How do I configure wireguard in new router os 7.1?

I see wrong IP address=10.0.20.0/24. With .0 it’s network address, so it should be e.g. .1. And then the route is not needed.

You want to enable this:

/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" disabled=yes dst-port=13231 protocol=udp

Yeah I noted the disabled but thought he was waiting until the rest was good.
I see he has allowed address on Server peer settings correctly, thus I am still looking for this wrong address..??

Okay
I see it in IP address,
add address=10.0.20.0/24 interface=Home network=10.0.20.0

But my question is why does he have to choose an IP address for the wg interface that looks like his random IP address.
Cannot it not be anything… 192.168.77.1/23 network 192.168.78.0 ???

Two things:

  1. Router needs route to client’s address. That’s obvious, it needs to know where to find it.
  2. WG in RouterOS does not automatically add routes based on allowed-address.

That’s different from e.g. Windows client, where everything specified in AllowedIPs will be automatically routed to tunnel. If you have more than one peer with allowed address 0.0.0.0/0 (or generally any overlapping subnets), Windows client will allow only one of them active at the same time, because if more were active, there’s no automatic way how to decide what should go where. This is no problem with RouterOS, because it’s manually configured by you, the professional. So you can have several active peers with overlapping subnets (edit: with different WG interfaces of course), and you decide what will go where by adding proper routes (including optional policy routing).

In OP’s case, it’s the same thing we discussed in another thread. Either WG interface can have 10.0.20.x/24, which creates connected route to 10.0.20.0/24, so router will know where to find 10.0.20.20. Or there must be route to 10.0.20.20 with WG interface as gateway.
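The two points above (a peer's allowed-address needs either a connected route from an address on the WG interface or an explicit route via it, and a .0 interface address is the network address) plus the disabled listen-port rule noted earlier, turned into a check over an exported config. This is an added example, not code from the thread or from MikroTik; the export text is constructed to reproduce those mistakes, and the parser only reads `add` lines (assumes Python 3.7+ for `subnet_of`).

```python
import ipaddress
import shlex
# Constructed sample export reproducing the mistakes discussed in the thread.
SAMPLE_EXPORT = """\
/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=REDACTED
add allowed-address=10.0.20.20/32 interface=Home public-key=REDACTED
add allowed-address=10.0.30.0/24 interface=Home public-key=REDACTED
/ip address
add address=192.168.40.1/24 interface=Home network=192.168.40.0
add address=10.0.20.0/24 interface=Home network=10.0.20.0
/ip route
add dst-address=10.0.20.20/32 gateway=Home
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" disabled=yes dst-port=13231 protocol=udp
"""
def parse_export(text):
    # Map each '/section' header to the key=value dicts of its 'add' lines.
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("/"):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append(dict(t.split("=", 1) for t in shlex.split(line)[1:]))
    return sections

def lint(text):
    cfg, findings = parse_export(text), []
    addrs, routes = cfg.get("/ip address", []), cfg.get("/ip route", [])
    # A .0 host part is the subnet's network address, not a usable interface address.
    for a in addrs:
        i = ipaddress.ip_interface(a["address"])
        if i.ip == i.network.network_address:
            findings.append(f"{a['interface']}: address {a['address']} is the network address, use e.g. .1")
    # RouterOS adds no route from allowed-address: each needs a connected route (address on the WG interface) or an explicit route via it.
    for p in cfg.get("/interface wireguard peers", []):
        net, wg = ipaddress.ip_network(p["allowed-address"]), p["interface"]
        connected = any(a["interface"] == wg and net.subnet_of(ipaddress.ip_interface(a["address"]).network) for a in addrs)
        routed = any(r.get("gateway") == wg and net.subnet_of(ipaddress.ip_network(r["dst-address"])) for r in routes)
        if not (connected or routed):
            findings.append(f"{wg}: no route to peer allowed-address {p['allowed-address']}")
    # Handshakes never arrive if every input accept rule for the listen port is disabled.
    for w in cfg.get("/interface wireguard", []):
        port, rules = w["listen-port"], cfg.get("/ip firewall filter", [])
        if not any(r.get("disabled") != "yes" for r in rules if r.get("chain") == "input" and r.get("dst-port") == port):
            findings.append(f"{w['name']}: no enabled input accept rule for udp/{port}")
    return findings
```

Feed it the output of `/export` to get one line per problem; an empty list means every peer subnet is reachable and the listen port is open in the input chain.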

Good, that answers my question about the random IP having to have an IP address that matches it, for the WG interface on the other end.

I find this very confusing because let’s say it’s a subnet 192.168.30.0/24 is the peer subnet coming through,
now you want me to make an IP address of 192.168.30.1/24 network 192.168.30.0 with interface being the wg interface?? is that correct…
So if there were multiple peers
I keep adding addresses with gwy of wg interface ???

My question remains… what are the pros and cons when comparing
(let’s say two subnets and a single IP)
3 IP addresses OR
3 IP routes clean simple

I don’t have definitive guide for all cases, someone should write one, I guess.

If it’s access to private network for individual single-device clients (phone, notebook, …), I’d go with 192.168.30.1/24 on WG interface and then each client would have 192.168.30.X/32. It’s simple and straightforward. You just add one address and everything is covered, be it for one client or hundred.

If it’s site to site, local subnet to remote subnet, you can go with your favourite addressless way and add route with dst-address= gateway= on each router. You can have additional connecting subnet, but it doesn’t really add much. Traceroute is nicer, without holes, but you can achieve that even without extra addresses, if you add pref-src=<router’s address from local subnet> to route.

In fact, the same should work even with the first case, but it still feels somehow better with addresses. Hopefully I’ll eventually find some better reason than just this feeling. :slight_smile:

I see what you are saying in that if you have a bunch of clients all with single IPs
Having one all encompassing address is better.

Let’s say you have 192.168.9.5 / 192.168.9.15, 192.168.9.25 requiring access through the tunnel
On the server I would agree with you that this
a. ip address=192.168.9.1/24 gwy=wireguard interface network=192.168.9.0

is probably way more efficient than
b. dst-address=192.168.9.5 gwy=wireguard interface
dst-address=192.168.9.15 gwy=wireguard interface
dst-address=192.168.9.25 gwy=wireguard interface

Thank you, @anav for pointing out the unfiltered mac’s IP. I forgot to remove them. 104.16.248.249 is cloudflare address.

Okay I see your IP route…
dst-address=10.0.20.20.2 gwy=WG interface table=main.

What I want to know is if this is necessary as you have already assigned an IP address to the wg interface, hoping someone can chime in on what the effect is of assigning an IP address to the WG interface (as I normally don’t)

I do prefer the method you describe, I just put them to see what happens.

There must be a more elegant way of using pi hole and DNS than what you have attempted, sadly I am not able to help much on this front.

I really love to have my home all under the same subnet, but many people on the forum suggested pihole should be on a separate subnet (in my use case) to see all devices. Other than that, the Raspberry Pi on the other subnet has some containers that need to communicate with other devices on the network; that’s the reason they are allowed to reach each other.

I see wrong IP address=10.0.20.0/24. With .0 it’s network address, so it should be e.g. .1. And then the route is not needed.

Found that during the posting but left for consistency.

Cannot it not be anything… 192.168.77.1/23 network 192.168.78.0 ???

Tried to put 192.168.288.0 but greeted with “error-must be an ip address”.

I accidentally/foolishly locked myself out of the router by disabling the “Allowed to router” rule :laughing: . And the reset button procedure is not working, though it’s still in service. I will get back as soon as I am up.

Yes, that rule should not be touched if you have a drop all rule in play!! Recommend you use SAFE MODE all the time when making changes.

I always forget about safe mode :laughing: . Hopefully I won’t next time.

Here is the new configuration:

# jan/08/2022 01:56:39 by RouterOS 7.1.1
# software id = BM4W-X3GK
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] advertise=\
    100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] disabled=yes

/interface wireguard
add listen-port=13231 mtu=1420 name=Home
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=pinet ranges=192.168.188.20-192.168.188.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=pinet interface=ether5 name=pinetDHCP
/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_ISP1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether5 list=LAN
add interface=Home list=LAN
/interface wireguard peers
add allowed-address=192.168.40.2/32 interface=Home public-key=\

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.188.1/24 comment=pinet interface=ether5 network=\
    192.168.188.0
add address=192.168.40.1/24 comment=wireguard interface=Home network=\
    192.168.40.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.188.25 \
    gateway=192.168.88.1
add address=192.168.188.0/24 comment=pinet gateway=192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=2d query-server-timeout=100ms \
    query-total-timeout=5s servers=1.1.1.1,1.0.0.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 name=router.lan
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router
add address=192.168.188.20-192.168.188.254 list=allowed_to_router
add address=192.168.40.2-192.168.40.12 list=allowed_to_router

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=Wireguard dst-address=192.168.88.0/24 \
    in-interface=Home
add action=accept chain=forward comment=Wireguard dst-address=\
    192.168.188.0/24 in-interface=Home
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass disabled=yes \
    dst-address=192.168.188.25 dst-port=53 protocol=udp to-addresses=\
    192.168.88.1
/ip route
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    104.16.248.249 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
    pppoe-out1 pref-src="" routing-table=to_ISP1 scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=\
    104.16.249.249 routing-table=to_ISP1
add disabled=yes distance=1 dst-address=104.16.248.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=104.16.249.249/32 gateway=pppoe-out1 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=10

/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no


And some description what happens or doesn’t happen? I’d say you should be able to access all 192.168.88.x. If not, what do you see in “/interface/wireguard/peers/print detail”?

Thank you @Sob replying so fast :smiley:

Flags: X - disabled 
 0   interface=Home public-key="xxxxxxxxxxxx" 
     endpoint-address="" endpoint-port=0 current-endpoint-address="" 
     current-endpoint-port=0 allowed-address=192.168.40.2/32 rx=0 tx=0

Still nothing.
Update: Found this on the log:
denied winbox/dude connect from 192.168.40.2.
Was trying to test the connection by using winbox over cellular.

(1) I imagine this means nothing because everything is done through the pppoe client interface ?
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

(2) add a firewall rule like so…
add action=accept chain=forward comment="ENABLE LAN to WAN"
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=
192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=
192.168.188.0/24

add action=accept chain=forward dst-address=192.168.88.0/24 src-address=
192.168.40.0/24

add action=drop chain=forward comment="Drop All Else"

(3) The listening port on the iphone doesn’t seem to match up to the listening port on the MT Router server wireguard interface?? NM my bad, that would be delineated on the end of the endpoint address like so xx.xx.xx.xx:13231

That’s weird. With client connected, I see current-endpoint-address=<client’s address> current-endpoint-port=<client’s port> rx= tx= last-handshake=<last communication, or whatever it is exactly>. Yours looks like there’s no connection at all. But then you could hardly have anything from 192.168.40.2 trying to connect to winbox port.

Does this rule have any hits?

/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp

No tx/rx for this rule.

add action=accept chain=forward dst-address=192.168.88.0/24 src-address=
192.168.40.0/24

-didn’t get this part :frowning:

There’s no rx/tx for firewall rule, but counters for packets and bytes. It won’t be much, because most of an established connection is accepted by another rule. But it should be more than zero.

Stupid question, you do have public address, right? You know what it is, and you’re aware that some addresses are non-public, so it’s not possible to connect to them from internet, and that it’s pretty common to have one. And you definitely have the right public one, correct?

My IP is dynamic, not static. I put a ddns address on wireguard client :frowning:

Static or dynamic doesn’t matter. Public or private does. In IP->Cloud, is the Public Address the same as you see in IP->Addresses? Or if not, are you supposed to have NAT 1:1? Or did you previously use something else that requires incoming connections and did it work?