/ip firewall filter add action=accept chain=input comment=VPN dst-port=443,500,4500,1701 \ protocol=udp add action=accept chain=input comment=VPN protocol=ipsec-esp these two need to be above: add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=...

Yeah it's kind of annoying the backup doesn't restore the wifi interfaces. What other stuff did it not restore for you?

I usually restore from backup, reset the mac addresses of all physical interfaces and restore the wlan interfaces manually.

The config seems strange to me, but i have no knowledge of your providers network. /ip firewall nat add action=src-nat chain=srcnat dst-address-list=!77.255.244.0 to-addresses=88.122.55.66 This rule NATs all traffic that doesn't have a destination address on a list named "77.255.244.0" (wh...

You can make recursive routes over pppoe interfaces.

On the HAP i would make a bridge and add the wlan interface and the interface connected to the CCR, and on the CCR i would add a dhcp client on that interface to get an IP from your hotspot.

Looks mostly correct to me, sure it isn't a DNS issue? You have 192.168.88.1 set as DNS in your DHCP but i'm missing; /ip dns set allow-remote-requests=yes Also i think your recursive routes aren't correct; /ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway= 192.16...

I used your exact config in my lab and it works it did give some errors on the following part; /ip dhcp-server add address-pool=pool1 interface=ether2 name=server1 server-address=192.168.88.1 add address-pool=pool2 interface=ether3 name=server2 server-address=192.168.89.1 i used; /ip dhcp-server add...

I would make a mangle rule to route traffic from a specific IP in to the tunnel, i used an l2tp tunnel in my example but i think the same applies for wireguard; # jun/18/2023 13:16:30 by RouterOS 6.49.6 # software id = # # # /interface bridge add name=bridge_LAN /interface l2tp-client add connect-to...

I think ZeroTier might solve that problem;

https://help.mikrotik.com/docs/display/ROS/ZeroTier

Depending on your current config the thing you want could be quite invasive. But the best i could come up with is making a bridge and adding the interfaces that 200.x.y.57 and 200.x.y.59 are directly connected to. Then add the IP 200.x.y.58/29 to the bridge. Your new "WAN interface" will b...

This might do the trick;

/interface bridge vlan
add bridge=CORP tagged=Uplink,CORP untagged=Network-Mgmt vlan-ids=100

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1

And it looks like the dhcp client on eth1 is disabled

Maybe close all those services from the internet (winbox, ssh) and use vpn for remote management or at least some whitelisting.