Don't know what I'm doing with these rules :(

I've set up a bunch of these routers with WireGuard, all connecting to my WireGuard server, and for the most part it is all working great. But I had a moment there where my router would not create a link, and then, messing around with the rules a bunch of different ways, I was able to get it to work, but I'm really getting lost as to which rule is the rule that finally did the trick. Do I have too many rules? Do I need to remove some? I don't know. At first I just added the wg interface to the LAN interface list and also created a TrustedLan interface list and added it to that. I don't know what I'm doing lol.
The VPN remote server is a pfSense box I have running in the cloud.
I'll paste what I've done below, as far as firewall rules and interface lists go.

Flags: X - disabled, I - invalid; D - dynamic 
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 
1 X ;;; Allow Winbox From Wan For Testing ONLY!!!
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix="" 
2 ;;; Allow Wireguard Network to Router!!!!
chain=input action=accept in-interface-list=Wireguard log=no log-prefix="" 
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp src-address-list=PrivateIps log=no log-prefix="" 
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix="" 
5 ;;; defconf: drop all not coming from TrustedLAN
chain=input action=drop in-interface-list=!TrustedLan log=no log-prefix="" 
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 
8 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix="" 
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN1 log=no log-prefix=""
/interface list
add name=WAN
add name=LAN
add name=Wireguard
add name=WAN1
add name=WAN2
add name=TrustedLan
/interface list member
add interface=ether1 list=LAN
add interface=sfp-sfpplus1-WAN1 list=WAN
add interface=miamievents1 list=Wireguard
add interface=sfp-sfpplus1-WAN1 list=WAN1
add interface=200 list=LAN
add interface=wgcloud1 list=Wireguard
add interface=200 list=TrustedLan
add interface=miamievents1 list=TrustedLan
add interface=wgcloud1 list=TrustedLan
add interface=sfp-sfpplus2-WAN2 list=WAN2

Before I take a look, to be clear, the pfSense box running in the cloud is the server.
What do you use WireGuard for then…

It's acting as a VPN server for some routers that I have that are behind NAT, on networks that are not under my control. A small network in an office building, for instance, where we cannot get a public IP but still have a lot of remote needs. But I was just thinking: since the pfSense box is in the cloud, I shouldn't even need firewall rules on the client WireGuard routers, right? Wouldn't established and related connections already be allowed?

Looks like I need at least this one to get back over the tunnel..

4    ;;; AllowWireguard
      chain=input action=accept in-interface-list=Wireguard log=no 
      log-prefix=""

The tunnel forms without it, but I can't get into the network without that.

On the client MikroTik.
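For reference, here is a minimal client-side ruleset that reproduces what the posts above arrive at: the tunnel comes up on established/related alone because the client initiates the handshake, but new connections arriving inside the tunnel still need an explicit input accept. This is an added example, not the poster's configuration. The interface names (wgcloud1, ether1, sfp-sfpplus1-WAN1) are taken from the post; the rule set itself, and the assumption that the cloud pfSense side only ever reaches this router through the tunnel, are mine.

```routeros
# Added example: minimal firewall for a MikroTik WireGuard *client* router
# whose only peer is a cloud pfSense server. Interface names come from the
# post above; the rule selection is an illustration, not the poster's config.

/interface list
add name=WAN
add name=LAN
add name=Wireguard

/interface list member
add interface=sfp-sfpplus1-WAN1 list=WAN
add interface=ether1 list=LAN
add interface=wgcloud1 list=Wireguard

/ip firewall filter
# ---- input chain: packets addressed to the router itself ----
# The router initiates the handshake, so the server's replies arrive as
# established. No inbound WAN rule is needed for the tunnel to come up.
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# A Winbox/SSH session coming *through* the tunnel is a NEW connection from
# this router's point of view, so it must be accepted before the final drop.
# Without this rule the tunnel still forms, but the router is unreachable
# over it.
add chain=input action=accept in-interface-list=Wireguard \
    comment="allow management from the WireGuard network"
add chain=input action=accept in-interface-list=LAN \
    comment="allow LAN to router"
# (Only if the *server* had to initiate handshakes to this router, which is
# not the case behind NAT, would an accept for udp dst-port=<listen-port>
# in-interface-list=WAN be required here.)
add chain=input action=drop comment="drop everything else"

# ---- forward chain: packets routed through the router ----
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# Hosts on the far side of the tunnel may reach this LAN.
add chain=forward action=accept in-interface-list=Wireguard \
    out-interface-list=LAN comment="tunnel -> LAN"
# This LAN may reach whatever the server routes over the tunnel.
add chain=forward action=accept in-interface-list=LAN \
    out-interface-list=Wireguard comment="LAN -> tunnel"
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="defconf: drop all from WAN not DSTNATed"
```

The order matters: the Wireguard-list accept must sit above the unconditional input drop, and the forward chain keeps the default "drop from WAN unless DST-NATed" rule last so that the WireGuard accepts above it never apply to the physical WAN interface. Verify with `/ip firewall filter print stats` while opening a Winbox session over the tunnel; the counter on the "allow management from the WireGuard network" rule should increase, and nothing should hit the final input drop.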

A diagram would be helpful.
My question was more about traffic flow.
Do you have users on the MT devices going somewhere (subnets on other routers or the internet)?
Do you have users visiting the MT devices (from other routers, or perhaps RW or admin)?