Firewall - DNS Open? - Urgent

Hi,

I have a lot of external requests on port 53. I suspect there is an error in my firewall, but I can’t find it. Does anyone see the error?

/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=Level_03
add action=add-src-to-address-list address-list=Level_03 address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 connection-state=new dst-port=45735,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 address-list-timeout=5m chain=input comment=FtB_Level_02 connection-state=new dst-port=45735,8291 protocol=tcp src-address-list=Level_01
add action=add-src-to-address-list address-list=Level_01 address-list-timeout=5m chain=input comment=FtB_Level_01 connection-state=new dst-port=45735,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=established,related
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13241 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=53245 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1443 protocol=tcp src-address-list=local
add action=accept chain=input comment=Accept_DNS dst-port=53 in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp src-address-list=local
add action=accept chain=input comment=MGMT dst-port=45735,8291 in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45735,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=drop chain=forward comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=forward comment=detect_DDoS connection-state=new jump-target=detect_DDoS
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=443 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=5222 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=5060 protocol=udp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.252.253 dst-port=2022 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_CameraNAS connection-nat-state=dstnat dst-address=172.16.1.10 dst-port=5005 protocol=tcp
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=established,related
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN src-address-list=Produktion
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=80,443 out-interface-list=!WAN protocol=tcp src-address-list=Gast
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN src-address-list=Offline
add action=return chain=detect_DDoS dst-limit=128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=30m chain=detect_DDoS
add action=accept chain=forward in-interface=VLAN_99 out-interface=VPNCOMP
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=Company src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=MGMT src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=DMZ src-address-list=Remote
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=Company src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=Music src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=IOT src-address-list=Music
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list=Company src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Music dst-address-list=Music src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BB src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BO src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_IOT dst-address-list=IOT src-address-list=Wireguard
add action=accept chain=forward dst-address-list=IOT src-address-list=Company
add action=accept chain=forward dst-address-list=Company src-address-list=IOT
add action=accept chain=forward log=yes log-prefix=AAAAAAAAAA src-address-list=MGMT
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list=DIMA src-address-list=Wireguard
add action=accept chain=forward comment=Accept_Local src-address-list=local
add action=drop chain=forward comment=Drop_Rest_all

Forgot to mention something else. When I do an external port scan, port 53 is closed.

172.16.2.20 is my WAN port. I have a modem in front of it with Expost Host.

Connection List:

413    C      udp      93.113.159.82:55980   172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
414    C      udp      93.113.159.54:25223   172.16.2.20:53                    1s               0bps      0bps            2            0             142               0
415    C      udp      160.20.21.21:443      172.16.2.20:53                    1s               0bps      0bps            1            0              48               0
416    C      udp      143.92.35.106:31110   172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
417    C      udp      179.125.46.114:443    172.16.2.20:53                    1s               0bps      0bps            1            0              57               0
418    C      udp      179.125.44.16:443     172.16.2.20:53                    3s               0bps      0bps            2            0              96               0
419    C      udp      122.189.171.111:36052 172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
420    C      udp      160.20.20.183:443     172.16.2.20:53                    1s               0bps      0bps            1            0              48               0
421    C      udp      143.92.35.106:19122   172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
422    C      udp      93.113.159.86:17100   172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
423    C      udp      179.125.46.125:443    172.16.2.20:53                    1s               0bps      0bps            1            0              57               0
424    C      udp      156.234.127.190:62084 172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
425    C      udp      93.113.159.186:56850  172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
426    C      udp      143.92.35.106:33241   172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
427    C      udp      156.234.127.190:18209 172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
428    C      udp      192.250.255.40:44021  172.16.2.20:53                    1s               0bps      0bps            1            0              71               0
429    C      udp      93.113.159.150:62256  172.16.2.20:53                    1s               0bps      0bps            1            0              71               0

Hello!

I think… this rule might be the problem:

add action=accept chain=input comment=CAPsMAN_localhost

Its amazing to me how a config full of bogus crap and designed to block all traffic but little focus on allowed traffic and built upon fear, has the one rule that leaves the front door wide open. Almost comical. I would add its harder to see such simple errors with such an overly busy and complex firewall ruleset.

Truth is the default ruleset is actually better that this monster.
Your best bet is to simplify and ensure there is no access to the input chain from the outside period.
If you want to remotely access the config, use vpn.


Highly suggest you scrap the crap and use this is a basis…

/ip firewall filter
{Input Chain}
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input in-interface-list=Authorized src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \ 
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"  { last rule to add as this will cut off access to router if above rules not in place }
{forward chain}
(default rules to keep)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat  { disable or remove if not required }
add action=drop chain=forward comment="drop all else"

Note1: Use VPN to access router remotely, place required input chain rules as first of user rules…
Note2: Use firewall address list Authorized to permit only admin to access router for config purposes ( static dhcp leases and any fixed vpn IP addresses )
Note3: To add required traffic use the forward chain and insert prior to the last drop all rule!

thank you, that really helped.
Would that be better then?

add action=accept chain=input comment=CAPsMAN_localhost disabled=yes dst-port=5246 protocol=udp
add action=accept chain=input comment=CAPsMAN_localhost disabled=yes dst-port=5247 protocol=udp

What do strangers actually benefit from using my router as a DNS server?

I paid for that crap
I sought help from a Mikrotik specialist for the firewall rules and paid him for it.

Can you maybe help me with that then?

You should ask for a refund…
Clearly you seem to need
a. some VPN connectivity to config router and for workers to access local addresses? → wireguard is best and if only that I can help as limited for other types
b. clean firewall rules, which are usually accomplished by a clear set of what traffic should be allowed, simple! as the drop all rules at the end of the firewall rules provided get rid of the rest for you.
c. maybe some port forwarding if you have servers behind the router.
d. maybe some ip routes and wan connections to consider

Devil is in the details, assuming you have one bridge and a number of vlans to distribute.

I’ll ask for a refund.
I am willing to learn and also pay for a good service provider. But how are you supposed to know which one is good?

I’m not completely ignorant, but I don’t really understand a few firewall rules.

We all use Wireguard, that’s no problem.

