proton WireGuard - handshake for peer did not complete...

Hello

google gemini says

Unfortunately, specific details about the companies that provide Deep Packet Inspection (DPI) technology to Egypt are not publicly available. This kind of information is often kept confidential for various reasons, including security and commercial interests.

However, reports and investigations by organizations like Citizen Lab and SMEX have indicated that companies like Sandvine may be involved in providing DPI technology to Egypt.

Sandvine is a Canadian company that specializes in network intelligence solutions, including DPI.

If you are interested in further information about this topic, you may wish to research reports from organizations like:

Citizen Lab: They conduct research on internet censorship and surveillance.
SMEX: A digital rights organization in the Middle East and North Africa.
Open Observatory of Network Interference (OONI) https://explorer.ooni.org : A global project that measures internet censorship.
These organizations often publish reports on internet censorship and surveillance practices in various countries, including Egypt.

Their reports may provide more insights into the companies and technologies involved.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys )

thank you anav

I always encounter this if my ISP is blocking wireguard, my workaround is to replace wireguard with SSTP

sure! and I have one, but the SSTP server is located in a friend's apartment… the question is how to find an SSTP server without friends… maybe you know a company similar to Proton who sells SSTP server connections for personal usage?

  1. What is the purpose of putting the WAN as both a member of the LAN and WAN lists???
    Typically for a third party VPN we make it part of the WAN list, and thus the default source NAT rule also ensures
    any local users going out the wireguard interface will be NATed to your assigned Proton wireguard IP address and thus accepted at their end.

  2. You have a config issue.
    /ip dhcp-server
    add address-pool=dhcp interface=*8 name=dhcp

  3. If you don't have an IP DHCP client, no IP address for external, and no PPPoE, how are you getting internet???

  4. Keep your bridge network coherent.
    In other words, suggest you change your IP address for it
    from:
    add address=192.168.88.9/24 interface=bridge network=192.168.88.0
    to:
    add address=192.168.88.1/24 interface=bridge network=192.168.88.0

To match the rest:
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 netmask=24

  5. By the way, did you manually add netmask=24 to the line above? If so, please manually remove it.

  6. Modify this back to the default… You seem to forget that you need to go out your local WAN to establish the tunnel!!!
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface-list=WAN

  7. Not sure what your intent is with routes and routing rules, but please add a table and modify to:

/ip route
# single route for your ISP, routing-table=main
add dst-address=0.0.0.0/0 gateway=??? routing-table=main
# single route for your WireGuard, routing-table=useWG
add dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG

/routing rule
add action=lookup-only-in-table comment="allow local traffic" min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=useWG

/routing table
add fib name=useWG

Please make the above changes and then republish your config and let us know if there is an improvement.

hello Anav

internet connection exists, IP Egypt,

excuse me, I do not understand everything fully, so please instruct as simply as possible

your questions

#2
DHCP server now

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1


#3

the MikroTik RB750Gr3 connects by LAN Ethernet cable behind the Egypt telecom VDSL router, which is available at 192.168.1.1
on the Egypt VDSL router I switched off all restrictions I could find

#7

intent: all devices connected to the MikroTik RB750Gr3 send all external traffic thru Proton WireGuard

my case: some family mobiles are connected directly to the WiFi of the Egypt VDSL router, and I wish my and my brother's laptops to be connected by LAN Ethernet cable to the MikroTik RB750Gr3, with external traffic going thru Proton CH-159 Zurich

when using SSTP the IP changes to a European country, and I intend the same by Proton WireGuard

Proton has an Android application with a stealth mode which works well for Egypt, but unfortunately the hotspot did not distribute the connection correctly (the actual experience and Proton support message):
mobile has Zurich IP but laptop has Egypt IP

# 2025-02-15 16:07:52 by RouterOS 7.17
# software id = MMW4-PZNQ
#
# model = RB750Gr3
# serial number = ...

/interface bridge
add name=bridge

/interface wireguard
add listen-port=13231 mtu=1420 name=P-CH-159 private-key=<PRV KEY>

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

/routing table
add disabled=no fib name=useWG

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=P-CH-159 list=WAN
add interface=P-CH-159 list=LAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.88.27.232 endpoint-port=51820 interface=P-CH-159 name=peer-P-CH-159 persistent-keepalive=25s public-key=<PUB KEY>

/ip address
add address=10.2.0.2/30 interface=P-CH-159 network=10.2.0.0
add address=192.168.88.9/24 interface=bridge network=192.168.88.0

/ip dhcp-client
add add-default-route=no interface=bridge use-peer-dns=no

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=10.2.0.1

/ip firewall address-list
add address=192.168.88.0/24 list=VPN-proton

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip firewall service-port
set ftp disabled=yes

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=79.135.104.30/32 gateway=192.168.1.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=P-CH-159 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG

/routing rule
add action=lookup-only-in-table comment="allow local traffic" min-prefix=0 \
    table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=useWG

/system identity
set name=test-RB750Gr3

/system note
set show-at-login=no

We are making progress.
I understand that you have some users that are able to use the ISP VDSL device for wifi which is great.
However the MT router also needs to be able to access the ISP VDSL connection to establish the proton tunnel.
This is fine.
I just need to know how you are connected to the ISP VDSL.
Do you simply set the WANIP via IP address (since it's private you don't need to hide it)?
Probably something like 192.168.1.2??

/ip address
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0

or via IP DHCP client
/ip dhcp-client
add interface=ether1 use-peer-dns=no
+++++++++++++++++++++++++++++++++++++++++++++++++
Assuming something like the above, we can make progress.
I think the important thing is to ensure the DNS of the users going out wireguard does not leak out to the ISP VDSL.
We will handle that. Also, for now please change the IP address of the bridge to .1 instead of .9

One major error is making your bridge the IP DHCP client → this is fundamentally wrong
Ether1 is the interface connected to the ISP VDSL not the bridge. The bridge is natted behind the router and has nothing to do with WANIP termination.

You failed to remove the bad routes, please do so.

Added mangle rule which helps better performance accessing sites thru 3rd party wireguard.

/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=P-CH-159 private-key=
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=P-CH-159 list=WAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.88.27.232 endpoint-port=51820 interface=P-CH-159 name=peer-P-CH-159 persistent-keepalive=25s public-key=

/ip address
add address=10.2.0.2/30 interface=P-CH-159 network=10.2.0.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0

/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=10.2.0.1 gateway=192.168.88.1

/ip dns
set servers=1.1.1.1,10.2.0.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-addresses=10.2.0.1
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-addresses=10.2.0.1

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=P-CH-159 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall service-port
set ftp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG

/routing rule
add action=lookup-only-in-table comment="allow local traffic" min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=useWG
/system identity
set name=test-RB750Gr3
/system note
set show-at-login=no

thank you Anav

yes, VDSL router DHCP server static IP 192.168.1.5 for the MT test-RB750Gr3

please see attached a few

something I cannot understand:
ubuntu terminal ping to 149.88.27.232 OK
by WinBox tools ping: no, timeout
how is it possible?

WG did not work
Handshake for peer did not complete after 5 seconds, retrying…

newest config below

# 2025-02-15 20:54:27 by RouterOS 7.17
# software id = MMW4-PZNQ
#
# model = RB750Gr3
# serial number = ...

/interface bridge
add name=bridge

/interface wireguard
add listen-port=13231 mtu=1420 name=P-CH-159 private-key=<PRV KEY>

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254

/routing table
add disabled=no fib name=useWG

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=P-CH-159 list=WAN
add interface=P-CH-159 list=LAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.88.27.232 endpoint-port=51820 interface=P-CH-159 name=peer-P-CH-159 persistent-keepalive=25s public-key=<PUB KEY>

/ip address
add address=10.2.0.2/30 interface=P-CH-159 network=10.2.0.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0

/ip dhcp-client
add add-default-route=no disabled=yes interface=bridge use-peer-dns=no
# DHCP client can not run on slave or passthrough interface!
add add-default-route=no interface=ether1 use-peer-dns=no

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=10.2.0.1 gateway=192.168.88.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,10.2.0.1

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=P-CH-159 protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.88.0/24 to-addresses=10.2.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.88.0/24 to-addresses=10.2.0.1

/ip firewall service-port
set ftp disabled=yes

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip route
add dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=P-CH-159 routing-table=main scope=30 suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table comment="allow local traffic" min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=useWG

/system identity
set name=test-RB750Gr3
/system note
set show-at-login=no

OK, from the beginning

ISP Egypt telecom VDSL router
gateway 192.168.1.1
a few devices connected directly to the Egypt telecom router work OK
MT RB750Gr3 static IP 192.168.1.5, connected by LAN Ethernet cable from MT ether1 to the Egypt telecom router

laptop 192.168.1.8 by DHCP from the ISP VDSL router, connected to MT RB750Gr3 by cable on ether5

MT static 192.168.88.1, gateway 192.168.1.1

internet OK, WG not
Handshake for peer…

  1. You have to pay closer attention to detail.
    Where did I put this for interface list??

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=P-CH-159 list=WAN
add interface=P-CH-159 list=LAN

I clearly noted this should be the correct setup:
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=P-CH-159 list=WAN

  2. If you state that you get a fixed/static private IP from the ISP VDSL modem router, then don't use IP DHCP client, as I stated in an earlier post.
    It should be
    /ip dhcp-client
    disable [ find ]

/ip address
add address=10.2.0.2/30 interface=P-CH-159 network=10.2.0.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0

  3. You're still keeping extra routes and they are screwing your connectivity… for the last time, keep it simple and clear.
    /ip route
    add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main comment="used by the router to establish tunnel"
    add dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG comment="used by subnet to reach internet"

and no other routes!!

  4. REMOVE ETHER1 FROM THE BRIDGE PORTS. I missed this obvious error earlier, my apologies.
    /interface bridge port
    add bridge=bridge interface=ether1
    add bridge=bridge interface=ether2
    add bridge=bridge interface=ether3
    add bridge=bridge interface=ether4
    add bridge=bridge interface=ether5

  5. Why is allow-remote-requests still in your config???
    /ip dns
    set allow-remote-requests=yes servers=1.1.1.1,10.2.0.1

the config I provided was as follows:
/ip dns
set servers=1.1.1.1,10.2.0.1

Please try with the config as requested and report connectivity and ping requests.
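To show why the two-route, two-rule layout above is the one that lets the tunnel come up, here is an added Python model of the policy routing in this thread. It is written for this edit, not RouterOS or MikroTik code, and it assumes a simplified reading of the rules: a rule with action=lookup-only-in-table and min-prefix=N is skipped when the best route found in its table is no longer than /N (so min-prefix=0 lets connected and host routes in main win while the default route is left to the next rule), a rule without min-prefix uses whatever its table returns, and a packet matching no rule falls back to main. The route tables are constructed from the exports posted earlier in the thread; the "bad" table keeps the stray 128.0.0.0/1 route via 10.2.0.1 that the post above asks to remove.

```python
import ipaddress

# Added example (not RouterOS code): a simplified model of RouterOS v7 routing rules.
# ASSUMPTION: lookup-only-in-table + min-prefix=N passes over the rule when the best
# match is no longer than /N; no min-prefix means "use what the table returns";
# unmatched packets fall back to main. "gateway" is a next-hop address or an egress
# interface, exactly as it appears in the router export.


def lookup(table, dst):
    """Longest-prefix match of dst in a list of (prefix, gateway) routes."""
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def route_packet(tables, rules, src, dst):
    """Return the gateway chosen for a packet, or None if it is unreachable."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if "src" in rule and src not in ipaddress.ip_network(rule["src"]):
            continue
        hit = lookup(tables[rule["table"]], dst)
        if hit is None:
            return None                      # lookup-only-in-table with no route
        net, gateway = hit
        if net.prefixlen <= rule.get("min_prefix", -1):
            continue                         # only the default route matched
        return gateway
    hit = lookup(tables["main"], dst)        # no rule matched: plain main lookup
    return hit[1] if hit else None


# The two rules from the thread, in order.
RULES = [
    {"table": "main", "min_prefix": 0},             # "allow local traffic"
    {"table": "useWG", "src": "192.168.88.0/24"},   # LAN users -> tunnel
]

# Connected routes RouterOS creates from the /ip address entries (constructed).
CONNECTED = [
    ("192.168.1.0/24", "ether1"),
    ("192.168.88.0/24", "bridge"),
    ("10.2.0.0/30", "P-CH-159"),
]

# The recommended layout: one default route per table.
GOOD = {
    "main": CONNECTED + [("0.0.0.0/0", "192.168.1.1")],
    "useWG": [("0.0.0.0/0", "P-CH-159")],
}

# The earlier export also carried 128.0.0.0/1 via 10.2.0.1 in main.
BAD = {
    "main": GOOD["main"] + [("128.0.0.0/1", "10.2.0.1")],
    "useWG": GOOD["useWG"],
}

ROUTER_WAN = "192.168.1.5"          # the MT's own address towards the ISP router
PROTON_ENDPOINT = "149.88.27.232"   # peer endpoint from the thread


def handshake_next_hop(tables):
    """Where the router sends its own WireGuard handshake (src = its WAN address)."""
    return route_packet(tables, RULES, ROUTER_WAN, PROTON_ENDPOINT)


if __name__ == "__main__":
    print("LAN user -> 8.8.8.8        :", route_packet(GOOD, RULES, "192.168.88.10", "8.8.8.8"))
    print("LAN user -> ISP router     :", route_packet(GOOD, RULES, "192.168.88.10", "192.168.1.1"))
    print("handshake, clean tables    :", handshake_next_hop(GOOD))
    print("handshake, with 128/1 route:", handshake_next_hop(BAD))
```

With the clean tables the handshake leaves via 192.168.1.1 and the LAN users go into P-CH-159; with the 128.0.0.0/1 route present, the router's own handshake packet to 149.88.27.232 (which falls inside 128.0.0.0/1, a longer match than /0, so rule 1 accepts it) is sent to 10.2.0.1 through the tunnel that does not yet exist, which is one way to end up with "handshake for peer did not complete".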

thank you Anav

please see attached screens and config

the MT status became (automatically) router (not bridge) after ether1 was removed from the bridge (your comment #4)
after this the LAN from the laptop does not connect to the RB750Gr3, it breaks after a while
has something not been done yet so that the 2 routers work one after the other?
maybe I can change back to bridge by Quick Set?
I cannot understand what to do correctly and can only return back to bridge (ether1 as member of bridge)
please advise

192.168.88.0 changed to 192.168.99.0
no dhcp server no dhcp client
ping to 149.88.27.232 and 8.8.8.8 OK

and your comments
#1 yes
#2 yes
#4 yes (bridge to router status, LAN connection lost after a while)
#5 yes

#3 cannot remove routes 10.2.0.0/30, 192.168.0.0/8, 192.168.99.0/24
they appear automatically after the IP address is active


Handshake for peer did not complete after 20 attempts, giving up

question
ether2, ether3, ether4 are not in the list and empty, not connected now to any device
if ether2 will be connected to another laptop, is it OK to add
/interface list member
add interface=ether2 list=LAN


# 2025-02-16 07:32:40 by RouterOS 7.17
# software id = MMW4-PZNQ
#
# model = RB750Gr3
# serial number = 

/interface bridge
add name=bridge

/interface wireguard
add listen-port=13231 mtu=1420 name=P-CH-159 private-key=<PRV-KEY>

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/routing table
add disabled=no fib name=useWG

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface list member
add interface=ether5 list=LAN
add interface=P-CH-159 list=WAN
add interface=ether1 list=WAN

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.88.27.232 endpoint-port=51820 interface=P-CH-159 name=peer-P-CH-159 persistent-keepalive=25s public-key=<PUB-KEY>

/ip address
add address=10.2.0.2/30 interface=P-CH-159 network=10.2.0.0
add address=192.168.99.1/24 interface=bridge network=192.168.99.0
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0

/ip dhcp-client
add add-default-route=no disabled=yes interface=bridge use-peer-dns=no

/ip dns
set servers=1.1.1.1,10.2.0.1

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=P-CH-159 protocol=tcp tcp-flags=syn

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.99.0/24 to-addresses=10.2.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.99.0/24 to-addresses=10.2.0.1

/ip firewall service-port
set ftp disabled=yes

/ip hotspot profile
set [ find default=yes ] html-directory=hotspot

/ip route
add comment="used by subnet to reach internet" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
add comment="used by the router to establish tunnel" dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main

/routing rule
add action=lookup-only-in-table comment="allow local traffic" min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.99.0/24 table=useWG

/system clock
set time-zone-name=Africa/Cairo
/system identity
set name=test-RB750Gr3
/system note
set show-at-login=no

We will get there, it sometimes takes a while, but we will not quit. :slight_smile:

The config below should work if the Upstream router is indeed providing the IP address of the MT router of 192.168.1.5
Can you confirm it is a fixed/static IP?

Other than the single error below, it looks good!!

# model = RB750Gr3
# serial number =

/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=P-CH-159 private-key=
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ether5 list=LAN        <-- should be interface=bridge
add interface=P-CH-159 list=WAN
add interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=149.88.27.232 endpoint-port=51820 interface=P-CH-159 name=peer-P-CH-159 persistent-keepalive=25s public-key=
/ip address
add address=10.2.0.2/30 interface=P-CH-159 network=10.2.0.0
add address=192.168.99.1/24 interface=bridge network=192.168.99.0
add address=192.168.1.5/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add add-default-route=no disabled=yes interface=bridge use-peer-dns=no
/ip dns
set servers=1.1.1.1,10.2.0.1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=P-CH-159 protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.99.0/24 to-addresses=10.2.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=192.168.99.0/24 to-addresses=10.2.0.1
/ip firewall service-port
set ftp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add comment="used by subnet to reach internet" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=P-CH-159 routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
add comment="used by the router to establish tunnel" dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
/routing rule
add action=lookup-only-in-table comment="allow local traffic" min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.99.0/24 table=useWG
/system clock
set time-zone-name=Africa/Cairo
/system identity
set name=test-RB750Gr3
/system note
set show-at-login=no

The other things to check:
a. Proton provides you with a private key, which you are supposed to use when first making the wireguard interface on the MT router.

Normally we create our own interface name and let the router create both a private and a public key.
However, for a third party VPN we do not let the router make or use its randomly generated private key!

The required understanding for third party VPN setups is that the public key generated by the router is directly related to that private key and will always be the same, given the same private key is used in the interface creation process. The 3rd party company knows this, so they tell you which private key to use, and therefore they already have the public key; there is no requirement or reliance upon the user to send the company their generated public key to use in the 3rd party device's client peer settings.

So please confirm you used the Proton-supplied private key when you generated the wireguard interface on the MT.
If so, great!!!

b. Proton supplied you with their public key, which you should have used in the peer settings on the MT which identify the Proton peer.
Have you double checked to ensure that this was entered properly??
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Everything else seems accurate.
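The key point in (a) and (b) above, that the public key is a fixed function of the private key, can be checked offline. The following is an added Python example written for this edit (not MikroTik, Proton or WireGuard code): a pure-Python X25519 from RFC 7748, which is the curve WireGuard keys live on, plus a syntax check for a pasted key. It assumes the RFC 7748 test vectors as stand-ins for a provider-issued pair ("Alice") and a router-generated pair ("Bob"); neither is a real VPN key. The ladder is not constant-time and is for illustration, not for protecting real secrets.

```python
import base64
import binascii

# Added example, not from this thread: X25519 (RFC 7748 section 5) scalar multiplication.
# A WireGuard public key is x25519(private, 9), so the same private key always yields
# the same public key, and a router-generated private key yields a public key the
# provider has never seen (their peer entry then rejects the handshake).

P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31   # the base point u = 9, little-endian


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 "clamping": clear the low 3 bits, clear bit 255, set bit 254
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                      # ignore the unused top bit
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery ladder computing k*u on Curve25519 (not constant-time)."""
    k = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def check_wg_key(key_b64: str) -> bool:
    """True if the text is a well-formed WireGuard key: strict base64 of exactly 32 bytes."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def wg_public_key(private_b64: str) -> str:
    """Derive the base64 public key from a base64 private key (what `wg pubkey` does)."""
    if not check_wg_key(private_b64):
        raise ValueError("private key must be base64 of 32 bytes")
    return base64.b64encode(x25519(base64.b64decode(private_b64), BASEPOINT)).decode()


# RFC 7748 section 6.1 test vectors, used as constructed stand-ins (not real VPN keys).
ALICE_PRIVATE_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
BOB_PRIVATE_HEX = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
ALICE_PRIVATE_B64 = base64.b64encode(bytes.fromhex(ALICE_PRIVATE_HEX)).decode()


def demo() -> dict:
    """Derive both public keys and show the shared secret agrees from either side."""
    alice_priv = bytes.fromhex(ALICE_PRIVATE_HEX)
    bob_priv = bytes.fromhex(BOB_PRIVATE_HEX)
    alice_pub = x25519(alice_priv, BASEPOINT)
    bob_pub = x25519(bob_priv, BASEPOINT)
    return {
        "alice_public_hex": alice_pub.hex(),
        "bob_public_hex": bob_pub.hex(),
        "same_private_same_public": x25519(alice_priv, BASEPOINT) == alice_pub,
        "different_private_different_public": alice_pub != bob_pub,
        "shared_secret_hex": x25519(alice_priv, bob_pub).hex(),
        "shared_secret_agrees": x25519(alice_priv, bob_pub) == x25519(bob_priv, alice_pub),
        "b64_matches": wg_public_key(ALICE_PRIVATE_B64) == base64.b64encode(alice_pub).decode(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

If the public key the MT router shows on the WireGuard interface differs from what this derives from the Proton-supplied private key, the interface was created with a router-generated key rather than the provided one; check_wg_key also catches the usual paste mistakes (dropped trailing "=", stray whitespace, wrong length).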

how it looks now 25-02-16 16:00 Cairo time
Screenshot from 2025-02-16 16-00-32.png

Yeah, that view still shows ether5 as being a member of the LAN interface list; it should be bridge.

Another issue I see: have you been using Quick Set? That can wreck a router config real fast.
Quick Set should only be used once and then not returned to.

In any case, don't touch it.
What you don't have is any firewall rules… and we need to introduce those for proper security.

After you fix the above issue.

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="accept all from LAN" in-interface-list=LAN
# to be enabled when the config is working
add action=drop chain=input disabled=yes comment="drop all else"

add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="users to WG" in-interface-list=LAN out-interface=P-CH-159
add action=drop chain=forward comment="drop all else"

thank you Anav

The config below should work if the Upstream router is indeed providing the IP address of the MT router of 192.168.1.5
Can you confirm it is a fixed/static IP?

yes