Mikrotik CRS NAT-Performance

/interface bridge
add admin-mac=08:55:31:5E:00:7F auto-mac=no ingress-filtering=no name=bridge \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=ether3_33
set [ find default-name=ether4 ] name=ether4_99
set [ find default-name=ether5 ] name=ether5_11
set [ find default-name=ether6 ] name=ether6_11
set [ find default-name=ether7 ] name=ether7_11
set [ find default-name=ether8 ] name=ether8_22
set [ find default-name=ether9 ] name=ether9_22
set [ find default-name=ether10 ] name=ether10_33
set [ find default-name=ether11 ] name=ether11_33
set [ find default-name=ether12 ] name=ether12_33
set [ find default-name=ether13 ] name=ether13_33
set [ find default-name=ether14 ] name=ether14_33
set [ find default-name=ether15 ] name=ether15_bonding
set [ find default-name=ether16 ] name=ether16_bonding
set [ find default-name=ether17 ] name=ether17_44
set [ find default-name=ether18 ] name=ether18_44
set [ find default-name=ether19 ] name=ether19_44
set [ find default-name=ether20 ] name=ether20_44
set [ find default-name=ether21 ] name=ether21_44
set [ find default-name=ether22 ] name=ether22_44
set [ find default-name=ether23 ] name=ether23_11
set [ find default-name=ether24 ] name=ether24_wifi-trunk
/interface wireguard
add listen-port=51888 mtu=1420 name=wg_xxx
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan11 vlan-id=11
add interface=bridge name=vlan22 vlan-id=22
add interface=bridge name=vlan33 vlan-id=33
add interface=bridge name=vlan44 vlan-id=44
add interface=bridge name=vlan99 vlan-id=99
/interface ethernet switch
set 0 l3-hw-offloading=yes name=switch
/interface ethernet switch port
set 0 l3-hw-offloading=no
set 1 l3-hw-offloading=no
/interface list
add name=LAN
add name=WAN
add name=listBridge
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool11 ranges=10.98.11.10-10.98.11.49
add name=pool22 ranges=10.98.22.10-10.98.22.49
add name=pool33 ranges=10.98.33.10-10.98.33.49
add name=pool44 ranges=10.98.44.10-10.98.44.49
add name=pool99 ranges=10.98.99.10-10.98.99.49
/ip dhcp-server
add address-pool=pool11 interface=vlan11 lease-script=":local DHCPtag\r\  
    SCRIPT  =dhcp11
add address-pool=pool22 interface=vlan22 lease-script=":local DHCPtag\r\  
    SCRIPT =dhcp22
add address-pool=pool33 interface=vlan33 lease-script=":local DHCPtag\r\  
    DHCP =dhcp33
add address-pool=pool44 interface=vlan44 lease-script=":local DHCPtag\r\  
    DHCP=dhcp44
add address-pool=pool99 interface=vlan99 lease-script=":local DHCPtag\r\  
    DHCP=dhcp99
/port
set 0 name=serial0
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \  
    identity="ajfödsfjdsfaödjsfsöa" name=zt1 port=9993  
/zerotier interface
add inxxxnce=zt1 mac-address=1E:61:67:54:F5:E4 name=zerotier1 network=\
    jdsaöfsdjfaflfasdfdsöa
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether3_33 pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether4_99 pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether5_11 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether6_11 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether7_11 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether8_22 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether9_22 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether10_33 pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether11_33 pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether12_33 pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether13_33 pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether14_33 pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether15_bonding pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether16_bonding pvid=33
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether17_44 pvid=44
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether18_44 pvid=44
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether19_44 pvid=44
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether20_44 pvid=44
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether21_44 pvid=44
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether22_44 pvid=44
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=no interface=ether23_11 pvid=11
add bridge=bridge ingress-filtering=no interface=ether24_wifi-trunk
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge ingress-filtering=no interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether24_wifi-trunk vlan-ids=33
add bridge=bridge tagged=ether24_wifi-trunk,bridge vlan-ids=44
add bridge=bridge tagged=bridge,ether24_wifi-trunk vlan-ids=11
add bridge=bridge tagged=bridge untagged=ether24_wifi-trunk vlan-ids=1
add bridge=bridge tagged=bridge vlan-ids=99
add bridge=bridge tagged=bridge vlan-ids=22
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add interface=bridge list=LAN
add interface=bridge list=listBridge
/interface wireguard peers
add allowed-address=192.168.66.0/24,10.98.200.0/29 endpoint-address=\
    fdasdffsafsa.goip.de endpoint-port=51888 interface=wg_XXX public-key=\
    "HxChs13Xxxxxxxxxxxxxxxy4JxxqewzgdsurQIi4Fg="  
/ip address
add address=10.98.1.1/26 interface=vlan1 network=10.98.1.0
add address=10.98.11.1/26 interface=vlan11 network=10.98.11.0
add address=10.98.22.1/26 interface=vlan22 network=10.98.22.0
add address=10.98.33.1/26 interface=vlan33 network=10.98.33.0
add address=10.98.44.1/26 interface=vlan44 network=10.98.44.0
add address=10.98.99.1/26 interface=vlan99 network=10.98.99.0
add address=10.98.200.1/30 interface=wg_xxx network=10.98.200.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=WAN1
add interface=WAN2
/ip dhcp-server lease
add address=10.98.33.9 mac-address=00:09:A7:04:55:04 server=dhcp33
add address=10.98.44.2 mac-address=B4:22:00:0B:6B:BC server=dhcp44
add address=10.98.33.4 mac-address=B4:22:00:23:71:50 server=dhcp33
add address=10.98.22.2 mac-address=7C:2F:80:E0:7A:9C server=dhcp22
add address=10.98.33.6 mac-address=5C:85:7E:4A:D8:21 server=dhcp33
add address=10.98.33.7 mac-address=52:54:00:D0:6C:14 server=dhcp33
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=10.98.1.0/26 gateway=10.98.1.1 netmask=26
add address=10.98.11.0/26 gateway=10.98.11.1
add address=10.98.22.0/26 dns-server=10.98.33.2 gateway=10.98.22.1
add address=10.98.33.0/26 dns-server=10.98.33.2 gateway=10.98.33.1
add address=10.98.44.0/26 gateway=10.98.44.1
add address=10.98.99.0/26 dns-server=10.98.33.2 gateway=10.98.99.1
/ip dns
set servers=10.98.33.2
/ip firewall filter
add action=accept chain=forward comment="allow zerotier" in-interface=zerotier1  
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="allow ICMP" disabled=yes in-interface=\  
    WAN1 protocol=icmp
add action=accept chain=input comment="allow Winbox" disabled=yes in-interface=\  
    WAN1 port=8291 protocol=tcp
add action=accept chain=input comment="accept established,related" \  
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow SSH" in-interface=WAN1 port=22 \  
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=WAN1  
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=WAN1
add action=dst-nat chain=dstnat disabled=yes in-interface=WAN1 log=yes port=\
    51888 protocol=udp to-addresses=10.98.33.6 to-ports=51888
/ip route
add dst-address=192.168.66.0/24 gateway=wg_xxx
add check-gateway=ping comment=WAN1 disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=WAN1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add check-gateway=ping comment=WAN1 disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=WAN2 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=WAN1-Check distance=1 dst-address=8.8.8.8 gateway=WAN1 scope=30 \
    target-scope=10
add comment=WAN1-Check distance=1 dst-address=8.8.4.4 gateway=WAN2 scope=30 \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=xxx_CRS326-24G-2S+
/system ntp server
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports="p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17\  
    ,p18,p19,p20,p21,p22,p23,p24,p25,p26" identity=MikroTik static-ip-address=\  
    10.98.0.254
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool netwatch
add comment=WAN1 down-script="/ip route disable [find comment=\"WAN1\"]" host=\  
    8.8.8.8 interval=5s up-script="/ip route enable [find comment=\"WAN1\"]"  
add comment=WAN1 down-script="/ip route disable [find comment=\"WAN1\"]" host=\  
    8.8.4.4 interval=5s up-script="/ip route enable [find comment=\"WAN1\"]"