I am currently routing everything through a wireguard interface (public VPN, tik is client) but I also need to have a host wireguard interface (tik is host) for remote access to my LAN. Unfortunately I believe that the first wireguard connection seems to be preventing the second from working (or another issue). On both devices it shows as connected but no internet. Router does not show any traffic on the host Wireguard interface.
The VPN service I am using is Mullvad which lets you obtain randomly selected forwarded ports which is why my listen-port selection is weird those are the correct ports. I am using DDNS for connecting.
FULL Config:
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=wan
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan1 ssid=REDACTED wireless-protocol=802.11 wps-mode=disabled
/interface wireguard
add listen-port=61165 mtu=1420 name=mullvad
add listen-port=60604 mtu=1420 name=wg-host
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=wwan1 mode=dynamic-keys name=wwan1sec supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment=wan country="united states3" disabled=no distance=indoors frequency=auto installation=indoor name=wwan1 security-profile=wwan1sec ssid=REDACTED wireless-protocol=802.11
/interface wireless manual-tx-power-table
set wwan1 comment=wan
/interface wireless nstreme
set wwan1 comment=wan
/ip pool
add name=default-dhcp ranges=10.42.0.10-10.42.0.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wwan1 list=WAN
add interface=mullvad list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="mullvad servers" endpoint-address=REDACTED endpoint-port=51820 interface=mullvad public-key="REDACTED"
add allowed-address=10.10.0.2/32 comment=laptop endpoint-address="" interface=wg-host public-key="kW-REDACTED"
add allowed-address=10.10.0.3/32 comment=phone endpoint-address="" interface=wg-host public-key="aM-REDACTED"
/ip address
add address=10.42.0.1/24 comment=defconf interface=bridge network=10.42.0.0
add address=10.67.62.113 interface=mullvad network=10.67.62.113
add address=10.10.0.1/24 interface=wg-host network=10.10.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
add add-default-route=no interface=wwan1
/ip dhcp-server network
add address=10.42.0.0/24 comment=defconf dns-server=10.42.0.1 gateway=10.42.0.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=100.64.0.3
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes out-interface=!ether1
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="vpn kill switch" dst-address=!REDACTED out-interface=ether1
add action=drop chain=forward comment="vpn kill switch" dst-address=!REDACTED out-interface=wwan1
add action=accept chain=input comment=wg-host dst-port=60604 protocol=udp
/ip firewall mangle
add action=change-ttl chain=postrouting comment="avoid lte tethering detection" new-ttl=set:65 out-interface=ether1 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set rtsp disabled=no
/ip route
add comment=mullvad disabled=no distance=2 dst-address=REDACTED/32 gateway=192.168.0.1%wwan1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.54.253%ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.0.1%wwan1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=mullvad disabled=no distance=1 dst-address=REDACTED/32 gateway=192.168.54.253%ether1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=mullvad pref-src="" routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=REDACTED
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=ether1 filter-operator-between-entries=and only-headers=yes
TLDR (I think only relevant parst of config):
/interface wireguard
add listen-port=61165 mtu=1420 name=mullvad
add listen-port=60604 mtu=1420 name=wg-host
/interface list member
add interface=mullvad list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="mullvad servers" endpoint-address=REDACTED endpoint-port=51820 interface=mullvad public-key="REDACTED"
add allowed-address=10.10.0.2/32 comment=laptop endpoint-address="" interface=wg-host public-key="kW-REDACTED"
add allowed-address=10.10.0.3/32 comment=phone endpoint-address="" interface=wg-host public-key="aM-REDACTED"
/ip address
add address=10.42.0.1/24 comment=defconf interface=bridge network=10.42.0.0
add address=10.67.62.113 interface=mullvad network=10.67.62.113
add address=10.10.0.1/24 interface=wg-host network=10.10.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip firewall filter
add action=drop chain=forward comment="vpn kill switch" dst-address=!REDACTED out-interface=ether1
add action=drop chain=forward comment="vpn kill switch" dst-address=!REDACTED out-interface=wwan1
add action=accept chain=input comment=wg-host dst-port=60604 protocol=udp
/ip route
add comment=mullvad disabled=no distance=2 dst-address=REDACTED/32 gateway=192.168.0.1%wwan1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.54.253%ether1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=192.168.0.1%wwan1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=mullvad disabled=no distance=1 dst-address=REDACTED/32 gateway=192.168.54.253%ether1 pref-src="" routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=mullvad pref-src="" routing-table=main suppress-hw-offload=no
Would anyone be able to help me get this working? Apologies for my weird config. I have unusual network requirements and have limited knowledge to build a config. If you notice anything stupid or a security vulnerability please let me know.