How do I configure wireguard in new router os 7.1?

My intention is to create a tunnel to my home network, something like Amplify teleport. So, that I can access my home mikrotik. My target is to configure my mikrotik as a wireguard server and all the devices get an IP from the DHCP server. My, router config is :

# dec/21/2021 07:13:27 by RouterOS 7.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xx.xx.xx.xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
# WireGuard server side. Peers reach it on UDP/13231 through the WAN
# interface, so the "Allow Wireguard" accept rule in /ip firewall filter
# (chain=input, dst-port=13231) must stay enabled and sit above the final
# input drop. WireGuard authenticates peers itself and silently discards
# packets that do not complete a handshake, so that rule exposes nothing
# beyond the handshake responder.
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
# WAN uplink; the default route comes from PPPoE, not from the disabled
# DHCP client on ether1 further down.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
# Neither wlan entry above sets security-profile=, so both use this default
# profile. wpa-psk (WPA1) is still accepted alongside wpa2-psk; unless a
# legacy client needs it, authentication-types=wpa2-psk alone is the
# stronger setting.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
# DHCP pools for the bridge LAN (defconf) and the ether5 "pinet" LAN.
# WireGuard clients never get a lease from these: their tunnel address is
# fixed by the peer's allowed-address and by the client-side config.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
# Routing templates/instances look like the stock 7.x defaults; no
# /routing bgp connection or OSPF interface-template appears in this export,
# so nothing is actually peered or advertised. The to_ISP1 table is
# referenced only by routes further down.
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
# All wired ports except ether1 (WAN) and ether5 (pinet), plus both radios,
# are one L2 segment on "bridge".
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
# Neighbor discovery is limited to the LAN list; since Home is made a LAN
# member below, that scope would include the tunnel interface as well.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
# IPv6 is disabled router-wide. The iOS peer config quoted in this thread
# carries an IPv6 address and ::/0 in Allowed IPs; none of that can work
# until IPv6 is enabled here and addressed on Home. Until then the ::/0
# entry on the phone only blackholes the phone's own IPv6 traffic.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
# Putting Home in LAN makes every in-interface-list=LAN rule in the filter
# chains (admin access, port 53, LAN->WAN) apply to tunnel clients, and the
# WAN masquerade then covers their internet traffic. A tunnel client still
# needs its own address in the allowed_to_router list to reach the router.
add interface=Home list=LAN
# No allowed-address is set on this peer. WireGuard only accepts packets
# from a peer whose source address lies inside its allowed-address set, and
# only sends a peer the destinations in that set; as written this peer can
# neither send nor receive through the tunnel. The thread later adds
# allowed-address=10.0.20.20/32.
/interface wireguard peers
add interface=Home public-key="xxxxxxxxx"
# No address is assigned to Home in this export, so the router has no
# tunnel-side IP that a client could use as gateway or DNS server.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
# Publishes the WAN address under the router's cloud DDNS name; presumably
# this is what the iOS peer's Endpoint (mydyndns.whatever:13231) resolves.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

