Thank you so much for the quick reply!
I couldn't find a tool where I could easily draw the diagram, so I used Google Drawing
https://docs.google.com/drawings/d/1chy ... Kro6hAhU0/
Network diagram (1).png
It's actually very simple, with just 3 separate subnets, each corresponding to one PPPoE account and some port mappings.
Right now, the router works just on the 3rd subnet (internal user network) with just a couple of port mappings.
The config is attached, but it is really just clutter from my multiple attempts at setting up interfaces, VLANs, DHCP pools and such.
# may/13/2023 01:00:05 by RouterOS 6.49.7
# software id = 8M9R-5B02
#
# model = RB3011UiAS
# serial number = E7E90F0F9E2E
# NOTE(review): this export header publishes the software id and the serial
# number. `/ip cloud set ddns-enabled=yes` appears later in this config, and
# MikroTik's cloud DDNS name is derived from the serial number, so redacting
# the public IP as x.x.x.56 in the NAT rules does not hide the router if the
# serial stays in the post. Redact both header fields before sharing.
#
# Two bridges are defined: "bridge" (the defconf LAN bridge with a pinned
# admin MAC) and "bridge54" (added for the .54 subnet).
# Neither line sets vlan-filtering; an export omits defaults, so VLAN
# filtering is presumably off on both - confirm, because the
# `/interface bridge vlan` entry for VLAN 54 has no effect without it.
/interface bridge
add admin-mac=DC:2C:6E:65:1A:C5 auto-mac=no comment=defconf name=bridge
add name=bridge54
# Physical ports ether1-ether9 are renamed; ether2 and ether3 are disabled.
# ether10 and sfp1 keep their default names (they are referenced as such in
# the VLAN and bridge-port sections).
/interface ethernet
set [ find default-name=ether1 ] name=ether01-WAN1
set [ find default-name=ether2 ] disabled=yes name=ether02-WAN2
set [ find default-name=ether3 ] disabled=yes name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
# Three PPPoE sessions (one per ISP account) all run over ether01-WAN1.
# NOTE(review): the `user=` values are ISP account identifiers and are
# published verbatim here; redact them before posting, as was done for the
# public addresses.
# All three set add-default-route=yes, so every session that comes up installs
# a competing default route; steering each subnet out of "its" account will
# need routing marks or per-session routing rather than three default routes.
# pppoe-out2-55 carries no `disabled=no`, so it is presumably still disabled
# (its WAN list membership is also disabled further down) - confirm.
# pppoe-out1-54 and pppoe-out2-55 set keepalive-timeout=disabled;
# pppoe-out3-56 does not.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether01-WAN1 keepalive-timeout=disabled name=pppoe-out1-54 use-peer-dns=yes user=CRPIS282892727
add add-default-route=yes interface=ether01-WAN1 keepalive-timeout=disabled name=pppoe-out2-55 use-peer-dns=yes user=CRPIS282892821
add add-default-route=yes disabled=no interface=ether01-WAN1 name=pppoe-out3-56 use-peer-dns=yes user=CRPIS282892834
