No handshake on Wireguard with Surfshark

Hi,

My home network setup:

The Fritzbox is a Fritz!Box 7530 with FRITZ!OS: 8.02.
The Fritzbox has an Internet connection.
The Fritzbox runs the DHCP server.
The Fritzbox has the IP address 192.168.178.1.

Behind the Fritzbox is a MikroTik router.

The MikroTik router is a MikroTik L009UiGS-RM with RouterOS v7.18.2

No WireGuard is used on the Fritzbox, and no Surfshark either.
WireGuard® and Surfshark are used on the MikroTik.

Port 51820 (UDP) is opened on the Fritzbox and forwarded to the MikroTik router.
The MikroTik router is set as an exposed host on the Fritzbox for testing purposes.

Problem: The MikroTik router cannot establish a handshake with the Surfshark server.
Last Handshake: 00:00:00

Router config attached

Additionally to the config below, I ran the following cmd but nothing changed (router rebooted):
/ip firewall filter add chain=input action=accept in-interface=ether1 protocol=udp dst-port=51820 comment="Allow WireGuard handshake from WAN"

==============
New info 16:19 h:
Seems like UDP packets from the Internet do not reach my MikroTik router.
So maybe the problem is not a MikroTik problem.

PS C:\Users\Irvin> $udp = New-Object System.Net.Sockets.UdpClient
PS C:\Users\Irvin> $bytes = [System.Text.Encoding]::UTF8.GetBytes("test123")
PS C:\Users\Irvin> $udp.Send($bytes, $bytes.Length, "", 51820)

[admin@MikroTik] > /log print
2025-11-05 15:14:29 system,info router rebooted by mac-msg(winbox):admin@F0:A7:31:D7:22:5B
2025-11-05 15:14:30 interface,info lo link up
2025-11-05 15:14:31 interface,info surfshark link up
2025-11-05 15:14:33 bridge,info hardware offloading activated on bridge "bridge" ports: ether4,ether3,ether2
2025-11-05 15:14:33 bridge,info hardware offloading activated on bridge "bridge" ports: ether5,ether6
2025-11-05 15:14:33 bridge,info hardware offloading activated on bridge "bridge" ports: ether7,ether8,sfp1
2025-11-05 15:14:35 interface,info ether1 link up (speed 1G, full duplex)
2025-11-05 15:14:36 interface,info ether7 link up (speed 1G, full duplex)
2025-11-05 15:14:36 dhcp,info dhcp-client on ether1 got IP address 192.168.178.200
2025-11-05 15:14:39 system,info,account user admin logged in from F0:A7:31:D7:22:5B via winbox
2025-11-05 15:14:39 system,info,account user admin logged in from F0:A7:31:D7:22:5B via winbox
2025-11-05 15:15:16 system,critical,info cloud change time Nov/05/2025 15:14:58 => Nov/05/2025 15:15:16
2025-11-05 16:17:30 system,info,account user admin logged in from F0:A7:31:D7:22:5B via winbox
2025-11-05 16:19:54 system,info,account user admin logged out from F0:A7:31:D7:22:5B via winbox
2025-11-05 16:19:54 system,info,account user admin logged out from F0:A7:31:D7:22:5B via winbox
2025-11-05 16:19:55 system,info,account user admin logged out from F0:A7:31:D7:22:5B via winbox
2025-11-05 16:20:53 system,info,account user admin logged in from 192.168.88.254 via winbox
2025-11-05 16:21:22 system,info,account user admin logged in from 192.168.88.254 via winbox
2025-11-05 16:22:04 system,info filter rule added by tcp-msg(winbox):admin@192.168.88.254/terminal (*11 = /ip firewall filter add action=log chain=input dst-port=51820 protocol=udp)

[admin@MikroTik] >

Why?
Can anyone help?

MikroTik RouterOS 7.18.2 (c) 1999-2025

Press F1 for help

2025-11-05 13:31:19 system,critical,info cloud change time Nov/05/2025 13:31:00 => Nov/05/2025 13:31:19
[admin@MikroTik] > /export

# 2025-11-05 14:32:10 by RouterOS 7.18.2
# software id = YE70-4H86
#
# model = L009UiGS
# serial number = xxxxxxx

/interface bridge
add admin-mac=04:F4:1C:3E:A5:4B auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=surfshark
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=at-vie.prod.surfshark.com endpoint-port=51820 interface=surfshark name=peer2 persistent-keepalive=25s public-key="m4kr4bkBJ48fGZkOr7I+a/53VQnb0U/hFbWQdK1KKGA="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.14.0.2 interface=surfshark network=10.14.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=162.252.172.57,149.154.159.92
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=surfshark
/ip route
add dst-address=37.19.195.68 gateway=192.168.178.1
add dst-address=37.19.195.68 gateway=192.168.178.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

Before I look at the config, several comments: you are not hosting WireGuard, you are a client connecting to a third-party server and accessing the internet for some of your users.
Therefore there is NO reason to port forward the assigned WireGuard port from Surfshark to the FRITZ or make any input chain firewall rule on the MT router.

Typically we concern ourselves with a subset of rules besides ensuring allowed addresses is correct,
and that setting is pretty straightforward and easy, and it appears correct.

a. Ensure affected users are allowed to enter the tunnel in a forward chain rule.
b. Ensure the interface is set up to be masqueraded by sourcenat when leaving the router, accomplished by making the interface part of the WAN interface list (and then the default rule works for you) or by creating a specific sourcenat rule for surfshark.
c. Create a table and route, and either routing rules or mangles, to force users into the tunnel.
d. Create the necessary DNS rules so there is no leakage out the local WAN; one needs to know if surfshark has provided you with a specific DNS address or not, and if not then we would use 10.14.0.1.

After looking at the config, questions arise:

  1. Which users do you want to go through wireguard?
  2. What DNS addresses did you identify on IP DNS?
  3. Why do you have IP routes to unknown WAN IPs from non-local unknown gateway private IPs ???
  4. Did surfshark provide you with a DNS address?
  5. Are you using IPV6 at all?

While answering that change this ip address to:
add address=10.14.0.2/24 interface=surfshark network=10.14.0.0
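
Added example, not part of the reply above or of either poster's configuration: a small Python check that applies the reply's checklist (no WAN input rule on a client, masquerade on the tunnel, a separate routing table) and its prefix-length correction to a RouterOS export. The function names, the finding texts and the embedded export excerpt are constructed for illustration.

```python
import re
import shlex

# Constructed excerpt modelled on the first export in this thread plus the
# extra input rule; the public key is a placeholder, not a real key.
SAMPLE_EXPORT = r'''
/interface wireguard
add listen-port=51820 mtu=1420 name=surfshark
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=at-vie.prod.surfshark.com \
    endpoint-port=51820 interface=surfshark public-key="PLACEHOLDER="
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.14.0.2 interface=surfshark network=10.14.0.0
/ip firewall filter
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=51820
/ip firewall nat
add action=masquerade chain=srcnat out-interface=surfshark
/ip route
add dst-address=37.19.195.68 gateway=192.168.178.1
'''


def parse_export(text):
    """Return {menu path: [{param: value}, ...]} for every 'add' line."""
    menus, path = {}, None
    # Fold line continuations, tolerating stray spaces after the backslash.
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.startswith("add "):
            toks = shlex.split(line[4:])
            menus.setdefault(path, []).append(
                dict(t.split("=", 1) for t in toks if "=" in t))
    return menus


def audit_wg_client(menus):
    """Apply the reply's checklist to each WireGuard interface."""
    out = []
    wan = {m.get("interface") for m in menus.get("/interface list member", [])
           if m.get("list") == "WAN"}
    for wg in menus.get("/interface wireguard", []):
        name, port = wg.get("name"), wg.get("listen-port")
        peers = [p for p in menus.get("/interface wireguard peers", [])
                 if p.get("interface") == name]
        # Every peer has an endpoint: this router only dials out.
        client = bool(peers) and all("endpoint-address" in p for p in peers)
        for r in menus.get("/ip firewall filter", []):
            if (client and port and r.get("chain") == "input"
                    and r.get("action") == "accept"
                    and r.get("protocol") == "udp" and r.get("dst-port") == port):
                out.append(f"{name}: input accept for udp/{port} not needed on a client")
        for a in menus.get("/ip address", []):
            if a.get("interface") == name and "/" not in a.get("address", "/"):
                out.append(f"{name}: address {a['address']} has no prefix length")
        nat = any(n.get("chain") == "srcnat" and n.get("action") == "masquerade"
                  and n.get("out-interface") == name
                  for n in menus.get("/ip firewall nat", []))
        if name not in wan and not nat:
            out.append(f"{name}: tunnel traffic is not masqueraded")
        if not any(r.get("gateway") == name and r.get("routing-table", "main") != "main"
                   for r in menus.get("/ip route", [])):
            out.append(f"{name}: no routing table sends users into the tunnel")
    return out


if __name__ == "__main__":
    for finding in audit_wg_client(parse_export(SAMPLE_EXPORT)):
        print(finding)
```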

Thank you for your answer!

>> you are not hosting Wireguard you are a client connecting to a third party server and accessing internet for some of your users.

yes.

As you may have noticed, I don’t have much experience with routers or networking. I’m currently trying to configure my new MikroTik router using ChatGPT and GitHub Copilot for use with Surfshark.
If my questions or answers seem “naive” or “silly,” please bear with me. Feel free to put as much effort into your replies as you wish.
Thank you for your patience!

>> Which users do you want to go through wireguard?

some users yes, some users no.
Plan is to make VLANs and decide upon them.

>> Did surfshark provide you with a DNS address?

DNS = 162.252.172.57, 149.154.159.92
this is the info from the config file from my account at https://surfshark.com

>> What DNS addresses did you identify on IP DNS?

In MikroTik, I specified the two addresses that surfshark gave me.

>> Why do you have IP routes to unknown WAN IPs from non-local unknown gateway private IPs ???

do I?

I think 192.* is internal.
37.19.195.68 points to surfshark, I assume.

[admin@MikroTik] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
      DST-ADDRESS       GATEWAY        DISTANCE
  DAd 0.0.0.0/0         192.168.178.1         1
  DAc 10.14.0.0/24      surfshark             0
  DAc 192.168.88.0/24   bridge                0
  DAc 192.168.178.0/24  ether1                0
0 As+ 37.19.195.68/32   192.168.178.1         1
1 As+ 37.19.195.68/32   192.168.178.1         1
[admin@MikroTik] >

>> Are you using IPV6 at all?

My network has local IPv6 support (link-local addresses), but no global IPv6 connectivity to the Internet.

>> change this ip address to: add address=10.14.0.2/24 interface=surfshark network=10.14.0.0

I did that, no change.

/interface bridge
add admin-mac=04:F4:1C:3E:A5:4B auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=surfshark
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/routing table
add fib name=useSURF
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=at-vie.prod.surfshark.com endpoint-port=51820 interface=surfshark name=peer2 persistent-keepalive=25s public-key="------"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.14.0.2/24 interface=surfshark network=10.14.0.0
/ip dhcp-client
add comment=defconf interface=ether1 add-default-route=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,162.252.172.57,149.154.159.92
/ip firewall address-list
add address=192.168.88.X list=SShark comment="pc1 for vpn"
add address=192.168.88.Y list=SShark comment="pc2 for vpn"
add address=192.168.88.Z list=SShark comment="pc3 for vpn"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
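# LAN hosts that are NOT in the SShark list go out the local WAN
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
     out-interface-list=WAN src-address-list=!SShark
# LAN hosts in the SShark list may only leave through the WireGuard interface
add action=accept chain=forward comment="internet traffic VPN" in-interface-list=LAN \
     out-interface=surfshark src-address-list=SShark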
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=surfshark
# Redirect DNS (port 53) from the SShark hosts to the Surfshark resolvers
add action=dst-nat chain=dstnat src-address-list=SShark dst-port=53 protocol=udp \
     to-addresses=162.252.172.57
add action=dst-nat chain=dstnat src-address-list=SShark dst-port=53 protocol=tcp \
     to-addresses=162.252.172.57
add action=dst-nat chain=dstnat src-address-list=SShark dst-port=53 protocol=udp \
     to-addresses=149.154.159.92
add action=dst-nat chain=dstnat src-address-list=SShark dst-port=53 protocol=tcp \
     to-addresses=149.154.159.92
/ip route
add dst-address=0.0.0.0/0 gateway=surfshark  routing-table=useSURF 
add dst-address=162.252.172.57 gateway=surfshark routing-table=main comment=DNS
add dst-address=149.154.159.92 gateway=surfshark routing-table=main comment=DNS
/routing rule
add min-prefix=0  action=lookup-only-in-table  table=main
add src-address=192.168.88.X  action=lookup-only-in-table  table=useSURF
add src-address=192.168.88.Y  action=lookup-only-in-table  table=useSURF
add src-address=192.168.88.Z  action=lookup-only-in-table  table=useSURF
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

config_v2_no_keys.rsc (4.9 KB)

config_v1.rsc (4.9 KB)

I copied the commands into config_v1.rsc and made some small adjustments to fix syntax errors.
The result is config_v2_no_keys.rsc (keys replaced).

When I run it, I get the error message:

device already added as bridge port

It seems there might be an initialization step missing at the beginning of the script.

My steps:

  • Reset the router
  • Ran /import config_v2.rsc
  • Result: see log below

[admin@MikroTik] > /import config_v2.rsc
Flags: D - dynamic; X - disabled, R - running
0 R ;;; defconf
name="bridgeLocal" mtu=auto actual-mtu=1500 l2mtu=1596 arp=enabled arp-timeout=auto mac-address=04:F4:1C:3E:A5:4A
protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=04:F4:1C:3E:A5:4A ageing-time=5m
priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
port-cost-mode=long mvrp=no max-learned-entries=auto
Flags: I - INACTIVE; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON

INTERFACE BRIDGE HW PVID PRIORITY HORIZON

;;; defconf
0 ether1 bridgeLocal yes 1 0x80 none
;;; defconf
1 IH ether2 bridgeLocal yes 1 0x80 none
;;; defconf
2 IH ether3 bridgeLocal yes 1 0x80 none
;;; defconf
3 IH ether4 bridgeLocal yes 1 0x80 none
;;; defconf
4 IH ether5 bridgeLocal yes 1 0x80 none
;;; defconf
5 IH ether6 bridgeLocal yes 1 0x80 none
;;; defconf
6 IH ether7 bridgeLocal yes 1 0x80 none
;;; defconf
7 IH ether8 bridgeLocal yes 1 0x80 none
;;; defconf
8 IH sfp1 bridgeLocal yes 1 0x80 none
Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS

NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS

0 RS ether1 ether 1500 1600 8158 04:F4:1C:3E:A5:4A
1 S ether2 ether 1500 1596 8154 04:F4:1C:3E:A5:4B
2 S ether3 ether 1500 1596 8154 04:F4:1C:3E:A5:4C
3 S ether4 ether 1500 1596 8154 04:F4:1C:3E:A5:4D
4 S ether5 ether 1500 1596 8154 04:F4:1C:3E:A5:4E
5 S ether6 ether 1500 1596 8154 04:F4:1C:3E:A5:4F
6 S ether7 ether 1500 1596 8154 04:F4:1C:3E:A5:50
7 S ether8 ether 1500 1596 8154 04:F4:1C:3E:A5:51
8 S sfp1 ether 1500 1596 8154 04:F4:1C:3E:A5:52
;;; defconf
9 R bridgeLocal bridge 1500 1596 04:F4:1C:3E:A5:4A
10 R lo loopback 65536 00:00:00:00:00:00
Flags: X - disabled; R - running
Script Error: failure: device already added as bridge port
[admin@MikroTik] >

First, looking at V2, good job!
Observations.

  1. The first issue I noticed was that you missed the NOT symbol in the firewall rule. --> !
    You put:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
   out-interface-list=WAN  src-address-list=SShark

I had written it:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
   out-interface-list=WAN  src-address-list=!SShark

In other words that first allow rule for internet traffic allows all LAN except those identified in the firewall address list to go out the local WAN. We use the rule after that for the wireguard users.

I don't see anything else that stands out.
Can you confirm that 162.252.172.57 and 149.154.159.92 were the DNS addresses
provided by surfshark?

  2. Since you are going out to a third party rule, it's often recommended to add a mangle rule, which I forgot to mention; it takes care of any MTU issues one may experience (smoother browsing).
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=surfshark protocol=tcp tcp-flags=syn tcp-mss=1381-65535

In the meantime I will see what else could be the issue.
The error you're showing makes no sense. I don't see anything that would cause it.

Yes. Here is the line directly from the config from surfshark with “Use this configuration with WireGuard client”

DNS = 162.252.172.57, 149.154.159.92

config_v3_no_keys.rsc (5.1 KB)
This is my new config file. Changes:

  1. src-address-list=!SShark
  2. added mangle command

>> The error you're showing makes no sense. I don't see anything that would cause it.

my understanding:

after resetting the router, there is already an interface of type "bridge".
but the script tries to add another interface of type "Bridge".

if I do a hard reset with the reset button, the message is: Script Error: failure: device already added as bridge port
if I do a reset with "/system reset-configuration no-defaults=yes", the message is: Script Error: failure: already have interface with such name

Not sure what you mean; once the config has been written, get rid of any script commands.
I always enter config manually, so not clear to me :)

I did the following steps:

  • Performed a hardware reset on the router using the front-side button
  • Ran the commands manually from the attached config_v4_no_keys.rsc script one by one (it includes the commands from your earlier post plus an initial “/export” to check the router status)
  • Collected and attached the logs from running those commands (see attached config_v4_log.txt)
  • Now I’m getting this error (as you can see in the log):

failure: device already added as bridge port

Any idea what might be causing it or how to fix it?

Thanks in advance!

config_v4_log.txt (3.7 KB)

config_v4_no_keys.rsc (5.1 KB)

The config as per your second attachment looks fine to me.
I will investigate if having two DNS forcings to two different addresses might cause an issue.

In the log, I don't understand why you are showing ether1 as a bridge port???