# Bridge clients are pointed at the Pi-hole on the other LAN
# (192.168.188.25); that depends on the inter-LAN accept rules in the
# forward chain staying in place.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
# This /32 entry hands 192.168.188.25 a gateway in a different subnet
# (192.168.88.1), which that host cannot use; the thread concludes the
# Pi-hole is not a DHCP client and removes the entry.
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
# allow-remote-requests=yes turns the router into a resolver for anything
# that can reach port 53 on it. That is only safe because the input chain
# accepts port 53 from the LAN list alone and ends in an unconditional drop;
# keep that final drop rule. Upstream is DoH to Cloudflare with certificate
# verification on.
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
# The two cloudflare-dns.com entries appear to pin the DoH hostname so it
# can be resolved before DoH itself is usable (bootstrap); the same two IPs
# show up again as gateways in /ip route below.
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
# Source addresses permitted to manage the router (used by the "Allow ADMIN
# to Router" rule). The WireGuard client has no entry here yet, so even with
# Home in the LAN list a tunnel client cannot reach router services.
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# WireGuard handshakes arrive on the WAN interface (pppoe-out1), not on
# Home, so this is the only rule that lets them in; the LAN-scoped admin
# rule below cannot stand in for it. It must remain enabled and above the
# final drop.
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
# Management access: LAN-listed interface AND a source in allowed_to_router.
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
# `port=` matches either the source OR the destination port, so these two
# rules also accept any LAN packet whose source port happens to be 53.
# `dst-port=53` is the intended, narrower match for the router's resolver.
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
# Everything else addressed to the router itself is dropped, from every
# interface including WAN; this is what keeps the open resolver and the
# management ports off the internet.
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack only matches established/related flows; the first packet of a
# new connection continues down the chain, so interface-specific accept
# rules may sit below it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Accepts any inbound connection that a dst-nat rule has already translated.
# With UPnP enabled further down, any LAN host can create such translations
# without authentication, so this rule plus UPnP is a hole through the
# firewall that the LAN itself controls.
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
# Home is in LAN, so this also gives tunnel clients internet access.
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
# Full bidirectional access between the two LANs. If ether5/pinet exists to
# isolate something, narrow these (e.g. to the Pi-hole address and the DNS
# ports) instead of opening both subnets to each other.
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"
/ip firewall nat
# Masquerades any traffic leaving a WAN-listed interface, whatever the
# source; tunnel clients therefore exit with the router's WAN IP.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Disabled by default; the "bypass" scheduler script enables these when the
# Pi-hole stops answering, redirecting its DNS port to the router's own
# resolver, and disables them again when it recovers.
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1
# The to_ISP1 table carries one enabled default route via 104.16.249.249
# (one of the cloudflare-dns.com static entries) at distance 2; no /routing
# rule appears in this export to steer any traffic into that table, so it
# looks unused and is a candidate for removal. The two disabled host routes
# pin the same addresses via pppoe-out1. Leftover experiments like this are
# worth cleaning up before debugging the tunnel.
/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 routing-table=to_ISP1
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
# Cleartext/legacy management services are off and SSH is on a non-default
# port (redacted). winbox is limited to the bridge subnet, so it is not
# reachable from the tunnel (the thread points this out later). www and
# www-ssl are not listed, so they keep their defaults — check them too.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=xxxx
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
# strong-crypto=yes restricts SSH to modern algorithms. forwarding-enabled=
# remote additionally allows remote port forwarding over SSH sessions, which
# is more than a plain management login needs.
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
# UPnP lets any host on bridge or ether5 open inbound ports on pppoe-out1
# without authentication; together with the dst-nat accept in the forward
# chain it bypasses the firewall policy. Disable it unless one specific
# application needs it (anav raises the same point in the thread).
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
add interface=ether5 type=internal
/system clock
set time-zone-name=Asia/Dhaka
# wireless,debug is very verbose; useful while chasing the iOS wifi drops
# mentioned in the thread, noisy otherwise.
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
# Reboots the router every 2 days. The policy list grants far more than a
# reboot needs (ftp, password, sensitive, sniff, romon ...); a scheduler
# entry should carry only the policies its script actually uses.
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
# Pi-hole health check, every 30s: resolve testDomain against piholeDNS; on
# failure enable the pihole_bypass NAT rules (DNS falls back to the router),
# on success disable them again. The script only touches /ip firewall nat
# and calls :resolve, so password/sensitive/sniff/ftp/romon are not needed
# here either — trim the policy to the minimum that still runs on this box.
add interval=30s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
    nt count-only where comment~\"pihole_bypass\" && disabled]\r\
    \n:local piholeDNS \"192.168.188.25\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$piholeDown > 0 ) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip firewall nat enable [find comment=pihole_bypass];\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip firewall nat disable [find comment=pihole_bypass];\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/21/2021 start-time=05:31:03
/tool bandwidth-server
set enabled=no
# Layer-2 (MAC) management paths are fully off — a sound hardening default.
# A later reply suggests opening mac-winbox on LAN; that reopens MAC-level
# winbox on every LAN-listed interface, so keep it at none unless it is
# relied on for out-of-band recovery.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

My ios configuration is:

Interface: iphone
Public key: xxxxxx
Addresses: 192.168.88.20/24,2001         (note these are different subnet masks than in the server config)
DNS servers: as desired - if you want to use the wireguard server for dns, specify 192.168.66.1

Peer:
Public key - mikrotik public key
Endpoint - mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0

What am I doing wrong? It seems like no traffic is passing through. Also, after updating to RouterOS 7.1 I am seeing the wifi signal dropping on iOS devices: one iOS device shows poor internet while another is on a WhatsApp voice call and a third is struggling to connect.

