unhuzpt
just joined
Topic Author
Posts: 22
Joined: Fri Mar 08, 2024 7:13 am

Help understand some firewall blocks and wireguard 2 clients issues  [SOLVED]

Fri Apr 05, 2024 4:56 pm

Hello there!

Here comes again the noob kindly asking for help :)
I have been trying to get a secure config on my shiny new RB5009 and mostly things are working, but there are still some issues I'd like your help with.
Mostly the issues are: the TV is on an IPTV box and sometimes the audio/video freezes or stops for 15-30 s and then resumes; in Webex meetings it drops the connection about every 2 minutes and then resumes after 30 s or so; and I need to understand why, with 2 WireGuard clients that both connect and show traffic in and out, the second client does not work the same as the first.

My setup:

Internet(with "fixed" ip)---->fritzbox172.16.1.1/29---->mikrotik172.16.1.2/29---->lanswitch
The only exposed port is the WireGuard one, forwarded from the Fritz!Box to the MikroTik.
The IPTV box is on interface 5 directly.
IPv6 is disabled but I still see it in the network (using ntopng).

What puzzles me the most is having 2 WireGuard peers with, I think, the same config (different public key) that both connect and reach the LAN, but, for example, on one the Home Assistant client works and on the other it does not (though I can access it by browser).

Below my current config:

[user@routername] > export
# 2024-04-05 15:25:03 by RouterOS 7.14.2
# software id = S******U
#
# model = RB5009UG+S+
# serial number = **********
/interface bridge
add admin-mac=78:9A:18:74:70:9A auto-mac=no comment=defconf igmp-snooping=yes name=bridge port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=FritzBox-Internet name=ether1-WAN
set [ find default-name=ether2 ] comment="LAN Port" name=ether2-LAN-*****
set [ find default-name=ether5 ] comment="**** Box"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.178.30-192.168.178.120
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=bridge lease-time=23h name=defconf
/queue simple
add limit-at=25M/150M max-limit=25M/150M name=priority priority=1/1 target=192.168.178.81/32 time=0s-0s,
add limit-at=80M/1G max-limit=80M/1G name=general parent=priority target=192.168.178.0/24
/zerotier
set zt1 comment="ZeroTier Central controller - htt ps:/ /m y.z ero tier. com/" disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-LAN-***** internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32,192.168.178.0/24 client-address=192.168.100.2/24 client-dns=192.168.178.1,192.168.178.116,1.1.1.2 client-endpoint=1-------8 comment=***** interface=wireguard1 preshared-key=\
"cJ3------="
add allowed-address=192.168.100.3/32,192.168.178.0/24 client-address=192.168.100.3/24 client-dns=192.168.178.1,192.168.178.116,1.1.1.2 client-endpoint=1-------8 comment=***** interface=wireguard1 preshared-key=\
"0Js------="
/ip address
add address=192.168.178.1/24 comment=defconf interface=bridge network=192.168.178.0
add address=172.16.1.2/29 interface=ether1-WAN network=172.16.1.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.178.36 client-id=1:5********* comment="K-------e" mac-address=5**********C server=defconf
add address=192.168.178.87 client-id=1:f********* comment="F------p" mac-address=F**********E server=defconf
/*****
many fixed ips
*****/
/ip dhcp-server network
add address=192.168.178.0/24 comment=defconf dns-server=192.168.178.116,192.168.178.1 domain=local.arpa gateway=192.168.178.1 netmask=24 ntp-server=192.168.178.1
/ip dns
set servers=192.168.178.116
/ip dns static
add address=192.168.178.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.178.0/24 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 disabled=yes list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 disabled=yes list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=192.168.178.0/24 list="MGMT - Ranges"
/ip firewall filter
add action=drop chain=input comment="BLOCK - Winbox from WAN" dst-port=8291 in-interface=ether1-WAN protocol=tcp
add action=fasttrack-connection chain=input hw-offload=yes
add action=accept chain=input comment="ALLOW INPUT-defconf" connection-state=established,related,untracked
add action=reject chain=input comment=DROP-INPUT-Invalid connection-state=invalid log=yes log-prefix=4-DROP-INPUT-INVALID- reject-with=icmp-network-unreachable
add action=accept chain=input comment="ALLOW ICMP from LAN" dst-address=127.0.0.1 protocol=icmp
add action=accept chain=input comment="ALLOW-*****Laptop IN" disabled=yes dst-address=192.168.178.38
add action=accept chain=input comment="ALLOW - WAN to Router WireGuard" dst-port=13231 log-prefix="WAN to Router WireGuard" protocol=udp
add action=accept chain=input comment="ALLOW - WireGuard subnet traffic in" src-address=192.168.100.0/24
add action=accept chain=input comment="ALLOW - ****PC to Router" dst-address=192.168.178.1 in-interface=bridge log-prefix=ACCEPT_ICMP_ src-address=192.168.178.87
add action=accept chain=input comment="Accept NTP from LAN" dst-address=192.168.178.1 dst-port=123 in-interface=bridge protocol=udp src-address=192.168.178.0/24 src-port=123
add action=accept chain=input dst-address=192.168.178.1 in-interface=lo src-address=192.168.178.1
add action=reject chain=input comment="11-INPUT - Last DROP" in-interface-list=!LAN log=yes log-prefix=11-DROP-INPUT- reject-with=icmp-network-unreachable
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow LAN to WAN" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=ALLOW-WGtoLAN dst-address=192.168.178.0/24 in-interface=wireguard1
add action=accept chain=forward comment=ALLOW-PortForwarding connection-nat-state=dstnat
add action=accept chain=forward comment="***** PC" dst-address=172.16.1.1 src-address=192.168.178.87
add action=accept chain=forward comment=ALLOW-******LAPTOP disabled=yes src-address=192.168.178.38
add action=drop chain=forward comment="13-DROP - INVALID FWD" connection-state=invalid log=yes log-prefix=13-DROP-FWD-Invalid-
add action=accept chain=forward disabled=yes dst-address=192.168.178.116 src-address=192.168.178.134
add action=drop chain=forward comment="14-DROP - NOT from LAN to WAN" in-interface=bridge log=yes log-prefix=14-DROP-NOTLAN-TOWAN out-interface=!bridge src-address=!192.168.178.116 src-address-list=not_in_internet
add action=drop chain=forward comment="15-DROP - FROM WAN not DSTNAT" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN log=yes
add action=drop chain=forward comment="16-DROP - FROM LAN not LAN" in-interface=bridge log=yes log-prefix=21-DROP-LANtoWAN src-address=!192.168.0.0/16
add action=reject chain=forward comment=21-DROP-ALL-FWD- log=yes log-prefix=21-DROP-FWD-ALL reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent firewall"
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment=FritzBox disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.178.**/32 port=2200
set api address=192.168.178.1**/32
set winbox address=192.168.178.0/24
set api-ssl address=192.168.178.1**/32
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set enabled=yes interfaces=ether1-WAN
/ip traffic-flow ipfix
set nat-events=yes
/ip traffic-flow target
add dst-address=192.168.178.116 src-address=192.168.178.1 version=ipfix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/snmp
set contact=***** location="******" trap-target=192.168.178.1 trap-version=2
/system clock
set time-zone-name=Europe/******
/system identity
set name=routername
/system logging
set 0 topics=info,!wireguard
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=******pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=p1ptowan filter-dst-ip-address=!192.168.178.0/24 filter-src-ip-address=192.168.178.***/32 memory-limit=1000KiB


With this config I get a lot of:

19-DROP-FWD-Invalid- forward: in:ether1-WAN out:bridge, connection-state:invalid src-mac 3c:37:12:b4:3a:fa, proto TCP (RST), 142.250.185.138:443->192.168.178.83:43664, len 40

4-DROP-INPUT-INVALID- input: in:ether1-WAN out:(unknown 0), connection-state:invalid src-mac 3c:37:12:b4:3a:fa, proto TCP (RST), 99.80.126.217:443->172.16.1.2:56380, len 40
4-DROP-INPUT-INVALID- input: in:ether1-WAN out:(unknown 0), connection-state:invalid src-mac 3c:37:12:b4:3a:fa, proto TCP (RST), 142.250.185.170:443->172.16.1.2:46408, len 40


Ahh :)
Also the config for the queue is not working: I had set up 2 queues for prioritizing IPTV, and they both show red in the config box with no traffic on them.
 
unhuzpt
just joined
Topic Author
Posts: 22
Joined: Fri Mar 08, 2024 7:13 am

Re: Help understand some firewall blocks and wireguard 2 clients issues

Mon Apr 08, 2024 1:57 pm

Kind bump :)
Mostly I would love to have someone critique my FW rules to see if I am doing something wrong.
 
anav
Forum Guru
Forum Guru
Posts: 19574
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help understand some firewall blocks and wireguard 2 clients issues

Mon Apr 08, 2024 3:31 pm

-Disable IPv6 and remove all associated FW rules if not using IPv6.
-Firewall rules are a bloated mess concerned with blocking things more than allowing only needed traffic, but not the issue here.

Your WireGuard is configured incorrectly. Allowed IPs is used to describe the remote side (either subnets your local users are going to, or remote subnets visiting your router). As for the Peer (server for handshake), it needs very little in the allowed peer setup.

From:
/interface wireguard peers
add allowed-address=192.168.100.2/32,192.168.178.0/24 client-address=192.168.100.2/24 client-dns=192.168.178.1,192.168.178.116,1.1.1.2 client-endpoint=1-------8 comment=***** interface=wireguard1 preshared-key=\
"cJ3------="
add allowed-address=192.168.100.3/32,192.168.178.0/24 client-address=192.168.100.3/24 client-dns=192.168.178.1,192.168.178.116,1.1.1.2 client-endpoint=1-------8 comment=***** interface=wireguard1 preshared-key=\
"0Js------="


TO:
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 preshared-key=\
"cJ3------="
add allowed-address=192.168.100.3/32 interface=wireguard1 preshared-key=\
"0Js------="
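As an added example (not code from the thread or from MikroTik), the check below parses a `/interface wireguard peers` export in the shape posted above and flags the two things the reply points at: an allowed-address entry that is actually the router's own LAN, and a prefix repeated across peers, which WireGuard's cryptokey routing can only bind to one of them. The sample exports, the peer comments and the preshared-key placeholders are constructed; the LAN subnet 192.168.178.0/24 is taken from the thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the shape of the thread's export (keys replaced with
# placeholders): both peers also list the router's own LAN in allowed-address.
BEFORE = r"""/interface wireguard peers
add allowed-address=192.168.100.2/32,192.168.178.0/24 client-address=192.168.100.2/24 comment=peerA interface=wireguard1 preshared-key=\
"PSK-PLACEHOLDER-A="
add allowed-address=192.168.100.3/32,192.168.178.0/24 client-address=192.168.100.3/24 comment=peerB interface=wireguard1 preshared-key=\
"PSK-PLACEHOLDER-B="
"""
# Corrected form from the reply: allowed-address names only the remote side.
AFTER = r"""/interface wireguard peers
add allowed-address=192.168.100.2/32 comment=peerA interface=wireguard1 preshared-key="PSK-PLACEHOLDER-A="
add allowed-address=192.168.100.3/32 comment=peerB interface=wireguard1 preshared-key="PSK-PLACEHOLDER-B="
"""
ROUTER_LOCAL = [ipaddress.ip_network("192.168.178.0/24")]  # LAN behind the router, per the thread

def parse_peers(export: str) -> List[Dict[str, str]]:
    """Return one {key: value} dict per 'add ...' line; joins RouterOS backslash line continuations."""
    peers = []
    for line in export.replace("\\\n", "").splitlines():
        line = line.strip()
        if line.startswith("add "):
            fields = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            peers.append({k: v.strip('"') for k, v in fields})
    return peers

def lint_allowed_addresses(peers: List[Dict[str, str]], local=ROUTER_LOCAL) -> List[str]:
    """Flag allowed-address entries that name the router's own LAN or collide across peers."""
    findings: List[str] = []
    owner: Dict[ipaddress.IPv4Network, str] = {}  # prefix -> first peer that claimed it
    for p in peers:
        name = p.get("comment", "<no comment>")
        for token in filter(None, p.get("allowed-address", "").split(",")):
            net = ipaddress.ip_network(token, strict=False)
            # allowed-address describes the remote side, so a subnet that is local
            # to the router (its LAN) does not belong here
            for lan in local:
                if net.overlaps(lan):
                    findings.append(f"{name}: {net} is the router's local subnet {lan}")
            # WireGuard's cryptokey routing binds each prefix to exactly one peer;
            # a prefix repeated on two peers ends up owned by only one of them
            for seen, seen_by in owner.items():
                if seen_by != name and net.overlaps(seen):
                    findings.append(f"{name}: {net} overlaps {seen}, already bound to {seen_by}")
            owner.setdefault(net, name)
    return findings

if __name__ == "__main__":
    for label, export in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_allowed_addresses(parse_peers(export)) or ["ok"])
```

Running it reports three findings for the original form (the LAN listed on each peer, plus the collision between the two peers) and none for the corrected one.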
 
unhuzpt
just joined
Topic Author
Posts: 22
Joined: Fri Mar 08, 2024 7:13 am

Re: Help understand some firewall blocks and wireguard 2 clients issues

Mon Apr 08, 2024 9:42 pm

"Firewall rules are a bloated mess concerned"
:lol:
Not surprised honestly.

Thanks a lot for replying, and I will do my best to go step by step, improving and learning.
I removed the LAN subnet as you mentioned, and yes, the 1st WG peer is working and has access to the LAN.

Also made sure IPv6 is disabled and deleted all IPv6 FW rules; I had also disabled IPv6 in the Fritz!Box previously.
What cracks me is that I have some Google Minis and they use IPv6 (I see it in ntop) and I'm not sure what to do with them, but that's another story :)
Also, I will get 2 cAP ax tomorrow and will fight CAPsMAN :)

But I still have the issue with the second peer.
It connects and I never see RX traffic; as far as I can tell the config is the same, the WireGuard public key is correct and it has its own public and private key.
I believe I have tried re-creating the peer keys and scanning the config again in the mobile WireGuard client.

Have you any hint on how I can troubleshoot this situation further?
 
llamajaja
Member Candidate
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Help understand some firewall blocks and wireguard 2 clients issues

Tue Apr 09, 2024 9:14 pm

Not really, only to say the problem is likely on the remote device. Either the public key from the MT device is wrong, or some other setting...
Of course the public key of the remote device may be incorrectly input to the allowed IP peer settings on the MT as well.

The fact that device 1 works great tells me the tunnel setup is up and running... and thus it is not any other settings on the router itself.
 
unhuzpt
just joined
Topic Author
Posts: 22
Joined: Fri Mar 08, 2024 7:13 am

Re: Help understand some firewall blocks and wireguard 2 clients issues

Tue Apr 09, 2024 9:57 pm

@llamajaja
Agreed, that makes all the sense; I am going to give this a good look, re-create everything for the second device and come back.
Thanks
 
unhuzpt
just joined
Topic Author
Posts: 22
Joined: Fri Mar 08, 2024 7:13 am

Re: Help understand some firewall blocks and wireguard 2 clients issues

Thu Apr 11, 2024 11:56 pm

Ok

So I got 2 new shiny cAP ax and somehow managed to make them work with CAPsMAN :)
Also decided to fully reset my RB5009 to make sure I would start clean, without the mess I made of the FW rules and some other bits.
Incredibly, all is working: I have almost 60 smart devices, of those 30 use Wi-Fi and the others Zigbee, and all is working.

Now I go fight WireGuard again :) I do not remember how I managed to make it work for the 1st peer :(
Well, time to bang my head on the documentation, but I am sure I am missing some stupid bit...
 
unhuzpt
just joined
Topic Author
Posts: 22
Joined: Fri Mar 08, 2024 7:13 am

Re: Help understand some firewall blocks and wireguard 2 clients issues

Fri Apr 12, 2024 9:20 pm

And wireguard 1 is working, going for peer 2 :)
