Re: Setting Up Policy-Based Routing with Mikrotik Hex Refresh for Selective VPN Traffic

TL;DR
I need to set up a Mikrotik Hex Refresh to route WhatsApp/FaceTime traffic from one WiFi network through VPN while keeping all other traffic on regular ISP. Looking for configuration guidance.

My Setup
I’m trying to configure a Mikrotik Hex Refresh as my main router with selective VPN routing for specific apps (WhatsApp/FaceTime) on one network segment while keeping normal ISP routing for everything else.

Hardware Configuration:

Internet Layer:
  └─ ISP (1Gbps Fiber)
     └─ ONT (Optical Network Terminal)
        └─ Mikrotik Hex Refresh (Main Router)
           ├─ Port 1: WAN (from ONT)
           ├─ Port 2: Switch 1 (regular ISP access)
           ├─ Port 3: Switch 2 (regular ISP access)
           ├─ Port 4: Access Point (SSID: MYWIFI1 - regular ISP access)
           └─ Port 5: Access Point (SSID: MYWIFI2 - selective VPN routing)

Desired Routing Logic:

Traffic Routing:
  ├─ Ports 2,3,4 (including MYWIFI1): → Regular ISP connection
  └─ Port 5 (MYWIFI2):
     ├─ WhatsApp/FaceTime traffic → Windscribe WireGuard VPN
     └─ All other traffic → Regular ISP connection

VPN Details:
I’m using Windscribe with WireGuard. My configuration is:

[Interface]
PrivateKey = yb2xT3u98lPqkR4V6gNhUw7Zp5XJdCq0LmMv1AqEzXY=
Address = 100.101.181.14/32
DNS = 10.255.255.3

[Peer]
PublicKey = Dq8Mv0Y9LkJhX7T2bKn5Rq4Vp1Cq3NzAwLqZJg8YXYw=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = example-wg.example.com:65142
PresharedKey = pQ7xLmN9VqK4T2Cj5ZbX1R4JdCq0AwY8Mv3NzLqXYw=

WhatsApp/FaceTime IPs:
I have the following IP ranges for routing through VPN:

  • WhatsApp ranges: 31.13.0.0/16, 66.220.144.0/20, 69.63.176.0/20, etc.
  • Apple/FaceTime: 17.0.0.0/8

Full IP list for VPN routing:

31.13.0.0/16 
34.252.184.159/32
35.72.108.16/32
52.48.8.54/32
66.220.144.0/20
69.63.176.0/20
69.171.0.0/16
102.132.96.0/20
129.134.0.0/16
157.240.0.0/16
163.70.138.62/32
173.252.0.0/16
179.60.192.0/22
185.60.216.0/22
185.166.143.38/32
199.201.64.0/22
204.15.20.0/22
17.0.0.0/8

Questions and Concerns:

  1. VPN Kill Switch: I want to disable any kill switch functionality so if the VPN goes down, traffic will fall back to regular ISP.
  2. Implementation Approach: What’s the best way to implement this policy-based routing on the Mikrotik?
  3. VLAN Configuration: Do I need to set up VLANs to properly isolate the networks?
  4. Firewall Rules: What firewall rules would I need to make this work properly?

Any guidance or example configurations would be extremely helpful. Thank you!

Please edit your post and remove the WG keys.

Hi, those are random keys :slight_smile:

I have this AI-generated script, but I would rather get it reviewed by the experts here to save countless hours of debugging later, because human intelligence is irreplaceable.

#!/bin/bash
# MikroTik WireGuard Split Tunneling Configuration Script
# For RouterOS v7 - Hex Refresh Router
# This script configures split tunneling for specific IP ranges through WireGuard VPN
# Port 5 (ether5) will route specified IPs through VPN, other ports use direct ISP connection

#####################################################################
# SECTION 1: Initial Variables and Backup
#####################################################################

# Variables - Adjust these as needed
:local WanInterface "ether1"
:local VpnLanInterface "ether5"
:local RegularLanInterfaces {"ether2"; "ether3"; "ether4"}
:local RegularLanSubnet "192.168.88.0/24"
:local RegularLanGateway "192.168.88.1"
:local VpnLanSubnet "192.168.89.0/24"
:local VpnLanGateway "192.168.89.1"
:local WindscribePrivateKey "mDZyrqE6usQe9TShD7PocHmuhOJmsa0RUmvj0lHaQWg="
:local WindscribePublicKey "YQvL8lipIGjEE4qgpjMX3FrG+CnVNFyiGgg3wkvhSw4="
:local WindscribeEndpoint "ist-405-wg.whiskergalaxy.com"
:local WindscribePort "65142"
:local WindscribePresharedKey "J4c4qMHyK9ZV9Du33tcTSIw5PjUYEyHyMOOqRzaiXM4="
:local WgAddress "100.101.181.14/32"
:local WgDns "10.255.255.3"
:local CurrentDate [/system clock get date]
:local CurrentTime [/system clock get time]

# Create backup before making changes
:log info "Starting WireGuard split tunnel configuration script"
:log info "Creating backup before making changes"
/system backup save name="backup_before_wg_config_$CurrentDate-$CurrentTime"
:delay 2s

# Print script start message
:put "Starting WireGuard Split Tunnel configuration script"
:put "=====================================================\n"
:put "This script will configure your Mikrotik router for WireGuard VPN with split tunneling"
:put "Devices on ether5 will use VPN for specified IP ranges, other devices will use direct ISP connection\n"
:delay 2s

#####################################################################
# SECTION 2: Basic Network Setup
#####################################################################

:put "SECTION 2: Basic Network Setup"
:put "------------------------------"

# Configure WAN interface
:put "Configuring WAN interface on $WanInterface..."
/ip dhcp-client remove [find interface=$WanInterface]
/ip dhcp-client add interface=$WanInterface disabled=no
:delay 1s

# Verify WAN interface received an IP. The DHCP client installs a dynamic address, so
# check that one exists before calling get (get errors out on an empty id list), and
# give the lease a few seconds to arrive.
:delay 5s
:if ([:len [/ip address find interface=$WanInterface]] = 0) do={
    :put "ERROR: WAN interface did not receive an IP address. Check your internet connection."
    :log error "WAN interface did not receive an IP address. Script execution aborted."
    :error "Script terminated due to WAN interface error"
}
:local wanIp [/ip address get [/ip address find interface=$WanInterface] address]
:put "WAN interface successfully configured with IP: $wanIp"

# Create bridge for regular LAN interfaces
:put "Creating bridge for regular LAN interfaces..."
/interface bridge remove [find name="bridge-lan"]
/interface bridge add name="bridge-lan"
:foreach lanInterface in=$RegularLanInterfaces do={
    /interface bridge port remove [find interface=$lanInterface]
    /interface bridge port add interface=$lanInterface bridge="bridge-lan"
    :put "Added $lanInterface to bridge-lan"
}

# Configure IP addresses. The gateway variables carry no prefix length, so append /24;
# otherwise RouterOS adds them as /32 host addresses with no connected route for the LAN.
:put "Configuring IP addresses for LAN interfaces..."
/ip address remove [find interface="bridge-lan"]
/ip address remove [find interface=$VpnLanInterface]
/ip address add address="$RegularLanGateway/24" interface="bridge-lan"
/ip address add address="$VpnLanGateway/24" interface=$VpnLanInterface
:delay 1s

# Verify addresses were properly assigned
:if ([:len [/ip address find interface="bridge-lan"]] = 0) do={
    :put "ERROR: Failed to assign IP address to bridge-lan"
    :log error "Failed to assign IP address to bridge-lan. Script execution aborted."
    :error "Script terminated due to bridge-lan address assignment error"
}
:if ([:len [/ip address find interface=$VpnLanInterface]] = 0) do={
    :put "ERROR: Failed to assign IP address to $VpnLanInterface"
    :log error "Failed to assign IP address to $VpnLanInterface. Script execution aborted."
    :error "Script terminated due to $VpnLanInterface address assignment error"
}
:put "IP addresses successfully assigned"

# Configure DHCP servers
:put "Configuring DHCP servers..."
# Remove existing DHCP config
/ip pool remove [find name="dhcp-lan-pool"]
/ip pool remove [find name="dhcp-vpn-pool"]
/ip dhcp-server remove [find name="dhcp-lan"]
/ip dhcp-server remove [find name="dhcp-vpn"]
/ip dhcp-server network remove [find address=$RegularLanSubnet]
/ip dhcp-server network remove [find address=$VpnLanSubnet]

# Create DHCP pools and servers
/ip pool add name="dhcp-lan-pool" ranges=192.168.88.10-192.168.88.254
/ip pool add name="dhcp-vpn-pool" ranges=192.168.89.10-192.168.89.254
/ip dhcp-server add name="dhcp-lan" interface="bridge-lan" address-pool="dhcp-lan-pool"
/ip dhcp-server add name="dhcp-vpn" interface=$VpnLanInterface address-pool="dhcp-vpn-pool"
/ip dhcp-server network add address=$RegularLanSubnet gateway=$RegularLanGateway dns-server=$RegularLanGateway
/ip dhcp-server network add address=$VpnLanSubnet gateway=$VpnLanGateway dns-server=$WgDns
:delay 2s

# Verify DHCP servers were created
:if ([:len [/ip dhcp-server find name="dhcp-lan"]] = 0 || [:len [/ip dhcp-server find name="dhcp-vpn"]] = 0) do={
    :put "ERROR: Failed to create DHCP servers"
    :log error "Failed to create DHCP servers. Script execution aborted."
    :error "Script terminated due to DHCP server creation error"
}
:put "DHCP servers successfully configured"
:put "Basic network setup completed successfully\n"
:delay 1s

#####################################################################
# SECTION 3: WireGuard Configuration
#####################################################################

:put "SECTION 3: WireGuard Configuration"
:put "---------------------------------"

# Remove existing WireGuard interface if exists
:put "Setting up WireGuard interface..."
/interface wireguard remove [find name="wireguard1"]
/interface wireguard add name="wireguard1" mtu=1420 listen-port=13231

# Set private key for WireGuard
/interface wireguard set wireguard1 private-key=$WindscribePrivateKey
:delay 1s

# Verify WireGuard interface was created
:if ([:len [/interface wireguard find name="wireguard1"]] = 0) do={
    :put "ERROR: Failed to create WireGuard interface"
    :log error "Failed to create WireGuard interface. Script execution aborted."
    :error "Script terminated due to WireGuard interface creation error"
}

# Add IP address to WireGuard interface
:put "Assigning IP address to WireGuard interface..."
/ip address remove [find interface="wireguard1"]
/ip address add address=$WgAddress interface="wireguard1"
:delay 1s

# Remove existing WireGuard peers
:put "Configuring WireGuard peer..."
/interface wireguard peers remove [find interface="wireguard1"]

# Add WireGuard peer with Windscribe details
/interface wireguard peers add interface="wireguard1" \
    public-key=$WindscribePublicKey \
    allowed-address=0.0.0.0/0,::/0 \
    endpoint-address=$WindscribeEndpoint \
    endpoint-port=$WindscribePort \
    preshared-key=$WindscribePresharedKey \
    persistent-keepalive=25
:delay 2s

# Verify WireGuard peer was added
:if ([:len [/interface wireguard peers find interface="wireguard1"]] = 0) do={
    :put "ERROR: Failed to add WireGuard peer"
    :log error "Failed to add WireGuard peer. Script execution aborted."
    :error "Script terminated due to WireGuard peer configuration error"
}
:put "WireGuard interface and peer configured successfully\n"
:delay 1s

#####################################################################
# SECTION 4: Split Tunneling Configuration
#####################################################################

:put "SECTION 4: Split Tunneling Configuration"
:put "---------------------------------------"

# Create address list for VPN routes
:put "Creating address list for VPN-routed traffic..."
/ip firewall address-list remove [find list="VPN-Routes"]
/ip firewall address-list
add list="VPN-Routes" address=31.13.0.0/16 comment="Facebook"
add list="VPN-Routes" address=34.252.184.159/32
add list="VPN-Routes" address=35.72.108.16/32
add list="VPN-Routes" address=52.48.8.54/32
add list="VPN-Routes" address=66.220.144.0/20 comment="Facebook"
add list="VPN-Routes" address=69.63.176.0/20 comment="Facebook"
add list="VPN-Routes" address=69.171.0.0/16 comment="Facebook"
add list="VPN-Routes" address=102.132.96.0/20 comment="Facebook"
add list="VPN-Routes" address=129.134.0.0/16 comment="Facebook"
add list="VPN-Routes" address=157.240.0.0/16 comment="Facebook/Instagram"
add list="VPN-Routes" address=163.70.138.62/32
add list="VPN-Routes" address=173.252.0.0/16 comment="Facebook"
add list="VPN-Routes" address=179.60.192.0/22 comment="Facebook"
add list="VPN-Routes" address=185.60.216.0/22 comment="Facebook"
add list="VPN-Routes" address=185.166.143.38/32
add list="VPN-Routes" address=199.201.64.0/22 comment="Facebook"
add list="VPN-Routes" address=204.15.20.0/22 comment="Facebook"
add list="VPN-Routes" address=17.0.0.0/8 comment="Apple"
# The Windscribe resolver handed out to VPN LAN clients is only reachable inside the tunnel,
# so it must be marked as VPN traffic too or those DNS queries leave via the ISP and fail
add list="VPN-Routes" address=$WgDns comment="Windscribe DNS (only reachable through the tunnel)"
:delay 1s

# Verify address list was created (find has no count argument; count the ids it returns)
:local vpnRoutesCount [:len [/ip firewall address-list find list="VPN-Routes"]]
:if ($vpnRoutesCount = 0) do={
    :put "ERROR: Failed to create VPN-Routes address list"
    :log error "Failed to create VPN-Routes address list. Script execution aborted."
    :error "Script terminated due to address list creation error"
}
:put "Successfully created address list with $vpnRoutesCount entries"

# Create routing mark for VPN traffic
:put "Creating routing mark for VPN traffic..."
/ip firewall mangle remove [find comment="Mark VPN traffic from ether5"]
/ip firewall mangle
add chain=prerouting src-address=$VpnLanSubnet dst-address-list="VPN-Routes" \
    action=mark-routing new-routing-mark="vpn_traffic" passthrough=yes \
    comment="Mark VPN traffic from ether5"
:delay 1s

# Verify mangle rule was created
:if ([:len [/ip firewall mangle find comment="Mark VPN traffic from ether5"]] = 0) do={
    :put "ERROR: Failed to create mangle rule for VPN traffic"
    :log error "Failed to create mangle rule for VPN traffic. Script execution aborted."
    :error "Script terminated due to mangle rule creation error"
}
:put "Successfully created mangle rule for VPN traffic"

# Add the route for marked VPN traffic. RouterOS v7 requires the routing table to exist
# before a route can reference it, and the route property is routing-table (the mangle
# rule still sets new-routing-mark). The default route for everything else is the dynamic
# one installed by the DHCP client on $WanInterface, so no static default route is added.
# The previous "backup" route with distance=2 could never become active: an interface
# gateway (wireguard1) counts as reachable even when the tunnel is down, so a fallback
# needs check-gateway on a route via a pingable address, which this script does not set up.
:put "Creating routing rules..."
/ip route remove [find comment="Route VPN traffic through WireGuard"]
/routing table remove [find name="vpn_traffic"]
/routing table add name="vpn_traffic" fib

/ip route
add dst-address=0.0.0.0/0 gateway="wireguard1" routing-table="vpn_traffic" \
    comment="Route VPN traffic through WireGuard"
:delay 1s

# Verify routes were created
:if ([:len [/ip route find comment="Route VPN traffic through WireGuard"]] = 0) do={
    :put "ERROR: Failed to create route for VPN traffic"
    :log error "Failed to create route for VPN traffic. Script execution aborted."
    :error "Script terminated due to VPN route creation error"
}
:if ([:len [/ip route find dst-address=0.0.0.0/0 dynamic=yes active=yes]] = 0) do={
    :put "ERROR: No active default route from the DHCP client on $WanInterface"
    :log error "No active default route from the DHCP client. Script execution aborted."
    :error "Script terminated due to missing default route"
}
:put "Successfully created routing rules"
:put "Split tunneling configuration completed successfully\n"
:delay 1s

#####################################################################
# SECTION 5: Firewall Configuration
#####################################################################

:put "SECTION 5: Firewall Configuration"
:put "--------------------------------"

# Configure basic firewall rules
:put "Setting up basic firewall rules..."

# Allow established connections
/ip firewall filter remove [find comment="Allow established connections"]
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="Allow established connections" place-before=0

# Allow ICMP
/ip firewall filter remove [find comment="Allow ICMP"]
/ip firewall filter
add chain=input action=accept protocol=icmp \
    comment="Allow ICMP" place-before=1

# Allow WireGuard connections
/ip firewall filter remove [find comment="Allow WireGuard connections"]
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="Allow WireGuard connections" place-before=2

# Allow internal networks
/ip firewall filter remove [find comment="Allow from standard LAN"]
/ip firewall filter remove [find comment="Allow from VPN LAN"]
/ip firewall filter
add chain=input action=accept src-address=$RegularLanSubnet \
    comment="Allow from standard LAN" place-before=3
add chain=input action=accept src-address=$VpnLanSubnet \
    comment="Allow from VPN LAN" place-before=4

# Configure forwarding between networks
:put "Setting up forwarding rules between networks..."
/ip firewall filter remove [find comment="Allow standard LAN to VPN LAN"]
/ip firewall filter remove [find comment="Allow VPN LAN to standard LAN"]
/ip firewall filter
add chain=forward action=accept src-address=$RegularLanSubnet dst-address=$VpnLanSubnet \
    comment="Allow standard LAN to VPN LAN" place-before=0
add chain=forward action=accept src-address=$VpnLanSubnet dst-address=$RegularLanSubnet \
    comment="Allow VPN LAN to standard LAN" place-before=1

# Enable FastTrack for better performance. Fasttracked packets skip the mangle chains, so
# connections to VPN-Routes destinations are kept out of fasttrack in both directions;
# otherwise only the first packets of each connection would get the routing mark and the
# rest would take the ISP path.
/ip firewall filter remove [find comment="FastTrack for established connections"]
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    src-address-list=!VPN-Routes dst-address-list=!VPN-Routes \
    comment="FastTrack for established connections" place-before=0

# Configure NAT for both networks
:put "Setting up NAT rules..."
/ip firewall nat remove [find comment="NAT for standard LAN"]
/ip firewall nat remove [find comment="NAT for VPN LAN (non-VPN traffic)"]
/ip firewall nat remove [find comment="NAT for VPN traffic"]
/ip firewall nat
add chain=srcnat src-address=$RegularLanSubnet out-interface=$WanInterface action=masquerade \
    comment="NAT for standard LAN" place-before=0
add chain=srcnat src-address=$VpnLanSubnet out-interface=$WanInterface \
    dst-address-list=!VPN-Routes action=masquerade \
    comment="NAT for VPN LAN (non-VPN traffic)" place-before=1
add chain=srcnat src-address=$VpnLanSubnet out-interface="wireguard1" action=masquerade \
    comment="NAT for VPN traffic" place-before=2

# Configure DNS redirection for VPN LAN
:put "Setting up DNS redirection for VPN LAN..."
/ip firewall nat remove [find comment~"Redirect DNS for VPN network"]
/ip firewall nat
add chain=dstnat protocol=udp src-address=$VpnLanSubnet dst-port=53 \
    action=dst-nat to-addresses=$WgDns to-ports=53 \
    comment="Redirect DNS for VPN network to Windscribe DNS (UDP)" place-before=0
add chain=dstnat protocol=tcp src-address=$VpnLanSubnet dst-port=53 \
    action=dst-nat to-addresses=$WgDns to-ports=53 \
    comment="Redirect DNS for VPN network to Windscribe DNS (TCP)" place-before=1
:delay 2s

# Verify firewall rules were created
:if ([:len [/ip firewall filter find comment="Allow established connections"]] = 0) do={
    :put "WARNING: Basic firewall rule for established connections was not created"
    :log warning "Basic firewall rule for established connections was not created"
}
:if ([:len [/ip firewall nat find comment="NAT for VPN traffic"]] = 0) do={
    :put "WARNING: NAT rule for VPN traffic was not created"
    :log warning "NAT rule for VPN traffic was not created"
}
:put "Firewall configuration completed successfully\n"
:delay 1s

#####################################################################
# SECTION 6: DNS Configuration
#####################################################################

:put "SECTION 6: DNS Configuration"
:put "---------------------------"

# Configure DNS settings
:put "Setting up DNS..."
/ip dns
set allow-remote-requests=yes
set servers="8.8.8.8,8.8.4.4,$WgDns"
set use-doh-server=none
:delay 1s
:put "DNS configuration completed successfully\n"

#####################################################################
# SECTION 7: Monitoring and Maintenance
#####################################################################

:put "SECTION 7: Monitoring and Maintenance"
:put "-----------------------------------"

# Create VPN status monitoring script
:put "Creating VPN monitoring script..."
/system script remove [find name="check-vpn"]
/system script
add name="check-vpn" source={
    # last-handshake is a time value (time elapsed since the last handshake), so compare it
    # with a time literal; it is empty until the first handshake, hence the length guard
    :local lastHandshake [/interface wireguard peers get [find interface="wireguard1"] last-handshake]
    :if ([:len $lastHandshake] > 0 && $lastHandshake > 3m) do={
        :log info "WireGuard connection appears down, restarting interface"
        /interface wireguard disable wireguard1
        :delay 2s
        /interface wireguard enable wireguard1
    }
}

# Schedule script to run every 5 minutes
/system scheduler remove [find name="check-vpn"]
/system scheduler
add interval=5m name="check-vpn" on-event="check-vpn" start-time=startup
:delay 1s

# Enable traffic monitoring for WireGuard interface
:put "Enabling traffic monitoring..."
/tool graphing interface remove [find interface="wireguard1"]
/tool graphing interface add interface="wireguard1"
:delay 1s

# Create final backup
:put "Creating final configuration backup..."
/system backup save name="wireguard-split-tunnel-config"
:delay 2s

#####################################################################
# SECTION 8: Final Verification
#####################################################################

:put "SECTION 8: Final Verification"
:put "----------------------------"

# Verify WireGuard interface is running
:local wgRunning [/interface wireguard get "wireguard1" running]
:put "WireGuard interface running: $wgRunning"

# Print WireGuard public key
:local publicKey [/interface wireguard get "wireguard1" public-key]
:put "WireGuard public key: $publicKey"

# Check routing table (v7 filters routes by routing-table, not routing-mark)
:put "Routing table for VPN traffic:"
/ip route print where routing-table="vpn_traffic"

# Print completion message
:put "\nWireGuard Split Tunnel Configuration Completed!"
:put "================================================"
:put "Configuration summary:"
:put "- WAN interface: $WanInterface"
:put "- Regular LAN subnet: $RegularLanSubnet (ports ether2-4)"
:put "- VPN LAN subnet: $VpnLanSubnet (port ether5)"
:put "- VPN will be used for specific IP ranges on port 5"
:put "- DNS is configured to prevent leaks"
:put "- VPN monitoring script is scheduled to run every 5 minutes"
:put "- Configuration backup saved as 'wireguard-split-tunnel-config'"
:put "\nTo test: Connect a device to ether5 and visit a site that should use the VPN."
:put "         Then check your IP using https://www.whatismyip.com"
:put "         Also check for DNS leaks using https://www.dnsleaktest.com"
:put "\nFor troubleshooting, use the following commands:"
:put "- Check WireGuard status: /interface wireguard print"
:put "- Check peer status: /interface wireguard peers print detail"
:put "- Check VPN routes: /ip route print where routing-table=vpn_traffic"
:put "- Check logs: /log print where topics~\"wireguard\""

:log info "WireGuard split tunnel configuration script completed successfully"

@3zzy

Please stop posting dozens-of-lines-long AI-generated scripts if the very first line shows that it is bullshit.

Do not ask us to sacrifice our time to feed the Grok xAI if you are too lazy to do it yourself.

I’m not a network engineer, and I’m using AI to explore possible solutions. I posted the script to provide context and make it easier to understand my question. I understand your concern about AI-generated content, but I’m genuinely looking for help. I don’t expect anyone to write the entire script for me, just to provide guidance so it takes me half way there.

It’s a problem of contemporary times: not being involved.

You do not even try to understand what the LLM has generated as an answer. You just wait to have the solution served on a silver plate.
Additionally, frankly speaking, you inform us that you have no will to spend time on that as there are skilled people here.
Yes, there are a lot of more or less skilled people who spent hundreds of hours mastering their knowledge. Do you consider paying them for their efforts?

Oh I promise I’m fully involved here. I specifically chose Mikrotik and have spent days trying to figure it out. :slight_smile: But I can’t become a seasoned network engineer in just a couple of weeks, and I don’t see the point in hiring one for a fee that’s ten times the router’s cost just to set up my unique home network. Instead, I’m using every tool at my disposal, including AI, to speed up the learning process.

After all, even in areas where I’m an expert, I still use AI to work faster. Tools evolve and help us do more with less, and that’s kind of the point, right? If you feel you can’t help me because I’m using AI, no problem. But I’m hoping others might offer insights.

As for paying, I’m not sure why that’s coming up. This forum is about sharing knowledge, right? If it’s not a paid request forum, why bring that into the discussion?

I don’t have time to produce a ready-to-copy-n-paste configuration for you, but this is the rough idea of the steps that you’ll need.

1, Start from the default MikroTik configuration of your hEX refresh (the defconf), with working main internet connection.

2, Create WireGuard interface (let’s say wireguard1) with the private key from the Windscribe config.

3, Add that interface (wireguard1) to interface list WAN.

4, Under IP → Address, add an entry for the wireguard1 interface, with 100.101.181.14/24 as IP address.

5, Create a WireGuard peer, associated with wireguard1, with the public key, preshared key and End-point information from the Windscribe config. Allowed Address must be set to 0.0.0.0/0 (and ::/0 too if you want)

6, Under Interfaces → VLAN, create a new VLAN interface, let’s say vlan20, with “bridge” (the main bridge from defconf) as parent interface, VLAN ID = 20 (or choose other numbers between 2-4094)

7, Add vlan20 to interface list LAN.

8, Under IP → Address, add entry for vlan20 with, for instance, 192.168.20.1/24 as IP address

9, Configure address pool and DHCP Server for interface vlan20 (there is a wizard for it under IP → DHCP Server → DHCP → DHCP Setup) using the same subnet.

10, Under Bridge → Ports edit the entry for ether5, tab VLAN, set PVID to 20 and Frame Types to admit only untagged and priority tagged.

11, Under Bridge, edit “bridge” (from defconf) and turn on VLAN → VLAN Filtering. RouterOS will create the dynamic entries for VLAN 20 under Bridge → VLANs. You can convert them to static entries if you want.

12, Create a routing table, for instance USE_WG, with FIB turned on.

13, In IP → Route, create a route in the main table with dst-address=8.8.4.4/32 routing-table=main gateway=wireguard1 scope=10 target-scope=10

14, In IP → Route, create a route in the USE_WG table with dst-address=0.0.0.0/0 routing-table=USE_WG gateway=8.8.4.4 check-gateway=ping scope=30 target-scope=11

15, In the IP → Firewall → Filter table, edit the rule with the comment “defconf: fasttrack” and add the condition connection-mark=no-mark.

16, Create an Address List with the IP addresses from your OP, with the name USE_WG_DEST for instance:


/ip firewall address-list
add address=31.13.0.0/16 list=USE_WG_DEST
add address=34.252.184.159/32 list=USE_WG_DEST
...
add address=17.0.0.0/8 list=USE_WG_DEST

17, In the IP → Firewall → Mangle table, add a new rule with chain=forward action=change-mss new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535 passthrough=yes

18, In the IP → Firewall → Mangle table, add a new rule with chain=prerouting action=mark-connection connection-mark=no-mark connection-state=new in-interface=vlan20 dst-address-list=USE_WG_DEST new-connection-mark=USE_WG passthrough=yes

19, In the IP → Firewall → Mangle table, add a new rule with chain=prerouting action=mark-routing connection-mark=USE_WG in-interface=vlan20 new-routing-mark=USE_WG passthrough=no

That should do it.
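The nineteen steps above written out as RouterOS v7 CLI commands. This is an added example, not the answering poster’s own configuration or a MikroTik-supplied one; it assumes the hEX refresh default configuration (a bridge named “bridge”, the interface lists WAN and LAN with the defconf masquerade rule on out-interface-list=WAN, and the filter rule commented “defconf: fasttrack”), uses `<...>` placeholders where the Windscribe keys and endpoint go, and the pool and DHCP server names and the choice of the router itself as DNS server for vlan20 are assumptions of this example rather than part of the steps.

```routeros
# Added example: the steps above as RouterOS v7 CLI, on top of the hEX refresh defconf.
# <...> values are placeholders for the Windscribe config. pool-vlan20, dhcp-vlan20 and
# the use of 192.168.20.1 as the VLAN's DNS server are choices made here, not in the steps.

# Steps 2-5: WireGuard interface in the WAN list (so defconf NAT also covers the tunnel),
# its address, and the Windscribe peer with AllowedIPs 0.0.0.0/0 and ::/0
/interface wireguard add name=wireguard1 private-key="<PRIVATE_KEY_FROM_WINDSCRIBE_CONFIG>"
/interface list member add interface=wireguard1 list=WAN
/ip address add address=100.101.181.14/24 interface=wireguard1
/interface wireguard peers add interface=wireguard1 public-key="<PEER_PUBLIC_KEY>" \
    preshared-key="<PRESHARED_KEY>" endpoint-address=<ENDPOINT_HOST> endpoint-port=65142 \
    allowed-address=0.0.0.0/0,::/0

# Steps 6-9: vlan20 on the defconf bridge, in the LAN list, with its own address and DHCP
/interface vlan add name=vlan20 interface=bridge vlan-id=20
/interface list member add interface=vlan20 list=LAN
/ip address add address=192.168.20.1/24 interface=vlan20
/ip pool add name=pool-vlan20 ranges=192.168.20.10-192.168.20.254
/ip dhcp-server add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Steps 10-11: ether5 becomes an untagged access port for VLAN 20, then VLAN filtering goes on
/interface bridge port set [find interface=ether5] pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge set bridge vlan-filtering=yes

# Steps 12-14: separate routing table. The host route pins 8.8.4.4 to the tunnel in the main
# table; the table's default route is recursive through it with check-gateway=ping. When the
# tunnel is down the ping fails, the route goes inactive and marked traffic falls back to the
# main table, which is the "no kill switch" behaviour asked for in the OP.
/routing table add name=USE_WG fib
/ip route add dst-address=8.8.4.4/32 gateway=wireguard1 routing-table=main scope=10 target-scope=10
/ip route add dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=USE_WG \
    check-gateway=ping scope=30 target-scope=11

# Step 15: fasttracked packets bypass mangle, so keep marked connections out of fasttrack
/ip firewall filter set [find comment="defconf: fasttrack"] connection-mark=no-mark

# Step 16: destinations that should use the tunnel (the list from the OP)
/ip firewall address-list
add address=31.13.0.0/16 list=USE_WG_DEST
add address=34.252.184.159/32 list=USE_WG_DEST
add address=35.72.108.16/32 list=USE_WG_DEST
add address=52.48.8.54/32 list=USE_WG_DEST
add address=66.220.144.0/20 list=USE_WG_DEST
add address=69.63.176.0/20 list=USE_WG_DEST
add address=69.171.0.0/16 list=USE_WG_DEST
add address=102.132.96.0/20 list=USE_WG_DEST
add address=129.134.0.0/16 list=USE_WG_DEST
add address=157.240.0.0/16 list=USE_WG_DEST
add address=163.70.138.62/32 list=USE_WG_DEST
add address=173.252.0.0/16 list=USE_WG_DEST
add address=179.60.192.0/22 list=USE_WG_DEST
add address=185.60.216.0/22 list=USE_WG_DEST
add address=185.166.143.38/32 list=USE_WG_DEST
add address=199.201.64.0/22 list=USE_WG_DEST
add address=204.15.20.0/22 list=USE_WG_DEST
add address=17.0.0.0/8 list=USE_WG_DEST

# Steps 17-19: MSS clamp for TCP entering the tunnel, then connection mark -> routing mark
# (only new connections from vlan20 to listed destinations get marked; everything else
# from vlan20 stays unmarked and uses the main table, i.e. the ISP)
/ip firewall mangle
add chain=forward action=change-mss new-mss=1380 out-interface=wireguard1 protocol=tcp \
    tcp-flags=syn tcp-mss=1381-65535 passthrough=yes
add chain=prerouting action=mark-connection connection-mark=no-mark connection-state=new \
    in-interface=vlan20 dst-address-list=USE_WG_DEST new-connection-mark=USE_WG passthrough=yes
add chain=prerouting action=mark-routing connection-mark=USE_WG in-interface=vlan20 \
    new-routing-mark=USE_WG passthrough=no
```

To confirm the policy is doing what the steps intend: from a client on ether5, `/ip route print where routing-table=USE_WG` should show the default route active while `/interface wireguard peers print` shows a recent handshake; `/ip firewall connection print where connection-mark=USE_WG` should list only connections to USE_WG_DEST addresses; and disabling wireguard1 should make the USE_WG default route go inactive within the check-gateway interval, after which those same destinations are reached via the ISP instead of being dropped.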

This is really helpful, I’ll try it out and report back.
Much appreciated!

Heads up, MT is not a DPI-capable router, so it’s a no-go if you are trying to control via websites or apps etc…

Surely AI will tell him that … :open_mouth:

It probably will and its response would be more helpful than yours. :slight_smile:

Ah, it’s the only reason I bought a HEX: to be able to do split tunnelling, because using VPN on the phone eats up a lot of battery and is a huge hassle.
Will need to find a router that’s DPI capable then?

In fact, look at nature:
It has a tendency to let the most stupid or defective plants, animals and beings in the same species die more easily,
while it rewards the plants, animals and beings that know how to adapt better and makes them evolve more intelligently.
So if people now or in the future have a less and less developed brain because they let other things think for them,
the tendency of humanity is to become a flock of sheep to be slaughtered at the hands of the few wolves that lead it.

Look how many animals for slaughter there are now around, all with their heads bowed to the screen or with their cell phone on a tray in front of or beside them.
Smartphones and tablets take the place of family education because mom or dad are busy with their social media, so they put the aforementioned in front of the newborn so that he becomes hypnotized and stupid and does not disturb their social media…

When there is a nearly infallible AI that will do your job better than you, and will cost less, you will no longer be of any use.
You will be just another obsolete animal to be sent to the slaughterhouse.
And at that point I want to see how you survive, replaced and without work, with what adaptability you move…

That's one way to think about it but I think it misses how human progress has always worked.
Throughout history, our greatest strength has been our ability to create and use tools that extend our capabilities.
The people who thrive aren't those who refuse to use new tools; they're the ones who learn to work effectively with them. From fire to farming to computers, each new technology changed which skills were most valuable, but didn't make humans less capable overall.
Consider calculators: they didn't make us worse at mathematical thinking! Instead, they freed us from tedious calculations so we could tackle more complex problems. The most successful people weren't those who insisted on doing all math by hand, but those who used calculators to enhance their abilities.
The future will reward those who adapt and learn to use these new tools effectively, just as it always has.

No, it doesn’t since you’re still asking it questions to get the config right for that device (which NONE of MT devices can do reliably).
Sometimes you have to THINK on your own.
Try it, it might be a refreshing experience.

As Rex indicates:
the day we will blindly accept without a blink of an eye what any machine says … poor humans we will be.

I welcome the fact lots of info can be processed/digested in a tremendous speed by AI but I always keep an eye out with respect to checking the results.

And here you make a serious mistake.

I learned to count without calculator up into university.
We had to do physics calculations up to 5 digits after the comma with powers and all that.

As a result I can eye-ball a mistake in a finance report just looking at it.
Those young guys using their beautiful Excel sheets and scientific calculators who made the report have been proven wrong quite often by me.
Because they do not know their basics.

You need to MASTER basic capabilities first and THEN you may get benefit from automating.
Not just relying on automation and not knowing what it does.

I actually did THINK quite a lot before buying this router, but as someone new to networking, there were technical limitations I couldn’t have anticipated. I spent days figuring things out on my own, learning as I went, then posted here as a human seeking help from other humans.
The fact that I didn’t blindly accept whatever AI suggested is evident from me posting here asking for clarification in the first place. If I had simply accepted what AI told me without questioning it, why would I bother posting at all?
In this process, I’ve discovered something interesting - a knowledge sharing forum where some mods seem fundamentally opposed to… knowledge sharing. The hostility toward someone trying to learn (whether using AI as a starting point or not) is a rather unfortunate combination for a community that supposedly exists to help people improve their skills.
But thank you for the suggestion to think on my own. I never would have considered that revolutionary approach without your guidance. :slight_smile:

I’m genuinely impressed by your numerical aptitude; that’s a remarkable skill that clearly serves you well. You’re fortunate to have that natural talent.
However, I think you may be making the classic ‘curse of knowledge’ error. When something comes easily to someone, they often struggle to understand why others might need different approaches or tools to achieve the same outcomes. :slight_smile:
Not everyone processes information the same way, has the same learning style, or possesses identical cognitive strengths.
Modern tools exist precisely because they democratize capabilities that historically belonged only to those with specific natural aptitudes. They don’t replace understanding - they provide different pathways to it.
Your approach clearly worked wonderfully for you. I’m just suggesting that insisting everyone must learn exactly as you did might reveal more about your limitations in understanding human diversity than about the proper way to learn.
But I suspect you already know this, and are simply enjoying the superiority of being the exception rather than considering how your attitude affects those still learning.