Проверил все настройки, маршруты, фильтры и прочие наты. Локальные машины из подсети 192.168.30.1 не видят, даже не пингуют друг друга. Вот конфиг:
/interface bridge
add fast-forward=no name=bridge-local protocol-mode=none
add fast-forward=no name=hs-bridge
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no mac-address=00:24:54:B5:22:6C name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/interface vlan
add interface=ether4-slave-local name=vlan1 vlan-id=10
/caps-man datapath
add bridge=hs-bridge name=open-LF
add bridge=bridge-local name=close
/caps-man security
add name=az-hotspot
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=tech1 passphrase=***************
/caps-man configuration
add datapath=open-LF mode=ap name=az-hotspot rx-chains=0,1,2 security=az-hotspot ssid=AriZone tx-chains=0,1,2
add datapath=close hide-ssid=yes mode=ap name=tech1 rx-chains=0,1,2 security=tech1 ssid=tech1 tx-chains=0,1,2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=hidden supplicant-identity="" \
wpa-pre-shared-key=*************** wpa2-pre-shared-key=***************
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto hide-ssid=yes mode=ap-bridge \
security-profile=hidden ssid=tech1 wireless-protocol=802.11
/ip hotspot user profile
set [ find default=yes ] rate-limit=2m/2m shared-users=unlimited
add name=trial rate-limit=2m/2m shared-users=unlimited
/ip hotspot profile
add hotspot-address=172.16.0.1 login-by=http-chap,trial name=hsprof1 trial-uptime-limit=1h trial-uptime-reset=0s trial-user-profile=trial
add hotspot-address=172.16.0.1 login-by=http-chap,trial name=hsprof2 trial-uptime-limit=1h trial-uptime-reset=0s trial-user-profile=trial
/ip pool
add name=default-dhcp ranges=192.168.30.10-192.168.30.254
add name=hs-pool-10 ranges=172.16.0.2-172.16.0.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp always-broadcast=yes authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=4w2d10m \
name=default src-address=192.168.30.1
add address-pool=hs-pool-10 authoritative=after-2sec-delay disabled=no interface=hs-bridge lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-10 disabled=no interface=hs-bridge name=hotspot1 profile=hsprof1
/caps-man access-list
add action=accept interface=all signal-range=-95..120
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=az-hotspot slave-configurations=tech1
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=vlan1
/interface wireless cap
#
set discovery-interfaces=bridge-local enabled=yes interfaces=wlan1
/ip address
add address=192.168.30.1/24 comment="default configuration" interface=bridge-local network=192.168.30.0
add address=172.16.0.1/24 comment="hotspot network" interface=hs-bridge network=172.16.0.0
add address=10.29.17.140/22 interface=ether1-gateway network=10.29.16.0
/ip dhcp-server network
add address=172.16.0.0/24 comment="hotspot network" dns-server=172.16.0.1 gateway=172.16.0.1
add address=192.168.30.0/24 comment="default configuration" dns-server=192.168.30.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes servers=10.29.0.1
/ip firewall address-list
add address=1.1.1.1 list=admin
add address=2.2.2.2 list=admin
/ip firewall filter
add action=drop chain=input disabled=yes dst-port=21,22,23 in-interface=all-ppp log-prefix=scummers protocol=tcp src-address-list=!admin
add action=drop chain=input disabled=yes dst-port=8728 in-interface=all-ppp log=yes log-prefix=scummers protocol=tcp src-address-list=!admin
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=yes src-address=172.16.0.0/24
add action=netmap chain=dstnat dst-port=82 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.30.2 to-ports=80
add action=netmap chain=dstnat dst-port=8292 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.30.3 to-ports=8291
/ip hotspot user
add name=admin password=***************
/ip route
add distance=1 gateway=10.29.16.1
add distance=1 dst-address=10.29.16.1/32 gateway=ether1-gateway
/ip service
set ftp disabled=yes
/system clock
set time-zone-name=Europe/Samara
/system identity
set name=AriZone