I guess...YES, something is missing.
Please share your configuration so we can provide you with some meaningful information:
/export hide-sensitive file=anynameyoulike (and remove any personal information from it)
Hi, there here is the configfile:
# aug/02/2022 13:55:32 by RouterOS 6.48.6
#
# model = CCR1009-7G-1C-1S+
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
name="2.4GHz Standard"
/caps-man configuration
add name=Missing
/interface bridge
add name=DisplaySSID protocol-mode=none
add name=bridge_vlan100 protocol-mode=none
add name=hsia protocol-mode=none
add name=mgmt protocol-mode=none
add name=tv protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=wan1
set [ find default-name=ether2 ] comment=wan2
set [ find default-name=ether3 ] comment=Officenetz
set [ find default-name=ether4 ] comment=hsia-bridge-port
set [ find default-name=ether5 ] comment=mgmnt-bridge-port
set [ find default-name=ether6 ] comment=localbreakout
set [ find default-name=ether7 ] comment="MGMT Port2"
/interface vlan
add interface=ether3 name=vlan100 use-service-tag=yes vlan-id=100
add interface=ether5 name=vlan100_office use-service-tag=yes vlan-id=100
/caps-man datapath
add bridge=hsia client-to-client-forwarding=no local-forwarding=no name=\
hsiapath
add bridge=DisplaySSID client-to-client-forwarding=yes local-forwarding=no \
name=DisplaySSIDpath
/caps-man security
add name=hsiasec
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=DisplaySSIDsec
/caps-man configuration
add channel="2.4GHz Standard" channel.frequency=2412 country=germany \
datapath=hsiapath mode=ap name="2.4GHz CH01" security=hsiasec ssid=\
RekaDisentis
add channel="2.4GHz Standard" channel.frequency=2437 country=germany \
datapath=hsiapath mode=ap name="2.4GHz CH06" security=hsiasec ssid=\
RekaDisentis
add channel="2.4GHz Standard" channel.frequency=2462 country=germany \
datapath=hsiapath mode=ap name="2.4GHz CH11" security=hsiasec ssid=\
RekaDisentis
add channel.band=5ghz-onlyac channel.control-channel-width=20mhz \
channel.extension-channel=Ceee channel.reselect-interval=12h \
channel.save-selected=yes country="etsi 5.5-5.7 outdoor" datapath=\
hsiapath mode=ap name=5G_band rx-chains=0,1,2 security=hsiasec ssid=\
RekaDisentis tx-chains=0,1,2
add channel.band=5ghz-a/n channel.control-channel-width=20mhz \
channel.extension-channel=Ce channel.reselect-interval=12h \
channel.save-selected=yes country="etsi 5.5-5.7 outdoor" datapath=\
hsiapath mode=ap name=5G_band_an rx-chains=0,1,2 security=hsiasec ssid=\
RekaDisentis tx-chains=0,1,2
add datapath=DisplaySSIDpath name=DisplaySSID-cfg security=DisplaySSIDsec \
ssid=DisentisDisplay
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_hsia ranges=10.10.192.2-10.10.255.254
add name=pool_mgmt ranges=172.20.44.5-172.20.44.254
add name=pool_DisplaySSID ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add add-arp=yes address-pool=pool_hsia disabled=no interface=hsia lease-time=\
1d name=server_hsia
add add-arp=yes address-pool=pool_mgmt disabled=no interface=mgmt lease-time=\
12w6d name=server_mgmt
add add-arp=yes address-pool=pool_DisplaySSID disabled=no interface=\
DisplaySSID lease-time=1w name=server_DisplaySSID
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=pub
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=\
--2.4CH01 master-configuration="2.4GHz CH01" name-format=prefix-identity \
slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=\
--2.4CH06 master-configuration="2.4GHz CH06" name-format=prefix-identity \
slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=\
--2.4CH11 master-configuration="2.4GHz CH11" name-format=prefix-identity \
slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
5G_band name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
5G_band_an name-format=prefix-identity slave-configurations=\
DisplaySSID-cfg
add comment=CatchAll master-configuration=Missing
/interface bridge filter
add action=drop chain=forward comment="Prevent Intra-BSS attacks" in-bridge=\
hsia out-bridge=hsia
/interface bridge port
add bridge=hsia interface=ether4
add bridge=mgmt interface=ether7
add bridge=mgmt interface=ether5
add bridge=bridge_vlan100 interface=ether3 multicast-router=disabled pvid=100
add bridge=bridge_vlan100 interface=vlan100 multicast-router=disabled
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set secure-redirects=no tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge_vlan100 tagged=ether5 vlan-ids=100
/ip address
add address=10.10.192.1/18 comment=hotspot interface=hsia network=10.10.192.0