I usually have a bridge and up to 20 VLANs.
For example, the guest network should only use ports 80 and 443, there are some machines in the production network that are not allowed to be online, etc.

Can you help me work through this?

######Here I wanted to fend off DDOS attacks
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=Level_03
add action=add-src-to-address-list address-list=Level_03 address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 address-list-timeout=5m chain=input comment=FtB_Level_02 connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=Level_01
add action=add-src-to-address-list address-list=Level_01 address-list-timeout=5m chain=input comment=FtB_Level_01 connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=established,related

######we have many Wireguard VPNs, hence 3 interfaces
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13241 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=53245 in-interface-list=WAN protocol=udp

######We also have a few Ipsec tunnels, which are gradually being replaced by wireguard.
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp

######We query SNMP via the VPN, therefore with list
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp src-address-list=local

######Https on the MIkrotik from Intern
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 protocol=tcp src-address-list=local

######To allow DNS requests from internally, from the networks with the list
add action=accept chain=input comment=Accept_DNS dst-port=53 in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp src-address-list=local

######SSH has a different port and Winbox allows it. I already understood, I won't allow blocking from the Internet anymore, right?
add action=accept chain=input comment=MGMT dst-port=45131,8291 in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp

######If a router has WiFi and Capsman can be addressed. Here I have already adapted the rule with 127.0.0.1. I didn't even think of limiting it like that
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=drop chain=forward comment=Drop_detect_DDoS connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=forward comment=detect_DDoS connection-state=new jump-target=detect_DDoS

######this is forward to Opnsense (HA Proxy)
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=443 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5222 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=5060 protocol=udp
add action=accept chain=forward comment=Accept_forward_from_dst-nat_to_OPNsense connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=2022 protocol=tcp

add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=established,related

######These PCs are only allowed to access the Internet and not the LAN
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN src-address-list=Produktion

######Guest LAN may only use ports 80 and 443
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=80,443 out-interface-list=!WAN protocol=tcp src-address-list=Gast

##### This PCs are Offline
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN src-address-list=Offline

#####DDos Rules
add action=return chain=detect_DDoS dst-limit=128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=30m chain=detect_DDoS
add action=accept chain=forward in-interface=VLAN_99 out-interface=VPNCOMP

Here are the VLAN networks, what is allowed from A to B, etc.
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=Company src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=MGMT src-address-list=Remote
add action=accept chain=forward comment=Accept_Remote_to_Company dst-address-list=DMZ src-address-list=Remote
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=Company src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=Music src-address-list=IOT
add action=accept chain=forward comment=Drop_IOT_to_Company dst-address-list=IOT src-address-list=Music
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid

#####Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list=Company src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Music dst-address-list=Music src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BB src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_DMZ dst-address-list=DMZ_BO src-address-list=Wireguard
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_IOT dst-address-list=IOT src-address-list=Wireguard
add action=accept chain=forward dst-address-list=IOT src-address-list=Company
add action=accept chain=forward dst-address-list=Company src-address-list=IOT
add action=accept chain=forward log=yes  src-address-list=MGMT
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company dst-address-list= src-address-list=Wireguard
add action=accept chain=forward comment=Accept_Local src-address-list=local
add action=drop chain=forward comment=Drop_Rest_all

Exposed DNS might be possibly abused for a DDoS attack: https://www.cloudflare.com/learning/ddos/dns-flood-ddos-attack/

I would suggest starting with getting familiar with the packet flow in RouterOS: https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS
Then learning firewalling in general.
You can try contacting a local consultant (https://mikrotik.com/consultants) and asking him/her for a basic firewall training. MTCNA certification and higher trainings is not mandatory, you can learn without them.

1. Decide on interface lists required.
   Typically use interface lists for two or more whole subnets ( single subnets can be identified by address )
   one for all subnets requiring internet W-Internet
   one for all subnets requiring access to local DNS services usually LAN subnet
   One interface for the Managment vlan (or the trusted VLAN or trusted interface that includes admins)
   Use firewall address list whenever you have less than a full subnet needing to be identified, could be a single subnet or users/devices from various subnets ( with or without entire subnet).

Take the firewall rules provided and massage:::::::

add the wireguard interfaces required just under the input chain default rules - why so many?
Define your list of admin IPs be it from fixed static leases (local) or wireguard IPs (remote) name of list=Authorized and create the firewall address list!!

In forward chain use appropriate interface list for WAN access
Add any rules where you need access between vlans before the last drop rule. or user to devices etc…
Typically admin needs access to all vlans aka src-address-list=Authorized out-interface-list=LAN

Simplify where possible.
FROM:
add action=accept chain=input comment=Wireguard dst-port=13240 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=13241 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=53245 in-interface-list=WAN protocol=udp

TO:
add action=accept chain=iinput comment=“wireguard handshake ports” dst-ports=13240,13241,53245 protocol=udp


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Give it a go and post the complete config here for review.
/export file=anynameyouwish (minus router serial #, public WANIP information, keys etc…

Assuming wireguard server for the router and all incoming remote users?
Assuming single WAN, nothing complex ??

Hi,
Sorry, I didn’t have time again.
I tried it once, but I’m not sure if it’s really any better. Can you please take a look at this?

add action=drop chain=input comment="Drop_detect_DDoS" connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment="detect_DDoS" connection-state=new jump-target=detect_DDoS
add action=drop chain=input comment="Drop_FtB_Level_03" src-address-list=Level_03
add action=add-src-to-address-list address-list=Level_03 address-list-timeout=none-dynamic chain=input comment="FtB_Level_03" connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=Level_02
add action=add-src-to-address-list address-list=Level_02 address-list-timeout=5m chain=input comment="FtB_Level_02" connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=Level_01
add action=add-src-to-address-list address-list=Level_01 address-list-timeout=5m chain=input comment="FtB_Level_01" connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment="Accept_Est_und_Rel" connection-state=established,related

add action=accept chain=input comment="Wireguard" dst-port=13240,13241,53245 in-interface-list=WAN protocol=udp

add action=accept chain=input comment="IPsec-ESP" protocol=ipsec-esp
add action=accept chain=input comment="L2TP" dst-port=500,4500 protocol=udp

