Remember you had problems making tunnel? You made everything great. everything was working. Except - you had to remove "out. interface" in firewall -> nat. That's it. Working config of devices:

Server - 192.168.70.0/1
# oct/17/2019 00:21:00 by RouterOS 6.45.6
# software id = B9PQ-JM1N
#
# model = RB750r2
# serial number = 8B380A4071DA
#
# Server side of the tunnel: OpenVPN server in ethernet (bridged) mode, LAN
# 192.168.70.0/24, and a TCP/5445 port forward that is handed to the client
# router over the tunnel.
# NOTE(review): this export contains live secrets (PPP passwords here, the
# ovpn-client password and WPA keys in the client export) next to serial
# numbers and MAC addresses. Anything published in this form should be
# treated as disclosed and rotated; on RouterOS 6.x "/export hide-sensitive"
# leaves passwords and keys out of the output.
/interface bridge
add admin-mac=74:4D:28:24:CE:01 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.70.10-192.168.70.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# Two PPP profiles, both with bridge=bridge:
#  - "openvpn": fixed tunnel addresses (router 192.168.200.20, peer
#    192.168.200.10), encryption required; used by the jt-bridge account.
#  - "VPN_DHCP": both addresses come from "dhcp", which is the name of the
#    LAN pool defined above; it is also the server's default profile.
# NOTE(review): bridge=bridge presumably attaches every VPN session to the
# LAN bridge, so a VPN user is a full layer-2 member of 192.168.70.0/24 and
# of the LAN interface list - confirm this is the intended reach.
# NOTE(review): VPN_DHCP does not set use-encryption; check its effective
# value on the router.
/ppp profile
add bridge=bridge change-tcp-mss=yes local-address=192.168.200.20 name=\
    openvpn remote-address=192.168.200.10 use-compression=no use-encryption=\
    required
add bridge=bridge local-address=dhcp name=VPN_DHCP remote-address=dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# OpenVPN server, ethernet mode, certificate "SERVER".
# NOTE(review): the cipher list still offers blowfish128, a 64-bit-block
# cipher. The client export on this page uses aes256, so an AES-only list
# should not affect it.
# NOTE(review): require-client-certificate does not appear in this export,
# so it is presumably at its default; if that is "no", a connection is
# authenticated by the PPP user name and password alone - confirm.
/interface ovpn-server server
set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=VPN_DHCP enabled=yes mode=ethernet
# NOTE(review): the address is bound to ether2, which is also a bridge port
# above; an address is normally placed on the bridge itself - confirm.
/ip address
add address=192.168.70.1/24 comment=defconf interface=ether2 network=\
    192.168.70.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.70.0/24 comment=defconf gateway=192.168.70.1 netmask=24
