internal and the "hotspot" network; their addresses are
# under /ip address.
add interface=combo1-gateway name=vlan-ppp vlan-id=7
add interface=bridge1 name=vlan1 vlan-id=1
add interface=bridge1 name=vlan20 vlan-id=20
/interface pppoe-client
# WAN uplink. The PPPoE user name was masked before posting; the password is
# not part of an export anyway. use-peer-dns=yes means the ISP resolvers are
# used by the router's own DNS cache (see /ip dns).
add disabled=no interface=vlan-ppp max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=\
XXXXYYYYZZZZ
/interface list
# Interface list that scopes neighbor discovery and MAC-Winbox (members are
# added under /interface list member).
add name=mac-winbox
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
# Default hotspot user profile: two concurrent logins per user, 5 minute
# idle/keepalive timeouts. No /ip hotspot server appears in this export, so
# whether these profiles are in use cannot be told from here.
set [ find default=yes ] idle-timeout=5m keepalive-timeout=5m mac-cookie-timeout=3h shared-users=2
/ip ipsec peer
# Responder-only peer for the road-warrior (mode-config) clients defined
# under /ip ipsec identity.
add name=peer1 passive=yes
/ip ipsec policy group
add name=RoadWarrior
/ip ipsec profile
# Phase 1: 3des is still offered as a fallback. It is a legacy 64-bit block
# cipher; unless a client that cannot do AES still exists, remove it so the
# profile only accepts aes-256,aes-128.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
# Phase 2: CBC-only ciphers and pfs-group=none, i.e. no perfect forward
# secrecy for the 8h child SAs. Enabling a PFS group (and AEAD ciphers such
# as GCM, if the clients support them) is the usual hardening here.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h pfs-group=none
/ip pool
# Address pool handed to IPsec road-warrior clients.
add name=ipsec-RW ranges=192.168.176.130-192.168.176.149
# Overflow pool for the hotspot DHCP server. A bare /24 includes .0, .255
# and 192.168.0.1, which is the router's own vlan20 address (/ip address);
# a range such as 192.168.0.2-192.168.0.254 avoids handing those out.
add name=Hotspot-P2 ranges=192.168.0.0/24
/ip ipsec mode-config
# Split tunnel: only the two internal prefixes are pushed to VPN clients.
add address-pool=ipsec-RW name=RW-cfg split-include=192.168.177.0/24,192.168.179.0/24
/ip pool
add name=Hotspot next-pool=Hotspot-P2 ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
# DHCP only on the hotspot VLAN; the internal VLAN gets no DHCP from this box.
add address-pool=Hotspot interface=vlan20 lease-time=2h name=default
/port
set 0 name=serial0
set 1 name=serial1
/queue type
# Per-client fair queues for the hotspot "day" limits; the cake-* types are
# used for the regular/hotspot parent queues.
add kind=pcq name=pcq-download-k1 pcq-classifier=dst-address pcq-rate=16M
add kind=pcq name=pcq-upload-k1 pcq-classifier=src-address pcq-rate=11M
add cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-default
add cake-ack-filter=filter cake-bandwidth=40.0Mbps cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-up-hotspot
add cake-bandwidth=220.0Mbps cake-diffserv=besteffort cake-nat=yes cake-wash=yes kind=cake name=cake-down-hotspot
add cake-ack-filter=filter cake-bandwidth=60.0Mbps cake-diffserv=besteffort cake-nat=yes kind=cake name=cake-up-regular
add cake-bandwidth=245.0Mbps cake-diffserv=besteffort cake-nat=yes cake-wash=yes kind=cake name=cake-down-regular