add address=172.20.44.1/24 comment=mgmnt interface=mgmt network=172.20.44.0
add address=192.168.10.1/24 comment=DisplaySSID interface=DisplaySSID \
network=192.168.10.0
add address=172.16.6.1/24 interface=ether3 network=172.16.6.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=bridge_vlan100 use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no disabled=no interface=bridge_vlan100 use-peer-dns=no \
use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=hsia on-alert=":log info bad_DHCP_Server"
add disabled=no interface=DisplaySSID on-alert=\
":log info DisplaySSID - anderer DHCP Server"
/ip dhcp-server network
add address=10.10.192.0/18 dns-server=10.10.192.1 gateway=10.10.192.1 \
netmask=18 ntp-server=10.10.192.1
add address=172.20.44.0/24 dns-server=172.20.44.1 gateway=172.20.44.1 \
netmask=24 ntp-server=172.20.44.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
netmask=24 ntp-server=192.168.10.1
/ip firewall address-list
add address=172.16.60.0/24 list=RZ
add address=10.255.244.0/22 list=RZ
add address=10.255.252.0/22 list=RZ
add address=172.16.6.0 list=Office
/ip firewall filter
add chain=forward dst-address=10.10.192.0/18 src-address=172.16.60.0/24
add chain=forward dst-address=172.16.60.0/24 src-address=10.10.192.0/18
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=input comment="drop external ntp" dst-port=123 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop external ntp" dst-port=123 \
in-interface=ether2 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether2 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 \
in-interface=ether2 protocol=tcp
add action=drop chain=forward comment="tv to mgmt" in-interface=tv \
log-prefix=DROP_FW out-interface=mgmt
add chain=input connection-state=established,related
add chain=input protocol=icmp src-address=10.10.192.0/18
add action=drop chain=forward comment="block multicast" src-address-type=\
multicast
add action=drop chain=forward comment="clients to mgmnt-lan" dst-address=\
172.20.44.0/24 src-address=10.10.192.0/18
add chain=forward comment="accept established" connection-state=established
add chain=forward comment="accept related" connection-state=related
add chain=forward comment="rz to mgmnt-lan" dst-address=172.20.44.0/24 \
src-address-list=RZ
add chain=forward comment="mgmnt-lan to rz" dst-address-list=RZ src-address=\
172.20.44.0/24
add action=drop chain=forward comment="mgmnt-lan 2 anywhere" src-address=\
172.20.44.0/24
add action=drop chain=forward comment=eventSSID2RZ dst-address=172.16.0.0/12 \
src-address=192.168.10.0/24
add action=drop chain=forward comment=eventSSID2TV dst-address=192.0.0.0/8 \
src-address=192.168.10.0/24
add action=accept chain=forward disabled=yes src-address-list=Office
add action=accept chain=forward disabled=yes dst-address-list=Office
/ip firewall mangle
add chain=prerouting dst-address-list=RZ
add action=accept chain=prerouting disabled=yes dst-address-list=RZ
add action=mark-connection chain=prerouting comment=unfiltered_clients \
connection-mark=no-mark disabled=yes dst-address-type=!local hotspot=auth \
in-interface=hsia new-connection-mark=hotspotuser passthrough=yes \
src-address=10.10.192.0/18
add action=mark-routing chain=prerouting comment=unfiltered connection-mark=\
hotspotuser disabled=yes dst-address-type="" in-interface=hsia \
new-routing-mark=hotspotuser passthrough=yes
add action=mark-routing chain=output connection-mark=hotspotuser disabled=yes \
new-routing-mark=hotspotuser passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="LB to WAN" out-interface=ether1
add action=masquerade chain=srcnat comment=localbreakout out-interface=ether1
add action=masquerade chain=srcnat comment=localbreakout disabled=yes \
out-interface=bridge_vlan100
add action=accept chain=srcnat disabled=yes out-interface=bridge_vlan100
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=10.255.244.1 \
routing-mark=hotspotuser
add disabled=yes distance=5 gateway=10.255.252.1 routing-mark=hotspotuser
add disabled=yes distance=1 dst-address=10.10.192.0/18 gateway=hsia \
routing-mark=hotspotuser
add distance=10 gateway=ether3
add distance=20 gateway=172.16.6.1
add distance=15 dst-address=172.16.60.0/24 gateway=10.255.244.1
add comment=failback distance=20 dst-address=172.16.60.0/24 gateway=\
10.255.252.1
add distance=10 dst-address=172.16.60.128/25 gateway=10.255.252.1
add check-gateway=ping comment=OpenAppTV-Server distance=1 dst-address=\
172.16.60.211/32 gateway=10.255.244.1
/system ntp client
set enabled=yes primary-ntp=172.16.60.60 secondary-ntp=172.16.60.160
/system ntp server
set enabled=yes