# The router answers DNS queries from other hosts. The only thing keeping
# that away from the WAN side is the input-chain rule
# "drop all not coming from LAN" further down.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.70.1 name=router.lan
# "kot" is the source allow-list for remote Winbox. Its entries are DNS
# names, so the effective allow-list is whatever those names resolve to at
# the time; control of the auu.ge records is part of the trust boundary.
/ip firewall address-list
add address=srv.auu.ge list=kot
add address=work.auu.ge list=kot
add address=deamed.auu.ge list=kot
add address=dolidze.auu.ge list=kot
add address=eliava.auu.ge list=kot
add address=work2.auu.ge list=kot
# Input chain: the two custom accepts sit ahead of the defconf rules, so
# they match before "drop all not coming from LAN".
# Forward chain: there is no final drop; the last rule only drops new
# connections from WAN that were not dst-nat'ed, so a dst-nat rule is what
# opens an inside service to the WAN.
/ip firewall filter
# Winbox (tcp/8291) from any interface, limited to sources in list "kot".
add action=accept chain=input comment="ALLOW REMOTE WINBOX" dst-port=8291 \
    protocol=tcp src-address-list=kot
# OpenVPN (tcp/1194) from any source and any interface; unlike the Winbox
# rule it has no src-address-list.
# NOTE(review): presumably left open because the client connects over LTE
# without a fixed address - confirm; with the port open to everyone, the
# tunnel credentials are the only control on who can join the LAN.
add action=accept chain=input comment="ALLOW OPENVPN" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade with no out-interface / out-interface-list matcher - the change
# the note at the top of this page describes. Every connection that passes
# srcnat gets the router's own address as its source, whichever interface it
# leaves by, including traffic sent into the tunnel and onto the LAN.
# NOTE(review): presumably this is what makes the far side return the
# forwarded TCP/5445 traffic through the tunnel instead of its own default
# route - confirm. The cost is that hosts behind the routers only ever see a
# router address as the peer, so their logs lose the real source. One
# masquerade rule for the WAN list plus one scoped to the tunnel peer would
# keep original addresses elsewhere - TODO evaluate.
add action=masquerade chain=srcnat comment="defconf: masquerade"
# Port forward: TCP/5445 to 192.168.200.10 (the tunnel peer address from the
# "openvpn" profile). The rule matches on protocol and port only - no
# in-interface, dst-address or source restriction - so it applies to
# TCP/5445 from any source, arriving on any interface, for any destination.
# The client export forwards the same port on to 192.168.88.2, whose DHCP
# lease there is labelled DVR.
# NOTE(review): as written the DVR service is reachable from any Internet
# address through this router's WAN side. If viewers connect from known
# locations, in-interface-list=WAN plus a src-address-list (as on the Winbox
# rule) would narrow it - TODO confirm against how the DVR is used.
add action=dst-nat chain=dstnat dst-port=5445 protocol=tcp to-addresses=\
    192.168.200.10 to-ports=5445
# Client LAN (192.168.88.0/24) is reached through the tunnel peer.
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.200.10
# VPN accounts. Both use the same password and it is exported in clear
# text; the same value is the ovpn-client password in the client export.
# NOTE(review): give each account its own secret and rotate both, since the
# current value has been published with this page.
/ppp secret
add name=midlerO password=E30bae74 profile=VPN_DHCP service=ovpn
add name=jt-bridge password=E30bae74 profile=openvpn service=ovpn
/system clock
set time-zone-name=Asia/Tbilisi
/system identity
set name=JT
/system ntp client
set enabled=yes primary-ntp=129.6.15.30 secondary-ntp=52.166.120.77
# Every 5 minutes the router fetches the URL below with device=JT;
# presumably this reports the current WAN address to the author's own
# service - confirm.
# NOTE(review): the on-event text only runs "/tool fetch", yet the policy
# list grants everything shown, including password, sensitive, sniff and
# reboot; trim it to what fetch needs on this version - TODO confirm the
# minimal set.
# NOTE(review): the fetch command does not set check-certificate, so whether
# the HTTPS server certificate is validated depends on the default
# (believed to be "no" on 6.x - confirm).
/system scheduler
add interval=5m name=IPPost on-event=\
    "/tool fetch url=\"https://all.auu.ge/mikrotik/getip/\?device=JT\"" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/15/2019 start-time=17:22:48
# MAC-level management is limited to the LAN list. The LAN list contains the
# bridge, so anything bridged into it (see /ppp profile) is included.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Client - 192.168.88.0/1