/queue simple
# cake-hotspot is disabled; the hotspot ranges (192.168.0.0/23) are instead
# shaped by Hotspot-Day / Hotspot-Night, which are children of cake-regular.
add disabled=yes name=cake-hotspot queue=cake-up-hotspot/cake-down-hotspot target=192.168.0.0/23 total-queue=cake-default
add bucket-size=0/0 name=cake-regular queue=cake-up-regular/cake-down-regular target=192.168.0.0/16 total-queue=cake-default
add bucket-size=0/0 name=cake-child parent=cake-regular queue=cake-up-regular/cake-down-regular target=192.168.0.0/16
# Day/Night are toggled by the Queue-Day / Queue-Night scripts under
# /system script (one is enabled while the other is disabled). The
# pcq-*-default and hotspot-default queue types referenced by Hotspot-Night
# are not defined in this export; presumably the RouterOS built-in ones.
add bucket-size=0/0 disabled=yes max-limit=40M/220M name=\
Hotspot-Night parent=cake-regular queue=pcq-upload-default/pcq-download-default target=192.168.0.0/23 total-queue=hotspot-default
add bucket-size=0/0 max-limit=40M/220M name=Hotspot-Day \
parent=cake-regular queue=pcq-upload-k1/pcq-download-k1 target=192.168.0.0/23 total-queue=hotspot-default
/routing table
# Extra routing table for "WAN 1" (see /ip route); the only routing rule that
# would select it is disabled, so it is currently unused.
add fib name=dsl5
/snmp community
# The default ("public") community is disabled; only "Intern" is active and
# limited to the two internal prefixes. No SNMP version is shown, so this is
# presumably v1/v2c, where the community string travels in clear text.
set [ find default=yes ] addresses=0.0.0.0/0 disabled=yes
add addresses=192.168.177.0/24,192.168.179.0/24 name=Intern
/system logging action
set 0 memory-lines=2000
set 1 disk-file-count=4 disk-file-name=syslog
/user group
# This is the built-in "full" group with every policy, including ftp, telnet,
# api and rest-api. Accounts that only need Winbox/SSH should be placed in a
# narrower group rather than in full.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp,rest-api
/interface bridge port
# Access ports: no pvid is set, so they fall back to the RouterOS default of
# PVID 1, i.e. the internal VLAN. Only ether7 is also a tagged member of
# VLAN 20 (see /interface bridge vlan).
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=ether6
add bridge=bridge1 ingress-filtering=no interface=ether7
# NOTE(review): vlan20 and vlan1 are VLAN interfaces created on bridge1
# itself (/interface vlan), yet here they are added back as ports of the
# same bridge. Normally the bridge's own VLAN interfaces are not bridge
# ports; confirm this is intended and that the two entries actually exist
# and pass traffic (/interface bridge port print).
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=no interface=vlan20 pvid=20
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=no interface=vlan1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on the mac-winbox list, i.e. not
# on the WAN port and not on ether7.
set discover-interface-list=mac-winbox
/ip settings
# Strict reverse-path filtering rejects packets arriving on an interface
# that is not the best route back to the source. With fast-path disabled
# everything goes through the firewall.
set allow-fast-path=no max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): combo1-gateway is listed as an untagged member of VLAN 1 but
# it is not a bridge port above, so that part of the entry is presumably
# ignored. It is the WAN port; if it ever were bridged it would put the ISP
# side into the internal VLAN, so dropping it from this list is safer.
add bridge=bridge1 tagged=bridge1,vlan1 untagged=combo1-gateway,ether1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=1
