post your config
/export file=anynameyouwish ( minus the router serial number and any public WANIP information )
model = RBD52G-5HacD2HnD
# serial number =
/interface bridge
add name=Bridge-geust
add admin-mac=xXx auto-mac=no comment=defconf name=Home
/interface ethernet
set [ find default-name=ether1 ] comment=A
set [ find default-name=ether2 ] comment=B
set [ find default-name=ether3 ] comment=C
set [ find default-name=ether4 ] comment=D
/interface wireguard
add listen-port=53535 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
"profile guest" supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=poland disabled=no distance=indoors frequency=2452 installation=\
indoor mode=ap-bridge name=2G security-profile=profile1 ssid=Dom \
station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eeeC country=poland disabled=no distance=indoors frequency=\
5700 installation=indoor mode=ap-bridge name=5G security-profile=profile1 \
ssid=Dom-ac station-roaming=enabled wireless-protocol=802.11
add keepalive-frames=disabled mac-address=ZzZ master-interface=\
2G multicast-buffering=disabled name=Guest security-profile=\
"profile guest" ssid=Guest wds-cost-range=0 wds-default-cost=0 wps-mode=\
disabled
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.40
add name=OpenVpnpool ranges=192.168.3.2-192.168.3.6
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=Home lease-time=51w3d \
name=dhcp
add address-pool=dhcp_pool2 interface=Bridge-geust name=dhcp1
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.3.1 name=OpenVpn remote-address=\
OpenVpnpool use-encryption=required use-ipv6=no
/interface bridge port
add bridge=Home comment=defconf ingress-filtering=no interface=ether2
add bridge=Home comment=defconf ingress-filtering=no interface=ether3
add bridge=Home comment=defconf ingress-filtering=no interface=ether4
add bridge=Home comment=defconf ingress-filtering=no interface=ether5
add bridge=Home comment=defconf ingress-filtering=no interface=2G
add bridge=Home comment=defconf ingress-filtering=no interface=5G
add bridge=Bridge-geust interface=Guest
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=Home list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Mikro-Server cipher=aes256-cbc default-profile=\
OpenVpn enabled=yes require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.4.2/32 interface=wireguard1 public-key=\
"xyz"
/interface wireless access-list
add comment=Fone interface=5G mac-address=IiI
/ip address
add address=192.168.2.1/24 comment=defconf interface=Home network=192.168.2.0
add address=192.168.4.1/24 interface=wireguard1 network=192.168.4.0
add address=192.168.10.1/24 interface=Bridge-geust network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add rrrrrr
add ggggg
add hhhhh
add jjjjj
add kkkkk
add llllll
add pppppppp
add ooooooo
add uuuuuuuuuuuuu
add ttttttttttt
add iiiiiiiiiiiiiiiiii
add ffffffffffffff
add aaaaaaaaaaaaaaaaaaaa
add vvvvvvvvvvvvvvvvvvvv
add bbbbbbbbbbbbbbbb
add qqqqqqqqqqqqqq
add yyyyyyyyyyyyyyyyy
add dddddddddddddddd
add xxxxxxxxxxxxxxxxx
add ssssssssssssssssssssssss
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=\
192.168.2.15,62.179.1.62,62.179.1.63 gateway=192.168.2.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="Open VPN" dst-port=1194,80,8291,21 \
protocol=tcp src-address=192.168.3.2-192.168.3.6 src-port=""
add action=accept chain=input comment=Wireguard dst-port=53535,80,8291,21 \
protocol=udp src-port=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1 src-address=\
192.168.4.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=WwW
set ssh disabled=yes
set api disabled=yes
set winbox address=OoO
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ppp secret
add name=wWw profile=OpenVpn service=ovpn
add name=yYy profile=OpenVpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
that's all