# Per-port VLAN sub-interfaces left over from several attempts.
# Active: VLAN 54 on ether04, VLAN 3 on ether03 and ether05-ether10.
# Disabled: the VLAN 1 and VLAN 2 interfaces and vlan3-ether4.
# NOTE(review): each parent port is also a bridge port (see
# /interface bridge port). These VLAN interfaces expect tagged frames on the
# wire and none of them has an IP address or DHCP server in this export, so
# they presumably do nothing useful at the moment - verify before relying on
# them for subnet separation.
/interface vlan
add interface=ether04 name=VLAN3-IP54 vlan-id=54
add disabled=yes interface=ether03 name=vlan1A-54 vlan-id=1
add disabled=yes interface=ether05 name=vlan1C-54 vlan-id=1
add disabled=yes interface=ether06 name=vlan2A-55 vlan-id=2
add disabled=yes interface=ether07 name=vlan2B-55 vlan-id=2
add interface=ether03 name=vlan3-ether3 vlan-id=3
add disabled=yes interface=ether04 name=vlan3-ether4 vlan-id=3
add interface=ether05 name=vlan3-ether5 vlan-id=3
add interface=ether06 name=vlan3-ether6 vlan-id=3
add interface=ether07 name=vlan3-ether7 vlan-id=3
add interface=ether08 name=vlan3-ether8 vlan-id=3
add interface=ether09 name=vlan3-ether9 vlan-id=3
add interface=ether10 name=vlan3-ether10 vlan-id=3
# Switch-chip default (untagged) VLAN per port, addressed by item number
# rather than port name, so which physical port each number means depends on
# the print order on this device.
# NOTE(review): item 2 uses default-vlan-id=30 while every other entry uses 3
# or 54 - possibly a typo for 3; confirm.
# No vlan-mode is set on any port here; if it is at its default the switch
# chip presumably does not enforce the VLAN table, so these IDs alone do not
# isolate the subnets from each other - confirm.
/interface ethernet switch port
set 2 default-vlan-id=30
set 3 default-vlan-id=54
set 4 default-vlan-id=3
set 5 default-vlan-id=3
set 6 default-vlan-id=3
set 7 default-vlan-id=3
set 8 default-vlan-id=3
set 9 default-vlan-id=3
set 10 default-vlan-id=3
set 11 default-vlan-id=3
# Interface lists used by the firewall, NAT, neighbor discovery and
# MAC-server settings; membership is assigned under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pools: "dhcp" for the 192.168.0.0/24 LAN, "vpn" for PPP clients,
# "dhcp54" for the planned 192.168.1.0/24 subnet.
# NOTE(review): the vpn range ends at 192.168.89.255, which would be the
# broadcast address if the clients are treated as a /24 - probably meant .254.
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp54 ranges=192.168.1.2-192.168.1.254
# DHCP1-IP56 serves the main bridge; DHCP3-IP54 serves bridge54 with a
# one-minute lease.
# NOTE(review): /ip address in this export assigns only 192.168.0.1/24 (on
# "bridge"). bridge54 has no 192.168.1.1 address, so DHCP3-IP54 advertises a
# gateway the router does not own - likely one reason the second subnet does
# not work yet.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=DHCP1-IP56
add address-pool=dhcp54 disabled=no interface=bridge54 lease-time=1m name=DHCP3-IP54
# *FFFFFFFE is an internal item ID (presumably the built-in
# default-encryption profile, which the SSTP server below also selects).
# VPN clients get addresses from the "vpn" pool with the router at 192.168.89.1.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
# Bridge membership. ether04 is the only member of bridge54; ether03 and
# ether05-ether10 plus sfp1 are in the main bridge. The ether02-WAN2 entry is
# disabled, and ether05 has hardware offload turned off (hw=no).
# NOTE(review): the switch VLAN table at the end of this block groups
# ether03, ether04 and ether05 together for VLAN 54, but here ether03 and
# ether05 sit in the main bridge. The two layers disagree about which ports
# belong to the .54 subnet; pick one mechanism (bridge or switch chip) and
# make port membership match.
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether02-WAN2
add bridge=bridge54 comment="not defconf" interface=ether04
add bridge=bridge comment=defconf hw=no interface=ether05
add bridge=bridge comment=defconf interface=ether07
add bridge=bridge comment=defconf interface=ether08
add bridge=bridge comment=defconf interface=ether09
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether06
add bridge=bridge interface=ether03
# Neighbor discovery is limited to the LAN list, so the router does not
# announce itself on WAN-list interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN 54 entry on bridge54 with no tagged/untagged ports listed; it only
# matters if vlan-filtering is enabled on that bridge (not set in this export).
/interface bridge vlan
add bridge=bridge54 vlan-ids=54
/interface detect-internet
set detect-interface-list=WAN
# Switch-chip VLAN table: VLAN 3 on switch2 (ether06-ether10) and VLAN 54 on
# switch1 (ether03-ether05).
/interface ethernet switch vlan
add comment="IP 56" independent-learning=no ports=ether06,ether07,ether08,ether09,ether10 switch=switch2 vlan-id=3
add comment="For IP54" independent-learning=no ports=ether03,ether04,ether05 switch=switch1 vlan-id=54