# VLAN 20 is carried tagged on ether7 (trunk to the hotspot side).
add bridge=bridge1 tagged=bridge1,ether7,vlan20 vlan-ids=20
/interface list member
# ether7 is deliberately absent, so discovery and MAC-Winbox are not offered
# on the VLAN 20 trunk.
add interface=ether2 list=mac-winbox
add interface=ether1 list=mac-winbox
add interface=ether3 list=mac-winbox
add interface=ether4 list=mac-winbox
add interface=ether5 list=mac-winbox
add interface=ether6 list=mac-winbox
add interface=vlan1 list=mac-winbox
/ip address
# Internal network on vlan1 (router is .3; .2 and .100 are other gateways,
# see /ip route).
add address=192.168.177.3/24 interface=vlan1 network=192.168.177.0
# The hotspot VLAN has two /24 addresses, while the DHCP network below hands
# out 192.168.0.0/23 with gateway 192.168.1.1. This works because both /24s
# are on the same L2 segment, but the mask mismatch between router and
# clients is easy to trip over; a single /23 on vlan20 would be cleaner.
add address=192.168.1.1/24 comment="Hotspot Gateway" interface=vlan20 network=192.168.1.0
add address=192.168.0.1/24 comment="Hotspot Gateway" interface=vlan20 network=192.168.0.0
add address=10.10.1.2/24 comment="ETH to ONT" disabled=yes interface=combo1-gateway network=10.10.1.0
/ip cloud
# DDNS registers the current public address with the MikroTik cloud service
# every hour; the resulting hostname resolves to this router's WAN IP.
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-server network
add address=192.168.0.0/23 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# allow-remote-requests=yes turns on the resolver for clients. It is not an
# open resolver only because the input chain accepts udp/tcp 53 solely from
# 192.168.0.0/23 and the XYZ list and drops the rest (see /ip firewall
# filter); keep that dependency in mind when editing the input chain.
set allow-remote-requests=yes cache-size=6144KiB max-concurrent-queries=400 max-concurrent-tcp-sessions=80 query-server-timeout=6s \
query-total-timeout=13s
/ip dns static
add address=192.168.1.1 name=router
add address=192.168.1.1 name=hotspot
/ip firewall address-list
# XYZ = trusted internal prefixes (internal LAN, site 2, the IPsec
# road-warrior pool and the ONT management net). Its entries are spread
# over several non-adjacent lines in this export.
add address=192.168.177.0/24 list=XYZ
add address=192.168.179.0/24 list=XYZ
# ListA = external prefixes allowed to reach management services and to
# forward through the router (see /ip firewall filter and /ip service).
add address=80.166.12.0/24 list=ListA
add address=212.98.80.8/29 list=ListA
# not_in_internet = bogon / special-purpose ranges that must never be seen
# as source on the WAN or as destination leaving the LAN.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.176.0/24 list=XYZ
# SPAM = sources excluded from the IPsec/IKE accept rules on the WAN.
add address=216.218.128.0/17 list=SPAM
add address=122.224.0.0/12 list=SPAM
add address=183.128.0.0/11 list=SPAM
add address=218.75.0.0/17 list=SPAM
add address=192.168.100.0/24 list=XYZ
add address=188.180.65.192/29 list=ListA
/ip firewall filter
# Rules are evaluated top to bottom; the first match wins.
# The two comments say "L2TP VPN", but no /interface l2tp-server is present
# in this export and the peers under /ip ipsec are plain IKEv1 XAuth
# road-warriors. If L2TP is really not used, udp/1701 can be dropped from
# the port list so only IKE (500/4500) and ESP are reachable from the WAN.
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=pppoe-out1 protocol=ipsec-esp src-address-list=!SPAM
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 in-interface=pppoe-out1 protocol=udp \
src-address-list=!SPAM
# Decrypted/encrypted IPsec traffic is accepted unconditionally in forward.
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward connection-state=invalid in-interface=pppoe-out1
# New connections from the WAN are only allowed when a dst-nat rule matched
# first. This is the rule that gates every port forward in /ip firewall nat.
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new \
in-interface=pppoe-out1 log=yes log-prefix=!NAT
# Anti-spoofing: bogon sources arriving on the WAN are logged and dropped.
add action=drop chain=forward in-interface=pppoe-out1 log=yes log-prefix=\
!public src-address-list=not_in_internet
add action=drop chain=input connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid src-address-list=!XYZ