add action=accept chain=input comment="SNMP" dst-port=161 protocol=udp src-address-list=local
add action=accept chain=input comment="HTTPS_ROUTER_Intern" dst-port=1449 protocol=tcp src-address-list=local
add action=accept chain=input comment="Accept_DNS" dst-port=53 in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp src-address-list=local

add action=accept chain=input comment="MGMT" dst-port=45131,8291 in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment="MGMT" dst-port=45131,8291 protocol=tcp

add action=accept chain=input comment="CAPsMAN_localhost" dst-address=127.0.0.1
add action=drop chain=input comment="Drop_Invalid" connection-state=invalid
add action=drop chain=input comment="Drop_Rest_all"

add action=accept chain=forward comment="Accept_forward_from_dst-nat_to_OPNsense" connection-nat-state=dstnat dst-address=192.168.152.253 dst-port=443,5222,5061,5060,2022 protocol=tcp,udp

add action=accept chain=forward comment="Accept_Remote_to_Company" dst-address-list=Company src-address-list=Remote
add action=drop chain=forward comment="Drop_IOT_to_Company" dst-address-list=Company src-address-list=IOT

add action=accept chain=forward comment="Accept_Est_und_Rel" connection-state=established,related
add action=drop chain=forward comment="Only_Internet" out-interface-list=!WAN src-address-list=Produktion
add action=drop chain=forward comment="GUEST_ONLY_INTERNET" dst-port=!80,443 out-interface-list=!WAN protocol=tcp src-address-list=Gast
add action=drop chain=forward comment="NO_INTERNET" out-interface-list=WAN src-address-list=Offline
add action=accept chain=forward comment="Wireguard_Roadwarrior_auf_Company" dst-address-list=Company src-address-list=Wireguard
add action=drop chain=forward comment="Drop_Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop_Rest_all"

add action=return chain=detect_DDoS dst-limit=128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=30m chain=detect_DDoS

oh, I forgot something. I still close the management networks and only allow this via VPN. But I would like to replace the firewall 1 to 1 in the first step and then the VPNs come in the second step.

I dont comment on partial configs.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys, long lease lists etc…)

sorry I didn’t get to it sooner.
Keys are wrong
Here’s an entire router:

