Good morning, and thank you in advance. I am having problems with a MikroTik router: I cannot access the local network behind it when I am connected through the WireGuard VPN. From the router itself I can reach both networks without any problem, the one created for WireGuard (192.168.153.0/24) and the LAN (192.168.53.0/24), as well as a NAS device on the LAN at .230. From outside, however, I cannot reach this NAS: I can ping the LAN gateway of the router (192.168.153.1), but I cannot reach the NAS. I have tried several configurations with routes and routing tables, as suggested in other threads, without success. The router configuration is copied below. Thank you so much.
# jun/06/2023 08:59:14 by RouterOS 7.9.2
# software id = H19H-HGSF
# model = RB2011UiAS-2HnD
# serial number = 608B05B5EE79
# Base interfaces: the LAN bridge, the 2.4 GHz access point, the WireGuard
# interface, the WAN/LAN interface lists, and the LAN DHCP pool and server.

# LAN bridge with a fixed MAC address (auto-mac=no).
/interface bridge
add admin-mac=E4:8D:8C:19:91:D6 auto-mac=no comment=defconf name=bridge
# wlan1 runs as an access point (mode=ap-bridge) with SSID MikroTik-Tesa.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=MikroTik-Tesa station-roaming=enabled wireless-protocol=802.11
# WireGuard interface listening on UDP 13231. No private key appears in this listing.
/interface wireguard
add listen-port=13231 name=wireguard
# Interface lists; the firewall, neighbor discovery and MAC-server settings refer to them by name.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Default wireless security profile: WPA2-PSK only. The passphrase is not shown in this listing.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# DHCP hands out 192.168.53.100-150 on the bridge with 10-minute leases.
# NOTE(review): the NAS at .230 mentioned in the question is outside this pool, so it is
# presumably statically addressed. Verify that its default gateway is 192.168.53.1;
# otherwise its replies to 192.168.153.x tunnel clients will not return through this router.
/ip pool
add name=dhcp ranges=192.168.53.100-192.168.53.150
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
# Bridge membership, discovery scope and interface-list membership.

# ether2-ether10, sfp1 and wlan1 are all ports of "bridge"; only ether1 stays outside it.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off on this router.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# List membership: bridge and wireguard are LAN, ether1 is WAN.
# NOTE(review): because wireguard is a member of LAN, every setting scoped to the LAN list
# (neighbor discovery above, the MAC-server settings, the commented-out-by-disable input
# drop rule) treats VPN peers exactly like wired LAN hosts. A separate list for the tunnel
# would allow tighter rules for remote peers.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard list=LAN
# VPN server settings: OpenVPN digest list and the WireGuard peer table.

# NOTE(review): sha1 and md5 are weak digests. No enabled=yes appears in this listing, so the
# OpenVPN server is presumably off; confirm, and restrict the digest list before ever enabling it.
/interface ovpn-server server
set auth=sha1,md5
# WireGuard peers. allowed-address controls both which source addresses are accepted from a
# peer and which destinations routed into the tunnel are sent to that peer.
# NOTE(review): the first peer has no comment and allowed-address=0.0.0.0/0. It may send
# packets with any source address, and any tunnel-bound destination not covered by a more
# specific peer entry goes to it. Narrow it to that peer's tunnel /32 unless it is
# deliberately a site gateway, and label it so it can be audited.
# NOTE(review): Laptop-Jorge also lists 192.168.53.0/24, which is this router's own LAN.
# On the router side a roaming client normally needs only its tunnel /32; the LAN subnet
# belongs in the client's own allowed-address list, not here.
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wireguard public-key="tIrWRkeo3HMun91OoGXnJkrKEUD649wtcZlYqC1udmI="
add allowed-address=192.168.153.2/32 comment="iPhone Jorge" interface=wireguard public-key="6u7uETfSOgsMuDi22hBqLCWbPNq5OP3jWttfbh7pgXA="
add allowed-address=192.168.153.3/32,192.168.53.0/24 comment=Laptop-Jorge interface=wireguard public-key="VUyWjOpCV/Sd087UNcHmctgJ7XeOLmU6Srp7ESD0KBo="
add allowed-address=192.168.153.4/32 comment=Veeam-Proima interface=wireguard public-key="eSidaeF7pXqWuufe60orc1E87IVVU0XsT1ZWx7wy1EQ="
# Layer-3 addressing, DDNS, DHCP network options and DNS.