Hello,
In my practice, I needed a DST-NAT Rule.
wire-router.png
ios-router.png

My target is to configure my mikrotik as a wireguard server and all the devices get an IP from the DHCP server

I don't think it is good practice to use the same IP range on both sides of the tunnel. Try to use a different subnet per network.
Edit: WireGuard doesn't interact with DHCP in any way. You have to use a static IP for your peer to connect.

The mistake you're making is getting too cute with your IP addressing.
Just give the IPHONE a random IP 10.0.20.5/32
Just ensure the wireguard server references the same address.
Then it will work fine.

As for the wireguard server router.
If you want to allow remote access to Configure the router you have two options in the INPUT CHAIN.
a. make a separate rule for wg OR better
b. simply include WG in your current settings.

SINCE YOU HAVE
add action=accept chain=input comment="Allow ADMIN to Router"
in-interface-list=LAN src-address-list=allowed_to_router

Thus ensure

  1. wg interface (by name) is part of the LAN interface member list.
  2. the IP 10.0.20.5/32 is added to the firewall address list of allowed_to_router

BY THE WAY do you really need UPNP… would turn that off if not absolutely necessary.


Next, do you want to allow the WG interface to access your LAN?
add action=accept chain=forward in-interface=WGinterface dst-address=192.168.88.0/24

Not sure why you have two rules; I hardly think you will need to configure your iPhone from the LAN, or print to your iPhone :wink:
As you can see, so far there is no need to assign an IP address or anything to WireGuard.

To ensure all traffic returned from any interface on the router (lan/wan) is sent correctly back through the tunnel to your iphone,
Need:
Dst-address=10.0.20.2/32 gateway=wg interface

Since you have added the WG interface to the LAN interface list,
you will have internet access through the tunnel out of the WAN IP of the router.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thank you @anav & @own3r1138 for replying. Sorry for replying late. I gave the iPhone a random IP:

/interface wireguard
add listen-port=13231 mtu=1420 name=Home
# allowed-address is the crypto-key routing entry for this peer: only
# packets sourced from 10.0.20.20 are accepted from it, and only traffic to
# 10.0.20.20 is sent to it. The iOS "Addresses" field must be this same
# 10.0.20.20 (as a /32), not an address from the 192.168.88.0/24 LAN.
# (public key truncated in the post)
/interface wireguard peers
add allowed-address=10.0.20.20/32 interface=Home public-key=\

For accessing the router I had added :

# The tunnel client's address now satisfies the "Allow ADMIN to Router"
# rule. It only helps once the tunnel is up: that rule matches packets that
# already arrived on a LAN-listed interface (Home), whereas the handshake
# itself arrives on WAN and needs the separate UDP/13231 input accept.
/ip firewall address-list
add address=10.0.20.20 list=allowed_to_router

WireGuard is part of the LAN.
For access I had already included it in the LAN interface list.

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
# Home in LAN: LAN-scoped input/forward rules and the WAN masquerade apply
# to tunnel clients. This covers traffic inside the tunnel only; it does not
# admit the WireGuard handshake, which arrives on pppoe-out1.
add interface=Home list=LAN

I am not sure about this portion:

Not sure why you have two rules; I hardly think you will need to configure your iPhone from the LAN, or print to your iPhone > :wink:
As you can see, so far there is no need to assign an IP address or anything to WireGuard.

It will be nice if you mention the duplicate rules.

# The [color=...] tags are forum highlighting, not RouterOS syntax.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# This rule is now disabled=yes. The WireGuard handshake from the phone
# arrives on pppoe-out1 (WAN), not on Home, so no other rule in this chain
# matches it and the final `add action=drop chain=input` discards every
# UDP/13231 packet — which is exactly the "no traffic in wg interface"
# symptom. Re-enable it (disabled=no). Option b in anav's reply ("include
# WG in your current settings") is about admin access through the tunnel,
# not a replacement for this rule.
[color=#0000FF]add action=accept chain=input comment="Allow Wireguard" disabled=yes \
    dst-port=13231 protocol=udp[/color]
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
# `port=` matches source OR destination port; `dst-port=` is the intended,
# narrower match.
add action=accept chain=input in-interface-list=LAN port=xx protocol=tcp
add action=accept chain=input in-interface-list=LAN port=xx protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Lets tunnel clients into the bridge LAN only. The ether5 LAN
# (192.168.188.0/24, where the Pi-hole lives) is not covered: the inter-LAN
# rules below match src-address=192.168.88.0/24, not 10.0.20.x, so a tunnel
# client querying 192.168.188.25 is dropped by "Drop All Else". Add a second
# rule with dst-address=192.168.188.0/24 if that is wanted.
[color=#0000FF]add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home[/color]
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=xx protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=xx protocol=tcp to-addresses=\
    192.168.88.1
# An `accept` in the dstnat chain only stops further NAT processing for the
# matching packet; it neither permits forwarding nor installs a route, so
# it does nothing useful here and is not the "Dst-address=... gateway=wg"
# route anav described (that belongs in /ip route). Safe to remove.
[color=#0040FF]add action=accept chain=dstnat dst-address=10.0.20.20 in-interface=Home[/color]