# Four VPN servers are enabled at once (L2TP, OpenVPN, PPTP, SSTP). Each one
# is an internet-facing listener, and the firewall in this export has no
# active drop rule in front of them. Keep only the protocol actually in use.
#
# L2TP: use-ipsec=yes adds the IPsec peer, but this value still accepts plain
# L2TP sessions; the stricter setting refuses sessions that are not
# IPsec-protected. No ipsec-secret is visible here - either the export hid it
# or it is unset; verify on the device.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
# WAN list: the physical uplink plus pppoe-out1-54 and pppoe-out3-56
# (pppoe-out2-55 is disabled). LAN list: both bridges.
# The masquerade rule, neighbor discovery and the MAC server all key off
# these lists, so a PPPoE interface missing from WAN gets no NAT.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether01-WAN1 list=WAN
add interface=pppoe-out3-56 list=WAN
add interface=pppoe-out1-54 list=WAN
add disabled=yes interface=pppoe-out2-55 list=WAN
add interface=bridge54 list=LAN
# OpenVPN server enabled with no certificate or other options shown;
# presumably everything else is at defaults - confirm a server certificate is
# actually assigned.
/interface ovpn-server server
set enabled=yes
# NOTE(review): PPTP is widely regarded as obsolete (MS-CHAPv2/MPPE) and
# should be disabled unless a legacy client strictly requires it.
/interface pptp-server server
set enabled=yes
# SSTP enabled with the default-encryption profile; no certificate is set in
# this export, so clients presumably cannot authenticate the server - verify.
/interface sstp-server server
set default-profile=default-encryption enabled=yes
# Traffic accounting is on, including router-local traffic.
/ip accounting
set account-local-traffic=yes enabled=yes
# The only static address on the router: 192.168.0.1/24 on the main bridge.
# No address exists for bridge54 / 192.168.1.0/24, although a DHCP server,
# a DHCP network and a route for that subnet are configured elsewhere.
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
# Cloud DDNS is on: the router registers its current public address under a
# MikroTik-hosted name. Combined with the serial number in the export header,
# this makes the device locatable even though the IP is redacted in the post.
/ip cloud
set ddns-enabled=yes
# defconf DHCP client on the raw uplink port, alongside the PPPoE clients on
# the same port. If the ISP hands out a lease here it can add another default
# route; presumably unneeded with PPPoE - confirm and remove if so.
/ip dhcp-client
add comment=defconf interface=ether01-WAN1
# Static DHCP leases for the 192.168.0.0/24 LAN.
# NOTE(review): this publishes the MAC address (and therefore vendor) of
# every internal device, including the hosts that are port-forwarded from the
# internet (192.168.0.106 and 192.168.0.153 in /ip firewall nat). Trim or
# redact this section before posting a config publicly.
# Oddities worth cleaning up:
#   - 6C:1C:71:39:C1:9D is bound to both .106 and .93 (the latter only on
#     server DHCP1-IP56).
#   - DC:A6:32:C3:44:3A is bound to both .134 ("Server SB RPi", by client-id)
#     and .153 (by MAC only).
#   - the .126 entry has a client-id that does not correspond to its
#     mac-address.
# Only three entries name a server; the rest presumably apply to any DHCP
# server on the router - confirm once a second subnet is live.
/ip dhcp-server lease
add address=192.168.0.105 client-id=0:8:f1:ea:f4:95:16:0:0:0 mac-address=08:F1:EA:F4:95:16
add address=192.168.0.127 client-id=1:8c:89:a5:3f:87:fa mac-address=8C:89:A5:3F:87:FA
add address=192.168.0.124 client-id=1:88:d7:f6:57:23:3e mac-address=88:D7:F6:57:23:3E
add address=192.168.0.100 mac-address=98:F2:B3:26:2B:0F
add address=192.168.0.125 client-id=1:d4:3d:7e:63:97:f1 mac-address=D4:3D:7E:63:97:F1
add address=192.168.0.123 client-id=1:e0:3f:49:79:49:c8 mac-address=E0:3F:49:79:49:C8
add address=192.168.0.122 client-id=1:88:d7:f6:57:23:2f mac-address=88:D7:F6:57:23:2F
add address=192.168.0.203 client-id=1:8c:b8:4a:80:98:f7 mac-address=8C:B8:4A:80:98:F7
add address=192.168.0.141 client-id=1:ec:e5:12:13:d7:f3 mac-address=EC:E5:12:13:D7:F3
add address=192.168.0.126 client-id=1:50:2b:73:c5:d:7c mac-address=74:27:EA:67:B2:8E
add address=192.168.0.133 client-id=1:0:22:58:58:11:2f mac-address=00:22:58:58:11:2F
add address=192.168.0.132 client-id=1:3c:2a:f4:37:19:e0 mac-address=3C:2A:F4:37:19:E0