add action=accept chain=forward connection-state=established,related
add action=accept chain=input disabled=yes src-address-list=ListA
# ListA sources may open any new forward connection. Because the !dstnat
# drop above comes first, this only matters for ListA traffic that arrived
# via a dst-nat or on an interface other than pppoe-out1.
add action=accept chain=forward src-address-list=ListA
# SSH to the router only from XYZ; everyone else is dropped explicitly.
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=XYZ
add action=drop chain=input dst-port=22 protocol=tcp
# ICMP is accepted from any source, including the WAN.
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address-list=XYZ
add action=accept chain=input connection-state=established,related
# Hotspot clients may not reach the internal prefixes.
add action=drop chain=forward dst-address-list=XYZ log=yes log-prefix=\
!hotspot2intern src-address=192.168.0.0/23
add action=accept chain=input disabled=yes src-address=127.0.0.0/24
# Hotspot clients get DNS and DHCP from the router, nothing else (the final
# input drop below catches the rest).
add action=accept chain=input dst-port=53,67,68 protocol=udp src-address=192.168.0.0/23
add action=accept chain=input dst-port=53 protocol=tcp src-address=192.168.0.0/23
# NOTE(review): with vlan-filtering, routed traffic from the LAN enters on
# vlan1/vlan20, not on bridge1 itself, so in-interface=bridge1 may never
# match and this private-destination leak guard may be inert. Check its
# counter; in-interface-list or in-interface=vlan1/vlan20 is the usual form.
add action=drop chain=forward dst-address-list=not_in_internet in-interface=\
bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1
# Final input drops. log-prefix has no effect without log=yes; either add
# log=yes or drop the prefix. There is no matching final drop in the
# forward chain, so anything not dropped above is forwarded by default;
# an explicit `add action=drop chain=forward` at the end would make the
# policy visible instead of implicit.
add action=drop chain=input in-interface=pppoe-out1 log-prefix=inc-ppp
add action=drop chain=input log-prefix=inc-oth
/ip firewall nat
# No out-interface is given, so hotspot sources are masqueraded on every
# egress; `out-interface=pppoe-out1` as in the next rule would scope it.
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.0.0/23
# NOTE(review): srcnat runs before the IPsec policy lookup, so replies from
# 192.168.177.0/24 to the road-warrior pool 192.168.176.0/24 leaving via
# pppoe-out1 are masqueraded here and then no longer match the RoadWarrior
# policy (src 192.168.177.0/24). Unless this is handled elsewhere, the
# standard fix is `ipsec-policy=out,none` on this rule or an accept rule
# for dst 192.168.176.0/24 placed above it.
add action=masquerade chain=srcnat comment="masquerade other clients" out-interface=pppoe-out1 src-address=192.168.177.0/24
# Internet-facing port forwards (all new connections from the WAN are
# otherwise dropped by the !dstnat rule in the filter chain).
add action=dst-nat chain=dstnat comment="3CX Port 5001 TCP" dst-port=5001 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.177.60 to-ports=5001
add action=dst-nat chain=dstnat comment="CS TCP" dst-port=8000 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.177.101 to-ports=8000
# This exposes RDP (3389) on 192.168.177.101 to any source on the internet;
# the non-standard outside port does not limit who can reach it. Restrict
# it with `src-address-list=ListA` (the admin prefixes already defined), or
# move RDP access behind the IPsec VPN that is already in place.
add action=dst-nat chain=dstnat comment="CS Remote Desktop TCP" dst-port=13389 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.177.101 to-ports=3389
add action=dst-nat chain=dstnat comment="3CX Port 5060 TCP" dst-port=5060 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.177.60 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX Port 5060 UDP" dst-port=5060 in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.177.60 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX Port 5090 TCP" dst-port=5090 in-interface=pppoe-out1 protocol=tcp \