To ensure all traffic returned from any interface on the router (lan/wan) is sent correctly back through the tunnel to your iphone,
Need:

Dst-address=10.0.20.2/32 gateway=wg interface

is this the same as

add action=accept chain=dstnat dst-address=10.0.20.20 in-interface=Home

And, finally the address list:

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
# This makes the router's own tunnel address 10.0.20.0 — the all-zeros
# host of the /24. It yields a connected route covering 10.0.20.20, but it
# is an unusual choice; 10.0.20.1/24 is the convention, and whichever
# address is used here is the one the iOS client must target as its DNS
# server / router address through the tunnel.
add address=10.0.20.0/24 interface=Home network=10.0.20.0

Still, not working.

as you practice @anav replay.
I decided to remove my comment to ease your pain.

You were, and still are, missing a route to the client:

# Host route to the client through the tunnel interface, so replies from
# any interface are sent back into Home. Required when Home has no address
# covering 10.0.20.20; redundant (but harmless) once 10.0.20.0/24 is
# assigned to Home, since that connected route already covers it.
/ip route
add dst-address=10.0.20.20/32 gateway=Home

Your original config would additionally have needed proxy ARP on the bridge interface.

@own3r1138 thank you for the reply. That wasn’t necessary. I tried to test your suggestion

add action=accept chain=dstnat dst-address=10.0.20.20 in-interface=Home

but if I change the action from accept to dst-nat, the router requires a port. Needs more tinkering.

Thank you @Sob for the route info. I will add the route and see what happens.

Okay what is weird to me is your dhcp server setup…
The one in orange is extra; I don't see why you have it. It should be removed, I think!!

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 gateway=192.168.88.1 (Bridge network OK!)
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24 (Ether5 network OK!)
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=
192.168.88.1 netmask=24

It just means that client 192.168.188.25 has special config different from others.

Couldn't recall what it was, but here is the post that I made http://forum.mikrotik.com/t/mikrotik-pihole-unbound/148772/1 But I removed the orange one anyway. Probably this is the one http://forum.mikrotik.com/t/alternate-dns-for-specific-ip-on-lan-is-it-possible/125145/1
So, is it ok if I combine this two rules

add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24 
add address=192.168.188.25/32 comment=route dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24

into a single one:

add address=192.168.188.0/24 comment=route dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24

On closer look, that last entry is weird, not just because it exists, but because it gives gateway 192.168.88.1 to 192.168.188.25/24 device, which can’t work. So I guess that 192.168.188.25 doesn’t really use DHCP and you can remove it. Don’t change the second one, that’s ok. But aside from this, it would be ok to have such entry to give different parameters to one client.

@sob lets recap

I said:…
Okay what is weird to me is your dhcp server setup…
The one in orange is extra, dont see why you have it, should be removed I think!!

You said…
It just means that client 192.168.188.25 has special config different from others.

Then you saw the light, and said…
On closer look, that last entry is weird, not just because it exists, but because it gives gateway 192.168.88.1 to 192.168.188.25/24 device, which can’t work. So I guess that 192.168.188.25 doesn’t really use DHCP and you can remove it.

Please next time you read my posts…
WEAR YOUR GLASSES!! ;-PP

Sorry, it’s past experience. When you say that something is wrong, it can either mean that it’s really wrong, or that it’s perfectly fine and you just haven’t seen such thing before. :wink: The problem was that I misread numbers and mixed 88 with 188. One network has 192.168.188.25 as DNS resolver, so it would make sense to have exception for 192.168.188.25, to not give it itself as resolver. Except it’s really different networks.

Ok, the orange one is gone :laughing:

In my limited experience, if it smells like a pig, and dresses like a pig and walks like a pig, its a pig! :wink:

@shafiqrahman: And how is it going otherwise? Does it work with added route?