# 2023-11-27 20:51:13 by RouterOS 7.12.1

/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz frequency="" name=\
    5Ghz-Channels skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE priority=0x7000
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=WAN4
/interface l2tp-client
add allow-fast-path=yes connect-to=vpn.test.com disabled=no name=l2tp-DM \
    user=APV01
/interface wireguard
add listen-port=13239 mtu=1420 name=wireguard-VPN
add listen-port=40231 mtu=1420 name=wireguardStS_DIM
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=FIRMA interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GAST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=TELEFON interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
/caps-man datapath
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    FIRMA vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=FIRMA
add authentication-types=wpa2-psk encryption=aes-ccm name=GAST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
/caps-man configuration
add channel=2.4Ghz-Channels country=etsi datapath=FIRMA installation=indoor \
    mode=ap name=V012GHZ security=FIRMA ssid=AP-Netz
add channel=5Ghz-Channels country=etsi datapath=FIRMA installation=indoor \
    mode=ap name=V015GHZ security=FIRMA ssid=AP-Netz
add channel=2.4Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=V022GHZ security=GAST ssid=AP-Gast
add channel=5Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=V025GHZ security=GAST ssid=AP-Gast
add channel=2.4Ghz-Channels country=germany datapath=HOTSPOT mode=ap name=\
    V042GHZ security=HOTSPOT ssid=WLAN_HOTSPOT_SSID
add channel=5Ghz-Channels country=germany datapath=HOTSPOT mode=ap name=\
    V045GHZ security=HOTSPOT ssid=WLAN_HOTSPOT_SSID
add channel=2.4Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=V052GHZ security=PRIVAT ssid=AP-Team
add channel=5Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=V055GHZ security=PRIVAT ssid=AP-Team
/interface list
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.9.5-10.99.9.253
add name=FIRMA ranges=192.168.9.20-192.168.9.250
add name=GAST ranges=10.178.1.10-10.178.1.100
add name=DMZ ranges=10.178.2.10-10.178.2.20
add name=HOTSPOT ranges=10.178.3.10-10.178.3.100
add name=PRIVAT ranges=192.168.114.10-192.168.114.100
add name=LTE ranges=10.178.4.10-10.178.4.20
add name=BACKUP01 ranges=10.178.5.5-10.178.5.10
add name=BACKUP02 ranges=10.178.6.10-10.178.6.20
add name=TELEFON ranges=10.178.7.10-10.178.7.100
add name=IOT ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=MGT interface=VLAN_99 lease-time=1w10m name=MGT
add address-pool=FIRMA interface=VLAN_100 lease-time=1w10m name=FIRMA
add address-pool=GAST interface=VLAN_200 lease-time=1h name=GAST
add address-pool=DMZ interface=VLAN_300 lease-time=1d10m name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 lease-time=1d10m name=HOTSPOT
add address-pool=PRIVAT interface=VLAN_500 lease-time=1d10m name=PRIVAT
add address-pool=LTE interface=VLAN_600 lease-time=1d10m name=LTE
add address-pool=BACKUP01 interface=VLAN_700 lease-time=1d10m name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 lease-time=1d10m name=BACKUP02
add address-pool=TELEFON interface=VLAN_900 lease-time=1d10m name=TELEFON
add address-pool=IOT interface=VLAN_1000 lease-time=1d10m name=IOT
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add max-limit=8M/8M name=queue-Gast target=10.178.1.0/24
/snmp community
add addresses=192.168.254.0/24,10.16.0.0/16,10.99.0.0/16,10.10.9.0/24 \
    authentication-protocol=SHA1 encryption-protocol=AES name=snmpv3DIM \
    security=private
/user-manager user
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:300,Tunnel-Type:13 comment=\
    Macbook disabled=yes name=22:E0:4C:A4:91:76
add attributes=Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:99,Tunnel-Type:13 \
    comment=Kamera disabled=yes name=EC:71:DB:EA:51:FD
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:100,Tunnel-Type:13 comment=\
    TV disabled=yes name=7C:0A:3F:FB:B6:2A
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-75..115 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    V012GHZ name-format=prefix-identity slave-configurations=V022GHZ,V052GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    V015GHZ name-format=prefix-identity slave-configurations=V025GHZ,V055GHZ
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN4 list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add interface=WAN3 list=WAN
add interface=wireguard-VPN list=VLAN
/interface wireguard peers
add allowed-address=192.168.85.4/32 comment="Test User" disabled=yes \
    interface=wireguard-VPN public-key=\
    "AnZ146qo6tS+n9elKeqToC4cmXjfGU7BaN6MHwCZjU0="
add allowed-address=\
    10.10.9.254/32,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \
    comment=PeerStS_DIM disabled=yes endpoint-address=vpn.test.com \
    endpoint-port=40231 interface=wireguardStS_DIM persistent-keepalive=25s \
    public-key="VREJdyp/MYXh17rtaOsWU8a/mCXdoTc953D39TIvWk0="
/ip address
add address=10.99.9.254/24 interface=VLAN_99 network=10.99.9.0
add address=192.168.9.1/24 interface=VLAN_100 network=192.168.9.0
add address=10.178.1.254/24 interface=VLAN_200 network=10.178.1.0
add address=10.178.2.254/24 interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 interface=VLAN_400 network=10.178.3.0
add address=192.168.114.254/24 interface=VLAN_500 network=192.168.114.0
add address=10.178.4.254/24 interface=VLAN_600 network=10.178.4.0
add address=10.178.5.254/24 interface=VLAN_700 network=10.178.5.0
add address=10.178.6.254/24 interface=VLAN_800 network=10.178.6.0
add address=10.178.7.254/24 interface=VLAN_900 network=10.178.7.0
add address=192.168.1.254/24 interface=VLAN_1000 network=192.168.1.0
add address=192.168.85.254/24 interface=wireguard-VPN network=192.168.85.0
add address=10.10.9.9/24 interface=wireguardStS_DIM network=10.10.9.0
add address=192.168.2.254/24 disabled=yes interface=VLAN_1000 network=\
    192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=WAN1
add disabled=yes interface=WAN2
/ip dhcp-server network
add address=10.99.9.0/24 dns-server=10.99.9.254 gateway=10.99.9.254
add address=10.178.1.0/24 dns-server=8.8.8.8 gateway=10.178.1.254
add address=10.178.2.0/24 dns-server=10.178.2.254 gateway=10.178.2.254
add address=10.178.3.0/24 dns-server=10.178.3.254 gateway=10.178.3.254
add address=10.178.4.0/24 dns-server=10.178.4.254 gateway=10.178.4.254
add address=10.178.5.0/24 dns-server=10.178.5.254 gateway=10.178.5.254
add address=10.178.6.0/24 dns-server=10.178.6.254 gateway=10.178.6.254
add address=10.178.7.0/24 dns-server=10.178.7.254 gateway=10.178.7.254
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.254
add address=192.168.9.0/24 dns-server=192.168.9.5 domain=apv.local gateway=\
    192.168.9.1
add address=192.168.114.0/24 dns-server=192.168.114.254 gateway=\
    192.168.114.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.9.11 name=ad-server
/ip firewall address-list
add address=10.99.0.0/16 list=local
add address=192.168.9.0/24 list=local
add address=10.178.1.0/24 list=local
add address=10.178.2.0/24 list=local
add address=10.178.3.0/24 list=local
add address=192.168.114.0/24 list=local
add address=10.178.4.0/24 list=local
add address=10.178.5.0/24 list=local
add address=10.178.6.0/24 list=local
add address=10.178.7.0/24 list=local
add address=10.178.8.0/24 list=local
add list=local
add address=8.8.8.8 list=DNS
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=vpn2.test.com list=local
add address=vpn.test.com list=local
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
add address=192.168.155.0/24 list=local
add address=192.168.85.0/24 list=local
add list=192.168.249.0/24
add address=10.10.9.0/24 list=local
add address=192.168.1.0/24 list=local
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new \
    jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=\
    Level_03
add action=add-src-to-address-list address-list=Level_03 \
    address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 \
    address-list-timeout=5m chain=input comment=FtB_Level_02 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_01
add action=add-src-to-address-list address-list=Level_01 \
    address-list-timeout=5m chain=input comment=FtB_Level_01 \
    connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Wireguard dst-port=13240,13241,53245 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address-list=local
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 \
    protocol=tcp src-address-list=local
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp \
    src-address-list=local
add action=accept chain=input comment=MGMT dst-port=45131,8291 \
    in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
    in-interface-list=!WAN protocol=udp src-address-list=local
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    src-address-type=local
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-port=13239 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="FIRMA Port | WireGuard-Zugriff" \
    dst-port=40231 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=192.168.85.254 in-interface=wireguard-VPN log=yes log-prefix=\
    Wireguard
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=10.10.9.254 in-interface=wireguardStS_DIM log=yes log-prefix=\
    Wireguard
add action=drop chain=input comment="Drop everything else" log=yes \
    log-prefix="IN DROP REST -> "
add action=accept chain=forward comment=\
    "WireGuard-VPN -> VLAN_100 | Netzwerkzugriff" dst-address=\
    !192.168.85.0/24 in-interface=wireguard-VPN out-interface=VLAN_100
add action=accept chain=forward comment=\
    "WireGuard-VPN COMPANY | alle VLAN Netzwerkzugriff" dst-address=\
    !10.10.9.0/24 in-interface=wireguardStS_DIM out-interface=all-vlan
add action=accept chain=forward dst-address-list=192.168.254.0/24 \
    src-address-list=192.168.9.0/24
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=Company src-address-list=Remote
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    Company src-address-list=IOT
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=forward comment=Starface dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=5060 protocol=udp
add action=accept chain=forward comment=Starface dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=10000-13239 \
    protocol=udp
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN \
    src-address-list=Produktion
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=!80,443 \
    out-interface-list=!WAN protocol=tcp src-address-list=Gast
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN \
    src-address-list=Offline
add action=accept chain=forward comment=Wireguard_Roadwarrior_auf_Company \
    dst-address-list=Company src-address-list=Wireguard
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=drop chain=forward comment=Drop_Rest_all
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!local
add action=return chain=detect_DDoS src-address-list=local
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=udp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-13238 in-interface=WAN1 log=\
    yes protocol=udp to-addresses=192.168.9.20 to-ports=10000-13238
add action=dst-nat chain=dstnat dst-port=5061 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5061
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.254.0/24 gateway=\
    wireguardStS_DIM routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.249.0/24 gateway=\
    wireguardStS_DIM pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.155.0/24 gateway=\
    wireguardStS_DIM pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=188.144.0.0/15 gateway=192.168.9.3 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45735
set www-ssl disabled=no port=1455
set api disabled=yes
/ip ssh
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/radius
add address=10.99.254.1 service=login
/snmp
set contact="COMPANY <mikrotik@test.com>" enabled=yes location=Berlin \
    trap-community=snmpv3AA trap-version=3
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=TestRouter
/system note
set note="COMPANY - Authorized Administrators only. Access to this d\
    evice is monitored." show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add name=schedule1 on-event="/system routerboard :if ( [get current-firmware] \
    != [get upgrade-firmware] ) do={ /system reboot }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=Backup on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=00:00:00
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes
/user aaa
set interim-update=5m use-radius=yes
/user settings
set minimum-categories=3 minimum-password-length=8
/user-manager
set certificate=*0
/user-manager router
add address=10.99.1.251 name=TEST01SW01