add address=192.168.0.131 client-id=1:9c:ae:d3:ea:29:c6 mac-address=9C:AE:D3:EA:29:C6
add address=192.168.0.205 client-id=1:8c:25:5:ca:f7:58 mac-address=8C:25:05:CA:F7:58
add address=192.168.0.206 mac-address=10:7B:44:68:92:03
add address=192.168.0.204 client-id=1:82:cc:88:c7:16:f mac-address=82:CC:88:C7:16:0F
add address=192.168.0.121 mac-address=98:29:A6:8F:BE:71
add address=192.168.0.208 client-id=1:de:d3:d1:b8:3b:49 mac-address=DE:D3:D1:B8:3B:49
add address=192.168.0.207 client-id=1:dc:72:9b:68:ee:de mac-address=DC:72:9B:68:EE:DE
add address=192.168.0.116 client-id=1:c6:be:db:38:f7:86 mac-address=C6:BE:DB:38:F7:86
add address=192.168.0.143 mac-address=B0:95:75:E4:CD:C2
add address=192.168.0.142 mac-address=B0:95:75:E4:CE:60
add address=192.168.0.106 client-id=1:6c:1c:71:39:c1:9d mac-address=6C:1C:71:39:C1:9D
add address=192.168.0.111 client-id=1:b6:fb:ba:fe:b7:8f mac-address=B6:FB:BA:FE:B7:8F
add address=192.168.0.114 client-id=1:78:e3:6d:1a:77:38 mac-address=78:E3:6D:1A:77:38
add address=192.168.0.118 client-id=1:34:a:33:30:2:2b mac-address=34:0A:33:30:02:2B
add address=192.168.0.134 client-id=dc:a6:32:c3:44:3a comment="Server SB RPi" mac-address=DC:A6:32:C3:44:3A
add address=192.168.0.103 mac-address=2C:EA:7F:FA:9C:B4
add address=192.168.0.93 client-id=1:6c:1c:71:39:c1:9d mac-address=6C:1C:71:39:C1:9D server=DHCP1-IP56
add address=192.168.0.153 mac-address=DC:A6:32:C3:44:3A
add address=192.168.0.77 mac-address=B0:95:75:E4:CD:AA server=DHCP1-IP56
add address=192.168.0.92 mac-address=B0:95:75:E4:CE:22 server=DHCP1-IP56
# Options handed to DHCP clients per subnet.
# 192.168.0.0/24 is the live internal network. 192.168.1.0/24 names
# 192.168.1.1 as gateway, an address the router does not hold in this export.
# 192.168.88.0/24 is a leftover of the factory default configuration and has
# no matching pool or address here.
/ip dhcp-server network
add address=192.168.0.0/24 comment="default subnet for internal network" gateway=192.168.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# Local name for the router's LAN address.
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
# Filter table as exported.
# NOTE(review): every drop rule in this table is disabled=yes - "drop
# invalid" and "drop all not coming from LAN" on input, "drop invalid" and
# "drop all from WAN not DSTNATed" on forward. No other drop or reject rule
# exists, and a RouterOS chain accepts whatever no rule matches. The effect:
#   - the accept rules below are redundant, because nothing is being blocked;
#   - every service listening on the router is reachable from the WAN-list
#     interfaces, not just the ports named here;
#   - the forward chain does not restrict new connections arriving from WAN.
# Before this router stays on the internet, re-enable the defconf drop rules
# and keep the specific accepts above them. Doing this from a LAN-side
# session, or with Safe Mode on, avoids locking yourself out.
/ip firewall filter
# Management over the internet: TCP/1080 (mapped to the router's HTTP
# interface by a dst-nat rule in /ip firewall nat) is accepted from any
# source. Filter rules see the packet after dst-nat, so this match on port
# 1080 presumably never fires for the translated traffic - verify.
# `src-port=""` is an empty match left by the editor.
add action=accept chain=input comment="Router remote web access" dst-port=1080 protocol=tcp src-port=""
add action=accept chain=forward disabled=yes dst-address=192.168.0.153 dst-port=8444 in-interface=ether01-WAN1 protocol=tcp src-port=""
add action=accept chain=forward disabled=yes in-interface=ether01-WAN1 protocol=tcp src-port=1080
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
# NOTE(review): WinBox (TCP/8291) is accepted with no in-interface or
# src-address restriction, i.e. from the internet as well. Restrict it to the
# LAN list or a VPN address range, or to a src-address-list of known admin
# addresses.
add action=accept chain=input comment="Router remote WinBox access" dst-port=8291 protocol=tcp
add action=accept chain=input comment=Video disabled=yes dst-port=4480 protocol=tcp src-port=80
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# VPN listener ports for the servers enabled under /interface ...-server.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The rule below is what normally shields the router from the WAN side; it is