Nope, nothing. WireGuard on iOS successfully resolved my router's external IP, but there is no traffic on the wg interface.

Please post your latest config on MT server router
/export hide-sensitive file=anynameyouwant
(and hide any public IPs showing if any, including on firewall address lists).

Also jot down your IOS settings
WIREGUARD INTERFACE
&
PEER INTERFACE

(for public keys just put aabb for one pair and xxyyy for the other pair to represent them.

(for endpoint IP address (just state WANIP)

# jan/05/2022 18:35:54 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no distance=indoors \
    frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency=5765 frequency-mode=manual-txpower installation=outdoor mode=\
    ap-bridge ssid=xxx station-roaming=enabled wireless-protocol=802.11 \
    wps-mode=disabled
# WireGuard server interface, listening on UDP/13231. Peers reach it via
# the WAN interface, so the input chain needs an enabled accept for
# udp/13231 above the final drop — in this export that rule is disabled,
# see /ip firewall filter below.
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
# Default profile used by both radios (no security-profile= on the wlan
# entries above). wpa-psk (WPA1) is still enabled alongside wpa2-psk;
# wpa2-psk alone is the stronger setting unless a legacy client needs WPA1.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
# DHCP serves the bridge and ether5 LANs only; the WireGuard client's
# address is fixed by the peer allowed-address, not leased.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
# Stock-looking routing templates; no BGP connection or OSPF interface
# template appears in this export, so nothing is peered or advertised.
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=xxxx rp-filter=loose
# IPv6 is disabled router-wide, so the ::/0 and IPv6 address entries on the
# iOS side cannot be served by this tunnel.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=xxxx
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
# Home in LAN: LAN-scoped filter rules and the WAN masquerade apply to
# traffic inside the tunnel. This does not admit the handshake itself,
# which arrives on pppoe-out1.
add interface=Home list=LAN
# allowed-address=10.0.20.20/32 is the peer's crypto-key routing entry:
# packets from this peer must be sourced from 10.0.20.20, and only traffic
# to 10.0.20.20 is sent to it. The iOS "Addresses" field must be this /32.
/interface wireguard peers
add allowed-address=10.0.20.20/32 interface=Home public-key=\
    xxxxxxxx
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
# Router's tunnel address is 10.0.20.0, the all-zeros host of the /24. It
# provides the connected route that reaches 10.0.20.20, but 10.0.20.1/24 is
# the conventional choice; whichever is used is the address the iOS client
# must target for DNS / router access through the tunnel.
add address=10.0.20.0/24 interface=Home network=10.0.20.0
# DDNS name for the WAN address; presumably what the iOS Endpoint resolves.
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

# Bridge clients use the Pi-hole on the ether5 LAN as resolver; the /32
# exception from the earlier export has been removed.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
# The router answers DNS for anything that reaches port 53 on it; this is
# only safe because the input chain accepts port 53 from LAN only and ends
# in a drop. Upstream is DoH with certificate verification.
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
# Static pins for the DoH hostname (DoH bootstrap, apparently); the same
# two IPs are reused as route gateways below.
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
# Sources allowed to manage the router. 10.0.20.20 (the tunnel client) is
# now included, so the admin rule applies once the tunnel is up.
/ip firewall address-list
add address=192.168.88.x-192.168.88.xxx list=allowed_to_router
add address=192.168.188.x-192.168.188.xxx list=allowed_to_router
add address=10.0.20.20 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# STILL DISABLED. This is the only rule that admits the WireGuard handshake,
# which arrives on pppoe-out1 (WAN), not on Home; with it off the final
# `add action=drop chain=input` discards every UDP/13231 packet, which is
# consistent with the tunnel never coming up ("no traffic in wg interface").
# Set disabled=no. After that, the peer's last-handshake in
# `/interface wireguard peers print` is the quickest way to confirm the
# phone is reaching the router; the LAN-scoped admin rule below only
# matters after the handshake succeeds.
add action=accept chain=input comment="Allow Wireguard" disabled=yes \
    dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
# `port=` matches source OR destination port; `dst-port=` is the intended,
# narrower match for the router's own DNS service.
add action=accept chain=input in-interface-list=LAN port=xx protocol=tcp
add action=accept chain=input in-interface-list=LAN port=xx protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Tunnel clients may reach the bridge LAN only. The ether5 LAN
# (192.168.188.0/24, Pi-hole) is not covered: the inter-LAN rules below
# match src-address=192.168.88.0/24, not 10.0.20.x, so tunnel DNS queries
# to 192.168.188.25 hit "Drop All Else". Add dst-address=192.168.188.0/24
# (or just the Pi-hole host and port 53) if that is intended.
add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

