hex as Wireguard client

I’ve got a Mikrotik hex and want to set it up as the Wireguard client and route all the traffic from the local network through the VPN tunnel.

Mikrotik hex
  local:     192.168.88.1
  wireguard: 10.66.66.8
  wan:       192.168.2.10
       |
       |
ISP router (lan-internet) ----- ISP
  192.168.2.1
       |
       |
wireguard server
  external:  63.15.16.17
  wireguard: 10.66.66.1
       |
    internet

I added all the Wireguard settings, set the wireguard interface address to 10.66.66.8 and added new routes:

    dst-address=10.66.66.1/32  gateway=wireguard
    dst-address=0.0.0.0/0      gateway=wireguard

Seems like Wireguard is working correctly, because I can see the connection from 10.66.66.8 on the server and I can also ping 10.66.66.1 from the Mikrotik.
But local traffic is not routed through the Wireguard tunnel for some reason.
How do I find out what’s going on, and how do I fix that?

Here’s all the routes I have:

[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; c - CONNECT, s - STATIC, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY      DISTANCE
0  Xs 0.0.0.0/0        wireguard1          1
1  As 0.0.0.0/0        192.168.2.1         1
2  As 10.66.66.1/32    wireguard1          1
  DAc 10.66.66.8/32    wireguard1          0
  DAc 192.168.2.0/24   ether1              0
  DAc 192.168.88.0/24  bridge              0

Since you want to route all traffic over the tunnel, foresee a route with 0.0.0.0/0 towards gateway wireguard with a distance lower than your default route towards your ISP.

You may also have to increase distance on that default ISP route to make the other one fit in.

I use my hex as a wireguard client behind a CCR1009. Works great.
This link should be read and all the answers are there… (including 3rd party vpn - para 7) - https://forum.mikrotik.com/viewtopic.php?p=906311#p906311
Post your config if you continue to have problems.
BIG THREE

  • peer settings
  • firewall rules (incl. source-nat)
  • ip routes.

I can’t increase the distance of the default route as it’s dynamic and it has distance 1, so I can’t create a rule that has a distance less than it :confused:

Post your hex config
/export file=anynameyouwishexceptlarsa

and post your wireguard settings for the other end which is ??? (another Mt device or third party provider).

(just use a fake number or use letters for actual endpoint IP and port but be consistent so they match up if on both.)

DHCP client, second tab, increase distance



# may/12/2022 20:26:34 by RouterOS 7.2.1
# software id = 6Q3C-KADY
#
# model = RB750Gr3
# serial number = CC210F29A42D
/interface bridge
add admin-mac=DC:2C:6E:AA:EF:43 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=62.63.62.63 \
    endpoint-port=12321 interface=wireguard1 persistent-keepalive=25s \
    public-key="?????="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.8 interface=wireguard1 network=10.66.66.0
/ip dhcp-client
add comment=defconf default-route-distance=2 interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=main suppress-hw-offload=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 pref-src=\
    "" routing-table=main suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



[Interface]
PrivateKey = @@@@@=
Address = 10.66.66.8/32
Address = fd42:42:42::8/128
DNS = 1.1.1.1
DNS = 8.8.8.8

[Peer]
PublicKey = ?????=
PresharedKey = #####=
Endpoint = 62.63.62.63:12321
PersistentKeepalive = 23
AllowedIPs = 0.0.0.0/0
AllowedIPs = ::/0


Actually, the tunnel goes through the DSL router and ISP, but I didn’t show that on the diagram.

Diagram is excellent; it was assumed the separate path to the wireguard server was simply to illustrate its transparent nature through the ISP router etc., once the connection was established.

(1) Minor - IP address needs fixing… This may be purely cosmetic, but it’s recommended on MT devices to provide the standard setup.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.8/24 interface=wireguard1 network=10.66.66.0

(2) My biggest issue is the routing setup. It’s very confusing as you have a private IP from the provider. Why do you have multiple table main routes for the provider??

Are we to assume it’s a fixed IP or not? In any case…
Route-1 ISP = /ip dhcp-client add comment=defconf default-route-distance=2 interface=ether1
Route-2 ISP = add dst-address=0.0.0.0/0 gateway=192.168.2.1

Different distances too… What are you trying to do, give your router an ulcer? :wink:

If it’s a fixed IP, then remove the IP DHCP Client method, add the address of the router in IP address and keep the manual route you have.


/ip address
add address=192.168.2.23/24 interface=ether1 network=192.168.2.0
/routing table add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG
/routing rule add src-address=192.168.88.0/24 action=lookup-only-in-table table=useWG

Note: If you want users to be able to use local ISP if wireguard tunnel goes down then use action=LOOKUP.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So in general one has to take care of
IP routes - DONE
Firewall rules - DONE ( your firewall rules do not block LAN to WG traffic )
WG settings - DONE

BUT SOMETHING IS NOT RIGHT STILL - Let’s think about it; if you had read the reference, you would have picked up on this.
Answer the question ---------------------->
What IPs is the WG server expecting (based on its allowed IPs)?
Correct answer --------------------------->
Yes, it’s expecting all traffic to be from 10.66.66.8/32

So for third party VPNs we also have to consider SOURCE NATTING the traffic entering the tunnel so that it’s accepted at the other end.
Thus add this sourcenat rule.10.66.66.8
add action=masquerade chain=srcnat out-interface=wireguard1

Note: You could also add the wireguard1 interface, to the INTERFACE LIST of WAN and this would have the same effect and would use the current default rule you have in place.
/interface list member
add interface=wireguard1 list=WAN
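Putting the pieces above together, here is the complete set of hex changes as an added example; this is not the configuration of anyone in this thread. Interface names, the useWG table and the addresses follow the thread; it assumes the peer's allowed-address on the server is 10.66.66.8/32, that ether1 gets its address from the ISP router by DHCP, and that the LAN is 192.168.88.0/24.

```routeros
# Added example (not from the thread). Goal: every host in 192.168.88.0/24
# leaves through wireguard1; the router itself keeps using table main so the
# tunnel endpoint stays reachable over the ISP.

# 1. ISP default route stays in table main (installed by the DHCP client);
#    raising its distance keeps it from competing with anything else in main.
/ip dhcp-client
set [ find interface=ether1 ] add-default-route=yes default-route-distance=2

# 2. Tunnel address with a prefix length, as advised above (assumed /24).
/ip address
add address=10.66.66.8/24 interface=wireguard1 network=10.66.66.0

# 3. Separate routing table whose only default route points into the tunnel.
/routing table
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG

# 4. Policy: LAN-sourced packets are looked up in useWG first.
#    action=lookup falls back to table main (ISP) when the tunnel route is
#    unreachable; action=lookup-only-in-table makes LAN traffic stop instead
#    of leaking out via the ISP while the tunnel is down. Pick one.
/routing rule
add src-address=192.168.88.0/24 action=lookup table=useWG

# 5. Source NAT into the tunnel: the server only accepts 10.66.66.8 from this
#    peer, so LAN sources must be rewritten to the wireguard1 address.
/ip firewall nat
add chain=srcnat out-interface=wireguard1 action=masquerade comment="srcnat into WG"

# 6. Checks: route present in useWG, rule active, NAT counters climbing,
#    recent handshake, and a LAN-sourced ping that follows the policy.
/ip route print where routing-table=useWG
/routing rule print
/ip firewall nat print stats
/interface wireguard peers print
/ping 1.1.1.1 src-address=192.168.88.1 count=3
```

One caveat when verifying: packets the router generates itself without a LAN source address (for example DNS lookups its own resolver performs for LAN clients) are not matched by the src-address rule and follow table main, i.e. the ISP path; the src-address=192.168.88.1 ping above is the router-side test that does go through the policy.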

Do I understand correctly that the purpose of adding another routing table is to use it (and not main) for all the traffic from the 192.168.88.0 network? If yes, then why not just use main and route all the traffic to wireguard? Because if wireguard is down, then the main table would be used?

I hadn’t expected that NAT is needed for the wireguard interface, but now it seems obvious that it should be NATed. But I didn’t get whether it is enough to just add the wireguard interface to the WAN list, or whether the firewall rule is still required?

And could you please clarify the rule: it’s just:

/ip/firewall/nat add action=masquerade chain=srcnat out-interface=wireguard1

You’ve mentioned: “add this sourcenat rule.10.66.66.8” – should 10.66.66.8 somehow be the parameter of that rule, or it just based on the out-interface param?

Thank you a lot!

Well yes, how do you suppose your LAN network gets sent out the Wireguard interface unless you tell it to?
The router still needs access via table main for the initial connection etc., and if the wireguard tunnel goes down you may wish to give users the local ISP connection, but that is your choice.
If you use action=lookup, then if the wireguard interface is down the router will search the main table.

Think about it: the allowed IPs at the server is 10.66.66.8, and therefore anything hitting the server with 192.168.88.X will be rejected, so masquerade is required.
You have already identified the IP address of the wireguard interface as 10.66.66.8/24, and thus when you source-nat out the interface, all source IPs will be natted to 10.66.66.8,
which will be accepted by the server. In other words, source-nat takes the IP address of the outgoing interface when you’re masquerading.
Same as your WAN IP …

As stated if you simply add the wireguard interface to the WAN list, then it will do the same thing as creating the second rule.

It works now, thank you so much for help. It seems like the firewall NAT rule was the thing I’ve missed in all my previous trials.

Good evening everyone!
Thanks a lot for this topic - it helps me a lot!

But I have a couple of questions. Can you help me? :wink:

I have a Mikrotik hAP ac.
The network configuration is absolutely the same as described in this topic:

  1. I have an ISP router that provides a DHCP server
  2. My Mikrotik is connected to this router as a DHCP client through ether1 with IP 192.168.2.0/24
  3. ether2,3,4,5 and wlan1 are connected to the bridge and provide normal internet with a DHCP server and IPs 192.168.88.0/24
  4. Configured wireguard_client with the VPN’s gateway 10.66.66.1 and client IP 10.66.66.23.
  5. Configured a separate bridge-wg with only wlan2, with a DHCP server and IPs 192.168.90.0/24 (I want to pass all traffic from wlan2 through the wireguard VPN)

My questions:

  1. When I connect to the Mikrotik’s wlan2 (5 GHz) (where wireguard is configured) I can reach only 60 Mbps download speed. But when I use the same wifi with the wireguard client running on my machine (not on the Mikrotik), I have the full 100 Mbps (the limit of my provider).
    What I found: when the wireguard client runs on the Mikrotik and the speed is limited to 60 Mbps, CPU usage on the Mikrotik is 100%.
    What is it?
    I can’t believe that such an effective protocol as Wireguard has eaten up all the resources at only 60 Mbps!
    Maybe I configured something wrong?
    Can you check my config, maybe something can be optimised? :wink:
  2. I created the IPs 192.168.88.123/24 and 192.168.90.123/24 to be able to ping from one network to the internet. Without creating these IPs I was not able to ping like this: ping 1.1.1.1 src-address=192.168.90.123
    Is it really necessary to create IPs every time for a test?
  3. I created the NAT masquerade for wireguard_client, but when I switch it off everything continues to work (internet via wifi-wlan2-wireguard). Maybe it is not needed?

Thanks a lot for help.
Below you can find my config.



# may/28/2022 23:11:52 by RouterOS 7.2.3
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add admin-mac=11:11:11:11:11:11 auto-mac=no comment=defconf name=bridge
add name=bridge-wg
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=\
    no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=PK-2 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany \
    disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=PK-5 \
    wireless-protocol=802.11
/interface wireguard
add listen-port=11111 mtu=1420 name=wireguard_client
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.90.2-192.168.90.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=bridge-wg name=dhcp1
/routing table
add disabled=no fib name=wg-table
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge-wg comment=defconf interface=wlan2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=111.111.111.111 endpoint-port=11111 interface=\
    wireguard_client persistent-keepalive=23s public-key="some_secret"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.66.66.23/24 interface=wireguard_client network=10.66.66.0
add address=192.168.90.1/24 interface=bridge-wg network=192.168.90.0
add address=192.168.88.123/24 comment="Test from bridge" interface=bridge network=192.168.88.0
add address=192.168.90.123/24 comment="test form wg wifi" interface=bridge-wg network=192.168.90.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard_client
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.66.66.1 routing-table=wg-table \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=\
    udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=\
    546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=\
    bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" \
    ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.66.66.0/24 table=wg-table
add action=lookup-only-in-table disabled=no src-address=192.168.90.0/24 table=wg-table
/system clock
set time-zone-name=Europe/Berlin

1 best to start your own new thread, referencing this one
2 wireguard is 100% cpu, no hw offloading.
3 cpu on hap ac is less performant than hex, so what you see can be perfectly normal for that device.

What is server and what is client in this wireguard setup.
a. Hex is MT client?
b. Server is?

The WG Server is VPS. The WG Client - Mikrotik hAP ac.

If I connect to the VPS directly with a client on my machine (MacBook) (wifi from the Mikrotik hAP ac), the speed limit is 100 Mbps (maximum from ISP).
But if I move the WG client to the Mikrotik hAP ac with the configuration in my previous post, the speed limit is 60 Mbps and the CPU is loaded to 100%.
It really looks like CPU limits or some problem with my configuration of the Mikrotik (firewall, routing …)

I tried to include ether5 port to the bridge-wg to connect to the Mikrotik through the cable and reached the same 60mbps limit.
This is not a wireless problem…

Interesting: is it possible to predict the speed with the same configuration for hEX S and RB5009UG+S+IN or RB2011UiAS-2HnD-IN and RB4011iGS+5HacQ2HnD-IN and

When going from VPS to Mac, hap ac only transfers data. It does this well.
When using hap ac as endpoint, see my previous remark point 2 and 3.

As far as predicting. I seem to recall someone here already managed to push 1gb using rb4011.

One last question I have. After applying all the rules, Mikrotik web admin interface moved from 192.168.88.1 to 10.66.66.8 no matter that it gives 192.168.88.x to DHCP clients.
Why did that happen? How do I set the address back to 192.168.88.1?

Post latest config please…



# may/30/2022 23:06:58 by RouterOS 7.2.1
# software id = 6Q3C-KADY
#
# model = RB750Gr3
# serial number = CC210F29A42D
/interface bridge
add admin-mac=DC:2C:6E:AA:EF:43 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=12321 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 endpoint-address=62.63.62.63 \
    endpoint-port=12321 interface=wireguard1 persistent-keepalive=23s \
    public-key="="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.8 interface=wireguard1 network=10.66.66.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add
add action=lookup src-address=192.168.88.0/24 table=useWG
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) If you go back to post #8 I told you to fix the IP address of the wireguard… This is assuming that the MT server thinks your assigned IP address is 10.66.66.8/32, correct!

Still not done
add address=10.66.66.8 interface=wireguard1 network=10.66.66.0
Should be
add address=10.66.66.8/24 interface=wireguard1 network=10.66.66.0

(2) Where is the IP route for the router to get to the ISP router? I don’t see add-default-route in IP DHCP client, so you should have made one manually.
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main

(3) Also you have an empty routing rule started… just remove it.
/routing rule
add
add action=lookup src-address=192.168.88.0/24 table=useWG

—> Other than that looks fine on this end…