(1) Where is bridge vlan-filtering=yes ??
/interface bridge
add name=BRIDGE priority=0x7000

(2) Allowed IPs is not quite right, fixed…
add allowed-address=
10.10.9.0/24,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24
comment=PeerStS_DIM disabled=yes endpoint-address=vpn.test.com
endpoint-port=40231 interface=wireguardStS_DIM persistent-keepalive=25s
public-key=“VREJdyp/MYXh17rtaOsWU8a/mCXdoTc953D39TIvWk0=”

(3) This should be removed. vlan1000 is already identified in the address list 192.168.1…
add address=192.168.2.254/24 disabled=yes interface=VLAN_1000 network=
192.168.2.0

(4) This local list entry for firewall address list is not complete.
add list=192.168.249.0/24

(5) These local list entry makes no sense there is no such vlan or local subent
add address=10.178.8.0/24 list=local
add address=10.99.0.0/16 list=local
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
add address=192.168.155.0/24 list=local

(6) Firewall rules are so full of bloat.
Suggest looking here as a starter, and ONLY, add traffic that needs to flow…
https://forum.mikrotik.com/viewtopic.php?t=180838

(7) Its not clear to me what you are doing with the four WANs wrt IP routes.

Hello

is this so ok?

(1)
/interface bridge
add name=BRIDGE priority=0x7000 vlan-filtering=yes
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1

(2)
Why not Subnet 16?

(3)
What do you mean? where is that twice?

(4)
what is missing here?

(5)
These are our networks, i.e. on the other side of the VPN

(6)
Unfortunately I don’t have the time. Can you please help me with that? First I need a good firewall. We have a lot of problems at the moment.
As I said, I would pay for that too.

(7)
We have customers who have 2 DSL connections and an LTE connection as a backup.
In fact, in 99%, 3 WAN connections would be completely sufficient.

(1) YES, THAT IS THE WAY.

(2) WHAT ARE YOU TALKING ABOUT SUBNET 16? Point #2 was pointing that your allowed Ip 10.10.9.X/32 was wrong… The correct version is blue.

(3) If you look at the config line its clearly an /ip address entry. Its disabled which is good, I am saying just get rid of it.

(4) What do you mean what is missing from this firewall address list entry?? add list=192.168.249.0/24
There is an address but you called it LIST, and there is no actual LIST (aka with a name). Not sure why you find this hard?

(5) WRONG WRONG WRONG… you put them as LOCAL addresses and they are not. You are mixing up remote and local addresses.
I do not know for what purpose.

The only time you should be using firewall address lists is when you have a group of users and not quiite a full subnet, or users from various subnets, with or without whole subents.
If you have full subnets use interface lists instead.

(6) I have litttle time too.

(7) What I meant was to identify the purpose of each WAN, which traffic is intended for which wans etc… So need far more detail.

OK, I’ve revised everything a bit now. Is it more understandable now?