# The "Allow Port Forwarding - DSTNAT" accept from the earlier export is
# gone, and /ip upnp no longer appears in this export; inbound dst-nat'd
# connections therefore end at "Drop All Else". Good — keep it that way
# unless a specific service needs exposing.
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
# Full bidirectional access between the two LANs; narrow if ether5 is meant
# to be isolated (anav raises this at the end of the thread).
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
# Masquerades every flow leaving a WAN-listed interface; tunnel clients get
# internet via the router's WAN IP through this rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Toggled by the "bypass" scheduler script when the Pi-hole stops answering.
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=tcp to-addresses=\
    192.168.88.1

# Leftover to_ISP1 experiment: one enabled default route via 104.16.249.249
# (a cloudflare-dns.com pin) in a table that no visible /routing rule ever
# selects. Not the cause of the tunnel problem, but it is dead weight that
# makes the routing table harder to reason about — consider removing it.
/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 routing-table=to_ISP1
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
# Host route to the tunnel client. With 10.0.20.0/24 already assigned to
# Home (connected route) this is redundant but harmless.
add dst-address=10.0.20.20/32 gateway=Home
# winbox is limited to the bridge subnet, so a tunnel client at 10.0.20.20
# is excluded; add 10.0.20.20/32 here if winbox over the tunnel is wanted.
# SSH from the tunnel already works through the admin input rule. www and
# www-ssl are not listed, so they keep their defaults — check them.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2133
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
# Modern SSH algorithms only; forwarding-enabled=remote also permits remote
# port forwarding, which plain management logins do not need.
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
# wireless,debug is verbose; keep only while chasing the reported wifi drops.
/system logging
add topics=wireless,debug
add disabled=yes topics=dns
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
# Reboot every 2 days. The policy list is far broader than `reboot`
# requires (ftp, password, sensitive, sniff, romon ...); grant each
# scheduler entry only the policies its script uses.
add interval=2d name=reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/07/2020 start-time=05:05:00
# Pi-hole health check every 30s: resolve testDomain against piholeDNS; on
# failure enable the pihole_bypass NAT rules, on success disable them. The
# script only calls :resolve and enables/disables NAT rules, so
# password/sensitive/sniff/ftp/romon are unnecessary — trim to the minimum
# that still runs on this box.
add interval=30s name=bypass on-event=":local piholeDown [/ip firewall nat pri\
    nt count-only where comment~\"pihole_bypass\" && disabled]\r\
    \n:local piholeDNS \"192.168.188.25\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$piholeDown > 0 ) do={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip firewall nat enable [find comment=pihole_bypass];\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip firewall nat disable [find comment=pihole_bypass];\r\
    \n    } on-error={}\r\
    \n}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=may/21/2021 start-time=05:31:03
/tool bandwidth-server
set enabled=no
# MAC-level management is fully off — a sound default. The suggestion later
# in the thread to set mac-winbox to LAN reopens layer-2 winbox on every
# LAN-listed interface; keep it at none unless it is needed for recovery.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

IMG_9B39269B09DE-1.jpeg

Okay looking at your mac settings, you make it clear that you only want your mac to be able to connect to the local subnet on the MT Server Router of 192.168.88.0/24.

(if those are real public IPs on ip routes for the router, ensure you remove them from the post).

set winbox address=192.168.88.0/24 (this isn't going to let you access winbox remotely — you need to add the 10.0.20.20 address, or whatever it is)

/tool mac-server mac-winbox
set allowed-interface-list=none SHOULD be set to LAN.


Okay I see your IP route…
dst-address=10.0.20.20/32 gateway=Home (the WG interface), routing-table=main.

What I want to know is whether this is necessary, as you have already assigned an IP address to the wg interface; hoping someone can chime in on what the effect of assigning an IP address to the WG interface is (as I normally don't).

By the way I think your whole setup is bogus and your narrow minded need to get DNS on pihole has created a wrong approach.
You have two separate LANs and yet allow full access from one to the other. What is the point of having two separate LANS then.

There must be a more elegant way of using Pi-hole and DNS than what you have attempted; sadly I am not able to help much on this front.