# Router addresses: LAN 192.168.53.1/24, uplink 192.168.20.2/24, tunnel 192.168.153.1/24.
# NOTE(review): the LAN address is assigned to ether2, but ether2 is a port of "bridge"
# (see /interface bridge port) and the DHCP server is bound to bridge. An address on a
# bridge slave port is a known source of forwarding problems; it should sit on the bridge
# itself. This is a likely contributor to the symptom described in the question.
/ip address
add address=192.168.53.1/24 comment=defconf interface=ether2 network=192.168.53.0
add address=192.168.20.2/24 interface=ether1 network=192.168.20.0
add address=192.168.153.1/24 interface=wireguard network=192.168.153.0
# MikroTik cloud DDNS is enabled.
# NOTE(review): ether1 has a private static address, so this router presumably sits behind
# another router that must forward UDP 13231 to it; confirm.
/ip cloud
set ddns-enabled=yes
# The DHCP client on ether1 is disabled; the uplink address above is static.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# DHCP clients on the LAN receive 192.168.53.1 as their gateway.
/ip dhcp-server network
add address=192.168.53.0/24 comment=defconf gateway=192.168.53.1 netmask=24
# The router answers DNS queries from other hosts and forwards to 8.8.8.8 / 8.8.4.4.
# NOTE(review): allow-remote-requests=yes exposes port 53 on every interface the input chain
# does not block. The final input drop rule in /ip firewall filter is disabled in this
# configuration, so the resolver is also reachable from ether1.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.53.1 name=router.lan
# Firewall filter and NAT. Rules are evaluated top to bottom within each chain, so their
# order is part of the behaviour.
/ip firewall filter
# Forward chain, first rule: established/related connections are fasttracked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
# Input: accept WireGuard handshakes and data on UDP 13231 from any source.
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
# Input: accept anything whose source address is in the tunnel subnet.
# NOTE(review): this matches on source address only. Adding in-interface=wireguard would tie
# the rule to the tunnel, so a packet arriving on another interface with a 192.168.153.x
# source is not accepted by it.
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.153.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NOTE(review): this rule is disabled=yes, so the input chain ends without a drop and
# unmatched packets to the router are accepted. Whatever management services are enabled
# (not shown in this listing) and the DNS resolver are therefore reachable from ether1.
# Re-enable it; the two WireGuard accept rules above already sit ahead of it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
# Forward: the only drop rules are for invalid packets and for new, non-DSTNATed connections
# arriving from WAN. Nothing in this listing blocks wireguard -> bridge traffic, so the
# filter does not look like the cause of the unreachable NAS.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT applies only to traffic leaving through WAN. Tunnel clients therefore reach LAN
# hosts with their 192.168.153.x source address, and the LAN host needs a return path via
# 192.168.53.1 (presumably its default gateway; verify on the NAS).
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Static routes, routing rule and remaining system settings.

# Default route via the upstream router at 192.168.20.1.
# NOTE(review): the next two routes send the LAN subnet to the router's own WireGuard address
# and the tunnel subnet to the router's own LAN address. Both subnets are directly connected
# (see /ip address), so connected routes already exist and these entries only point the
# router at itself. They look like leftovers from troubleshooting and can be removed.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.20.1
add dst-address=192.168.53.0/24 gateway=192.168.153.1
add dst-address=192.168.153.0/24 gateway=192.168.53.1
# Forces lookups for 192.168.53.0/24 to use only the main table.
# NOTE(review): no other routing table appears in this listing, so this rule presumably
# changes nothing; confirm before keeping it.
/routing rule
add action=lookup-only-in-table dst-address=192.168.53.0/24 table=main
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
# MAC-Telnet and MAC-Winbox are limited to the LAN interface list, which in this
# configuration also contains the wireguard interface.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN