Perhaps since this is a single IP it may be possible to avoid mangling and use a routing rule........
Would need to see full config /export file=anynameyouwish ( minus router serial # and any public WANIP info, keys etc. )
Thanks for replying.
I attach the full exported files. I have replaced some sensitive information.
# may/28/2023 21:31:22 by RouterOS 7.9rc3
# software id = SENSITIVE
#
# model = CRS326-24G-2S+
# serial number = SENSITIVE
# NOTE(review): 7.9rc3 is a release-candidate build. This device runs PPTP and
# L2TP servers and accepts Winbox on the input chain, so a current stable
# release is the safer base for it.
/caps-man channel
# Channel definitions referenced by the CAPsMAN configurations in this export:
# one 2.4 GHz entry (two frequencies, tx-power 13) and one 5 GHz entry.
add band=2ghz-b/g/n extension-channel=disabled frequency=2412,2432 name=2.4G \
tx-power=13
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee \
frequency=5180 name=5G
/interface pptp-client
# Two PPTP client tunnels. Only the first carries disabled=no; the second
# exports no disabled= value, so it is presumably left at its default - confirm.
# NOTE(review): RouterOS itself flags PPTP as unsafe (see the warning under
# /interface pptp-server server in this export). The /ip route entries use the
# l2tp-out-* interfaces as gateways; only one masquerade rule still refers to
# pptp-out-OFFICE, so these PPTP clients look removable - confirm.
# NOTE(review): the user= values are not redacted in this public export.
add connect-to=SENSITIVE.sn.mynetname.net dial-on-demand=yes disabled=no \
max-mru=1500 max-mtu=1500 name=pptp-out-OFFICE user=Japan_mikrotik
add connect-to=SENSITIVE.sn.mynetname.net dial-on-demand=yes name=\
pptp-out-OFFICE2 user=Japan_Mikrotik
/interface bridge
# Single bridge with a fixed admin MAC (auto-mac=no) and proxy-arp enabled.
add admin-mac=SENSITIVE arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ethernet
# proxy-arp is set on every physical port, ether1 included.
# NOTE(review): ether1 is the WAN port in this export (interface list WAN,
# DHCP client). With proxy-arp there the router can answer ARP requests on the
# upstream segment for addresses it has routes to. If proxy-arp is only needed
# so that VPN clients addressed from the LAN pool are reachable, the bridge
# setting is presumably sufficient - confirm, and set arp=enabled on ether1.
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
set [ find default-name=ether6 ] arp=proxy-arp
set [ find default-name=ether7 ] arp=proxy-arp
set [ find default-name=ether8 ] arp=proxy-arp
set [ find default-name=ether9 ] arp=proxy-arp
set [ find default-name=ether10 ] arp=proxy-arp
set [ find default-name=ether11 ] arp=proxy-arp
set [ find default-name=ether12 ] arp=proxy-arp
set [ find default-name=ether13 ] arp=proxy-arp
set [ find default-name=ether14 ] arp=proxy-arp
set [ find default-name=ether15 ] arp=proxy-arp
set [ find default-name=ether16 ] arp=proxy-arp
set [ find default-name=ether17 ] arp=proxy-arp
set [ find default-name=ether18 ] arp=proxy-arp
set [ find default-name=ether19 ] arp=proxy-arp
set [ find default-name=ether20 ] arp=proxy-arp
set [ find default-name=ether21 ] arp=proxy-arp
set [ find default-name=ether22 ] arp=proxy-arp
set [ find default-name=ether23 ] arp=proxy-arp
set [ find default-name=ether24 ] arp=proxy-arp
set [ find default-name=sfp-sfpplus1 ] arp=proxy-arp
set [ find default-name=sfp-sfpplus2 ] arp=proxy-arp
/interface l2tp-client
# Two enabled L2TP clients, both with use-ipsec=yes. The second restricts PPP
# authentication to mschap1,mschap2.
# NOTE(review): the default IPsec proposal in this export offers 3des only; if
# the dynamic L2TP/IPsec policies use that default proposal (presumably -
# confirm), these tunnels can negotiate nothing stronger.
# NOTE(review): on the second entry the redaction replaced the domain part of
# connect-to and left the host label readable. Redact the host label instead,
# as on the first entry. The user= values are not redacted either.
add allow-fast-path=yes connect-to=SENSITIVE.sn.mynetname.net disabled=no \
name=l2tp-out-OFFICE use-ipsec=yes user=Japan_mikrotik_l2tp
add allow=mschap1,mschap2 allow-fast-path=yes connect-to=\
8a7708ca56c4.sn.SENSITIVE.net disabled=no name=l2tp-out-OFFICE2 \
use-ipsec=yes user=Japan_Mikrotik
/caps-man datapath
# Datapath attaches CAP traffic to "bridge"; client-to-client forwarding is
# on, local forwarding is off at this level.
# NOTE(review): client-to-client-forwarding=yes lets wireless clients reach
# each other directly; switch it off if station isolation is wanted.
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
datapath1
/caps-man security
# WPA2-PSK with AES-CCM only. No passphrase appears in this export.
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
# config_2.4G overrides the datapath with datapath.local-forwarding=yes;
# config_5G sets no override and so keeps datapath1's local-forwarding=no.
add channel=2.4G datapath=datapath1 datapath.local-forwarding=yes \
multicast-helper=full name=config_2.4G security=security1 ssid=\
Getfeus_2.4G
add channel=5G datapath=datapath1 multicast-helper=full name=config_5G \
security=security1 ssid=Getfeus_5G
/interface list
# WAN and LAN lists. Membership is assigned under /interface list member, and
# several firewall rules in this export match on these lists.
add name=WAN
add name=LAN
/interface lte apn
# Default APN entry restricted to IPv4.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Default security profile; only the supplicant identity is exported.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
# NOTE(review): the default proposal offers 3des as its only encryption
# algorithm. 3DES is a legacy 64-bit block cipher; an AES value such as
# aes-256-cbc or aes-128-cbc is the usual replacement. Both tunnel ends must
# share an algorithm, so change this together with the OFFICE/OFFICE2 peers.
set [ find default=yes ] enc-algorithms=3des
/ip pool
# LAN pool 192.168.0.51-254. It serves dhcp1 and, through the PPP profile at
# the end of this block, PPP remote addresses as well.
add name=dhcp ranges=192.168.0.51-192.168.0.254
/ip dhcp-server
# DHCP on the bridge with a 10 minute lease time.
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/ipv6 dhcp-server
# IPv6 objects are defined here, but /ipv6 settings in this export has
# disable-ipv6=yes.
add address-pool=dhcpv6-1 interface=bridge name=server1
/ipv6 pool
add name=dhcpv6-1 prefix=2a03:7900:6::/48 prefix-length=56
/port
set 0 name=serial0
/ppp profile
# *FFFFFFFE is an internal id (presumably the built-in default-encryption
# profile - confirm). Peers using it get local-address 192.168.0.1 and a
# remote address from the "dhcp" pool, i.e. inside the LAN subnet.
# NOTE(review): wins-server=8.8.4.4 is the address used as a DNS server
# elsewhere in this export; a WINS server there is probably unintended.
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=\
192.168.0.1 remote-address=dhcp wins-server=8.8.4.4
/routing bgp template
# NOTE(review): the default BGP template is enabled with
# output.network=bgp-networks, but no BGP connection is visible in this part of
# the export. If no dynamic routing is intended, disable it - confirm.
set default disabled=no output.network=bgp-networks
/routing ospf instance
# The OSPF instance is enabled while its only area (below) is disabled.
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# Extra routing tables. The mark-routing mangle rules select them and the
# "Mangle Routing(...)" default routes populate them.
add disabled=no fib name=OFFICE
add disabled=no fib name=OFFICE2
/caps-man manager
# CAPsMAN is enabled; no per-interface restriction is exported here.
set enabled=yes
/caps-man provisioning
# Radios are matched by supported mode only (no radio-mac or identity match is
# exported), so any CAP that reaches the manager is configured and enabled
# automatically.
# NOTE(review): reachability is therefore the only control. The input chain's
# final "drop all not coming from LAN" rule should keep WAN-side CAPs out -
# confirm, and consider a certificate or radio-mac match for the LAN side.
add action=create-dynamic-enabled hw-supported-modes=ac,a,an \
master-configuration=config_5G
add action=create-dynamic-enabled hw-supported-modes=b,gn,g \
master-configuration=config_2.4G
/interface bridge port
# ether2-ether24 and both SFP+ ports are members of "bridge". The ether1 entry
# is disabled (ether1 is in interface list WAN in this export).
# ingress-filtering=no is set on every port.
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
/ip neighbor discovery-settings
# NOTE(review): !dynamic enables neighbor discovery on every non-dynamic
# interface, which includes the WAN port ether1, so the device announces
# itself to the upstream segment. Pointing discover-interface-list at the LAN
# list confines discovery to the inside.
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off globally.
set disable-ipv6=yes
/interface l2tp-server server
# L2TP server enabled, PPP authentication limited to MS-CHAP v1/v2.
# NOTE(review): use-ipsec=yes still admits plain L2TP sessions without IPsec;
# use-ipsec=required rejects them. mschap1 can be dropped once every client
# supports mschap2.
set allow-fast-path=yes authentication=mschap1,mschap2 enabled=yes use-ipsec=\
yes
/interface list member
# ether1 is the only WAN member, the bridge the only LAN member. Dynamic PPP
# interfaces are in neither list.
add interface=ether1 list=WAN
add interface=bridge list=LAN
/interface ovpn-server server
# No enabled= value is exported, so the OpenVPN server is presumably off -
# confirm. NOTE(review): if it is ever enabled, remove md5 from auth first.
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): the PPTP server is enabled and accepts pap and chap as well as
# MS-CHAP. MPPE keys are derived from MS-CHAP, so a session authenticated with
# pap or chap cannot be encrypted, and pap sends the password itself. The
# input chain in this export accepts tcp/1723 and GRE from any source. Prefer
# disabling this server in favour of L2TP/IPsec; failing that, restrict
# authentication to mschap2.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
# LAN gateway address on the bridge.
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip cloud
# Cloud DDNS is on with a 10 minute update interval. The VPN clients in this
# export connect to *.sn.mynetname.net names, presumably of the same kind.
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
# WAN address is obtained by DHCP on ether1.
add interface=ether1
/ip dhcp-server lease
add address=192.168.0.171 mac-address=SENSITIVE server=dhcp1
/ip dhcp-server network
# NOTE(review): the 0.0.0.0/24 entry with gateway 0.0.0.0 looks like a
# leftover - confirm and remove.
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1 \
netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from anything that can reach port 53. DHCP clients are handed 8.8.8.8 and
# 8.8.4.4 directly, so the resolver may not be needed at all; if it stays on,
# only the firewall input rules stop it from being an open resolver.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# Entry exported without an address. The resolvehostnames script in this
# export processes lists whose names start with "host_" and reads the host
# name from the comment.
add comment=watcha.com list=host_watcha
/ip firewall filter
# Rules are evaluated top to bottom within each chain and the first match
# decides, so the order below is significant.
# NOTE(review): fasttracked connections bypass mangle. The mark-routing rules
# under /ip firewall mangle therefore do not see most packets of an
# established connection. Exclude policy-routed traffic from this rule, or
# disable it, while mark-routing is in use.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
# The next two rules export no action=, so they use the default action
# (accept - confirm). They admit L2TP/IPsec from any source. port= matches the
# source or the destination port; dst-port= is the tighter match.
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
# DNS protection: udp/53 from outside 192.168.0.0/16 is dropped, then new
# tcp/53 and udp/53 arriving on the WAN list.
add action=drop chain=input comment="Prevent DNS Open Resolver Attack" \
dst-port=53 protocol=udp src-address=!192.168.0.0/16
add action=drop chain=input comment="Prevent DNS Open Resolver Attack" \
connection-state=new dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="Prevent DNS Open Resolver Attack" \
connection-state=new dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): tcp/54158 is also dst-natted to 192.168.0.254 in this export,
# and dst-natted traffic is handled in the forward chain, so this input accept
# is probably unnecessary - confirm and remove.
add action=accept chain=input comment="Accept Perfect Dark TCP 54158" \
dst-port=54158 protocol=tcp
add action=accept chain=input comment="Accept Winbox Port from OFFICE" \
dst-port=8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment="Accept Winbox Port from OFFICE2" \
dst-port=8291 protocol=tcp src-address=192.168.2.0/24
# NOTE(review): the next rule has no src-address or in-interface match, so
# Winbox is accepted from any source, WAN included. It also sits above
# "Block Winbox Port from Internet", which therefore never matches. Removing
# it leaves the two OFFICE rules above in effect, and no later rule in this
# chain drops tcp/8291 coming from 192.168.0.0/24 on the LAN list.
add action=accept chain=input comment="Accept Winbox TCP 8291" dst-port=8291 \
protocol=tcp
# NOTE(review): PPTP uses tcp/1723 for control and GRE (IP protocol 47) for
# data. The udp/1723 and tcp/47 rules below are not part of PPTP and only
# widen the input chain. All four rules accept from any source.
add action=accept chain=input comment="Accept 1723(PPTP)" dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="Accept 1723(PPTP)" dst-port=1723 \
protocol=udp
add action=accept chain=input comment="Accept 1723(PPTP)" protocol=gre
add action=accept chain=input comment="Accept 47(PPTP)" dst-port=47 protocol=\
tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="CAPsMAN self" dst-port=5246,5247 \
protocol=udp src-address=127.0.0.1
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# These two repeat the udp 1701/500/4500 and ipsec-esp rules near the top of
# the input chain and never see a packet the earlier pair has not matched.
add action=accept chain=input comment=VPN port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
# Not reached by Winbox traffic while the unrestricted
# "Accept Winbox TCP 8291" rule is placed above it.
add action=drop chain=input comment="Block Winbox Port from Internet" \
dst-port=8291 protocol=tcp src-address=!192.168.0.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Final input rule: anything not accepted above and not arriving on the LAN
# list is dropped. Dynamic VPN interfaces are not LAN members in this export.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall mangle
# Policy routing: traffic from selected LAN hosts to destinations outside
# 192.168.0.0/16 gets routing mark OFFICE or OFFICE2. Only the first rule is
# enabled; the other two carry disabled=yes.
# NOTE(review): the forward chain in this export fasttracks
# established/related connections, and fasttracked packets bypass mangle, so
# marked connections can fall back to the main routing table after their first
# packets. Exclude these hosts from fasttrack or use /routing rule entries.
# NOTE(review): src-mac-address is chosen by the client. Treat these marks as
# a routing preference, not as an access control.
add action=mark-routing chain=prerouting comment="HP Note-OFFICE2" \
dst-address=!192.168.0.0/16 new-routing-mark=OFFICE2 passthrough=yes \
src-mac-address=SENSITIVE
add action=mark-routing chain=prerouting comment=Desktop-OFFICE disabled=yes \
dst-address=!192.168.0.0/16 new-routing-mark=OFFICE passthrough=yes \
src-mac-address=SENSITIVE
add action=mark-routing chain=prerouting comment=MiPad5-OFFICE2 disabled=yes \
dst-address=!192.168.0.0/16 new-routing-mark=OFFICE2 passthrough=yes \
src-address=192.168.0.73
/ip firewall nat
# NOTE(review): src-address=192.168.1.0 and dst-address=192.168.0.0 carry no
# prefix length, so this rule matches those two single addresses only. /24 was
# presumably intended - confirm.
add action=accept chain=srcnat dst-address=192.168.0.0 src-address=\
192.168.1.0
# NOTE(review): in-interface=all-ethernet is broader than the intent appears
# to be and no dst-address is given. in-interface-list=WAN states "inbound
# from the Internet" explicitly.
add action=dst-nat chain=dstnat dst-port=54158 in-interface=all-ethernet \
protocol=tcp to-addresses=192.168.0.254 to-ports=54158
add action=masquerade chain=srcnat out-interface-list=WAN
# Masquerade exists for pptp-out-OFFICE and l2tp-out-OFFICE2. The routes in
# this export use l2tp-out-OFFICE, which has no masquerade rule - confirm that
# this is intended.
add action=masquerade chain=srcnat out-interface=pptp-out-OFFICE
add action=masquerade chain=srcnat out-interface=l2tp-out-OFFICE2
# Rewrites udp/9 addressed to 192.168.0.254 so that it goes to 192.168.0.253.
add action=netmap chain=dstnat dst-address=192.168.0.254 dst-port=9 protocol=\
udp to-addresses=192.168.0.253 to-ports=9
/ip route
# Site routes in the main table. The comments say "PPTP", but both gateways
# are the L2TP client interfaces.
add comment="PPTP OFFICE" disabled=no distance=1 dst-address=192.168.1.0/24 \
gateway=l2tp-out-OFFICE pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="PPTP OFFICE2" disabled=no dst-address=192.168.2.0/24 gateway=\
l2tp-out-OFFICE2
# Default routes inside the OFFICE2 and OFFICE tables. Only traffic carrying
# the matching routing mark is looked up in these tables.
add comment="Mangle Routing(OFFICE2)" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=l2tp-out-OFFICE2 pref-src=0.0.0.0 routing-table=OFFICE2 \
scope=30 suppress-hw-offload=no target-scope=10
add comment="Mangle Routing(OFFICE)" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=l2tp-out-OFFICE pref-src="" routing-table=OFFICE scope=\
30 suppress-hw-offload=no target-scope=10
/ip upnp
# NOTE(review): UPnP lets any host on an internal interface request inbound
# port mappings without authentication. Disable it unless a LAN application
# depends on it; tcp/54158 already has a static dst-nat rule in this export.
set enabled=yes
/ip upnp interfaces
# Every bridge member port is listed as internal and ether1 as external.
# NOTE(review): the LAN address is configured on "bridge", so the internal
# entry presumably belongs on the bridge rather than on its member ports -
# confirm.
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=ether6 type=internal
add interface=ether7 type=internal
add interface=ether8 type=internal
add interface=ether9 type=internal
add interface=ether10 type=internal
add interface=ether11 type=internal
add interface=ether12 type=internal
add interface=ether13 type=internal
add interface=ether14 type=internal
add interface=ether15 type=internal
add interface=ether16 type=internal
add interface=ether17 type=internal
add interface=ether18 type=internal
add interface=ether19 type=internal
add interface=ether20 type=internal
add interface=ether21 type=internal
add interface=ether22 type=internal
add interface=ether23 type=internal
add interface=ether24 type=internal
add interface=sfp-sfpplus1 type=internal
add interface=sfp-sfpplus2 type=internal
add interface=ether1 type=external
/ipv6 dhcp-client
# IPv6 client and ND settings are present although /ipv6 settings in this
# export has disable-ipv6=yes.
# NOTE(review): no /ipv6 firewall section is visible in this part of the
# export. Add one before IPv6 is ever enabled - confirm against the full file.
add add-default-route=yes interface=ether1 request=address
/ipv6 nd
add interface=bridge managed-address-configuration=yes other-configuration=\
yes
/ipv6 nd prefix
add autonomous=no interface=bridge
/ppp secret
# Five PPP accounts. No passwords appear in this export.
# NOTE(review): no service= value is exported, so each account is presumably
# valid on every enabled PPP server (PPTP and L2TP here) - confirm. Setting
# service=l2tp keeps these credentials off the weaker PPTP server.
# NOTE(review): Japan_Auto1 exports no profile=, unlike the other accounts,
# which use default-encryption. Confirm which profile it gets and whether
# encryption is enforced for it.
add name=OFFICE-mikrotik profile=default-encryption
add name=SENSITIVE-01 profile=default-encryption
add name=SENSITIVE-02 profile=default-encryption
add local-address=192.168.2.1 name=OFFICE2-mikrotik profile=\
default-encryption
add name=Japan_Auto1
/system clock
# Time zone only; no NTP client section is visible in this part of the export.
set time-zone-name=Asia/Tokyo
/system identity
# Device name.
set name=Shed-CRS326
/system note
set show-at-login=no
/system routerboard settings
# Boots RouterOS rather than the alternative switch OS image.
set boot-os=router-os
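/system script
# resolvehostnames: for every firewall address-list entry whose list name
# starts with "host_", resolve the host name stored in the entry's comment and
# write the result into the entry's address.
# The lookup runs before the comparison so that newip always belongs to the
# entry being processed; comparing first would test an unset value or the
# previous entry's result. The log line prints the stored address instead of an
# undefined variable, and a failed lookup is logged rather than aborting the
# whole run.
add dont-require-permissions=no name=resolvehostnames owner=admin policy=\
read,write source="# define variables\r\
\n:local list\r\
\n:local comment\r\
\n:local newip\r\
\n:local oldip\r\
\n\r\
\n# Loop through each entry in the address list.\r\
\n:foreach i in=[/ip firewall address-list find] do={\r\
\n\r\
\n# Get the first five characters of the list name\r\
\n :set list [:pick [/ip firewall address-list get \$i list] 0 5]\r\
\n\r\
\n# If they're 'host_', then we've got a match - process it\r\
\n :if (\$list = \"host_\") do={\r\
\n\r\
\n# The comment holds the host name, the address the last stored value\r\
\n :set comment [/ip firewall address-list get \$i comment]\r\
\n :set oldip [/ip firewall address-list get \$i address]\r\
\n\r\
\n :log info \"Variable \$oldip\"\r\
\n\r\
\n# Resolve first, then compare with the stored address and update.\r\
\n :do {\r\
\n :set newip [:resolve \$comment]\r\
\n :if (\$newip != \$oldip) do={\r\
\n /ip firewall address-list set \$i address=\$newip\r\
\n }\r\
\n } on-error={\r\
\n :log warning \"resolvehostnames: lookup failed for \$comment\"\r\
\n }\r\
\n }\r\
\n }"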