Basic cleanup of a complex config

May I please have help refining / improving my rather extensive router configuration? I have attached the (hopefully) sanitized config file. I’ll split this into two posts, hoping that it will help with readability. I’m sorry this is long, but hope the added info helps you understand how I’m using my router and understand my config better.

• I have CCR1009-7G-1C-1S+ that currently supports Dual WAN w/ PCC. Failover is recursive route based on 3 DNS checks.
  
  
  
• It will have efficiency and potentially security (firewall rule) problems to an experienced eye and I would appreciate help in cleaning it up.
  
  
  
• In addition to any firewall rule improvements, are my recursive routes setup correctly? I’ve tried numerous times to wrap my head around routing config, and the most dangerous thing is someone who thinks they’ve finally figured it out. I’m maybe not quite at that point, but I think I’m almost getting it.
  
  
  
• What I have so far works pretty well overall, but I know there are likely issues with it where I don’t know what I don’t know. The issues aren’t for lack of trying to understand, so if you see something stupid in this config, please know I’m still trying to learn and would appreciate an explanation far more than just shaking the “no-no” finger at me.
  
  
  
• Although I have a lot of firewall and mangle rules, they don’t seem to be adversely affecting the performance of my router. CPU usage is between 1 and 3% when I watch it. I’m not seeing any bottlenecking at the firewall.
  dualWANfailoverCleanBufferBloat.txt (38.8 KB)

Things to be aware of:

• My 2 ISPs are somewhat simple wireless radios / wireless routers. No PPPoE or other WAN stuff here. I do have a static IP on one of them and the other just uses DHCP. My MikroTik is in the DMZ for the WAN2 connection, so all ports management is done on my Mikrotik Router.
  
  
  
• I’ve tried to make my port forwarding apply to both WAN connections. I normally access my network remotely with wireguard using a static IP on WAN1
  
  
  
• You might ask me for a network diagram: Last time I tried to draw a network diagram of my network, I stopped because it was far more complicated to see it visually than to understand the simple fact: All devices are simply connected to my router as clients. It doesn’t really matter how many devices are connected via an AP, 2 different daisy chained Point-to-Point (P-to-P) 60GHz gigabit radios, or hardwired into an unmanaged switch. My furthest P-to-P connection is 6 miles away and there is about 4ms of latency to the router over there.
  
  
  
• Buffer bloat on my primary connection is 0 to 2ms due to cake-download and -upload queues for the Dual WANs. VoIP phone calls, and online meetings are stable and usually have good audio because of this. So my config has grown, but it does a lot for me.
  
  
  
• WAN1 ISP is less than 0.2miles or 0.3km from me with good line of site. The other ISP is 5G based. Both run between 150Mbps and 250Mbps when operating normally. The link between my router and WAN2 is going to get fixed. Currently the medium it is travelling is noisy. Nothing a new STP CAT7 cable won’t fix.
  
  
  
• I have a fairly large network of devices and a few routers behind this Mikrotik. I haven’t implemented VLANs or subnets yet, but I have started to think about that. I added a 192.168.20.0 network as my first test in that area and had some success, though it isn’t being utilized right now.