# 2023-12-03 11:21:51 by RouterOS 7.12.1

/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz frequency="" name=\
    5Ghz-Channels skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] disabled=yes name=WAN4
/interface l2tp-client
add allow-fast-path=yes connect-to=vpn.test.de disabled=no name=l2tp-DM \
    user=APV01
/interface wireguard
add comment=test listen-port=40231 mtu=1420 name=WIREGUARD_MGMT
add comment="VPN to 2nd customer location" listen-port=13239 mtu=1420 name=\
    WIREGUARD_VPN01
/interface vlan
add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99
add comment=COMPANY interface=BRIDGE name=VLAN_100 vlan-id=100
add comment=GUEST interface=BRIDGE name=VLAN_200 vlan-id=200
add comment=DMZ interface=BRIDGE name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=BRIDGE name=VLAN_400 vlan-id=400
add comment=PRIVAT interface=BRIDGE name=VLAN_500 vlan-id=500
add comment=LTE interface=BRIDGE name=VLAN_600 vlan-id=600
add comment=BACKUP01 interface=BRIDGE name=VLAN_700 vlan-id=700
add comment=BACKUP02 interface=BRIDGE name=VLAN_800 vlan-id=800
add comment=PHONE interface=BRIDGE name=VLAN_900 vlan-id=900
add comment=IOT interface=BRIDGE name=VLAN_1000 vlan-id=1000
add comment=PRINTER interface=BRIDGE name=VLAN_1100 vlan-id=1100
add comment=SONOS interface=BRIDGE name=VLAN_1200 vlan-id=1200
add comment=CAMERA interface=BRIDGE name=VLAN_1300 vlan-id=1300
add comment=PRODUCTION interface=BRIDGE name=VLAN_1400 vlan-id=1400
add comment=SERVER interface=BRIDGE name=VLAN_1500 vlan-id=1500
add comment=MISCELLANEOUS01 interface=BRIDGE name=VLAN_1600 vlan-id=1600
add comment=MISCELLANEOUS02 interface=BRIDGE name=VLAN_1700 vlan-id=1700
add comment=MISCELLANEOUS03 interface=BRIDGE name=VLAN_1800 vlan-id=1800
add comment=MISCELLANEOUS04 interface=BRIDGE name=VLAN_1900 vlan-id=1900
add comment=MISCELLANEOUS05 interface=BRIDGE name=VLAN_2000 vlan-id=2000
/caps-man datapath
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    COMPANY vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no comment=GUEST \
    local-forwarding=no name=GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=COMPANY
add authentication-types=wpa2-psk encryption=aes-ccm name=GUEST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
/caps-man configuration
add channel=2.4Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY2GHZ security=COMPANY ssid=COMPANY
add channel=5Ghz-Channels country=etsi datapath=COMPANY installation=indoor \
    mode=ap name=COMPANY5GHZ security=COMPANY ssid=COMPANY
add channel=2.4Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST2GHZ security=GUEST ssid=GUEST
add channel=5Ghz-Channels country=etsi datapath=GAST installation=indoor \
    mode=ap name=GUEST5GHZ security=GUEST ssid=GUEST
add channel=2.4Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT2GHZ security=HOTSPOT ssid=HOTSPOT
add channel=5Ghz-Channels country=etsi datapath=HOTSPOT installation=indoor \
    mode=ap name=HOTSPOT5GHZ security=HOTSPOT ssid=HOTSPOT
add channel=2.4Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE2GHZ security=PRIVAT ssid=PRIVATE
add channel=5Ghz-Channels country=etsi datapath=PRIVAT installation=indoor \
    mode=ap name=PRIVATE5GHZ security=PRIVAT ssid=PRIVATE
/interface list
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.9.5-10.99.9.253
add name=COMPANY ranges=192.168.9.20-192.168.9.250
add name=GUEST ranges=10.178.1.10-10.178.1.100
add name=DMZ ranges=10.178.2.10-10.178.2.20
add name=HOTSPOT ranges=10.178.3.10-10.178.3.100
add name=PRIVAT ranges=192.168.114.10-192.168.114.100
add name=LTE ranges=10.178.4.10-10.178.4.20
add name=BACKUP01 ranges=10.178.5.5-10.178.5.10
add name=BACKUP02 ranges=10.178.6.10-10.178.6.20
add name=PHONE ranges=10.178.7.10-10.178.7.100
add name=IOT ranges=192.168.1.10-192.168.1.200
add name=PRODUCTION ranges=192.168.44.10-192.168.44.100
/ip dhcp-server
add address-pool=MGT interface=VLAN_99 lease-time=1w10m name=MGT
add address-pool=COMPANY interface=VLAN_100 lease-time=1w10m name=COMPANY
add address-pool=GUEST interface=VLAN_200 lease-time=1h name=GUEST
add address-pool=DMZ interface=VLAN_300 lease-time=1d10m name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 lease-time=1d10m name=HOTSPOT
add address-pool=PRIVAT interface=VLAN_500 lease-time=1d10m name=PRIVAT
add address-pool=LTE interface=VLAN_600 lease-time=1d10m name=LTE
add address-pool=BACKUP01 interface=VLAN_700 lease-time=1d10m name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 lease-time=1d10m name=BACKUP02
add address-pool=PHONE interface=VLAN_900 lease-time=1d10m name=PHONE
add address-pool=IOT interface=VLAN_1000 lease-time=1d10m name=IOT
add address-pool=PRODUCTION interface=VLAN_1400 lease-time=1d30m name=\
    PRODUCTION
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add max-limit=8M/8M name=queue-Gast target=10.178.1.0/24
/snmp community
add addresses=192.168.254.0/24,10.16.0.0/16,10.99.0.0/16,10.10.9.0/24 \
    authentication-protocol=SHA1 encryption-protocol=AES name=snmpv3DIM \
    security=private
/user-manager user
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:300,Tunnel-Type:13 comment=\
    Macbook disabled=yes name=22:E0:4C:A4:91:76
add attributes=Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:99,Tunnel-Type:13 \
    comment=Kamera disabled=yes name=EC:71:DB:EA:51:FD
add attributes=\
    Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:100,Tunnel-Type:13 comment=\
    TV disabled=yes name=7C:0A:3F:FB:B6:2A
/caps-man access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-75..115 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    COMPANY2GHZ name-format=prefix-identity slave-configurations=\
    GUEST2GHZ,PRIVATE2GHZ,HOTSPOT2GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    COMPANY5GHZ name-format=prefix-identity slave-configurations=\
    GUEST5GHZ,PRIVATE5GHZ,HOTSPOT5GHZ
/interface bridge port
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE interface=sfp-sfpplus1
/interface list member
add comment=DSL interface=WAN1 list=WAN
add comment="DSL Backup" interface=WAN2 list=WAN
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
add comment="LTE Backup" interface=WAN3 list=WAN
add interface=WIREGUARD_VPN01 list=VLAN
/interface wireguard peers
add allowed-address=192.168.85.0/24 comment="2nd Customer Location" \
    interface=WIREGUARD_VPN01 public-key=\
    "BnZ546q66tS+A9elKeqToC5cmXjfGU7AaN6MHwCZjU0="
add allowed-address=\
    10.10.9.254/32,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \
    comment="MGMT test" endpoint-address=vpn.test.de endpoint-port=40231 \
    interface=WIREGUARD_MGMT persistent-keepalive=25s public-key=\
    "XREJdyp/MYRh57rtVOsXU8a/mLXdoTc953D39TIvW60="
/ip address
add address=10.99.9.254/24 interface=VLAN_99 network=10.99.9.0
add address=192.168.9.1/24 interface=VLAN_100 network=192.168.9.0
add address=10.178.1.254/24 interface=VLAN_200 network=10.178.1.0
add address=10.178.2.254/24 interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 interface=VLAN_400 network=10.178.3.0
add address=192.168.114.254/24 interface=VLAN_500 network=192.168.114.0
add address=10.178.4.254/24 interface=VLAN_600 network=10.178.4.0
add address=10.178.5.254/24 interface=VLAN_700 network=10.178.5.0
add address=10.178.6.254/24 interface=VLAN_800 network=10.178.6.0
add address=10.178.7.254/24 interface=VLAN_900 network=10.178.7.0
add address=192.168.1.254/24 interface=VLAN_1000 network=192.168.1.0
add address=192.168.85.254/24 interface=WIREGUARD_VPN01 network=192.168.85.0
add address=10.10.9.9/24 interface=WIREGUARD_MGMT network=10.10.9.0
add address=192.168.44.254/24 interface=VLAN_1400 network=192.168.44.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=DSL interface=WAN1
add comment="BACKUP DSL" interface=WAN2
add comment="LTE BACKUP" interface=WAN3
/ip dhcp-server network
add address=10.99.9.0/24 comment=VLAN99_MGMT dns-server=10.99.9.254 gateway=\
    10.99.9.254
add address=10.178.1.0/24 comment=VLAN200_GUEST dns-server=8.8.8.8 gateway=\
    10.178.1.254
add address=10.178.2.0/24 comment=VLAN300_DMZ dns-server=10.178.2.254 \
    gateway=10.178.2.254
add address=10.178.3.0/24 comment=VLAN400_HOTSPOT dns-server=10.178.3.254 \
    gateway=10.178.3.254
add address=10.178.4.0/24 comment=VLAN600_LTE dns-server=10.178.4.254 \
    gateway=10.178.4.254
add address=10.178.5.0/24 comment=VLAN700_BACKUP01 dns-server=10.178.5.254 \
    gateway=10.178.5.254
add address=10.178.6.0/24 comment=VLAN800_BACKUP02 dns-server=10.178.6.254 \
    gateway=10.178.6.254