to-addresses=192.168.177.60 to-ports=5090
# The comment says TCP but the rule is protocol=udp; rename to "5090 UDP".
add action=dst-nat chain=dstnat comment="3CX Port 5090 TCP" dst-port=5090 in-interface=pppoe-out1 protocol=udp \
to-addresses=192.168.177.60 to-ports=5090
add action=dst-nat chain=dstnat comment="3CX Port 9000-10999 UDP" dst-port=9000-10999 in-interface=pppoe-out1 protocol=\
udp to-addresses=192.168.177.60 to-ports=9000-10999
# LAN-side convenience forwards (in-interface=vlan1 only): ONT web UI and
# the hue / LHG devices on the hotspot VLAN. These are not reachable from
# the WAN.
add action=dst-nat chain=dstnat comment="ONT" dst-port=8072 in-interface=vlan1 protocol=tcp to-addresses=192.168.100.1 \
to-ports=80
add action=dst-nat chain=dstnat comment="hue Web" dst-port=8083 in-interface=vlan1 protocol=tcp to-addresses=\
192.168.1.3 to-ports=80
add action=dst-nat chain=dstnat comment="LHG Winbox" dst-port=8085 in-interface=vlan1 protocol=tcp to-addresses=\
192.168.1.7 to-ports=8291
add action=dst-nat chain=dstnat comment="LHG Web" dst-port=8086 in-interface=vlan1 protocol=tcp to-addresses=\
192.168.1.7 to-ports=80
add action=dst-nat chain=dstnat comment="LHG ssh" dst-port=8087 in-interface=vlan1 protocol=tcp to-addresses=\
192.168.1.7 to-ports=22
# Lets the router itself (and forwarded LAN traffic) reach the ONT on the
# untagged side of the WAN port.
add action=masquerade chain=srcnat comment="masquerade access ONT" out-interface=combo1-gateway
/ip firewall service-port
# SIP ALG disabled; correct for a PBX behind explicit port forwards, where
# the helper tends to rewrite SIP headers and break registrations.
set sip disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
set [ find default=yes ] limit-uptime=1h
/ip ipsec identity
# IKEv1 with pre-shared key + XAuth for two named users. The PSK and XAuth
# passwords are not exported. All users share one peer and the same PSK;
# per-user secrets only come from XAuth, so the PSK should be treated as a
# group secret and rotated when a user leaves.
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg peer=peer1 policy-template-group=RoadWarrior \
username=USERA
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=RW-cfg peer=peer1 policy-template-group=RoadWarrior \
username=USERB
/ip ipsec policy
# Templates: generated policies must be between the two internal prefixes
# and the road-warrior pool; anything else proposed by a client is rejected.
add dst-address=192.168.176.0/24 group=RoadWarrior src-address=192.168.177.0/24 template=yes
add dst-address=192.168.176.0/24 group=RoadWarrior src-address=192.168.179.0/24 template=yes
/ip route
# "WAN 1" lives in table dsl5, which no enabled routing rule selects, so the
# PPPoE default route is the only one in use.
add comment="WAN 1" disabled=no dst-address=0.0.0.0/0 gateway=192.168.177.2 routing-table=dsl5
add comment="WAN 2" disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out1
add comment="Site 2" disabled=no dst-address=192.168.179.0/24 gateway=192.168.177.100 scope=10
add disabled=yes dst-address=192.168.100.0/24 gateway=combo1-gateway
add disabled=yes distance=1 dst-address=10.10.1.0/24 gateway=combo1-gateway pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=10
