I have a router with two WAN ports: ether1 with a static IP and ether2 with a dynamic IP. My clients connect to ether4 and browse the internet using ether2. My problem is that I can't connect via WireGuard to the public IP address of ether1. I tried routing configuration, specifically targeting incoming connections on ether1, and I also tried assigning a new VRF to my WireGuard1 interface and targeting packets connecting to UDP port 12321. However, I still don't have a WireGuard connection; it's showing the route "out:unknown".
RouterOS 7.21
Here's one possibility: Mark incoming connections in mangle prerouting table (in interface=ether1, state=new, action=mark connection). Exclude marked connections from fasttrack. Create a separate routing table with default gateway via ether1. Create a rule in mangle output to set routing mark for marked connections to the new routing table.
WireGuard is special and mangle alone is not enough, if you choose the mangle way, you'll need to combine with NAT too.
See in this thread whether the situation is similar to yours and apply the simple solution from it:
If your configuration is not like that, then look a the beginning of my post in that thread where I linked to the two possible ways to deal with more complex situations (one using NAT and one using VRF).
Wont even bother guessing without seeing the config.
/export file=anynameyouwish (minus router serial#, any public WANIP information, keys, dhcp lease lists )