# disabled here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
# The rule below is what normally limits WAN-to-LAN forwarding to
# port-forwarded connections only; it is disabled here.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
# NAT table. x.x.x.56 is the poster's redaction of the public address on the
# third PPPoE account; these rules will not import as written.
/ip firewall nat
# Outbound NAT for everything leaving through a WAN-list interface.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): publishes the router's own HTTP management interface
# (192.168.0.1:80) on public port 1080. That is unencrypted and reachable
# from any source; prefer reaching management through the VPN, or at least
# add a src-address-list restriction and use the TLS-enabled web service.
add action=dst-nat chain=dstnat comment="Router remote web access" dst-address=x.x.x.56 dst-port=1080 protocol=tcp to-addresses=192.168.0.1 to-ports=80
# Port forwards to internal hosts: 8442-8444 to 192.168.0.153 and 6060 to
# 192.168.0.106:443 ("XVR"). Neither has a source restriction, so both devices
# are exposed to the whole internet and need their own hardening and updates.
add action=dst-nat chain=dstnat dst-address=x.x.x.56 dst-port=8442-8444 protocol=tcp to-addresses=192.168.0.153 to-ports=8442-8444
# Intended to pin 192.168.0.153's outbound traffic to x.x.x.56. The masquerade
# rule above matches first for traffic leaving via the WAN list, so this rule
# is presumably rarely reached - verify with the rule counters.
add action=src-nat chain=srcnat src-address=192.168.0.153 to-addresses=x.x.x.56
# Hairpin NAT: lets LAN clients reach the forwarded services through the
# public address.
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment=XVR dst-address=x.x.x.56 dst-port=6060 protocol=tcp to-addresses=192.168.0.106 to-ports=443
# The remaining dst-nat rules are disabled leftovers. If any is re-enabled,
# note that "DMZ for SB Server" has no dst-port and would forward every TCP
# port to 192.168.0.103, and the two "SB Server" rules would expose that
# host's SSH (port 22) publicly.
add action=dst-nat chain=dstnat comment="Force 80 to SB Server" disabled=yes dst-address=x.x.x.56 dst-port=80 protocol=tcp to-addresses=192.168.0.153
add action=dst-nat chain=dstnat disabled=yes dst-port=4480 protocol=tcp to-addresses=192.168.0.140 to-ports=80
add action=dst-nat chain=dstnat comment="DMZ for SB Server" disabled=yes dst-address=x.x.x.56 protocol=tcp to-addresses=192.168.0.103
add action=dst-nat chain=dstnat comment="SB Server" disabled=yes dst-address=x.x.x.56 dst-port=1022 log=yes log-prefix=vlad_ protocol=tcp to-addresses=192.168.0.103 to-ports=22
add action=dst-nat chain=dstnat comment="SB Server e pe vechiul IP" disabled=yes dst-address=x.x.x.56 dst-port=22 in-interface=all-ethernet log=yes log-prefix=vlad_ protocol=tcp to-addresses=192.168.0.103 to-ports=22
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes src-address=192.168.0.0/24
# Static routes. The two /32 routes are disabled.
# NOTE(review): the active route sends 192.168.1.0/24 - the intended local
# subnet behind bridge54 - out through pppoe-out1-54. That points the LAN
# prefix at the ISP instead of routing that subnet's outbound traffic via that
# account; presumably a policy-routing attempt that needs a routing mark or
# rule instead. Confirm intent.
/ip route
add disabled=yes distance=1 dst-address=10.0.0.54/32 gateway=pppoe-out1-54
add disabled=yes distance=1 dst-address=10.0.0.55/32 gateway=pppoe-out2-55
add distance=1 dst-address=192.168.1.0/24 gateway=pppoe-out1-54 pref-src=192.168.1.1 scope=10
# Only SSH is disabled. An export lists non-default settings only, so the
# other management services (telnet, ftp, www, winbox, api) are presumably
# still at their enabled defaults with no `address=` restriction - verify with
# `/ip service print`, disable the unused ones and restrict the rest to
# LAN/VPN ranges. This matters more here because the input chain currently
# drops nothing.
/ip service
set ssh disabled=yes
/ip ssh
set forwarding-enabled=local
/lcd
set time-interval=hour
# A PPP user named "vpn" with no password shown. Either the export hid it or
# the password is empty; with four VPN servers enabled, verify on the device
# that a strong password is set and that the secret is limited to the one
# service actually used.
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Bucharest
# MAC-layer management (MAC telnet and MAC WinBox) is limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN