REQ: AirVPN / Wireguard fine tune assistance

Hello,

Before, I was on AzireVPN, where helpful users here helped me configure it :wink: http://forum.mikrotik.com/t/wireguard-azirevpn-misbehavior/165351/1

So after setting everything up and being happy for 1y+, they changed the port forward policy… I decided to try a new provider.
I came across AirVPN, which seems to have a big community and a stable service, so I gave it a try…

I noticed a new feature in WinBox - WireGuard - WG Import - Great!

Mikrotik OS is on 16.2, but to my BITTER surprise - WG Import doesn't work…
I checked for an OS update and found 7.17 (fresh update yesterday); probably a bug in the previous FW, so I updated, and same problem…
This drives me insane: so many years on the market and still issues with seamless OpenVPN / WireGuard config imports.
- Filed a ticket and just got notice: this is fixed in 7.18beta (at least they are fast)

Anyway, back to the ISSUE: I spent a few hours setting everything up manually (based on the previous AzireVPN provider settings) to some working level.

My setup is that I also have Docker hosted on a server for Pi-hole, where I have 2x DNS servers from the previous provider (still working fine):
AzireVPN
91.231.153.2
192.211.0.2

Now the issues are:

  1. AirVPN DNS 10.128.0.1 seems to work only if the client (VPN whitelist) is connected to the VPN tunnel

  2. The rest of the clients (not on VPN) have issues with pages, connectivity etc. (using AirVPN DNS 10.128.0.1)
    When I take Client1 out of the VPN so it is connected "via regular internet", the issues with pages are gone and everything runs/loads smoothly.

The VPN client list I manage via the routing table (not sure if there is any other better way)

/routing rule
add action=lookup-only-in-table comment=ZigBee-Hub disabled=no src-address=\
    192.168.10.20/32 table=main
add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=\
    192.168.10.50/32 table=main
add action=lookup-only-in-table comment="Redmi 8" disabled=no \
    src-address=192.168.10.64/32 table=main
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG
  3. I removed AirVPN DNS 10.128.0.1 completely and kept only 91.231.153.2, 192.211.0.2 on Pi-hole
    Now non-VPN clients run great, all pages etc.

A client on the AirVPN tunnel runs 80-90% fine; some pages do not load or load only partially, and for example the paint.NET update is failing (see pic) vs. on non-VPN clients it works fine.
I recall having similar issues with AzireVPN, and then someone suggested:

"With adding the command, it started to work; changing to MTU 1500 didn't work out.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-az-se-sto passthrough=yes protocol=tcp tcp-flags=syn
"
I tried to edit it for the current interface; it seems to help a bit to get access, but somehow the few-MB update is extremely slow.
Even the speed on VPN is like 50/5 Mb (before I start looking for a faster server, I would like to have this issue resolved)

I also see that something is not right via this browser plugin (https://github.com/AykutCevik/Geolocate-IP-Browser-Extension),
where it shows ERROR and no data about the IP, vs. in the normal state it changes/updates the country flag within seconds.
Here is my config:
Seems like now they have a new feature https://help.mikrotik.com/docs/spaces/ROS/pages/328155/Configuration+Management
show-sensitive (yes|no; Default: no). RouterOS version 7 only
hide-sensitive (yes|no; Default: no). RouterOS version 6 only

So I hope everything needed is there

# doesn't work with =yes / no switch
export hide-sensitive=yes file=VPN

#works
export hide-sensitives file=VPN



# 2025-01-25 12:20:13 by RouterOS 7.17
# software id = NNA1-7M3W
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=XX:XX:XX:XX:XX:XX \
    name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1320 name=AirVPN_Sweden
add comment=back-to-home-vpn disabled=yes listen-port=40556 mtu=1420 name=\
    back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2422,2447,2467 name=ch-2ghz \
    skip-dfs-channels=10min-cac width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5320 name=ch-5ghz \
    skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=wifi-sec wps=\
    disable
/interface wifi configuration
add antenna-gain=0 channel=ch-2ghz country=Czech disabled=no name=\
    wifi-conf-2.4Ghz security=wifi-sec ssid=XXX
add antenna-gain=0 channel=ch-5ghz country=Czech disabled=no name=\
    wifi-conf-5Ghz security=wifi-sec ssid=XXX_5G
/interface wifi
add configuration=wifi-conf-5Ghz configuration.mode=ap .tx-power=24 disabled=\
    no name=cap-wifi1 radio-mac=XX:XX:XX:XX:XX:XX
add configuration=wifi-conf-2.4Ghz configuration.mode=ap .tx-power=24 \
    disabled=no name=cap-wifi2 radio-mac=XX:XX:XX:XX:XX:XX
set [ find default-name=wifi1 ] configuration=wifi-conf-5Ghz \
    configuration.mode=ap disabled=no name=wifi1-5g
set [ find default-name=wifi2 ] configuration=wifi-conf-2.4Ghz \
    configuration.mode=ap disabled=no name=wifi2-2g
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
add disabled=yes fri=17h30m-19h mon=17h30m-19h name=kids sat=17h30m-19h30m \
    sun=17h30m-19h thu=17h30m-19h tue=17h30m-19h wed=17h30m-19h
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/queue simple
add comment=Arduino-Box max-limit=10/10 name=Arduino-Box target=\
    192.168.10.112/32
add comment=Arduino-Garaz max-limit=10/10 name=Arduino-Garaz target=\
    192.168.10.110/32
/queue tree
add max-limit=1G name=TotalBand parent=global
add max-limit=50M name="01 Games" packet-mark=games parent=TotalBand
add max-limit=20M name="02 YouTube" packet-mark=youtube parent=TotalBand
add comment="Browsing, downloads" max-limit=1G name="03 Other" packet-mark=\
    no-mark parent=TotalBand
/routing table
add disabled=no fib name=useWG
/zerotier
set zt1 disabled=no disabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1-5g internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2-2g internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=no
/ipv6 settings
set max-neighbor-entries=15360
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/interface wifi access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
    wifi1-5g signal-range=-120..-85
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
    wifi2-2g signal-range=-120..-85
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=require-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=wifi-conf-5Ghz \
    supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=wifi-conf-2.4Ghz \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=se3.vpn.airdns.org \
    endpoint-port=51820 interface=AirVPN_Sweden name=peer4 \
    persistent-keepalive=35s preshared-key=\
    "XXX" public-key=\
    "XXX"
/iot lora traffic options
set crc-errors=no
set crc-errors=no
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=10.142.189.241 interface=AirVPN_Sweden network=10.142.189.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
add allow-lan=yes comment=" Xiaomi 2201122G" name="MikroTik hAP AX3" \
    private-key="XXX" public-key=\
    "XXX"
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.10.50 client-id=1:a8:a1:59:44:6f:3b comment=MiniPC \
    mac-address=A8:A1:59:44:6F:3B rate-limit=1000M/1000M server=dhcp1
add address=192.168.10.70 client-id=1:4:cf:8c:e8:42:18 comment="Vacuum" \
    mac-address=04:CF:8C:E8:42:18 server=dhcp1

/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.2 \
    gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.51 list=No-Internet
add address=se3.vpn.airdns.org list=3rdPartyVPN2
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=log chain=forward connection-state=new disabled=yes dst-port=\
    80,443 log=yes protocol=tcp
add action=drop chain=forward comment="No-Internet Rule" log=yes log-prefix=\
    Blocked-Internet-Tries out-interface-list=WAN src-address-list=\
    No-Internet
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=51820 in-interface=ether1-WAN \
    protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
    in-interface-list=LAN
add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface-list=WAN
add action=accept chain=forward in-interface=bridge out-interface=\
    AirVPN_Sweden
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=AirVPN_Sweden protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=AirVPN_Sweden
add action=dst-nat chain=dstnat comment=Loxone dst-port=7777 in-interface=\
    ether1-WAN log=yes log-prefix=Loxone protocol=tcp to-addresses=\
    192.168.10.100 to-ports=7777
add action=dst-nat chain=dstnat comment="Transmission BT - Work" dst-port=\
    7778 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=\
    192.168.10.101 to-ports=7788
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="SSH Router" disabled=yes dst-port=\
    2220 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=\
    192.168.10.1 to-ports=2222
/ip firewall service-port
set ftp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=60:45:CB:9A:3F:F0 name=Tower user=system-dummy
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=AirVPN_Sweden \
    routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/routing rule
add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=\
    192.168.10.50/32 table=main
add action=lookup-only-in-table comment=Laptop disabled=no \
    src-address=192.168.10.51/32 table=main
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik hAP AX3"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=time1.google.com
add address=time2.google.com
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anyone?
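Why the suggested "clamp MSS to PMTU" rule helps and why mtu=1500 on the tunnel did not: the arithmetic behind the mtu=1320 setting and the MSS rewrite, as an added example that is not from the original post. The constants are the WireGuard transport-data format (32 bytes) plus UDP and the outer IP header; the 16-byte padding rule and the sample SYN option bytes are constructed here for illustration, and the functions are not a RouterOS API.

```python
"""WireGuard MTU / TCP MSS arithmetic behind mtu=1320 and new-mss=clamp-to-pmtu (added example)."""
WG_TRANSPORT = 32          # 4 type/reserved + 4 receiver index + 8 counter + 16 Poly1305 tag
UDP_HEADER = 8
IPV4_HEADER, IPV6_HEADER = 20, 40
TCP_HEADER = 20


def max_wg_mtu(path_mtu, outer_ipv6=False):
    """Largest tunnel MTU whose encapsulated packets still fit the underlay path MTU."""
    return path_mtu - WG_TRANSPORT - UDP_HEADER - (IPV6_HEADER if outer_ipv6 else IPV4_HEADER)


def tcp_mss_for(wg_mtu, inner_ipv6=False):
    """TCP MSS a client should advertise for a given tunnel MTU (what clamp-to-pmtu enforces)."""
    return wg_mtu - (IPV6_HEADER if inner_ipv6 else IPV4_HEADER) - TCP_HEADER


def outer_size(inner_len, wg_mtu, outer_ipv6=False):
    """On-the-wire size of one encapsulated packet. WireGuard pads the plaintext to a
    multiple of 16 bytes but never beyond the interface MTU."""
    padded = min(wg_mtu, (inner_len + 15) // 16 * 16)
    return padded + WG_TRANSPORT + UDP_HEADER + (IPV6_HEADER if outer_ipv6 else IPV4_HEADER)


def fits(inner_len, wg_mtu, path_mtu=1500, outer_ipv6=False):
    """True when a packet of inner_len bytes leaves the underlay without fragmentation."""
    return outer_size(inner_len, wg_mtu, outer_ipv6) <= path_mtu


def clamp_mss_option(tcp_options, wg_mtu, inner_ipv6=False):
    """Rewrite the MSS option (kind 2) of a SYN's option block, as change-mss does.
    Other options are copied unchanged; returns the new option bytes."""
    limit = tcp_mss_for(wg_mtu, inner_ipv6)
    out, i = bytearray(), 0
    while i < len(tcp_options):
        kind = tcp_options[i]
        if kind == 0:                      # end of option list
            out += tcp_options[i:]
            break
        if kind == 1:                      # NOP, single byte
            out.append(kind)
            i += 1
            continue
        length = tcp_options[i + 1]
        if length < 2 or i + length > len(tcp_options):
            raise ValueError("malformed TCP option")
        body = tcp_options[i:i + length]
        if kind == 2 and length == 4:      # MSS: lower it if it exceeds the tunnel limit
            mss = int.from_bytes(body[2:4], "big")
            body = body[:2] + min(mss, limit).to_bytes(2, "big")
        out += body
        i += length
    return bytes(out)


# Constructed SYN options: MSS 1460, NOP, NOP, SACK-permitted, NOP, window scale 7
SAMPLE_SYN_OPTIONS = bytes.fromhex("020405b4" "0101" "0402" "01" "030307")

if __name__ == "__main__":
    print("max tunnel MTU over IPv4 / IPv6 underlay:", max_wg_mtu(1500), max_wg_mtu(1500, outer_ipv6=True))
    print("MSS for mtu=1320:", tcp_mss_for(1320))
    print("1500-byte packet over an mtu=1500 tunnel fits a 1500 path?", fits(1500, 1500))
    print("clamped SYN options:", clamp_mss_option(SAMPLE_SYN_OPTIONS, 1320).hex())
```

The 1440/1420 results are why WireGuard defaults to 1420 (it assumes an IPv6 underlay); with the tunnel itself set to 1500, a full-size inner packet becomes 1560 bytes on the wire, which a 1500-byte path cannot carry, and a client that set DF sees a black hole rather than an error. Clamping the SYN MSS to 1280 for mtu=1320 avoids that for TCP without touching the MTU of every LAN host.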

Sure, but how about first you get rid of all the noise.
Delete all the unused config, as it makes it harder to read and diagnose issues.
Once done, repost and I will have a look.

I edited the 1st post and added a "cleaned" config with the "disabled" items removed.
Should be better now :wink:

EDIT:

Seems like I need to have AirVPN DNS for active AirVPN connections only.
For all the rest I have to use a non-AirVPN DNS server.

At the moment I use non-AirVPN DNS servers via Pi-hole for everything.

Just got confirmation from the AirVPN forum:
To reach 10.128.0.1 (or rather AirDNS in general) you will need an active VPN connection, yes.

Did AirVPN provide any DNS servers for you to use?

You have two PCs you don't want going out WireGuard Sweden?
Assuming these need to go out the regular local WAN?

Any other local traffic that should occur (between LAN IPs)??
You noted a Pi server; if all are going out to the internet via Sweden, what is the purpose of the Pi server then? Still used…???

The IP not allowed internet, I gather that's for both local and WireGuard, correct?

What is strange is that you don't want the laptop to go out Sweden, which is fine, but it's also a laptop you don't want to have any internet, so no local WAN access either???

Assuming since you had BTH, and no regular WireGuard, you do not get a public IP address and cannot forward a port from the ISP provider, so one could conclude you don't need a port forwarding rule??

Why do you have port forward rules at all is my question?

Further, why do you attempt to use AirVPN to port forward to your router; do they provide such a service? My experience is that it's only outgoing traffic they support… to provide you with internet at a different location etc…

Did AirVPN provide any DNS servers for you to use?
In the generated config for the WG VPN there was this one: 10.128.0.1
Also here in the specs I found https://airvpn.org/specs/
DoH, DoT
Every gateway/daemon assigned to you acts as a DNS (port 53), DoH (dns-over-http, port 443), DoT (dns-over-tls, port 853).
DoH and DoT don't add any actual benefit, because plain DNS requests are encrypted inside our tunnel anyway.
However, users might need it for special configurations. In such cases, use dns.airservers.org (automatically resolved into VPN gateway address).
Our DNS returns an NXDOMAIN for "use-application-dns.net", for compatibility reasons.

[Interface]
Address = 10.142.189.241/32
PrivateKey = xxx
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = se3.vpn.airdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

You have two PCs you don't want going out WireGuard Sweden?

There are multiple PCs, but for better transparency I kept only a few clients in the config.
Currently I'm using this "Rules" list where I:

  • ENABLE the rule for a client to be OUT of the VPN
  • DISABLE the rule for a client to be IN → VPN
/routing rule
add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=\
    192.168.10.50/32 table=main
add action=lookup-only-in-table comment=Laptop disabled=no \
    src-address=192.168.10.51/32 table=main
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG

Assuming these need to go out the regular local WAN?
As stated above, I ENABLE / DISABLE in Rules depending on whether they should be on VPN or not.
E.g. some page is not working in Sweden (I enable the rule)

Any other local traffic that should occur (between LAN IPs)??
Just a regular local network, no VLANs or similar. All clients on the same IP range on a single DHCP,
if that's what you are asking

The IP not allowed internet, I gather that's for both local and WireGuard, correct?
I have somewhere rules to block the internet sometimes (for the kids in case it is too much :smiley:)
Otherwise all clients have full LAN / internet access. The only main grouping is clients ON -> VPN (Sweden), OFF VPN (local)

Okay, understood.

Flexible list that needs to go out WireGuard Sweden
Flexible list that needs to be blocked from any internet access.

So you need to keep two firewall address lists up to date:
those allowed local WAN
those not allowed any WAN access
The rest go through Sweden.

You didn't confirm whether or not you get a public IP or that the ISP router can forward a port to your router.
This is to either keep or remove any port forwardings you have through the local WAN.
Also to confirm no port forwarding is provided by Air WireGuard so we can get rid of that noise too.

You didn't confirm whether or not you get a public IP or that the ISP router can forward a port to your router.
This is to either keep or remove any port forwardings you have through the local WAN.
Also to confirm no port forwarding is provided by Air WireGuard so we can get rid of that noise too.

Yes, port forwarding is there and working. AirVPN offers 5 ports; currently for testing I'm using 2 port forwards without prerouting.

This is how it looks. You pick from the list which ports are open, and then they keep them on your account, regardless of which country/city server you are using for the VPN.
I haven't set the port-forward prerouting/remap rule yet.
As here https://airvpn.org/faq/port_forwarding/ they say "do NOT forward on your router the same ports you use on your listening services while connected to the VPN."
Probably this is for remote connections, server WebUI interfaces and such…?

On the PORTS setup page they say they do NOT suggest remapping due to a tracker issue.
This is only for p2p torrents, DC++ etc…?

Otherwise I'm a bit confused about what is right to do in the end…:wink:

Before, I had a torrent client with, for example, incoming port 55555, and for the VPN it was 66666; then I set a remap/prerouting rule in the firewall rules.

Ports setup page notes

This is my first take on the subject. This should resolve most issues.
What is not clear is what AirVPN does with the original source addresses of the incoming traffic to its site.
In other words, we do not know if AirVPN source-NATs the incoming traffic to its own WireGuard IP or not.
If it does not, then return traffic from your router will get complex and will need more work.

2025-01-25 12:20:13 by RouterOS 7.17

CHANGES:
/ip settings
set allow-fast-path=yes

/interface detect-internet
set detect-interface-list=none

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=AirVPN_Sweden list=WAN

/ip firewall address-list
add address=192.168.10.X list=Authorized comment="admin PC"
add address=192.168.10.Y list=Authorized comment="admin laptop"
add address=192.168.10.Z list=Authorized comment="admin smartphone"
add address=… list=exceptions comment="as required, LAN IPs using local WAN"
add address=… list=no-internet comment="as required, LAN IPs with no WAN access"

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN \
    src-address-list=exceptions dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN \
    src-address-list=exceptions dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface=AirVPN_Sweden \
    src-address-list=!no-internet
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    src-address-list=exceptions
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=\
    !exceptions to-addresses=10.128.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address-list=\
    !exceptions to-addresses=10.128.0.1
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp \
    to-addresses=192.168.10.101

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=AirVPN_Sweden \
    routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
add dst-address=10.128.0.1 gateway=AirVPN_Sweden routing-table=main

/routing rule
{exceptions stated first in order - as required - ensure you keep the firewall address list up to date}
add action=lookup-only-in-table comment="LANIP-1 going out local WAN" src-address=as required table=main
add action=lookup-only-in-table comment="LANIP-2 going out local WAN" src-address=as required table=main
…
add action=lookup-only-in-table comment="LANIP-N going out local WAN" src-address=as required table=main

{ rest of LAN goes through Sweden }
add action=lookup-only-in-table comment="Rest of LAN thru Sweden" src-address=192.168.10.0/24 table=useWG

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If we find out that AirVPN does not source-NAT the external user's source IP, then we may look at some additional work to ensure traffic flows properly in all situations.

So far there are no issues for the traffic to reach the router and the LAN server.
Let's say this time the request is not source-NATted to the AirVPN IP but comes from a public IP.

How will the router attempt to return the traffic…
Normally it would be sent to the local WAN, but we have to be cognizant of the sending device and what rules it lives under.
Thus the server IP is critical.
If the server IP is captured by the routing rule, then no change is required, as any return traffic from this IP (or originating traffic for that matter) would get caught in the routing rule.

Assessing, therefore, mangling or other rules are likely not needed, as the above config works for both cases.
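To check the list-driven steering policy proposed above before pasting it into a router, here is an added example (not the poster's configuration) that renders the address lists and routing rules as RouterOS commands and traces where a new connection from a given LAN client ends up, including the case where the VPN table has no usable route (for instance the WireGuard interface disabled). Interface names, the 10.128.0.1 resolver and the 192.168.10.0/24 subnet come from the thread; the sample client addresses and the "drop:…" reason strings are constructed here. One detail the model encodes: a query from a client to the Pi-hole on the same subnet is bridged, not routed, so the dst-nat rule on port 53 never sees it (the IP firewall only sees bridged traffic when bridge use-ip-firewall is enabled, which is off by default).

```python
"""Model of the list-driven VPN steering policy: render RouterOS commands and trace the packet path (added example)."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.10.0/24")
VPN_IF, WAN_IF, VPN_DNS = "AirVPN_Sweden", "ether1-WAN", "10.128.0.1"


def render_policy(exceptions, no_internet, strict=True):
    """RouterOS commands for the two address lists and the routing rules.
    Exceptions are listed first. With strict=True the catch-all uses lookup-only-in-table,
    so a VPN client whose route is missing is dropped instead of falling back to main."""
    cmds = ["/ip firewall address-list"]
    cmds += [f'add address={ip} list=exceptions comment="uses local WAN"' for ip in exceptions]
    cmds += [f'add address={ip} list=no-internet comment="no WAN access"' for ip in no_internet]
    cmds.append("/routing rule")
    cmds += [f"add action=lookup-only-in-table src-address={ip}/32 table=main" for ip in exceptions]
    catch_all = "lookup-only-in-table" if strict else "lookup"
    cmds.append(f"add action={catch_all} src-address={LAN} table=useWG")
    return cmds


def egress(src, exceptions, no_internet, vpn_route_active=True, strict=True):
    """Interface a new connection from src leaves on, or a 'drop:<reason>' string.
    Step 1 is the routing-rule lookup, step 2 the forward chain of the proposal:
    LAN->AirVPN_Sweden for everyone not in no-internet, LAN->WAN only for exceptions."""
    if ip_address(src) not in LAN:
        return "drop:not-lan"
    if src in exceptions:
        out_if = WAN_IF                 # matched an exception rule: main table, ISP uplink
    elif vpn_route_active:
        out_if = VPN_IF                 # useWG default route via the tunnel
    elif strict:
        return "drop:no-route"          # lookup-only-in-table with no route: nothing leaks
    else:
        out_if = WAN_IF                 # plain lookup falls through to the main table
    if src in no_internet:
        return "drop:firewall"
    if out_if == WAN_IF and src not in exceptions:
        return "drop:firewall"          # second layer: forward accepts LAN->WAN only for exceptions
    return out_if


def dns_destination(src, dst, exceptions):
    """Where a port-53 packet from src to dst actually goes under the dst-nat rule.
    Same-subnet queries (e.g. to the Pi-hole on 192.168.10.2) are bridged, never routed,
    so the IP firewall does not rewrite them; off-LAN resolvers are redirected for
    every source that is not an exception."""
    if ip_address(dst) in LAN:
        return dst
    return dst if src in exceptions else VPN_DNS


if __name__ == "__main__":
    exceptions, no_internet = ["192.168.10.51"], ["192.168.10.80"]   # constructed sample clients
    print("\n".join(render_policy(exceptions, no_internet)))
    for client in ("192.168.10.20", "192.168.10.51", "192.168.10.80"):
        print(client, "->", egress(client, exceptions, no_internet))
    print("tunnel route gone, strict:", egress("192.168.10.20", exceptions, no_internet, vpn_route_active=False))
    print("tunnel route gone, plain lookup:",
          egress("192.168.10.20", exceptions, no_internet, vpn_route_active=False, strict=False))
    print("DNS from a VPN client to 8.8.8.8 goes to:", dns_destination("192.168.10.20", "8.8.8.8", exceptions))
```

The trace shows why the proposal uses two layers: with the strict catch-all a VPN client with no tunnel route is dropped at the routing stage, and even with the plain `lookup` action the forward chain still refuses LAN-to-WAN traffic from anything outside the exceptions list, so the ISP uplink is never used by accident.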

Thanks for the update…

Seems to be much better now! :open_mouth: :astonished:
The browser extension for IP resolves the VPN IP right away (that's a good sign)
Also the paint.NET update works.

I will use it for a few days to test everything and see… then the last things will be to

  • add different VPN countries
  • modify this rule for VPN DNS - add dst-address=10.128.0.1 gateway=AirVPN_Sweden routing-table=main
    to be able to read the address from dns.airservers.org (in case the VPN provider changes the DNS IP)

Here is the "LIVE" config export

# 2025-01-27 15:40:47 by RouterOS 7.17
# software id = NNA1-7M3W
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=XX:XX:XX:XX:XX:XX\
    name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1320 name=AirVPN_Sweden
add comment=back-to-home-vpn disabled=yes listen-port=40556 mtu=1420 name=\
    back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2422,2447,2467 name=ch-2ghz \
    skip-dfs-channels=10min-cac width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5320 name=ch-5ghz \
    skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=wifi-sec wps=\
    disable
/interface wifi configuration
add antenna-gain=0 channel=ch-2ghz country=Czech disabled=no name=\
    wifi-conf-2.4Ghz security=wifi-sec ssid=xxx
add antenna-gain=0 channel=ch-5ghz country=Czech disabled=no name=\
    wifi-conf-5Ghz security=wifi-sec ssid=xxx_5G
/interface wifi
add configuration=wifi-conf-5Ghz configuration.mode=ap .tx-power=24 disabled=\
    no name=cap-wifi1 radio-mac=XX:XX:XX:XX:XX:XX
add configuration=wifi-conf-2.4Ghz configuration.mode=ap .tx-power=24 \
    disabled=no name=cap-wifi2 radio-mac=XX:XX:XX:XX:XX:XX
set [ find default-name=wifi1 ] configuration=wifi-conf-5Ghz \
    configuration.mode=ap disabled=no name=wifi1-5g
set [ find default-name=wifi2 ] configuration=wifi-conf-2.4Ghz \
    configuration.mode=ap disabled=no name=wifi2-2g
/iot lora servers
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
add disabled=yes fri=17h30m-19h mon=17h30m-19h name=kids sat=17h30m-19h30m \
    sun=17h30m-19h thu=17h30m-19h tue=17h30m-19h wed=17h30m-19h
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/queue simple
add comment=Arduino-Box max-limit=10/10 name=Arduino-Box target=\
    192.168.10.112/32
add comment=Arduino-Garaz max-limit=10/10 name=Arduino-Garaz target=\
    192.168.10.110/32
/queue tree
add max-limit=1G name=TotalBand parent=global
add max-limit=50M name="01 Games" packet-mark=games parent=TotalBand
add max-limit=20M name="02 YouTube" packet-mark=youtube parent=TotalBand
add comment="Browsing, downloads" max-limit=1G name="03 Other" packet-mark=\
    no-mark parent=TotalBand
/routing table
add disabled=no fib name=useWG
/zerotier
set zt1 disabled=no disabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1-5g internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2-2g internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set allow-fast-path=yes
/ipv6 settings
set max-neighbor-entries=15360
/interface detect-internet
set internet-interface-list=all lan-interface-list=all wan-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=AirVPN_Sweden list=WAN
/interface wifi access-list
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
    wifi1-5g signal-range=-120..-85
add action=reject allow-signal-out-of-range=10s disabled=no interface=\
    wifi2-2g signal-range=-120..-85
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=require-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=wifi-conf-5Ghz \
    supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=wifi-conf-2.4Ghz \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=se3.vpn.airdns.org \
    endpoint-port=51820 interface=AirVPN_Sweden name=peer4 \
    persistent-keepalive=35s preshared-key=\
    "xxx" public-key=\
    "xxx"
/iot lora traffic options
set crc-errors=no
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=10.142.189.241 interface=AirVPN_Sweden network=10.142.189.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
add allow-lan=yes comment=" Xiaomi 2201122G" name="MikroTik hAP AX3" \
    private-key="xxx" public-key=\
    "xxx"
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.10.50 client-id=1:a8:a1:59:44:6f:3b comment=MiniPC \
    mac-address=A8:A1:59:44:6F:3B rate-limit=1000M/1000M server=dhcp1
add address=192.168.10.70 client-id=1:4:cf:8c:e8:42:18 comment="Vacuum" \
    mac-address=04:CF:8C:E8:42:18 server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.2 \
    gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.51 list=No-Internet
add address=se3.vpn.airdns.org list=3rdPartyVPN2
add address=192.168.10.50 comment=MiniPC list=Authorized
add address=192.168.10.60 comment=M12Pro list=Authorized
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=drop chain=forward comment="No-Internet Rule" log=yes log-prefix=\
    Blocked-Internet-Tries out-interface-list=WAN src-address-list=\
    No-Internet
add action=accept chain=input dst-port=51820 in-interface=ether1-WAN \
    protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
    in-interface-list=LAN
add action=accept chain=forward in-interface=bridge out-interface-list=WAN
add action=accept chain=forward in-interface=bridge out-interface=\
    AirVPN_Sweden
add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=exceptions
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=exceptions
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface=\
    AirVPN_Sweden src-address-list=!no-Internet
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    src-address-list=exceptions
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=AirVPN_Sweden protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=AirVPN_Sweden
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=\
    !exceptions to-addresses=10.128.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address-list=\
    !exceptions to-addresses=10.128.0.1
add action=dst-nat chain=dstnat comment=Loxone dst-port=7777 in-interface=\
    ether1-WAN log=yes log-prefix=Loxone protocol=tcp to-addresses=\
    192.168.10.100 to-ports=7777
add action=dst-nat chain=dstnat comment="Transmission BT - Work" dst-port=\
    7778 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=\
    192.168.10.101 to-ports=7788
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=\
    54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp \
    to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="SSH Router" disabled=yes dst-port=\
    2220 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=\
    192.168.10.1 to-ports=2222
/ip firewall service-port
set ftp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=60:45:CB:9A:3F:F0 name=Tower user=system-dummy
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=AirVPN_Sweden \
    routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
add dst-address=10.128.0.1 gateway=AirVPN_Sweden routing-table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/routing rule
add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=\
    192.168.10.50/32 table=main
add action=lookup-only-in-table comment=Laptop disabled=no \
    src-address=192.168.10.51/32 table=main
add action=lookup comment="Rest of LAN thru Sweden" disabled=no src-address=\
    192.168.10.0/24 table=useWG

/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik hAP AX3"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=time1.google.com
add address=time2.google.com
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The only issue that persists is the unRAID server's Docker update check, but this seems to be a generic issue with VPN servers, which are probably blacklisted on the docker.com domain.

Jan 27 15:15:08 unRAIDTower nginx: 2025/01/27 15:15:08 [error] 20521#20521: *1630914 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.168.x.x, server: , request: "POST /plugins/dynamix.docker.manager/include/DockerUpdate.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.sock", host: "192.168.x.x", referrer: "http://192.168.x.x/Docker"

I did most of the changes, but what I'm not sure about is the FW rules.

  1. The clients via VPN or NOT
    Do I need to maintain the FW address-list?
/ip firewall address-list
add address=192.168.10.X list=Authorized comment="admin PC"
add address=192.168.10.Y list=Authorized comment="admin laptop"
add address=192.168.10.Z list=Authorized comment="admin smartphone"
add address=......... list=exceptions comment="as required, LAN IPs using local WAN"
add address= ........ list=no-internet comment="as required, LAN IPs with no WAN access"

Including the routing rule?

/routing rule
{exceptions stated first in order - as required - ensure keep firewall address list up to date}
add action=lookup-only-in-table comment="LANIP-1 going out local WAN" src-address=as required table=main
add action=lookup-only-in-table comment="LANIP-2 going out local WAN" src-address=as required table=main
...
add action=lookup-only-in-table comment="LANIP-N going out local WAN" src-address=as required table=main
{ rest of LAN goes through Sweden }
add action=lookup-only-in-table src-address=192.168.10.0/24 table=useWG comment="Rest of LAN thru Sweden"

So if I want "Admin PC" on VPN / not on VPN, I need to enable/disable it in both lists?
Until now I was doing it only in the "/routing rule" list.

  1. I did make them in order as you suggested, but a few rules are gone. I want to confirm whether I should completely disable/remove them
    (FW rules 0-7)
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=drop chain=forward comment="No-Internet Rule" log=yes log-prefix=\
    Blocked-Internet-Tries out-interface-list=WAN src-address-list=\
    No-Internet
add action=accept chain=input dst-port=51820 in-interface=ether1-WAN \
    protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
    in-interface-list=LAN
add action=accept chain=forward in-interface=bridge out-interface-list=WAN
add action=accept chain=forward in-interface=bridge out-interface=\
    AirVPN_Sweden
add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp src-address-list=exceptions
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address-list=exceptions
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface=\
    AirVPN_Sweden src-address-list=!no-Internet
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN \
    src-address-list=exceptions
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"


  • back-to-home is not possible to remove via WinBox interface (feature or bug?)
  1. NAT rules
    updated as suggested
  • Can rule 0 be disabled/removed now?
  1. /routing rule
    {exceptions stated first in order - as required - ensure keep firewall address list up to date}
    It is not possible to "change order" in the WinBox UI, but I assume it doesn't matter as it seems to work fine

  2. I thought this might help with not being able to connect to the router via IP (via WinBox), but it doesn't work, only via MAC
    Not sure where the issue is, but I've learned to live with it :smiley:

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

A small update…
After setting up everything there seemed to be a port-forwarding issue, which I later found out was due to another Transmission/torrent client setting…

I wanted to be sure, so I cleared the whole ROS config and started from scratch…

It seems that even though I did the same config as I had before, line by line as it didn't want to take the whole import at once (next time I will do a "/export show-sensitive verbose file=01-default" backup), yeah, we learn from mistakes :smiley: (now there are many IPv6 settings by default; I don't use any, so I disabled it…)

I still had issues… mostly with loading pages. So in the config I had this line, which also did the trick 1y ago with a similar issue. But you didn't mention it now…

/ip firewall mangle
add action=change-mss chain=forward comment=\
    "Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu \
    out-interface=AirVPN_Sweden protocol=tcp tcp-flags=syn

Yes, it is still recommended for third-party VPNs; there are actually two in case one doesn't work well

add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

Thanks, I've also added the 2nd one

It seems like those "fasttrack" rules were added and can't be deleted from the WinBox UI, only disabled…

[admin@MikroTik hAP AX3] /ip/firewall/mangle> print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=prerouting action=passthrough 

 1  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 2  D ;;; special dummy rule to show fasttrack counters
      chain=postrouting action=passthrough 

 3    ;;; Clamp MSS to PMTU for Outgoing packets
      chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp out-interface=AirVPN_Sweden log=no log-prefix="" 

 4    chain=forward action=change-mss new-mss=1380 tcp-flags=syn protocol=tcp out-interface=AirVPN_Sweden tcp-mss=1381-65535

Anyway, I still find setting up WG on MikroTik way too complex vs other routers where I can import the config and it just works…

  1. Did the output again (easier to read); could you please check on the FW what can be removed/disabled?
    01-defaultTerse5-edit.rsc (17.2 KB)
  2. Can the IPv6 rules be left there? With the "latest" factory reset they just showed up,
    so I did "/ipv6 settings set disable-ipv6=yes"; hope it won't interfere with the VPN now
  3. For adding another VPN location, do I basically need to duplicate each line/setting where it says "AirVPN_Sweden" to "AirVPN_NL", or some such way?

Thanks!

butt ugly format for export…
Also, pay more attention to security this opens up winbox to the entire internet.
add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp
Simply only allow admin "authorized IPs" to access the router via the input chain, job done!!

Use only one of the clamp mangle rules not both.

If doing ssh to router, then drop the dstnat rule ( only if ssh is a server running on LAN).

Your queue rules are meaningless, unless I misunderstood simple queues, and thus you should disable them for now and articulate what it is you wish to accomplish.
Then this will likely precipitate disabling fasttrack.

As for adding another VPN location, another instance of wireguard or both,
You would need to provide more details… What does the provider give to you for this functionality, …???

…

# model = C53UiG+5HPaxD2HPaxD
# serial number = xxx
/interface bridge 
add admin-mac=48:A9:8A:07:9A:63 auto-mac=no comment=defconf name=bridge
/interface ethernet 
set [ find default-name=ether1 ] comment=WAN mac-address=F8:32:E4:4F:98:B8 name=ether1-WAN
/interface wireguard 
add comment="AirVPN SE" listen-port=13231 mtu=1320 name=AirVPN_Sweden private-key="xxx"
/interface list 
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel 
add band=2ghz-ax disabled=no frequency=2422,2447,2467 name=ch-2ghz skip-dfs-channels=10min-cac width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5320 name=ch-5ghz skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi security 
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=wifi-sec passphrase=xxx wps=disable
/interface wifi configuration 
add antenna-gain=0 channel=ch-2ghz country=Czech disabled=no name=wifi-conf-2.4Ghz security=wifi-sec ssid=XXX
add antenna-gain=0 channel=ch-5ghz country=Czech disabled=no name=wifi-conf-5Ghz security=wifi-sec ssid=XXX_5G
add configuration=wifi-conf-5Ghz configuration.mode=ap .tx-power=24 disabled=no name=cap-wifi1 radio-mac=48:A9:8A:C2:8D:EE
add configuration=wifi-conf-2.4Ghz configuration.mode=ap .tx-power=24 disabled=no name=cap-wifi2 radio-mac=48:A9:8A:C2:8D:EF
/interface wifi 
set [ find default-name=wifi1 ] channel=ch-5ghz configuration=wifi-conf-5Ghz configuration.mode=ap disabled=no name=wifi1-5g security=wifi-sec security.ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel=ch-2ghz configuration=wifi-conf-2.4Ghz configuration.mode=ap disabled=no name=wifi2-2g security=wifi-sec security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/iot lora servers 
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip kid-control 
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
add disabled=yes fri=17h30m-19h mon=17h30m-19h name=kids sat=17h30m-19h30m sun=17h30m-19h thu=17h30m-19h tue=17h30m-19h wed=17h30m-19h
/ip pool 
add name=dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server 
add address-pool=dhcp interface=bridge lease-time=10m name=dhcp1
/ip smb users 
set [ find default=yes ] disabled=yes
/queue simple 
add comment=Arduino-Box max-limit=10/10 name=Arduino-Box target=192.168.10.112/32  disabled=yes
add comment=Arduino-Garaz max-limit=10/10 name=Arduino-Garaz target=192.168.10.110/32  disabled=yes
/routing table 
add disabled=no fib name=useWG
/disk settings 
set auto-media-interface=bridge
/interface bridge port 
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1-5g
add bridge=bridge comment=defconf interface=wifi2-2g
/ip firewall connection tracking 
set udp-timeout=10s
/ip neighbor discovery-settings 
set discover-interface-list=LAN
/ipv6 settings 
set disable-ipv6=yes
/interface detect-internet 
set detect-interface-list=none
/interface list member 
add interface=bridge list=LAN
add interface=ether1-WAN list=WAN
add interface=AirVPN_Sweden list=WAN
/interface wifi access-list 
add action=reject allow-signal-out-of-range=10s disabled=no interface=wifi1-5g signal-range=-120..-85
add action=reject allow-signal-out-of-range=10s disabled=no interface=wifi2-2g signal-range=-120..-85
/interface wifi capsman 
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=no upgrade-policy=require-same-version
/interface wifi provisioning 
add action=create-enabled disabled=no master-configuration=wifi-conf-5Ghz supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=wifi-conf-2.4Ghz supported-bands=2ghz-ax
/interface wireguard peers 
add allowed-address=0.0.0.0/0 endpoint-address=se3.vpn.airdns.org endpoint-port=51820 interface=AirVPN_Sweden name=peer1 persistent-keepalive=35s preshared-key="xxx" public-key="xxx"
/iot lora traffic options 
set crc-errors=no
/ip address 
add address=192.168.10.1/24 comment=defconf interface=bridge network=192.168.10.0
add address=10.142.189.241 interface=AirVPN_Sweden network=10.142.189.0
/ip dhcp-client 
add comment=defconf interface=ether1-WAN
/ip dhcp-server lease 
add address=192.168.10.50 client-id=1:a8:a1:59:44:6f:3b comment=MiniPC mac-address=A8:A1:59:44:6F:3B rate-limit=1000M/1000M server=dhcp1
add address=192.168.10.70 client-id=1:4:cf:8c:e8:42:18 comment="Vacuum" mac-address=04:CF:8C:E8:42:18 server=dhcp1
/ip dhcp-server network 
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.2 gateway=192.168.10.1
/ip dns 
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static 
add address=192.168.10.1 comment=defconf disabled=yes name=router.lan type=A
/ip firewall address-list 
add address=192.168.10.51 disabled=yes list=Local-Internet  comment="Users using Local Internet only" 
add address=192.168.10.XX disabled=yes list=No-Internet  comment="Users with NO internet access at all" 
add address=se3.vpn.airdns.org list=3rdPartyVPN
add address=dns.airservers.org list=3rdPartyVPN
add address=192.168.10.50 comment=MiniPC list=Authorized
add address=192.168.10.60 comment=M12Pro list=Authorized
add address=192.168.10.101 comment="Tower" list=Authorized
/ip firewall filter 
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=Local-Internet
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=Local-Internet
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="local internet access"  in-interface-list=LAN out-interface-list=WAN src-address-list=Local-Internet
add action=accept chain=forward  comment="Sweden access" in-interface-list=LAN out-interface=AirVPN_Sweden src-address-list=!No-Internet
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=AirVPN_Sweden protocol=tcp tcp-flags=syn
/ip firewall nat 
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address-list=!Local-Internet to-addresses=10.128.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address-list=!Local-Internet  to-addresses=10.128.0.1
add action=dst-nat chain=dstnat comment=Loxone dst-port=7777 in-interface=ether1-WAN log=yes log-prefix=Loxone protocol=tcp to-addresses=192.168.10.100 
add action=dst-nat chain=dstnat comment="Transmission BT - Work" dst-port=7778 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=192.168.10.101 
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=54518 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=tcp to-addresses=192.168.10.101
add action=dst-nat chain=dstnat comment="Transmission BT - VPN" dst-port=54519 in-interface=AirVPN_Sweden log-prefix=TransmissionBT protocol=udp to-addresses=192.168.10.101
/ip firewall service-port 
set ftp disabled=yes
/ip hotspot profile 
set [ find default=yes ] html-directory=hotspot
/ip kid-control device 
add mac-address=60:45:CB:9A:3F:F0 name=Tower user=system-dummy
add mac-address=64:DD:E9:32:45:19 name="Mi12 Pro;2" user=system-dummy
add mac-address=04:CF:8C:E8:42:18 name="Vacuum" user=system-dummy
/ip route 
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=AirVPN_Sweden routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.128.0.1/32 gateway=AirVPN_Sweden routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service 
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop 
/routing rule 
add action=lookup-only-in-table comment=ZigBee-Hub disabled=no src-address=192.168.10.20/32 table=main
add action=lookup-only-in-table comment=Rig disabled=no src-address=192.168.10.49/32 table=main
add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=192.168.10.50/32 table=main
add action=lookup comment="Rest of LAN thru Sweden" disabled=no src-address=192.168.10.0/24 table=useWG
/system clock 
set time-zone-name=Europe/Prague
/system identity 
set name="MikroTik hAP AX3"
/system note 
set show-at-login=no
/system ntp client 
set enabled=yes
/system ntp client servers 
add address=0.cz.pool.ntp.org
add address=time1.google.com
add address=time2.google.com
/system routerboard mode-button 
set enabled=yes on-event=dark-mode
/system routerboard wps-button 
set enabled=yes on-event=wps-accept
/system script add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

…

Also I do not quite understand your setup.
If you have exceptions for traffic not going out to Sweden in routing…
192.168.10.20 - zigbee hub
192.168.10.49 - rig
192.168.10.50 - minipc

Then what is their relationship to the firewall address lists? You clearly want their traffic not to go out the Sweden VPN, so
which category do they fall into…
Local Internet?
No internet?

Why do you bother having a 192.168.10.2 DNS entry for /ip dhcp-server
but then have a static /ip dns setting for 192.168.10.1 ???

1. butt ugly format for export…
Which command to use then? Without verbose?
2. Also, pay more attention to security this opens up winbox to the entire internet.
add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp
Simply only allow admin "authorized IPs" to access the router via the input chain, job done!!

changed to:
7 ;;; allow Winbox
chain=input action=accept protocol=tcp src-address-list=Authorized port=8291 log=no log-prefix=""

3. Use only one of the clamp mangle rules, not both.
OK, testing which one will behave better

4. If doing ssh to router, then drop the dstnat rule ( only if ssh is a server running on LAN).

The SSH Router rule is disabled; I just have it in case I would need it in the future
/ip firewall nat add action=dst-nat chain=dstnat comment="SSH Router" disabled=yes dst-port=2220 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=192.168.10.1 to-ports=2222

5. Your queue rules are meaningless, unless I misunderstood simple queues, and thus you should disable them for now and articulate what it is you wish to accomplish.
Then this will likely precipitate disabling fasttrack.

If you mean those… If I recall correctly, I was following some guide to set some speed limit and track/monitor data transfer. I guess it can be disabled or removed…
/queue simple add comment=Arduino-Box max-limit=10/10 name=Arduino-Box target=192.168.10.112/32
/queue simple add comment=Arduino-Garaz max-limit=10/10 name=Arduino-Garaz target=192.168.10.110/32

6. As for adding another VPN location, another instance of wireguard or both,
You would need to provide more details… What does the provider give to you for this functionality, …???

Well, I will just generate/download a new config, and this is how the config looks:

Current Sweden IPv4

[Interface]
Address = 10.142.189.241/32
PrivateKey = xxx
MTU = 1320
DNS = 10.128.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = se3.vpn.airdns.org:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15

Swiss - it seems like there is just an "Endpoint" name difference; the rest is the same (also the keys)

Endpoint = ch3.vpn.airdns.org:51820

Then there is an option to use IPv4 + IPv6

[Interface]
Address = 10.142.189.241/32,fd7d:76ee:e68f:a993:d32f:26f3:cf63:5f5a/128
PrivateKey = xxx
MTU = 1320
DNS = 10.128.0.1, fd7d:76ee:e68f:a993::1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = ch3.vpn.airdns.org:51820
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 15

7. Also do not quite understand your setup
If you have exceptions for traffic not going out to Sweden in routing…
192.168.10.20 - zigbee hub
192.168.10.49 - rig
192.168.10.50 - minipc

Those are clients which I need to enable or disable from the VPN from time to time. This was the only way I found to be working efficiently
Not on VPN (local country IP)
/routing rule add action=lookup-only-in-table comment=Rig disabled=no src-address=192.168.10.49/32 table=main
on VPN (eg. Sweden IP)
/routing rule add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=192.168.10.50/32 table=main

Then what is their relations ship to the firewall address lists. You clearly want their traffic not to go out Sweden VPN so
which category do they fall into…
Local Internet?
No internet?

This is what I'm confused about: why add those clients also to the firewall address list?
Mainly I need (per your categorization):
VPN Internet - 3-5 clients
Local Internet - the rest, XX clients
No Internet - rarely 1-2 clients (as I'm thinking maybe more clients could be blocked, as they are mostly locally controlled, like some smart devices via a hub)

8. Why do you bother have a 192.168.10.2 DNS entry for /ip dhcp-server
But then have a static /IP DNS setting for 192.168.10.1 ???

192.168.10.2 is a PiHole server
static is disabled - /ip dns static add address=192.168.10.1 comment=defconf disabled=yes name=router.lan type=A

I'm using mostly WinBox to configure and therefore I use those disable/enable options, mostly not to forget how it was set up, in case I need to switch back.
As when I need to deeply set up something which I did a few months ago and then disabled for various reasons, I won't remember and need to spend time googling or looking into config backups :smiley: e.g. point 4, the SSH rule
I'm still, after 2y, not very efficient with MikroTik router setup; as you can see, advanced settings are difficult for me… :frowning:

No worries, doing well! Will look at this again later.
Understand about the wireguard…

Here is an example of your situation I saw elsewhere and the only difference was the endpoint address, but one needed a second interface.
/interface wireguard
add listen-port=51020 mtu=1420 name=Surfshark1
add listen-port=51080 mtu=1420 name=Surfshark2

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=address1.surfshark.com endpoint-port=52222 interface=Surfshark1 name=wg-country1 persistent-keepalive=30s public-key="====="
add allowed-address=0.0.0.0/0 endpoint-address=address2.surfshark.com endpoint-port=52222 interface=Surfshark2 name=wg-country2 persistent-keepalive=35s public-key="****"

/ip address
add address=10.20.30.2/24 comment=VPN1 interface=Surfshark1 network=10.20.30.0
add address=10.20.30.2/24 comment=VPN2 interface=Surfshark2 network=10.20.30.0

Just now finalized / tried to sync with the Config you modified, hopefully now better for you to read :wink:
01-default08-edit.rsc (13 KB)
10. Why does this Internet detection setting need to be OFF? Some security issue, or what?

/interface detect-internet 
set detect-interface-list=none
  1. Into this list /ip firewall address-list - should I add all clients on my network and decide their rights? Or only those with which I need to switch VPN/noVPN, maybe different VPN country later?


/ip firewall address-list 
add address=192.168.10.51 disabled=yes list=Local-Internet  comment="Users using Local Internet only" 
add address=192.168.10.XX disabled=yes list=No-Internet  comment="Users with NO internet access at all" 
add address=se3.vpn.airdns.org list=3rdPartyVPN
add address=dns.airservers.org list=3rdPartyVPN
add address=192.168.10.50 comment=MiniPC list=Authorized
add address=192.168.10.60 comment=M12Pro list=Authorized
add address=192.168.10.101 comment="Tower" list=Authorized

Doing the /ip firewall address-list, is it necessary to do enable/disable over here /routing rule ?


/routing rule 
add action=lookup-only-in-table comment=ZigBee-Hub disabled=no src-address=192.168.10.20/32 table=main
add action=lookup-only-in-table comment=Rig disabled=no src-address=192.168.10.49/32 table=main
add action=lookup-only-in-table comment=Mini-PC disabled=yes src-address=192.168.10.50/32 table=main

EDIT: I guess I found the problem… seems like /ip firewall address-list rules are interfering with /routing rule.
This is the part which I don't fully understand yet, why to keep both lists maintained with clients.

As when I temporarily disabled the add action=drop chain=forward comment="drop all else" rule, everything started to work…
So then I've added
/ip firewall address-list
add address=192.168.10.0/24 list=Local-Internet
and it started to work as smoothly as when add action=drop chain=forward comment="drop all else" was disabled.

So those 2 lists need to be tuned, as in the previous VPN setup I was only using /routing rule.

It will work properly when you are clearer on requirements.
What you are doing is workarounds to ensure traffic flows to your expectations.
The problem is your actual expectations don't match the discussion up to this point, aka the directions…

Step back.
Firewall rules are simply to allow or deny traffic permissions.
Routing rules are for determining which path traffic will take.

you have
a. some user that should get no internet (not many) this list of users is identified by No-Internet
b. some users should go out local WAN and not go out Sweden, this list of users is identified by Local-Internet

The firewall rules were setup to (order being important)
first allow those users designated to use the local WAN are allowed to the internet
Next the rest of the users will be allowed to use Sweden for internet but not those on the No-Internet list as they are not allowed any access.
Drop all else
DONE:
There should be no need to change the rules.
Your problem is inaccurate assessment of what the lists are for, and if you need to fix anything, fix the entries in the firewall address list.

As far as routing goes.
Routing rules capture all traffic so one needs to make sure that anybody not going out sweden for internet, aka going out local for internet, is identified first.
Hence your route rule should include

  • local WAN source IP, table=main
  • local WAN source IP, table=main
    …etc…
  • Sweden WAN, the rest of the subnet, table=useWG

DONE:
++++++++++++++++++++++++++++++++++++++++++++++++

However that seems to not work for you for some reason.
So please explain what traffic did not work…
What traffic worked when you removed the rule… that is where the issue lies…

Detect internet has caused and continues to cause weird issues, so we remove it.

By adding another wireguard vpn and possibly changing which go to which vpn add complications and changes requirements and should have been identified at the beginning.
You will have to start mangling unless you can contain users within subnets. SubnetA goes to Sweden, SubnetB goes to London, SubnetC goes out local WAN, SubnetD has no internet, etc.
Another approach is to use WIFI to let users decide which vpn they are going out on.
SSID-Sweden
SSID-London
and of course only the users with the correct password can actually use them.
Very easy to assign a VLAN (subnet) to WiFi and thus avoid mangling.
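As an added illustration of the layout described in the reply above (firewall rules only permit or deny, routing rules only pick the path, local-WAN exceptions listed first), here is one way to write it out as a complete RouterOS 7 fragment. This is example code, not configuration posted by anyone in the thread. It assumes a WAN interface named ether1, a WireGuard interface named wireguard1, the LAN 192.168.10.0/24 and the client addresses already mentioned in the thread; the No-Internet member address is a constructed placeholder.

```routeros
# Added example (not from the thread). Assumptions: WAN = ether1,
# WireGuard tunnel = wireguard1, LAN = 192.168.10.0/24.

# 1. Address lists decide WHO belongs to which category.
/ip firewall address-list
add address=192.168.10.20 comment=ZigBee-Hub list=Local-Internet
add address=192.168.10.49 comment=Rig list=Local-Internet
add address=192.168.10.51 comment="constructed placeholder client" list=No-Internet

# 2. A separate routing table whose only default route is the tunnel.
/routing table
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=useWG

# 3. Routing rules decide the PATH. Local-WAN exceptions first,
#    then everyone else in the subnet is pinned to the VPN table.
#    lookup-only-in-table means a VPN client gets no route at all when the
#    tunnel is down, so nothing falls back to the local WAN.
/routing rule
add action=lookup-only-in-table comment=ZigBee-Hub src-address=192.168.10.20/32 table=main
add action=lookup-only-in-table comment=Rig src-address=192.168.10.49/32 table=main
add action=lookup-only-in-table comment="rest of LAN via VPN" src-address=192.168.10.0/24 table=useWG

# 4. Source NAT so LAN addresses are hidden behind the tunnel address.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT via VPN" out-interface=wireguard1

# 5. Firewall forward chain decides PERMISSION, in this order.
/ip firewall filter
add action=accept chain=forward comment="keep existing flows" connection-state=established,related
add action=accept chain=forward comment="Local-Internet users out local WAN" out-interface=ether1 src-address-list=Local-Internet
add action=accept chain=forward comment="everyone else out VPN, except No-Internet" out-interface=wireguard1 src-address-list=!No-Internet
add action=drop chain=forward comment="drop all else"
```

Toggling a client between VPN and local WAN then means editing its Local-Internet entry and its matching routing rule, not the filter rules; the "drop all else" rule stays as the safety net. A Local-Internet host that is still routed through useWG (or a VPN host missing from the routing rules) is exactly the mismatch that makes traffic appear to "break" until the drop rule is disabled, which is why both lists have to agree.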