# oct/17/2019 00:22:05 by RouterOS 6.45.6
# software id = CAX1-8P0S
#
# model = RBwAPR-2nD
# serial number = AE850AE91B9B
#
# Client side of the tunnel: LTE uplink (lte1 is the WAN list member), a
# 2.4 GHz access point bridged with ether1, static DHCP leases for a DVR,
# an NVR and four IP cameras, and an OpenVPN client to jt.auu.ge.
/interface lte
set [ find ] mac-address=AC:FF:FF:00:00:00 name=lte1
/interface bridge
add admin-mac=74:4D:28:ED:D9:B7 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=georgia disabled=no distance=indoors frequency=auto installation=\
    outdoor mode=ap-bridge ssid="JT III Floor" wireless-protocol=802.11
# OpenVPN client: ethernet mode, AES-256, logs in as jt-bridge with a client
# certificate and a password stored in clear text in this export.
# NOTE(review): no setting for validating the server's certificate appears
# here. If this RouterOS build offers verify-server-certificate on
# ovpn-client, enable it so the client only accepts the intended server -
# confirm availability on 6.45.6.
# NOTE(review): OVPN-BRIDGE is in neither interface list (see
# /interface list member below). New connections from the tunnel to the
# router itself therefore hit "drop all not coming from LAN", while the
# forward chain has no rule that drops them, so the tunnel peer can reach
# every host in 192.168.88.0/24 - confirm that reach is intended.
/interface ovpn-client
add certificate=cert_export_CLIENT1.crt_0 cipher=aes256 connect-to=jt.auu.ge \
    mac-address=02:14:2F:47:33:00 mode=ethernet name=OVPN-BRIDGE password=\
    E30bae74 user=jt-bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=3g.ge
# Wi-Fi security: original WPA (wpa-psk) is enabled alongside WPA2, and both
# use the same nine-digit, all-numeric key, exported in clear text.
# NOTE(review): wlan1 is bridged with ether1 (see /interface bridge port),
# so anyone holding this key sits on the same layer-2 segment as the
# DVR/NVR/cameras listed in the DHCP leases. WPA2-only with a long
# passphrase, or a separate SSID/VLAN for the camera network, would tighten
# this - TODO evaluate; the key shown has been published and needs changing.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=592125665 \
    wpa2-pre-shared-key=592125665
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
# NOTE(review): as on the server, the address is bound to a bridge port
# (ether1) rather than to the bridge - confirm.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1 network=\
    192.168.88.0
# Static leases pin the recorder and camera addresses; 192.168.88.2 (DVR) is
# the target of the dst-nat rule below.
/ip dhcp-server lease
add address=192.168.88.2 comment=DVR mac-address=00:02:69:0B:D7:7B server=\
    defconf
add address=192.168.88.3 comment=NVR mac-address=00:18:AE:7D:CF:4E server=\
    defconf
add address=192.168.88.7 comment="IPCAM 4" mac-address=00:18:AE:7E:A6:DB \
    server=defconf
add address=192.168.88.6 comment="IPCAM 3" mac-address=00:18:AE:7E:A6:E1 \
    server=defconf
add address=192.168.88.4 comment="IPCAM 1" mac-address=00:18:AE:7E:A6:D9 \
    server=defconf
add address=192.168.88.5 comment="IPCAM 2" mac-address=00:18:AE:7E:A6:DE \
    server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# DNS answered for other hosts; kept off the LTE side only by the
# "drop all not coming from LAN" input rule.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default firewall only: nothing here is specific to the tunnel, and the
# forward chain ends without a final drop.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Same unscoped masquerade as on the server: source addresses are rewritten
# on every outgoing interface, so the DVR sees this router, not the real
# remote peer, as the source of forwarded connections.
add action=masquerade chain=srcnat comment="defconf: masquerade"
# Second hop of the port forward: TCP/5445 addressed to the tunnel address
# 192.168.200.10 is handed to 192.168.88.2 (DVR). This rule is pinned to a
# dst-address, unlike its counterpart on the server.
add action=dst-nat chain=dstnat dst-address=192.168.200.10 dst-port=5445 \
    protocol=tcp to-addresses=192.168.88.2 to-ports=5445
# NAT helpers for FTP, TFTP and PPTP are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set pptp disabled=yes
# Server LAN (192.168.70.0/24) is reached through the tunnel peer.
/ip route
add distance=1 dst-address=192.168.70.0/24 gateway=192.168.200.20
/system clock
set time-zone-name=Asia/Tbilisi
/system identity
set name=JT-S
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN