DMZ Pinhole

Several issues, and the biggie is firewall rules. You have to be WAY CLEARER on your forward chain rules.
There is no effing reason why VLANs can originate traffic to your trusted VLAN; it ain't trusted anymore LOL.
So I have assumed the following: EVERYONE should have access to DMZ.
MAIN should have access to everyone.
DONE. We can adjust when intentions are made known.
Also fixed access to the router by the admin.
Also fixed interface lists; you only need three.
Removed second sourcenat rule stating ether1, not needed.

model = RB760iGS

serial number =

/interface bridge
add admin-mac=D4:01:C3:6A:E4:CE auto-mac=no comment=defconf name=br1 protocol-mode=none vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name="PlusNet Full Fibre" use-peer-dns=yes user=@plusdsl.net
/interface wireguard
add listen-port=9874 mtu=1420 name=wireguard1
/interface vlan
add interface=br1 name=DMZ_VLAN vlan-id=20
add interface=br1 name=IoT_VLAN vlan-id=50
add interface=br1 name=Main_VLAN vlan-id=5
add interface=br1 name=SCS-Wireless_VLAN vlan-id=100
add interface=br1 name=SCS_Workshop_VLAN vlan-id=30

/interface list
add name=WAN
add name=LAN
add name=Trusted
/ip pool
add name=Main_VLAN_Pool ranges=172.16.23.115-172.16.23.245
add name=DMZ_Pool ranges=172.16.24.10-172.16.24.13
add name=IoT_Pool ranges=172.16.50.100-172.16.50.200
add name=SCS-Wireless_Pool ranges=192.168.10.100-192.168.10.150
add name=SCS-Workshop_Pool ranges=192.168.3.10-192.168.3.200
/ip dhcp-server
add address-pool=Main_VLAN_Pool interface=Main_VLAN lease-time=12h name=Main_VLAN_DHCP
add address-pool=DMZ_Pool interface=DMZ_VLAN name=DMZ_VLAN_DHCP
add address-pool=SCS-Wireless_Pool interface=SCS-Wireless_VLAN lease-time=8h name=SCS-Wireless_DHCP
add address-pool=IoT_Pool interface=IoT_VLAN name=IoT_VLAN_DHCP
add address-pool=SCS-Workshop_Pool interface=SCS_Workshop_VLAN lease-time=8h name=SCS-Workshop_DHCP
/disk settings
set auto-media-interface=br1 auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port
add bridge=br1 interface=ether2 pvid=5 comment="hybrid port"
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=5
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=30
add bridge=br1 interface=sfp1 pvid=5 comment="hybrid port"
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/interface bridge vlan
add bridge=br1 tagged=br1 untagged=ether2,sfp1 vlan-ids=5
add bridge=br1 tagged=br1 untagged=ether3 vlan-ids=20
add bridge=br1 tagged=br1 untagged=ether5 vlan-ids=30
add bridge=br1 tagged=br1,ether2,sfp1 vlan-ids=50,100
/interface list member
add interface=ether1 list=WAN
add interface=Main_VLAN list=LAN
add interface=DMZ_VLAN list=LAN
add interface=IoT_VLAN list=LAN
add interface=SCS-Wireless_VLAN list=LAN
add interface=SCS_Workshop_VLAN list=LAN
add interface=wireguard1 list=LAN
add interface=Main_VLAN list=Trusted
add interface=wireguard1 list=Trusted
add interface="PlusNet Full Fibre" list=WAN
/interface wireguard peers
add allowed-address=172.16.30.2/32 interface=wireguard1 name=peer5 public-key="aOnJYVQJ5YwfpV1V5D8hWwfl1QM6zXXSUQCFo5SbH28="
add allowed-address=..................one for admin smartphone/ipad 172.16.30.3/32
/ip address
add address=172.16.23.1/24 interface=Main_VLAN network=172.16.23.0
add address=172.16.24.2/28 interface=DMZ_VLAN network=172.16.24.0
add address=192.168.3.254/24 interface=SCS_Workshop_VLAN network=192.168.3.0
add address=192.168.10.254/24 interface=SCS-Wireless_VLAN network=192.168.10.0
add address=172.16.50.1/24 interface=IoT_VLAN network=172.16.50.0
add address=172.16.30.1/29 interface=wireguard1 network=172.16.30.0 comment="five useable IPs"
/ip dhcp-client
add comment="defconf: already using pppoe" disabled=yes interface=ether1
/ip dhcp-server lease
add address=172.16.23.101 comment="Main Desktop PC" mac-address=40:B0:76:60:89:89 server=Main_VLAN_DHCP
add address=172.16.23.105 comment="Lounge TV" mac-address=38:68:A4:6E:A8:D4 server=Main_VLAN_DHCP
add address=172.16.23.106 comment=SonosZP mac-address=00:0E:58:10:E7:0A server=Main_VLAN_DHCP
add address=172.16.23.107 comment="Sonos ZP2" mac-address=00:0E:58:10:E7:C0 server=Main_VLAN_DHCP
add address=172.16.23.108 comment="Sonos ZP3" mac-address=94:9F:3E:76:6D:94 server=Main_VLAN_DHCP
add address=172.16.23.109 comment="Bedroom Firestick" mac-address=38:F7:3D:3D:9F:A9 server=Main_VLAN_DHCP
add address=172.16.23.111 comment="Sony DVD Bluray Player" mac-address=38:B8:00:D3:5A:AC server=Main_VLAN_DHCP
add address=192.168.10.100 client-id=1:ea:8a:87:50:89:42 mac-address=EA:8A:87:50:89:42 server=SCS-Wireless_DHCP
add address=172.16.23.110 comment="Sonos Controller Phone" mac-address=36:F6:43:B1:B0:35 server=Main_VLAN_DHCP
add address=172.16.23.102 comment="Andy's Laptop WiFi" mac-address=54:6C:EB:0D:EB:E3 server=Main_VLAN_DHCP
add address=172.16.23.103 comment="Lissa's Laptop" mac-address=5C:87:9C:8C:6D:E2 server=Main_VLAN_DHCP
/ip dhcp-server network
add address=172.16.23.0/24 comment="Main LAN" dns-server=172.16.23.4 gateway=172.16.23.1
add address=172.16.24.0/28 comment=DMZ dns-server=8.8.8.8 gateway=172.16.24.2
add address=172.16.50.0/24 comment=IoT dns-server=172.16.23.1 gateway=172.16.50.1
add address=192.168.3.0/24 comment="SCS Workshop" dns-server=172.16.23.1 gateway=192.168.3.254
add address=192.168.10.0/24 comment="SCS Wireless" dns-server=8.8.8.8 gateway=192.168.10.254

/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=172.16.23.1.X/32 list=Authorized comment="admin desktop"
add address=172.16.23.1.Y/32 list=Authorized comment="admin laptop"
add address=172.16.23.1.Z/32 list=Authorized comment="admin smartphone/ipad"
add address=172.16.30.2/32 list=Authorized comment="remote admin laptop"
add address=172.16.30.3/32 list=Authorized comment="remote admin smartphone/ipad"
/ip firewall filter
# fix order
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=9874 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=Trusted src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp comment="users to services"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp comment="users to services"
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN dst-address=172.16.24.0/28 comment="all to DMZ"
add action=accept chain=forward in-interface-list=Trusted out-interface-list=LAN comment="main & wireguard to ALL"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="NAT Incoming Mail " dst-address=212..16. dst-port=587 protocol=tcp to-addresses=172.16.24.8 to-ports=587
add action=dst-nat chain=dstnat comment="NAT SMTPS Incoming Mail " dst-address=212..16. dst-port=465 protocol=tcp to-addresses=172.16.24.8 to-ports=465
add action=dst-nat chain=dstnat comment="NAT SMTP Incoming Mail " dst-address=212..16. dst-port=25 protocol=tcp to-addresses=172.16.24.8 to-ports=25
add action=dst-nat chain=dstnat comment="NAT HTTP to the web server" dst-address=212..16. dst-port=80 protocol=tcp to-addresses=172.16.24.8 to-ports=80
add action=dst-nat chain=dstnat comment="NAT HTTP to the web server for webmail" dst-address=212..16. dst-port=8081 protocol=tcp to-addresses=172.16.24.8 to-ports=8081
add action=dst-nat chain=dstnat dst-address=212..16. dst-port=110 protocol=tcp to-addresses=172.16.24.8 to-ports=110
add action=dst-nat chain=dstnat dst-address=212..16. dst-port=143 protocol=tcp to-addresses=172.16.24.8 to-ports=143
add action=dst-nat chain=dstnat comment="NAT IMAP to mail Server " dst-address=212..16. dst-port=993 protocol=tcp to-addresses=172.16.24.8 to-ports=993
add action=dst-nat chain=dstnat comment="NAT HTTPS to Web Server " dst-address=212..16. dst-port=443 protocol=tcp to-addresses=172.16.24.8 to-ports=443

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=webfig disabled=no port=445
/system clock
set time-zone-name=Europe/London
/system identity
set name=The-Gate-New
/system note
set show-at-login=no

{MISSING AND ADDED}
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Trusted

In firewall → filter (forward chain):
create a new rule: in interface "G4", source IP: 172.16.24.8, destination IP: 172.16.23.4, destination port: 3493 (I assume TCP, but could be UDP as well).
action: accept

Place this rule logically above any rule that would prevent this connection. The first rule (top to bottom) will match.

Thanks for the reply.
My intentions are:

Main VLAN has access to everything
DMZ - WAN
IoT - DMZ & WAN
SCS-Wireless & SCS-Workshop - WAN

WireGuard VPN for up to 10 clients: access to the file storage on the Main VLAN as well as remote access to servers on the DMZ.

So it's fair to say you have two types of VPN users.
A. admin (let's say two to five devices)
B. others who need remote access to Main and DMZ only.

RESULT. All the changes I've made above stand, except for some finessing of forward chain filter rules and a slight modification to WireGuard.
We will give the wireguard interface two addresses, one for the admin to use (the current one!), and a new one for the rest of the users for DMZ access etc.

++++++++++++++++++++

/interface list
add name=WG-to-LAN
/interface list member
add interface=Main_VLAN list=WG-to-LAN
add interface=DMZ_VLAN list=WG-to-LAN
/ip address
add address=172.16.30.1/29 interface=wireguard1 network=172.16.30.0 comment="five useable IPs for admin devices"
add address=172.16.40.1/28 interface=wireguard1 network=172.16.40.0 comment="thirteen usable IPs for users"

/ip firewall address-list
add address=172.16.23.1.X/32 list=Authorized comment="admin desktop"
add address=172.16.23.1.Y/32 list=Authorized comment="admin laptop"
add address=172.16.23.1.Z/32 list=Authorized comment="admin smartphone/ipad"
add address=172.16.30.2/32 list=Authorized comment="remote admin laptop"
add address=172.16.30.3/32 list=Authorized comment="remote admin smartphone/ipad"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=9874 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=Trusted src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp comment="users to services"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp comment="users to services"
add action=drop chain=input comment="drop all else"

+++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!172.16.40.0/28
add action=accept chain=forward in-interface-list=Trusted src-address-list=Authorized out-interface-list=LAN comment="admin to ALL"
add action=accept chain=forward in-interface=Main_VLAN src-address=172.16.23.0/24 out-interface-list=LAN comment="main to ALL"
add action=accept chain=forward in-interface=IoT_VLAN src-address=172.16.50.0/24 dst-address=172.16.24.0/28 comment="iot to DMZ"
add action=accept chain=forward in-interface=wireguard1 src-address=172.16.40.0/28 out-interface-list=WG-to-LAN comment="wireguard users to Main and DMZ"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

explanation

  • we allow traffic from all VLANs (main, iot, dmz, scs), and wireguard remote admin, to the internet → except we don't allow other wireguard users.
  • we allow admin to all VLANs
  • we allow all main users to all VLANs
  • we allow iot users to the DMZ subnet
  • we allow wireguard1 users to the Main and DMZ subnets
  • we allow port forwarding
  • we drop all else.
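
A quick way to check that the revised chains really match the stated intentions before loading them on the router is to run the flows through a first-match simulator. The following is an added example, not RouterOS code and not from any post in this thread: it models the interface lists, the Authorized address list and the revised input/forward rules as Python data, routes each test flow to its egress interface using the page's own subnets, and reports the first rule that matches. Everything else is a constructed assumption: 172.16.23.10 stands in for the elided admin desktop (172.16.23.1.X), the sample flows are invented, and the established/related and fasttrack rules are skipped so every flow is treated as a new connection.

```python
"""First-match simulator for the revised input and forward chains above.

Added example, not RouterOS code and not from the posts.  Constructed
assumptions: 172.16.23.10 stands in for the elided admin desktop, the sample
flows are invented, and connection-state/fasttrack rules are skipped.
"""
import ipaddress

IFACE_LISTS = {  # /interface list member, as posted in the thread
    "WAN": {"PlusNet Full Fibre"},
    "LAN": {"Main_VLAN", "DMZ_VLAN", "IoT_VLAN", "SCS-Wireless_VLAN",
            "SCS_Workshop_VLAN", "wireguard1"},
    "Trusted": {"Main_VLAN", "wireguard1"},
    "WG-to-LAN": {"Main_VLAN", "DMZ_VLAN"},
}
# Authorized list; 172.16.23.10 is a constructed stand-in for 172.16.23.1.X.
ADDR_LISTS = {"Authorized": ["172.16.23.10/32", "172.16.30.2/32", "172.16.30.3/32"]}
ROUTES = {  # connected subnets from /ip address; anything else leaves via the WAN
    "172.16.23.0/24": "Main_VLAN", "172.16.24.0/28": "DMZ_VLAN",
    "172.16.50.0/24": "IoT_VLAN", "192.168.10.0/24": "SCS-Wireless_VLAN",
    "192.168.3.0/24": "SCS_Workshop_VLAN", "172.16.30.0/29": "wireguard1",
    "172.16.40.0/28": "wireguard1",
}

def iface_for(ip):
    """Interface whose connected subnet holds ip, else the PPPoE WAN interface."""
    addr = ipaddress.ip_address(ip)
    for net, iface in ROUTES.items():
        if addr in ipaddress.ip_network(net):
            return iface
    return "PlusNet Full Fibre"

def addr_match(ip, spec):
    """RouterOS-style address matcher; a leading '!' negates the match."""
    if spec.startswith("!"):
        return not addr_match(ip, spec[1:])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """Every matcher present on a rule must hold, exactly as in the filter."""
    checks = {
        "in_iface": lambda v: pkt["in_iface"] == v,
        "in_list": lambda v: pkt["in_iface"] in IFACE_LISTS[v],
        "out_list": lambda v: pkt["out_iface"] in IFACE_LISTS[v],
        "src": lambda v: addr_match(pkt["src"], v),
        "dst": lambda v: addr_match(pkt["dst"], v),
        "src_list": lambda v: any(addr_match(pkt["src"], a) for a in ADDR_LISTS[v]),
        "proto": lambda v: pkt["proto"] == v,
        "dport": lambda v: pkt["dport"] == v,
        "nat_state": lambda v: pkt["dstnat"] and v == "dstnat",
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

# The revised chains from the post above, minus the state/fasttrack rules.
INPUT = [
    dict(action="accept", proto="udp", dport=9874, comment="allow Wireguard"),
    dict(action="accept", in_list="Trusted", src_list="Authorized", comment="admin access"),
    dict(action="accept", in_list="LAN", proto="tcp", dport=53, comment="users to services"),
    dict(action="accept", in_list="LAN", proto="udp", dport=53, comment="users to services"),
    dict(action="drop", comment="drop all else"),
]
FORWARD = [
    dict(action="accept", in_list="LAN", out_list="WAN", src="!172.16.40.0/28", comment="internet traffic"),
    dict(action="accept", in_list="Trusted", src_list="Authorized", out_list="LAN", comment="admin to ALL"),
    dict(action="accept", in_iface="Main_VLAN", src="172.16.23.0/24", out_list="LAN", comment="main to ALL"),
    dict(action="accept", in_iface="IoT_VLAN", src="172.16.50.0/24", dst="172.16.24.0/28", comment="iot to DMZ"),
    dict(action="accept", in_iface="wireguard1", src="172.16.40.0/28", out_list="WG-to-LAN", comment="wireguard users to Main and DMZ"),
    dict(action="accept", nat_state="dstnat", comment="port forwarding"),
    dict(action="drop", comment="drop all else"),
]

def decide(chain, src, dst, proto="tcp", dport=443, dstnat=False):
    """Walk the chain top to bottom; return (action, comment) of the first match."""
    pkt = dict(src=src, dst=dst, proto=proto, dport=dport, dstnat=dstnat,
               in_iface=iface_for(src), out_iface=iface_for(dst))
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    raise ValueError("chain has no terminal rule")

def check_intentions():
    """The OP's stated intentions as constructed flows; returns {name: action}."""
    flows = {
        "main_to_iot": (FORWARD, "172.16.23.50", "172.16.50.20"),
        "iot_to_dmz": (FORWARD, "172.16.50.20", "172.16.24.8"),
        "iot_to_main": (FORWARD, "172.16.50.20", "172.16.23.4"),
        "dmz_to_wan": (FORWARD, "172.16.24.8", "1.1.1.1"),
        "dmz_to_main": (FORWARD, "172.16.24.8", "172.16.23.4"),
        "workshop_to_dmz": (FORWARD, "192.168.3.10", "172.16.24.8"),
        "wg_user_to_dmz": (FORWARD, "172.16.40.5", "172.16.24.8"),
        "wg_user_to_wan": (FORWARD, "172.16.40.5", "1.1.1.1"),
        "wg_admin_to_iot": (FORWARD, "172.16.30.2", "172.16.50.20"),
        "main_user_winbox": (INPUT, "172.16.23.50", "172.16.23.1"),
        "admin_winbox": (INPUT, "172.16.23.10", "172.16.23.1"),
    }
    results = {name: decide(chain, s, d, dport=8291 if chain is INPUT else 443)[0]
               for name, (chain, s, d) in flows.items()}
    results["iot_dns"] = decide(INPUT, "172.16.50.20", "172.16.50.1", "udp", 53)[0]
    return results

if __name__ == "__main__":
    for name, action in check_intentions().items():
        print(f"{name:18} {action}")
```

Running it shows the two points the thread turns on: a Main_VLAN host is on the Trusted interface list yet still cannot reach the router's management port unless its address is also in Authorized, and a 172.16.40.x WireGuard user reaches Main and DMZ but is refused the internet by the negated src-address on the first forward rule. The model derives the ingress interface from the source address, whereas the real router uses the port the packet actually arrived on, so it cannot stand in for testing with real traffic; it only checks that the rule order encodes the intended policy.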

Thank you for your patience and help with getting this setup.

No worries, at some point it turns into fun and rewarding!
By the way, the more you learn and know, the more you realize you don't know. :)

Apart from this forum are there any decent books or online courses to learn more about ROS? I have found that the Mikrotik documentation is as clear as mud normally.

Courses yes…
https://www.youtube.com/@TheNetworkBerg/videos