/ip service
# Clear-text management is off; the remaining services are bound to the
# internal prefixes, the RW pool and the ListA admin range. www is plain
# HTTP on a non-standard port; www-ssl and api-ssl do not appear here, so
# they are presumably at their defaults -- verify with /ip service print
# that api-ssl is either disabled or address-restricted like api.
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.179.0/24,192.168.177.0/24,80.166.12.0/24,192.168.176.0/24 port=1864
set ssh address=192.168.179.0/24,192.168.177.0/24,192.168.176.0/24
set api address=80.166.12.0/24
set winbox address=192.168.179.0/24,192.168.177.0/24,192.168.176.0/24,80.166.12.0/24
/ip ssh
# strong-crypto drops the weak ciphers/MACs. forwarding-enabled=remote
# permits SSH remote port forwarding for logged-in users; set it to no if
# nothing relies on it.
set forwarding-enabled=remote strong-crypto=yes
/radius
add address=127.0.0.1 disabled=yes service=hotspot timeout=2s
/routing rule
# Disabled, so table dsl5 is never consulted for vlan20 traffic.
add action=lookup disabled=yes interface=vlan20
/snmp
# SNMP agent enabled; traps go out on vlan20 with the Intern community.
set enabled=yes trap-community=Intern trap-interfaces=vlan20
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CCR
/system logging
# Memory (0), disk (1/2), remote and syslog targets. Firewall and DHCP are
# excluded from the memory log and sent to remote/syslog instead; firewall
# logging to memory is disabled.
set 0 topics=info,!firewall,!dhcp,!ntp
set 1 action=disk
set 2 action=disk disabled=yes
set 3 topics=critical,!ntp
add action=disk topics=critical,!ntp
add action=remote topics=info,!firewall
add action=remote topics=warning
add action=remote topics=error
add action=remote topics=critical,!ntp
add topics=warning
add disabled=yes topics=firewall
add action=remote topics=firewall
add topics=store,write
add action=remote topics=write,store
add topics=script
add topics=ipsec,info,!debug,!packet
# The following two syslog entries are duplicated verbatim below; every
# firewall and hotspot event is sent twice. One copy of each can be removed.
add action=syslog prefix=XYZ topics=firewall
add action=syslog prefix=XYZ topics=hotspot,account
add action=syslog prefix=XYZ topics=firewall
add action=syslog prefix=XYZ topics=hotspot,account
/system ntp server
# The router serves NTP (manycast); the input chain only lets 53/67/68 in
# from the hotspot and everything from XYZ, so this is reachable by internal
# clients only.
set manycast=yes
/system ntp client servers
add address=0.de.pool.ntp.org
/system package update
set channel=long-term
/system routerboard settings
# Firmware is upgraded automatically to match the RouterOS version on
# reboot.
set auto-upgrade=yes
/system scheduler
# Day/Night queue switch at 07:00 and 23:30. The scheduler entries and the
# scripts carry only read,write,test -- no policy, password or sensitive --
# which is the right least-privilege setting for a queue toggle.
add interval=1d name=Queue-Day on-event="/system script run Queue-Day" policy=read,write,test start-date=jun/23/2020 start-time=07:00:00
add interval=1d name=Queue-Night on-event="/system script run Queue-Night" policy=read,write,test start-date=jun/23/2020 start-time=\
23:30:00
/system script
# dont-require-permissions=no means the caller must hold the script's
# policies itself; the scripts only enable/disable the two simple queues.
add dont-require-permissions=no name=Queue-Day owner=sachariew policy=read,write,test source=\
"/queue simple enable Hotspot-Day; /queue simple disable Hotspot-Night"
add dont-require-permissions=no name=Queue-Night owner=sachariew policy=read,write,test source=\
"/queue simple enable Hotspot-Night; /queue simple disable Hotspot-Day"
/tool graphing interface
# Graphs are served through the www service; the combo1 and pppoe graphs are
# limited to 192.168.179.0/24, the vlan20 graph has no allow-address and so
# uses the graphing default (0.0.0.0/0), i.e. anyone who can reach www.
add allow-address=192.168.179.0/24 interface=combo1-gateway store-on-disk=no
add interface=vlan20 store-on-disk=no
add allow-address=192.168.179.0/24 interface=pppoe-out1 store-on-disk=no
/tool graphing queue
add allow-address=192.168.179.0/24 allow-target=no simple-queue=Hotspot-Night store-on-disk=no
add allow-address=192.168.179.0/24 allow-target=no simple-queue=Hotspot-Day store-on-disk=no
/tool graphing resource
add allow-address=192.168.179.0/24 store-on-disk=no
/tool mac-server
# MAC-Telnet is fully off; MAC-Winbox is only offered on the mac-winbox list
# (ether1-6 and vlan1, not the WAN and not ether7).
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox