No fw rules/nat needed it seems. I pulled out the connecting ports in 10.10.0.3 switch from the bridge interface in DC2 and created a private 192.168.4.10/192.168.4.20 router-to-router(switch) on each side. And added route from each oposite sides network to eachothers gw.

Can't find any issues so far :)

input: in:bridge out:(unknown 0), connection-state:new src-mac dc:2c:6e:a4:ce:df, proto UDP, 10.10.0.249:5678->255.255.255.255:5678, len 193

Log from switch in DC2: This occur during ping from DC1 - so it has passed the router I inserted and arrives at the switch in DC2! But it doesn't actually reply on those pings...

I had a small Mikrotik router laying around with 10 Gbps fiber and I put it on one of the data centers, between the switches in the to places as you see on drawing. I used DHCP to get the IP you see on Port 3 of the Router. So far so well.

I can ping the DC2's Switch IP-address 10.10.0.3 from DC1/router in DC1 without issues and I can run bandwidth-test between the two switches in the two data centers. However, I can't ping from Router against any IP-addresses in the 10.10.0.0/24 network at all (except the bridge IP on SW2 10.10.0.3) - even though I have been given a router DHCP IP-address in correct subnet.

Am I correct that I do need to both do some nat/masquerading and firewall rules to accomplish this - should it be the only thing missing?

PS: The mikrotik is in bridge mode with all ports - including the one that connects to Port 3 on router - is on the same bridge. Equipment inside the data center can ping the bridge-IP.

When I cleared all settings and tried to get it back to single broadcast domain (at least better than reducing speed for the backup-traffic- connection), it seems like some switches in DC1 wants to send wrong traffic to Mikrotik in DC2 and cause issues with the normal operations in DC1 since that's not the way to send data. I can't get any traffic to access the earlier private shared subnet behind Mikrotik (only from DC2 to DC1 works 100% and only ping from DC1 to Mikrotik in DC2 works).

but broadcast traffic is everywhere.

Well yeah if you just connect vlan 99 into a dumb switch or one with out vlans setup then yeah multicast and broadcast is going everywhere because you have one big L2 there.

You need to setup the switch in DC 1 to isolate your L2 networks. Be it you route between the L3 networks you put on them is up to you. But sure you could put devices in dc1 either on the vlan you setup on this switch and vlan 99..

You don't route VLANs. You route subnets. Route the traffic between sites and recreate the VLAN at the other end. I assume you have different subnets at each end.