add address=10.178.7.0/24 comment=VLAN900_PHONE dns-server=10.178.7.254 \
    gateway=10.178.7.254
add address=192.168.1.0/24 comment=VLAN1000_IOT dns-server=8.8.8.8 gateway=\
    192.168.1.254
add address=192.168.9.0/24 comment=VLAN100_COMPANY dns-server=192.168.9.5 \
    domain=test.local gateway=192.168.9.1
add address=192.168.114.0/24 comment=VLAN500_PRIVATE dns-server=\
    192.168.114.254 gateway=192.168.114.254
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add comment="Black List (SSH)" list="Black List (SSH)"
add comment="Black List (Winbox)" list="Black List (Winbox)"
add comment="Black List (Port Scanner WAN)" list=\
    "Black List (Port Scanner WAN)"
add comment="Black List (Port Scanner LAN)" list=\
    "Black List (Port Scanner LAN)"
add address=m.test.de list=MGMT
add address=vpn.test.de list=MGMT
add address=192.168.254.0/24 list=MGMT
add address=192.168.155.0/24 list=MGMT
add address=10.178.1.0/24 list=DNS
add address=192.168.9.0/24 list=DNS
add address=10.99.9.0/24 list=DNS
add address=10.178.7.0/24 list=DNS
add address=192.168.9.0/24 list=COMPANY
add address=192.168.1.0/24 list=IOT
add address=192.168.44.0/24 list=PRODUCTION
add address=10.178.1.0/24 list=GUEST
add address=192.168.9.10 list=OFFLINE
add address=127.0.0.1 list=FIREWALL
add address=192.168.85.0/24 list=REMOTE
add address=10.10.9.0/24 list=MGMT
add address=10.178.2.0/24 list=OFFLINE
add address=10.178.5.0/24 list=OFFLINE
add address=10.178.6.0/24 list=OFFLINE
/ip firewall filter
add action=drop chain=input comment=Drop_detect_DDoS connection-state=new \
    dst-address-list=ddosed src-address-list=ddoser
add action=jump chain=input comment=detect_DDoS connection-state=new \
    jump-target=detect_DDoS
add action=drop chain=input comment=Drop_FtB_Level_03 src-address-list=\
    Level_03
add action=add-src-to-address-list address-list=Level_03 \
    address-list-timeout=none-dynamic chain=input comment=FtB_Level_03 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_02
add action=add-src-to-address-list address-list=Level_02 \
    address-list-timeout=5m chain=input comment=FtB_Level_02 \
    connection-state=new dst-port=45131,8291 protocol=tcp src-address-list=\
    Level_01
add action=add-src-to-address-list address-list=Level_01 \
    address-list-timeout=5m chain=input comment=FtB_Level_01 \
    connection-state=new dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=input comment=Wireguard dst-port=13240,13241,53245 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=IPsec-ESP protocol=ipsec-esp
add action=accept chain=input comment=L2TP dst-port=500,4500 protocol=udp
add action=accept chain=input comment=SNMP dst-port=161 protocol=udp \
    src-address-list=MGMT
add action=accept chain=input comment=HTTPS_ROUTER_Intern dst-port=1449 \
    protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=Accept_DNS dst-port=53 \
    in-interface-list=!WAN log=yes log-prefix=DNS protocol=udp \
    src-address-list=DNS
add action=accept chain=input comment=MGMT dst-port=45131,8291 \
    in-interface-list=!WAN protocol=tcp src-address-list=MGMT
add action=accept chain=input comment=MGMT dst-port=45131,8291 protocol=tcp
add action=accept chain=input comment=CAPsMAN_localhost dst-address=127.0.0.1
add action=drop chain=input comment=Drop_Invalid connection-state=invalid
add action=drop chain=input comment=Drop_Rest_all
add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \
    in-interface-list=!WAN protocol=udp src-address-list=FIREWALL
add action=accept chain=input comment="CAPsMAN accept all local traffic" \
    src-address-type=local
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-port=13239 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="FIRMA Port | WireGuard-Zugriff" \
    dst-port=40231 log=yes log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=192.168.85.254 in-interface=WIREGUARD_VPN01 log=yes \
    log-prefix=Wireguard
add action=accept chain=input comment="WAN -> FW | WireGuard-Zugriff" \
    dst-address=10.10.9.254 in-interface=WIREGUARD_MGMT log=yes log-prefix=\
    Wireguard
add action=drop chain=input comment="Drop everything else" log=yes \
    log-prefix="IN DROP REST -> "
add action=accept chain=forward comment=\
    "WireGuard-VPN -> VLAN_100 | Network Access" dst-address=\
    !192.168.85.0/24 in-interface=WIREGUARD_VPN01 out-interface=VLAN_100
add action=accept chain=forward comment=\
    "WireGuard-VPN test | all VLAN Network Access" dst-address=\
    !10.10.9.0/24 in-interface=WIREGUARD_MGMT out-interface=all-vlan
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=REMOTE
add action=accept chain=forward comment=Accept_Remote_to_Company \
    dst-address-list=COMPANY src-address-list=MGMT
add action=drop chain=forward comment=Drop_IOT_to_Company dst-address-list=\
    COMPANY src-address-list=IOT
add action=accept chain=forward comment=Accept_Est_und_Rel connection-state=\
    established,related
add action=accept chain=forward comment=Starface dst-port=5060 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=5060 protocol=udp
add action=accept chain=forward comment=Starface dst-port=5061 protocol=tcp
add action=accept chain=forward comment=Starface dst-port=10000-13239 \
    protocol=udp
add action=drop chain=forward comment=Only_Internet out-interface-list=!WAN \
    src-address-list=PRODUCTION
add action=drop chain=forward comment=GUEST_ONLY_INTERNET dst-port=!80,443 \
    out-interface-list=!WAN protocol=tcp src-address-list=GUEST
add action=drop chain=forward comment=NO_INTERNET out-interface-list=WAN \
    src-address-list=OFFLINE
add action=drop chain=forward comment=Drop_Invalid connection-state=invalid
add action=drop chain=forward comment=Drop_Rest_all
add action=return chain=detect_DDoS dst-limit=\
    128,128,src-and-dst-addresses/20s src-address-list=!COMPANY
add action=return chain=detect_DDoS src-address-list=COMPANY
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    30m chain=detect_DDoS
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    30m chain=detect_DDoS
add action=accept chain=input comment=\
    "Allow existing and related connections" connection-state=\
    established,related
add action=drop chain=input comment="Blockiere ungltige Verbindungen" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP (Ping)" protocol=icmp
add action=drop chain=input comment="Block than others from WAN" \
    in-interface-list=WAN
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=WAN1 log=yes \
    protocol=udp to-addresses=192.168.9.20 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000-13238 in-interface=WAN1 log=\
    yes protocol=udp to-addresses=192.168.9.20 to-ports=10000-13238
add action=dst-nat chain=dstnat dst-port=5061 in-interface=WAN1 log=yes \
    protocol=tcp to-addresses=192.168.9.20 to-ports=5061
add action=masquerade chain=srcnat comment=DSL out-interface=WAN1
add action=masquerade chain=srcnat comment="DSL Backup" out-interface=WAN2
add action=masquerade chain=srcnat comment="LTE Backup" out-interface=WAN3
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.254.0/24 gateway=\
    WIREGUARD_MGMT routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.249.0/24 gateway=\
    WIREGUARD_MGMT pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.155.0/24 gateway=\
    WIREGUARD_MGMT pref-src="" routing-table=main scope=10 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=188.144.0.0/15 gateway=192.168.9.3 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=45131
set www-ssl disabled=no port=1455
set api disabled=yes
/ip ssh
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/radius
add address=10.99.254.1 service=login
/snmp
set contact="test <mikrotik@test.de>" enabled=yes trap-community=snmpv3test \
    trap-version=3
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system note
set note="test - Authorized Administrators only. Access to this d\
    evice is monitored." show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system scheduler
add name=schedule1 on-event="/system routerboard :if ( [get current-firmware] \
    != [get upgrade-firmware] ) do={ /system reboot }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add interval=1w name=Backup on-event=Backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=1970-01-01 start-time=00:00:00
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes
/user aaa
set interim-update=5m use-radius=yes
/user settings
set minimum-categories=3 minimum-password-length=8
/user-manager
set certificate=*0
/user-manager router
add address=10.99.1.251 name=ROUTER

