Blocking admin services - Firewall rules



The firewall and the NAT are full of useless rules, and the default drop-all-at-the-end rule is deleted...

<put wireguard rule here>
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

All useless, if the previous rule is in place:
add action=drop chain=forward comment="Block traffic from WAN to LAN" in-interface-list=WAN out-interface-list=LAN
add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=Block-Admin protocol=tcp
add action=accept chain=input comment="Allow Admin from LAN" dst-port=22,8291 in-interface-list=LAN log-prefix=admin-LAN protocol=tcp

Must be put before the missing rule:
add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp

Useless, the router already allows traffic between CIDRs. 192.168.1.0/24 and 192.168.33.0/25 are NOT classes and NOT separate LANs.
add action=accept chain=forward comment="Allow traffic from main-network to old-network" dst-address=192.168.1.0/24 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from old-network to main-network" dst-address=192.168.33.0/25 src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow traffic from main-network to iot-network" dst-address=192.168.44.0/27 src-address=192.168.33.0/25
add action=accept chain=forward comment="Allow traffic from iot-network to main-network" dst-address=192.168.33.0/25 log=yes log-prefix=iot-to-main src-address=192.168.44.0/27

If switches are present, the firewall cannot block any communication between different CIDRs if separate VLANs for each CIDR are not present.


I UPDATE the post with default firewall rules:
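As an added example (not from the post above and not MikroTik code), here is a small Python checker for the two ordering problems the post points out: a rule that comes after a terminating rule that already covers it (the "Block Admin from WAN" drop behind "drop all not coming from LAN") can never match, and an accept that comes after a drop which already catches part of its traffic (the WireGuard rule placed behind the "!LAN" drop) is partially blocked. The interface-list membership (LAN = bridge, WAN = ether1) is an assumption, since the post names the lists but not their members; the sample rule lists are constructed from the rules quoted in the post.

```python
"""Rule-order audit for RouterOS-style '/ip firewall filter' rules (added example)."""
import ipaddress
import shlex

# Assumed interface-list membership: the post names LAN and WAN but not their members.
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}
ALL_INTERFACES = set().union(*INTERFACE_LISTS.values())
TERMINATING = {"accept", "drop", "reject"}


def parse_rule(line):
    """Turn 'add key=value ...' into a dict; shlex keeps quoted comments whole."""
    tokens = shlex.split(line)
    if tokens and tokens[0] == "add":
        tokens = tokens[1:]
    return dict(tok.partition("=")[::2] for tok in tokens)


def iface_set(spec):
    """Expand 'LAN', '!LAN' or an absent match into the set of interfaces it covers."""
    if spec is None:
        return set(ALL_INTERFACES)
    if spec.startswith("!"):
        return ALL_INTERFACES - INTERFACE_LISTS.get(spec[1:], set())
    return set(INTERFACE_LISTS.get(spec, set()))


def port_set(spec):
    """Expand '21,22,8291' or '1000-1010' into a set of ports; None means any port."""
    if spec is None:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _net(spec):
    return ipaddress.ip_network(spec, strict=False)


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a (b is dead after a)."""
    if a.get("chain") != b.get("chain"):
        return False
    if a.get("protocol") not in (None, b.get("protocol")):
        return False
    for key in ("in-interface-list", "out-interface-list"):
        if not iface_set(a.get(key)) >= iface_set(b.get(key)):
            return False
    for key in ("src-port", "dst-port"):
        pa, pb = port_set(a.get(key)), port_set(b.get(key))
        if pa is not None and (pb is None or not pa >= pb):
            return False
    for key in ("src-address", "dst-address"):
        if key in a and (key not in b or not _net(a[key]).supernet_of(_net(b[key]))):
            return False
    return True


def overlaps(a, b):
    """True if some packet can match both rules (the earlier one decides it first)."""
    if a.get("chain") != b.get("chain"):
        return False
    if a.get("protocol") and b.get("protocol") and a["protocol"] != b["protocol"]:
        return False
    for key in ("in-interface-list", "out-interface-list"):
        if not iface_set(a.get(key)) & iface_set(b.get(key)):
            return False
    for key in ("src-port", "dst-port"):
        pa, pb = port_set(a.get(key)), port_set(b.get(key))
        if pa is not None and pb is not None and not pa & pb:
            return False
    for key in ("src-address", "dst-address"):
        if key in a and key in b and not _net(a[key]).overlaps(_net(b[key])):
            return False
    return True


def audit(lines):
    """Return (index, comment, finding, earlier_index) for each rule with an ordering problem."""
    rules = [parse_rule(line) for line in lines if line.strip()]
    findings = []
    for i, rule in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if earlier.get("action") not in TERMINATING:
                continue
            if covers(earlier, rule):  # redundant: an earlier terminating rule takes everything
                findings.append((i, rule.get("comment", ""), "never-matches", j))
                break
            if rule.get("action") == "accept" and earlier["action"] != "accept" and overlaps(earlier, rule):
                findings.append((i, rule.get("comment", ""), "partially-blocked", j))
                break
    return findings


# Constructed from the rules quoted in the post, with the WireGuard accept placed
# after the "drop all not coming from LAN" rule; RIGHT_ORDER moves it ahead of the drop.
WRONG_ORDER = [
    'add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"',
    'add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 protocol=udp',
    'add action=drop chain=input comment="Block Admin from WAN" dst-port=21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=Block-Admin protocol=tcp',
]
RIGHT_ORDER = [WRONG_ORDER[1], WRONG_ORDER[0], WRONG_ORDER[2]]

if __name__ == "__main__":
    for name, rules in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(name)
        for i, comment, finding, j in audit(rules):
            print(f"  rule {i} ({comment!r}) {finding}: decided by earlier rule {j}")
```

Run against the wrong ordering it reports the WireGuard accept as partially blocked by rule 0 and the "Block Admin from WAN" drop as never matching; with the WireGuard rule moved first only the redundant admin drop remains, which is the post's point. The matcher deliberately models only the fields used in the post (chain, protocol, ports, interface lists, addresses), so connection-state or address-list matchers would need to be added before using it on a full export.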