(1) Why is the DNS server set to 192.168.0.2 in the DHCP settings (vice the standard 192.168.0.1)?
(2) The input chain rules can be modified, but are not your problem. Recommend…
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=13231 protocol=udp
add action=accept chain=input in-interface=wireguard1 src-address=192.168.100.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
(3) Your hairpin NAT rule is non-standard; it should be… ( https://forum.mikrotik.com/viewtopic.php?t=179343 )
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/24 src-address=192.168.0.0/24
(4) You could also consider adding the WireGuard interface to the LAN interface list as a member, and in that regard you can remove the input chain firewall rule, as it would be considered part of the LAN access provided by the last rule in the input chain.
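
The trade-off in item (4), as an added example that is not part of the original post: a simplified first-match model of the input chain above, comparing the explicit wireguard1 rule with LAN list membership. The LAN member name `bridge`, the peer address 192.168.100.2 and the sample packet are assumptions made for the illustration.

```python
import ipaddress

# Input chain from the post, in order, as a simplified first-match model.
INPUT_CHAIN = [
    {"action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "accept", "protocol": "icmp"},
    {"action": "accept", "dst-address": "127.0.0.1"},
    {"action": "accept", "protocol": "udp", "dst-port": 13231},
    {"action": "accept", "in-interface": "wireguard1", "src-address": "192.168.100.0/24"},
    {"action": "drop", "in-interface-list": "!LAN"},
]
# Same chain with the explicit wireguard1 accept rule removed, as item (4) suggests.
CHAIN_WITHOUT_WG_RULE = [r for r in INPUT_CHAIN if r.get("in-interface") != "wireguard1"]
# Constructed packet: a new WinBox (tcp/8291) connection from an assumed tunnel peer.
WG_PEER_PKT = {"in-interface": "wireguard1", "src": "192.168.100.2",
               "dst": "192.168.0.1", "protocol": "tcp", "dst-port": 8291, "state": "new"}

def matches(rule, pkt, lists):
    """True only if every matcher on the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "connection-state":
            ok = pkt["state"] in want
        elif key in ("src-address", "dst-address"):
            field = "src" if key == "src-address" else "dst"
            ok = ipaddress.ip_address(pkt[field]) in ipaddress.ip_network(want)
        elif key == "in-interface-list":
            negate = want.startswith("!")
            member = pkt["in-interface"] in lists.get(want.lstrip("!"), set())
            ok = member != negate
        else:  # protocol, dst-port, in-interface: exact match
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def verdict(chain, pkt, lists):
    """Return the action of the first matching rule."""
    for rule in chain:
        if matches(rule, pkt, lists):
            return rule["action"]
    return "accept"  # no rule matched: the chain's default is accept

if __name__ == "__main__":
    for name, chain, lan in [("explicit rule", INPUT_CHAIN, {"bridge"}),
                             ("rule removed", CHAIN_WITHOUT_WG_RULE, {"bridge"}),
                             ("list member", CHAIN_WITHOUT_WG_RULE, {"bridge", "wireguard1"})]:
        print(name, "->", verdict(chain, WG_PEER_PKT, {"LAN": lan}))
```

In this model the list-membership variant no longer checks `src-address`: anything arriving on wireguard1 skips the final drop rule, whereas the explicit rule admits only 192.168.100.0/24.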