I will have a look. I am actually hoping that you are understanding the config better and learning as you go and gaining confidence in your own skills!

Observations:

1. You have many vlans identified but not fully configured, assumed this was future plans and removed them from the config for the moment ( noise ).

2. Product vlan not on interface list member of VLAN and also missing from dhpc-server network settings.

3. We can keep fastrack for rest of config and just isolate it for the queue for guest…

4. Firewall rules totally redone, simplified.

5. I do not understand your wireguard situation.
   Can I assume VPN-01 is the case where this router is the server for handshake??? Clients unknown… ( you need to fill in the wireguard blanks here at client device)
   Can I assume VPN MGMT is the case where this router is the client for handshake?? and the Server Router is elsewhere type unknown, wireguard config unknown??? ( you need to fill in the blanks here)

a. for example. this is wrong if VPN01 is acting as a server. Any client from the server should be X/32 for the wireguard associated address. If it was another router with subnets, then one could add the remote subnets as well…
Each client gets its own peer config line!!
/interface wireguard peers
add allowed-address=192.168.85.0/24 comment=“2nd Customer Location”
interface=WIREGUARD_VPN01 public-key= “B0=”

b. for example if VPN MGT means that there is a server elsewhere and this router was acting as a client for handshake…
then your Allowed IPs are wrong. The associated wireguard address to the server should be in the format of subnt 0/24

add allowed-address=
10.10.9.254/32,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24
comment=“MGMT test” endpoint-address=vpn.test.de endpoint-port=40231
interface=WIREGUARD_MGMT persistent-keepalive=25s public-key=“X=”

d. Knowing that you only are required to have an input chain for the listening port IF, IF IF the router is acting as a server for handshake… you should be able to see why this is confusing…
add action=accept chain=input comment=Wireguard dst-port=*13240,13241,53245 *
in-interface-list=WAN protocol=udp

Which tells the reader you think all three wireguard ports, ( and only two identified in the config itself adding to more confusion) are required and thus you have three different wireguard interfaces and the router is acting as server in all three cases.

Thus you need to provide much more clarity for the wireguard requirements!!!