No WAN access via Wireguard

Hi there,

My apologies if this has been discussed before, but I couldn’t find a solution scrolling through all Wireguard topics.

Here is my problem. I’ve created a Wireguard tunnel from an Android phone to a hAP ac3 router, which is also the WAN gateway. I can connect with the Mikrotik app to the router and to two other Mikrotiks working as wireless extenders in the same LAN by their local IP addresses via Wireguard (even though the app won’t discover them). However, I have no Internet access on the phone via Wireguard.

My configuration is very basic.

In the phone in a Peer section I set allowed IP to 0.0.0.0/0 and the endpoint is Mikrotik’s DDNS address. In the Interface section, I have set the address to 10.180.5.2/24 and DNS servers to 8.8.8.8 and 10.80.5.1, which is the address of the Wireguard server in Mikrotik.

In the router I’ve only added a couple of firewall rules related to Wireguard to the default config (below) and added the Wireguard interface to the LAN list.

Please let me know what I’m doing wrong. Thanks!

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; allow WireGuard
chain=input action=accept protocol=udp dst-port=13231 log=no
log-prefix=""

3 ;;; allow Wireguard traffic
chain=forward action=accept src-address=10.180.5.0/24 log=no
log-prefix=""

4 ;;; allow IPsec NAT
chain=input action=accept protocol=udp dst-port=4500

5 ;;; allow IKE
chain=input action=accept protocol=udp dst-port=500

6 ;;; allow l2tp

7 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid in-interface-list=WAN
log=no log-prefix=""

8 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

9 X ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

10 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

11 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

12 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

13 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes
connection-state=established,related

14 ;;; defconf: accept established,related, untracked
chain=forward action=accept
connection-state=established,related,untracked

15 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

16 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface-list=WAN

Sorry, I don't read snippets.
Please post the config:
/export file=anynameyouwish ( minus router serial #, any public WAN IP information, keys etc. )

Sure. Here is the full config sans serial number and access list.
Thanks!

# 2023-08-23 11:11:32 by RouterOS 7.11
# software id = HCKX-M4JR
#
# model = RBD53iG-5HacD2HnD
# serial number =
/interface bridge
add admin-mac=18:FD:74:2C:4D:53 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-g/n channel-width=20/40mhz-XX country=canada \
    default-authentication=no disabled=no frequency=auto hw-protection-mode=\
    rts-cts hw-protection-threshold=256 mode=ap-bridge name=2.4G ssid=E2500 \
    wireless-protocol=unspecified wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=canada \
    default-authentication=no disabled=no distance=indoors frequency=5220 \
    hw-protection-mode=rts-cts hw-protection-threshold=256 mode=ap-bridge \
    name=5G ssid=E2500-5 wireless-protocol=unspecified wmm-support=enabled \
    wps-mode=disabled
/interface wireless nstreme
set "2.4G" enable-polling=no
set "5G" enable-polling=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.89.3-192.168.89.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4G
add bridge=bridge comment=defconf interface=5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=5G list=LAN
add interface=2.4G list=LAN
/interface wireguard peers
add allowed-address=10.180.5.2/32 interface=wireguard1 persistent-keepalive=\
    25s public-key="..."
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=\
    192.168.89.0
add address=10.180.5.1/24 interface=wireguard1 network=10.180.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:54:a0:50:d3:d2:bf mac-address=\
    54:A0:50:D3:D2:BF server=defconf
add address=192.168.89.233 client-id=1:b0:73:9c:81:e6:b7 mac-address=\
    B0:73:9C:81:E6:B7 server=defconf
add address=192.168.89.229 client-id=1:74:4d:28:45:e1:53 mac-address=\
    74:4D:28:45:E1:53 server=defconf
add address=192.168.89.223 client-id=1:d4:ca:6d:cc:5e:8a mac-address=\
    D4:CA:6D:CC:5E:8A server=defconf
add address=192.168.89.237 client-id=1:d4:53:83:df:e3:b mac-address=\
    D4:53:83:DF:E3:0B server=defconf
/ip dhcp-server network
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
    192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=forward comment="allow Wireguard traffic" \
    src-address=10.180.5.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Toronto
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
add address=time.google.com
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no ping-timeout=5m watch-address=1.1.1.1
/tool graphing interface
add interface=bridge store-on-disk=no
add interface=bridge
add interface=5G
add interface=2.4G
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=bridge name=tmon1 traffic=received

(1) Unless you need this for something, I recommend setting it to NONE.
/interface detect-internet
set detect-interface-list=WAN

(2) Since the Bridge encompasses the ports… the interface list members need only be…
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN

(3) Your Wireguard IP settings are wrong. There is no keepalive setting on the server; it's only a setting used on the client devices.
I thought you had:
/interface wireguard peers
add allowed-address=10.180.5.2/32 interface=wireguard1 endpoint=XXXXXX endpoint-port=13231 public-key="..." comment="Android phone"

(4) Your firewall rules are mixed up between forward chain and input chain, much better to organize them together…

(5) If you are not using IPv6, then simply disable it altogether; if you are using IPv6, I'll leave it alone, as I have no knowledge of it. :)

(6) Set this to NONE, it's not secure:
/tool mac-server
set allowed-interface-list=LAN

(7) Change your forward chain rules so they are clearer.

{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG access" in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { remove or disable if not required }
add action=drop chain=forward comment="drop all else"

++++++++++++++++++++++++++++++++++++++++++

Android device:
Interface settings: IP address=10.180.5.2/32
Peer settings: allowed IPs=0.0.0.0/0 endpoint=mynetname.net endpoint port=13231, persistent keepalive=35sec public key=","

I’ve made pretty much all the changes you’ve suggested. The firewall forward chain rules have been modified and rearranged. The old rules are still there but disabled. However, Internet access via Wireguard is still not working…

Please take a look at the new config below.

Thanks!

# 2023-08-23 23:21:52 by RouterOS 7.11
# software id = HCKX-M4JR
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=18:FD:74:2C:4D:53 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-g/n channel-width=20/40mhz-XX country=canada \
    default-authentication=no disabled=no frequency=auto hw-protection-mode=\
    rts-cts hw-protection-threshold=256 mode=ap-bridge name=2.4G ssid=E2500 \
    wireless-protocol=unspecified wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=canada \
    default-authentication=no disabled=no distance=indoors frequency=5220 \
    hw-protection-mode=rts-cts hw-protection-threshold=256 mode=ap-bridge \
    name=5G ssid=E2500-5 wireless-protocol=unspecified wmm-support=enabled \
    wps-mode=disabled
/interface wireless nstreme
set "2.4G" enable-polling=no
set "5G" enable-polling=no
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.89.3-192.168.89.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4G
add bridge=bridge comment=defconf interface=5G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.180.5.2/32 comment=S10E endpoint-port=13231 interface=\
    wireguard1 public-key="so65RnZTA4+bM0oQ+oWmqJM1s3c51c5xYejnUm06ZUk="
/ip address
add address=192.168.89.1/24 comment=defconf interface=bridge network=\
    192.168.89.0
add address=10.180.5.1/24 interface=wireguard1 network=10.180.5.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.89.253 client-id=1:54:a0:50:d3:d2:bf mac-address=\
    54:A0:50:D3:D2:BF server=defconf
add address=192.168.89.233 client-id=1:b0:73:9c:81:e6:b7 mac-address=\
    B0:73:9C:81:E6:B7 server=defconf
add address=192.168.89.229 client-id=1:74:4d:28:45:e1:53 mac-address=\
    74:4D:28:45:E1:53 server=defconf
add address=192.168.89.223 client-id=1:d4:ca:6d:cc:5e:8a mac-address=\
    D4:CA:6D:CC:5E:8A server=defconf
add address=192.168.89.237 client-id=1:d4:53:83:df:e3:b mac-address=\
    D4:53:83:DF:E3:0B server=defconf
/ip dhcp-server network
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
    192.168.89.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add chain=forward comment="WG access" in-interface=wireguard1 \
    out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward comment="allow Wireguard traffic" \
    src-address=10.180.5.0/24
add action=drop chain=forward comment="drop all else"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=vpn
/system clock
set time-zone-name=America/Toronto
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
add address=time.google.com
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no ping-timeout=5m watch-address=1.1.1.1
/tool graphing interface
add interface=bridge store-on-disk=no
add interface=bridge
add interface=5G
add interface=2.4G
add interface=ether1
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool traffic-monitor
add interface=bridge name=tmon1 traffic=received

logging - logging - logging

Enable logging on any rule that has a "drop" in there, and filter for your endpoint 10.180.5.2/32.
There has to be some trace of a rule that seems to stop your packets from going out.

You didn't remove the detect-internet list=WAN.
You modified both tool mac-server mac-winbox and tool mac-server when I said to modify just tool mac-server!
Fix those for testing…

++++++++++++++++++++++++++++++++++++
Also Try the following.
Disable the static DNS line you have and add a server
/ip dns static
add address=192.168.89.1 comment=defconf name=router.lan

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

++++++++++++++++++++++++++++++++++++++++++++++++++++

This I do not understand; disable it for now. Why do you have a VPN range set to the bridge range??
add name=vpn ranges=192.168.89.2-192.168.89.255

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I don't get what you are doing. Why is there PPP on the bridge LAN??

I suggest you separate the normal bridge LAN and whatever VPN or PPP you are doing, for whatever reason unknown.
PUT IT on another subnet.

All done. As for vpn and PPP, I believe the pool gets automatically created when “vpn” option is checked in quick control panel in Winbox. I didn’t set it up manually. Anyways, it’s been deleted now.

But, still, no Internet…

  1. Confirm you get a handshake, the input chain rule increases by 1.
  2. Confirm you can access the Router from the android, for config purposes.
  3. Confirm you have a public IP address on the WAN.

  1. Yes, I get a handshake. Not sure what you mean by the input chain rule increase, sorry.
  2. Yes, I can access all the devices in the local network. As a matter of fact, all the changes you have suggested were made from the Mikrotik app on Android over the Wireguard tunnel from afar.
  3. Yes, the router is connected directly to the cable modem and I have a public IP 135…

Suggest maybe it's something on the Android phone that's preventing internet access…???

Problem solved. All it needed was a working srcnat masquerade rule with the Wireguard subnet. For whatever reason, creating it via the terminal or through the Winbox GUI didn’t work, but copying the existing rule and changing the subnet afterward worked just fine. Yet another RouterOS 7 bug, I guess.

That is why I have such separate masq-rules for anything that needs to go out on the Internet coming from e.g. a Wireguard or ZeroTier "zone".
So at least this gives me logging & counters in case certain things do not work, and it might be easier to "pick up" along the way.

Sorry, but this does not compute.
There is no requirement for a specific or separate sourcenat of wireguard in this situation.
The standard default SourceNAT rule applies just fine! The wireguard traffic will be routed out the wireguard tunnel because the hAP ac3 is aware of the subnet and interface.
I do understand the logging of wireguard traffic, but that is optional and not necessary.

For the OP, where it is necessary is often the reverse case: when sending users from a local subnet on the MT out to a third-party Wireguard VPN provider, where they only give you one IP address, and thus we sourcenat all wireguard traffic to that IP address.

If you mean coming in on android and going out the WAN of the Mikrotik, then that is a valid assertion that masquerade needs to be done as per any user behind the hAP ac3.
Why I am confused is because your config contains the following..

a. add interface=wireguard1 list=LAN { Thus any rules pertaining to LAN also apply to Wireguard incoming users… }
b. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN { Allows wg users to access dns of router }
c. add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN { allows wg users access to local WAN }

FRIG, NO WONDER. I missed this slight nuance, but the reason… WHY DID YOU DISABLE THIS???
d. /ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN

So, the problem was a config error the whole time, sorry I didn't see that… Another reason why I personally don't like folks that keep disabled rules hanging around.
A clean config means errors are found easily.

++++++++++++++++++
As an aside: if you never got rid of this rule, it's no longer required:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
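
As an added illustration (not code from the thread, from RouterOS or from either poster), here is a small Python model of the forward chain laid out in point (7) above and of the two srcnat rules in the posted export. It shows why the phone reached the LAN but not the Internet until the defconf masquerade rule was enabled, and why the wired LAN hosts never noticed: the "masq. vpn traffic" rule covers 192.168.89.0/24 but not 10.180.5.0/24. The WAN address 203.0.113.7, the LAN host 192.168.89.20 and the outside host 198.51.100.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Interface lists as in the posted export: wireguard1 was added to LAN.
IFACE_LISTS = {"LAN": {"bridge", "wireguard1"}, "WAN": {"ether1"}}
WAN_IP = "203.0.113.7"  # constructed stand-in for the real public address on ether1

@dataclass
class Packet:
    src: str
    in_iface: str
    out_iface: str
    conn_state: str = "new"   # new / established / related / untracked / invalid
    nat_state: str = "none"   # none / dstnat

def _in_list(iface, spec):
    # Interface-list matcher; a leading '!' negates, as in RouterOS.
    return (iface in IFACE_LISTS[spec.lstrip("!")]) != spec.startswith("!")

def matches(rule, pkt):
    """True when every matcher present on the rule matches the packet."""
    for key, want in rule.items():
        if key in ("action", "comment", "disabled"):
            continue
        if key == "in-interface-list" and not _in_list(pkt.in_iface, want):
            return False
        if key == "out-interface-list" and not _in_list(pkt.out_iface, want):
            return False
        if key == "in-interface" and pkt.in_iface != want:
            return False
        if key == "connection-state" and pkt.conn_state not in want.split(","):
            return False
        if key == "connection-nat-state" and \
                (pkt.nat_state == want.lstrip("!")) == want.startswith("!"):
            return False
        if key == "src-address" and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(want):
            return False
    return True

# Forward chain as rearranged in point (7) above, minus the two ipsec rules.
FORWARD = [
    {"action": "fasttrack-connection", "comment": "defconf: fasttrack",
     "connection-state": "established,related"},
    {"action": "accept", "comment": "defconf: accept established,related,untracked",
     "connection-state": "established,related,untracked"},
    {"action": "drop", "comment": "defconf: drop invalid", "connection-state": "invalid"},
    {"action": "accept", "comment": "allow internet traffic",
     "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "accept", "comment": "WG access",
     "in-interface": "wireguard1", "out-interface-list": "LAN"},
    {"action": "accept", "comment": "port forwarding", "connection-nat-state": "dstnat"},
    {"action": "drop", "comment": "drop all else"},
]

def srcnat_rules(defconf_masq_enabled):
    """The two srcnat rules from the export; the defconf one was disabled."""
    return [
        {"action": "masquerade", "comment": "defconf: masquerade",
         "disabled": not defconf_masq_enabled, "out-interface-list": "WAN"},
        {"action": "masquerade", "comment": "masq. vpn traffic",
         "src-address": "192.168.89.0/24"},
    ]

def run_filter(rules, pkt):
    """First match wins; fasttrack-connection only marks and lets the packet continue."""
    for rule in rules:
        if rule.get("disabled") or not matches(rule, pkt):
            continue
        if rule["action"] != "fasttrack-connection":
            return rule["action"], rule["comment"]
    return "accept", "(end of chain)"  # RouterOS default when nothing matches

def run_srcnat(rules, pkt):
    # Source address the packet leaves with after the srcnat chain.
    for rule in rules:
        if not rule.get("disabled") and matches(rule, pkt):
            return WAN_IP if rule["action"] == "masquerade" else pkt.src
    return pkt.src

def egress(pkt, defconf_masq_enabled):
    """Returns (verdict, matched comment, source after NAT, reply can route back)."""
    verdict, why = run_filter(FORWARD, pkt)
    if verdict != "accept":
        return verdict, why, None, False
    src = run_srcnat(srcnat_rules(defconf_masq_enabled), pkt)
    # Leaving ether1 with an unrewritten private source means no reply ever returns.
    return verdict, why, src, src == WAN_IP or pkt.out_iface not in IFACE_LISTS["WAN"]

def scenarios():
    """The cases from the thread; the LAN host and the outside host are constructed."""
    wg_out = Packet("10.180.5.2", "wireguard1", "ether1")     # phone -> Internet
    lan_out = Packet("192.168.89.20", "bridge", "ether1")     # wired host -> Internet
    wg_lan = Packet("10.180.5.2", "wireguard1", "bridge")     # phone -> LAN device
    wan_new = Packet("198.51.100.9", "ether1", "bridge")      # unsolicited from WAN
    return {
        "wg->internet, masq disabled (as posted)": egress(wg_out, False),
        "wg->internet, masq enabled": egress(wg_out, True),
        "lan->internet, masq disabled": egress(lan_out, False),
        "wg->lan": egress(wg_lan, False),
        "wan->lan unsolicited": egress(wan_new, False),
    }
```

Running `scenarios()` shows the phone's packet is accepted by "allow internet traffic" in both cases; only the source address after srcnat differs, which is exactly the symptom of a tunnel that can reach the router but not the Internet.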

I did not disable anything other than what you had suggested. This is part of the defconf (yes, I know it’s a bad practice not to erase everything and start from scratch), so it is disabled by default. The new RouterOS v7.12 B3 doesn’t even have this rule at all.

Thank you very much for your effort though!

Yup, the main thing is it's fixed now and working?
I have never had a sourcenat rule disabled by default??
In any case, something to watch out for down the line.

Nobody mentions this option, but for me it was the one that was missing.
I was going crazy trying to solve the same problem.
Thank you for sharing the solution!

Doh, I have got stuck with the same problem now, and my lack of understanding of how firewall + NAT rules work is really holding me back.

@anav, I would highly appreciate it if you could please help me figure out what I am missing?
I connect from iOS via the wireguard tunnel just fine, I can navigate my LAN’s subnet 192.168.88.0, get access to the mikrotik gateway on 192.168.88.1 and access some of the locally hosted services. But no external access to the WAN internet.

# 2024-06-09 18:06:15 by RouterOS 7.15
# software id = 63WL-9G9C
#
# model = RB2011UiAS-2HnD
# serial number = 467304B1DBAF
/caps-man channel
add control-channel-width=20mhz extension-channel=Ce frequency=2442 name=\
    channel2G tx-power=13
add extension-channel=Ce frequency=5180 name=channel5G tx-power=13
/interface bridge
add admin-mac=4C:5E:0C:43:D6:3E auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(9dBm), SSID: WiFi, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=sweden distance=indoors installation=indoor mode=ap-bridge ssid=\
    "The Apartment" station-roaming=enabled wireless-protocol=802.11
/interface wireguard
add listen-port=33333 mtu=1420 name=wireguard
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes name=datapath2G
add bridge=bridge client-to-client-forwarding=yes name=datapath5G
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
    group-encryption=aes-ccm name="Security config 2G"
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip \
    group-encryption=aes-ccm name="Security config 5G"
/caps-man configuration
add channel=channel2G channel.band=2ghz-b/g/n country=sweden datapath=\
    datapath2G mode=ap name=cfg2G rx-chains=0,1,2,3 security=\
    "Security config 2G" ssid="WiFi" tx-chains=0,1,2,3
add channel=channel5G channel.band=5ghz-onlyn country=sweden datapath=\
    datapath5G mode=ap name=cfg5G rx-chains=0,1,2,3 security=\
    "Security config 5G" ssid=WiFi5 tx-chains=0,1,2,3
add channel.band=5ghz-n/ac .control-channel-width=20mhz .extension-channel=\
    XXXX country=sweden datapath.client-to-client-forwarding=yes \
    .local-forwarding=yes name=cfg-5ghz-ac security="Security config 5G"
add channel.band=5ghz-onlyn .control-channel-width=20mhz .extension-channel=\
    XX country=sweden datapath.client-to-client-forwarding=yes \
    .local-forwarding=yes name=cfg-5ghz-an security="Security config 5G"
/caps-man interface
add channel=channel5G configuration=cfg5G configuration.mode=ap datapath=\
    datapath5G disabled=no mac-address=00:00:00:00:00:00 master-interface=\
    none name=capsman radio-mac=00:00:00:00:00:00 radio-name="" security=\
    "Security config 5G"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-script="# DNS TTL to set for DNS \
    entries\
    \n:local dnsttl \"00:15:00\";\
    \n\
    \n###\
    \n# Script entry point\
    \n#\
    \n# Expected environment variables:\
    \n# leaseBound         1 = lease bound, 0 = lease removed\
    \n# leaseServerName    Name of DHCP server\
    \n# leaseActIP         IP address of DHCP client\
    \n#leaseActMAC      MAC address of DHCP client\
    \n###\
    \n\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\
    ssing host names\
    \n:local ip2Host do=\\\
    \n{\
    \n  :local outStr\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\
    \n  {\
    \n    :local tmp [:pick \$inStr \$i];\
    \n    :if (\$tmp =\".\") do=\\\
    \n    {\
    \n      :set tmp \"-\"\
    \n    }\
    \n    :set outStr (\$outStr . \$tmp)\
    \n  }\
    \n  :return \$outStr\
    \n}\
    \n\
    \n:local mapHostName do={\
    \n# param: name\
    \n# max length = 63\
    \n# allowed chars a-z,0-9,-\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\
    \n  :local numChars [:len \$name];\
    \n  :if (\$numChars > 63) do={:set numChars 63};\
    \n  :local result \"\";\
    \n\
    \n  :for i from=0 to=(\$numChars - 1) do={\
    \n    :local char [:pick \$name \$i];\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\
    \n    :set result (\$result . \$char);\
    \n  }\
    \n  :return \$result;\
    \n}\
    \n\
    \n:local lowerCase do={\
    \n# param: entry\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\
    \n  :local result \"\";\
    \n  :for i from=0 to=([:len \$entry] - 1) do={\
    \n    :local char [:pick \$entry \$i];\
    \n    :local pos [:find \$upper \$char];\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\
    \n    :set result (\$result . \$char);\
    \n  }\
    \n  :return \$result;\
    \n}\
    \n\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\
    \n{\
    \n  :log error \"\$LogPrefix: empty lease address\"\
    \n  :error \"empty lease address\"\
    \n}\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  # new DHCP lease added\
    \n  /ip dhcp-server\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  :log info \"\$LogPrefix: DNS domain is \$domain\"\
    \n\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
    leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\
    \n\
    \n #Hostname cleanup\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\
    nerated host name '\$hostname'\"\
    \n  }\
    \n  :set hostname [\$lowerCase entry=\$hostname]\
    \n  :set hostname [\$mapHostName name=\$hostname]\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\
    \n\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\
    not create static DNS name\"\
    \n    :error \"Empty domainname for '\$leaseActIP'\"\
    \n  }\
    \n\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\
    \n\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
    AC and server=\$leaseServerName] 0] ]) do={\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\
    \n      :do {\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
    \_comment=\$token;\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns r\
    egistration of \$fqdn with \$leaseActIP\"}\
    \n    }\
    \n\
    \n} else={\
    \n# DHCP lease removed\
    \n  /ip dns static remove [find comment=\$token];\
    \n}\
    \n" lease-time=10m name=DhcpWithScript
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
set *0 interface-list=LAN
set *FFFFFFFE interface-list=LAN
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg2G
add action=create-dynamic-enabled hw-supported-modes=an,ac \
    master-configuration=cfg5G
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256-cbc default-profile=\
    default-encryption enabled=yes port=9606 require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.87.2/24 comment="ilja macbook" interface=\
    wireguard name=peer1 public-key=\
    "snMBiNdXULctRPfQFiXq7ylrOPzsOGY6y60QUcM/tkU="
add allowed-address=192.168.87.3/24 comment="ilja iPhone 12Pro" \
    endpoint-port=33333 interface=wireguard name=peer2 public-key=\
    "AgfQTMgy1PDoKewb4hOE8BtiD/3xZ5DoKXYTzfGuZg8="
/interface wireless cap
#
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge \
    enabled=yes interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=87.96.165.183/25 interface=ether1 network=87.96.165.128
add address=192.168.87.1/24 comment=wireguard interface=wireguard network=\
    192.168.87.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.88.21 comment="manually added" name=iphone-ll
/ip firewall address-list
add address=467304b1dbaf.sn.mynetname.net comment="IP-Cloud feature" list=\
    WAN-IP
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow WireGuard VPN to enter local network" dst-port=33333 protocol=udp
add action=accept chain=input comment="Allow OpenVPN" dst-port=9606 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow Wireguard traffic" disabled=\
    yes src-address=192.168.87.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
    192.168.88.0/24 protocol=tcp src-address=192.168.88.0/24 to-addresses=\
    192.168.88.10
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Traefik HTTP" dst-address-type="" \
    dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.5 \
    to-ports=9080
add action=dst-nat chain=dstnat comment="Traefik HTTPS" dst-address-type=\
    local dst-port=443 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.88.5 to-ports=9443
add action=dst-nat chain=dstnat comment="Hairpin - Traefik HTTP" \
    dst-address-list=WAN-IP dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.88.5 to-ports=9080
add action=dst-nat chain=dstnat comment="Hairpin - Traefik HTTPS" \
    dst-address-list=WAN-IP dst-address-type=local dst-port=443 protocol=tcp \
    to-addresses=192.168.88.5 to-ports=9443
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=9606 in-interface=\
    ether1 log-prefix=openvpn protocol=tcp to-addresses=192.168.88.1
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=tcp \
    to-ports=53
add action=redirect chain=dstnat comment=DNS dst-port=53 protocol=udp \
    to-ports=53
/ip service
set www port=82
set www-ssl certificate=*7
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set always-allow-password-login=yes
/lcd interface pages
set 0 interfaces=wlan1
/ppp secret
add comment="Ilja's OpenVPN" local-address=192.168.88.1 name=leikoilja \
    profile=default-encryption remote-address=192.168.88.151 service=ovpn
add comment="Jess OpenVPN" local-address=192.168.88.1 name=jess profile=\
    default-encryption remote-address=192.168.88.152 service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="MikroTik Hub"
/system note
set show-at-login=no
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
# Warning: cpu not running at default frequency
set auto-upgrade=yes cpu-frequency=700MHz silent-boot=yes
/system script
add comment=\
    "from https://www.ctrl.blog/entry/routeros-dhcp-lease-script.html" \
    dont-require-permissions=no name="DHCP to DNS" owner=leikoilja policy=\
    ftp,read,write,policy,test,password,sniff,sensitive,romon source="# DNS TT\
    L to set for DNS entries\
    \n:local dnsttl \"00:15:00\";\
    \n\
    \n###\
    \n# Script entry point\
    \n#\
    \n# Expected environment variables:\
    \n# leaseBound         1 = lease bound, 0 = lease removed\
    \n# leaseServerName    Name of DHCP server\
    \n# leaseActIP         IP address of DHCP client\
    \n#leaseActMAC      MAC address of DHCP client\
    \n###\
    \n\
    \n:local leaseServerName \"DhcpWithScript\"\
    \n\
    \n\
    \n# \"a.b.c.d\" -> \"a-b-c-d\" for IP addresses used as replacement for mi\
    ssing host names\
    \n:local ip2Host do=\\\
    \n{\
    \n  :local outStr\
    \n  :for i from=0 to=([:len \$inStr] - 1) do=\\\
    \n  {\
    \n    :local tmp [:pick \$inStr \$i];\
    \n    :if (\$tmp =\".\") do=\\\
    \n    {\
    \n      :set tmp \"-\"\
    \n    }\
    \n    :set outStr (\$outStr . \$tmp)\
    \n  }\
    \n  :return \$outStr\
    \n}\
    \n\
    \n:local mapHostName do={\
    \n# param: name\
    \n# max length = 63\
    \n# allowed chars a-z,0-9,-\
    \n  :local allowedChars \"abcdefghijklmnopqrstuvwxyz0123456789-\";\
    \n  :local numChars [:len \$name];\
    \n  :if (\$numChars > 63) do={:set numChars 63};\
    \n  :local result \"\";\
    \n\
    \n  :for i from=0 to=(\$numChars - 1) do={\
    \n    :local char [:pick \$name \$i];\
    \n    :if ([:find \$allowedChars \$char] < 0) do={:set char \"-\"};\
    \n    :set result (\$result . \$char);\
    \n  }\
    \n  :return \$result;\
    \n}\
    \n\
    \n:local lowerCase do={\
    \n# param: entry\
    \n  :local lower \"abcdefghijklmnopqrstuvwxyz\";\
    \n  :local upper \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\";\
    \n  :local result \"\";\
    \n  :for i from=0 to=([:len \$entry] - 1) do={\
    \n    :local char [:pick \$entry \$i];\
    \n    :local pos [:find \$upper \$char];\
    \n    :if (\$pos > -1) do={:set char [:pick \$lower \$pos]};\
    \n    :set result (\$result . \$char);\
    \n  }\
    \n  :return \$result;\
    \n}\
    \n\
    \n:local token \"\$leaseServerName-\$leaseActMAC\";\
    \n:local LogPrefix \"DHCP2DNS (\$leaseServerName)\"\
    \n\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do=\\\
    \n{\
    \n  :log error \"\$LogPrefix: empty lease address\"\
    \n  :error \"empty lease address\"\
    \n}\
    \n\
    \n:if ( \$leaseBound = 1 ) do=\\\
    \n{\
    \n  # new DHCP lease added\
    \n  /ip dhcp-server\
    \n  #:local dnsttl [ get [ find name=\$leaseServerName ] lease-time ]\
    \n  network\
    \n  :local domain [ get [ find \$leaseActIP in address ] domain ]\
    \n  #:log info \"\$LogPrefix: DNS domain is \$domain\"\
    \n\
    \n  :local hostname [/ip dhcp-server lease get [:pick [find mac-address=\$\
    leaseActMAC and server=\$leaseServerName] 0] value-name=host-name]\
    \n  #:log info \"\$LogPrefix: DHCP hostname is \$hostname\"\
    \n\
    \n #Hostname cleanup\
    \n  :if ( [ :len \$hostname ] <= 0 ) do=\\\
    \n  {\
    \n    :set hostname [ \$ip2Host inStr=\$leaseActIP ]\
    \n    :log info \"\$LogPrefix: Empty hostname for '\$leaseActIP', using ge\
    nerated host name '\$hostname'\"\
    \n  }\
    \n  :set hostname [\$lowerCase entry=\$hostname]\
    \n  :set hostname [\$mapHostName name=\$hostname]\
    \n  #:log info \"\$LogPrefix: Clean hostname for FQDN is \$hostname\";\
    \n\
    \n  :if ( [ :len \$domain ] <= 0 ) do=\\\
    \n  {\
    \n    :log warning \"\$LogPrefix: Empty domainname for '\$leaseActIP', can\
    not create static DNS name\"\
    \n    :error \"Empty domainname for '\$leaseActIP'\"\
    \n  }\
    \n\
    \n  :local fqdn (\$hostname . \".\" .  \$domain)\
    \n  #:log info \"\$LogPrefix: FQDN for DNS is \$fqdn\"\
    \n\
    \n    :if ([/ip dhcp-server lease get [:pick [find mac-address=\$leaseActM\
    AC and server=\$leaseServerName] 0] ]) do={\
    \n      # :log info message=\"\$LogPrefix: \$leaseActMAC -> \$hostname\"\
    \n      :do {\
    \n        /ip dns static add address=\$leaseActIP name=\$fqdn ttl=\$dnsttl\
    \_comment=\$token;\
    \n      } on-error={:log error message=\"\$LogPrefix: Failure during dns r\
    egistration of \$fqdn with \$leaseActIP\"}\
    \n    }\
    \n\
    \n} else={\
    \n# DHCP lease removed\
    \n  /ip dns static remove [find comment=\$token];\
    \n}\
    \n\
    \n"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
add name=homeassistant policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,\
    !write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"

If the MikroTik device is the Server Peer (the one with the public IP), sourcenat for WireGuard is not required if your WireGuard interface is made part of the LAN interface list, which it should be.

  • In this regard, LAN devices including WireGuard get access to DNS services on the input chain.
  • LAN devices get access to WAN in the forward chain.
  • If you need access to config the router, then you also need an input chain rule for that........
  • NO sourcenat rule is required because you are already sourcenatting all traffic out the main WAN.

IF you are sending users from the LAN out of the router to a third-party server, then yes, typically one needs to sourcenat such traffic to the IP address given to you by the provider so that all traffic from users on any LAN looks like it's coming from one IP address.

@leik., will have a look.

  1. Suggest setting this to none.
    /interface detect-internet
    set detect-interface-list=all

  2. Why is this setting included in your peer 2 ?? Remove it.
    endpoint-port=33333

  3. Forward chain rules … modify too.

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG to LAN" in-interface=wireguard dst-address=192.168.88.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


4. Fix Port Forwarding rules: you have the wrong format and some duplicates, and I modified the hairpin as well.
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Traefik HTTP" dst-address-list=WAN-IP dst-port=80 protocol=tcp to-addresses=192.168.88.5 to-ports=9080
add action=dst-nat chain=dstnat comment="Traefik HTTPS" dst-address-list=WAN-IP dst-port=443 protocol=tcp to-addresses=192.168.88.5 to-ports=9443

Are you sure OpenVPN should be sent to 192.168.88.1 ???
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=9606 dst-address-list=WAN-IP log-prefix=openvpn protocol=tcp to-addresses=192.168.88.1 ???


The DST REDIRECT RULES for port 53 are removed for troubleshooting for now.
Why did you do it; what is the requirement or use case you are trying to achieve ???

  5. Using www is generally not a good idea (not secure); are you using it for web config??
    /ip service
    set www port=82

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Nothing I see should be preventing access to the WAN for WireGuard if you are using 0.0.0.0/0 in the client settings (on smartphone etc.).
The only possibility I can think of is that your complex DNS setup is somehow getting in the way.
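Putting the two replies above together (the general layout for a MikroTik acting as the WireGuard server peer, and the suggested forward chain), here is a complete minimal RouterOS 7 firewall that implements that layout. It is an added example, not anyone's configuration from this thread. It assumes a WireGuard interface named wireguard on UDP 13231, the tunnel subnet 192.168.87.0/24, the LAN subnet 192.168.88.0/24 on bridge, ether1 as the WAN port, and placeholder peer public keys; adjust these to your own network. One design choice goes beyond what the thread states: each peer gets a /32 allowed-address rather than the /24 seen in the export above, because WireGuard's cryptokey routing maps a destination address to exactly one peer, so overlapping /24 entries on two peers make the router send replies for every tunnel address to whichever peer matched.

```routeros
# Added example (not from the thread): minimal RouterOS 7 firewall for a MikroTik
# acting as the WireGuard server peer, following the layout described in the replies.
# Assumptions (constructed to match the thread, adjust to your own network):
#   WireGuard interface "wireguard" on UDP 13231, tunnel subnet 192.168.87.0/24
#   LAN bridge subnet 192.168.88.0/24, ether1 is the WAN port
#   Peer public keys are placeholders; replace them with the real ones

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard

/interface wireguard peers
# One /32 per peer: cryptokey routing maps each destination address to exactly
# one peer, so overlapping /24 allowed-address entries break return traffic.
add allowed-address=192.168.87.2/32 comment="laptop" interface=wireguard \
    public-key="<PEER1-PUBLIC-KEY-PLACEHOLDER>"
add allowed-address=192.168.87.3/32 comment="phone" interface=wireguard \
    public-key="<PEER2-PUBLIC-KEY-PLACEHOLDER>"

/ip address
add address=192.168.87.1/24 interface=wireguard network=192.168.87.0

# Making the tunnel a LAN member is what gives it DNS (input chain) and internet
# (forward chain) access through the same rules as the wired LAN; no extra srcnat.
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=wireguard list=LAN

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# The only service the WAN side needs to reach is the WireGuard handshake port.
add action=accept chain=input comment="WireGuard handshake from WAN" \
    dst-port=13231 in-interface-list=WAN protocol=udp
# Router-hosted DNS for LAN members, which now includes the tunnel; without this
# a client that points its DNS at 192.168.87.1 gets no answers.
add action=accept chain=input comment="LAN incl. WireGuard: router DNS (udp)" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="LAN incl. WireGuard: router DNS (tcp)" \
    dst-port=53 in-interface-list=LAN protocol=tcp
# Management only from LAN members (SSH 22, WinBox 8291); nothing from WAN.
add action=accept chain=input comment="LAN incl. WireGuard: admin access" \
    dst-port=22,8291 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"

# --- forward chain: traffic passing through the router ---
add action=fasttrack-connection chain=forward comment="fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# New connections from any LAN member (bridge or tunnel) to the internet.
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
# Tunnel clients may reach the wired LAN; no other cross-segment path is open.
add action=accept chain=forward comment="WG to LAN" dst-address=192.168.88.0/24 \
    in-interface=wireguard
# Inbound port forwards are admitted by their NAT state, not by an open port.
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
# One masquerade on the WAN list covers bridge and tunnel clients alike; this is
# the "already sourcenatting all traffic out the main WAN" rule from the reply.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
```

The trailing "drop all else" in the forward chain is what turns the chain into default-deny: a tunnel client only reaches the internet because the "internet traffic" rule matches it as a LAN member, and only reaches 192.168.88.0/24 because of the "WG to LAN" rule. To confirm which rule a test from the phone is hitting, run `/ip firewall filter print stats` before and after the test and compare the packet counters; a WireGuard packet stopping at "drop all else" means the tunnel interface is not actually in the LAN list, while counters that never move on any forward rule point at the tunnel itself (allowed-address or the client's 0.0.0.0/0 setting) rather than the firewall.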