Route all traffic through wireguard aka full tunnel

hello
I am reaching out because I think I have reached the limits of the knowledge I have ingested so far, and of what I can ingest quickly and put to use.

The situation is as follows, due to a certain need i have to be able to connect travel router to my home router via vpn and make sure all the traffic from travel one is routed through the tunnel.
In short all the clients connected to the travel router should be able to: access the internet, access local resources of home network, if scanned from outside should have the public ip of the home router.
I am, as you can imagine not a very knowledgeable person when it comes to routing and other alike, so please be patient.
I have followed TheNetworkBerg's YouTube tutorials on both the site-to-site and road-warrior setups, plus some Reddit suggestions and, not least, what has been written here on the forum, but I was not lucky enough to make it work.
Starting with the beginning, home router has wireguard interface, and multiple peers, laptops and phones and they work. The only problem is with router to router config.
What it seems i have succeeded is to have a successful handshake on the wg interface and still have internet.
Travel router receives internet via a hotspot from a phone ,
Below is an attempt at a diagram and the config I have on the travel router. With the 0.0.0.0/0 route via the wireguard interface disabled, the laptop connected to the router has internet; with that route active, there is no internet anymore.
Also, I am not interested in reaching the travel router from the home one.

# First travel-router export (RouterOS 7 syntax). Lines marked NOTE(review) are
# reviewer annotations; passphrases and the peer public key look redacted by the export.
/interface bridge
add admin-mac=48:8F:5A:29:AB:78 auto-mac=no comment=defconf name=bridge
/interface wifi
# wifi2 is a station pointed at "MikroTik-29AB79" (looks like a factory-default
# SSID name -- confirm this is intended); a station-mode radio cannot serve clients.
set [ find default-name=wifi2 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=station .ssid=MikroTik-29AB79 disabled=no name=m_5ghz_station
/interface wireguard
# Local WireGuard interface. This side dials out to the home router (see the
# peer's endpoint below); the listen port only matters for inbound peers.
add listen-port=51820 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel2
add band=5ghz-ax disabled=no name=channel5
/interface wifi datapath
add bridge=bridge disabled=no name=datapath
/interface wifi security
# Profile used to join the phone hotspot; its passphrase is not shown here.
add disabled=no name=android_phone
# Client-facing SSID: WPA2-PSK only, PMKID disabled, management-frame protection
# allowed (optional, not required), WPS off.
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes management-encryption=cmac management-protection=allowed name=ap_security wps=disable
/interface wifi
# wifi1 is the uplink: station mode toward the phone hotspot SSID "Work".
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=station .ssid=Work disabled=no name=m_2ghz_station security=android_phone
/interface wifi steering
add disabled=no name=steering
/interface wifi configuration
# Both AP configurations reference channel2 (2 GHz); the 5 GHz one presumably
# meant channel5.
add channel=channel2 datapath=datapath disabled=no mode=ap name=cfg_wifi_2g security=ap_security ssid=mornache_on_the_road steering=steering
add channel=channel2 datapath=datapath disabled=no mode=ap name=cfg_wifi_5g security=ap_security ssid=mornache_on_the_road steering=steering
/interface wifi
# Virtual APs stacked on the two station radios; each follows its master's band.
add configuration=cfg_wifi_2g configuration.mode=ap disabled=no mac-address=4A:8F:5A:29:AB:79 master-interface=m_2ghz_station name=x_2ghz_ap
add configuration=cfg_wifi_5g configuration.mode=ap disabled=no mac-address=4A:8F:5A:29:AB:7A master-interface=m_5ghz_station name=x_5ghz_ap
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.2.10.10-10.2.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any attached disk over SMB on the
# bridge, i.e. to every travel-router client. Disable unless that is wanted.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=x_2ghz_ap
add bridge=bridge interface=x_5ghz_ap
/ip neighbor discovery-settings
# Neighbor discovery limited to LAN: nothing is advertised toward the uplink.
set discover-interface-list=LAN
/ipv6 settings
# IPv6 fully disabled, so no v6 traffic can bypass the v4 tunnel.
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=m_2ghz_station list=WAN
add interface=m_5ghz_station list=WAN
/interface wireguard peers
# NOTE(review): allowed-address covers only the home prefixes. WireGuard hands a
# packet to a peer only when the peer's allowed-address covers the destination,
# so enabling the 0.0.0.0/0 route in /ip route below drops every internet-bound
# packet -- the "route on, no internet" symptom. A full tunnel needs 0.0.0.0/0 here.
add allowed-address=192.168.88.0/24,192.168.40.1/32 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=18281 interface=wireguard name=home persistent-keepalive=20s public-key=\
    "key="
/ip address
add address=10.2.10.1/24 comment=defconf interface=bridge network=10.2.10.0
# Tunnel address; the connected 172.16.16.0/24 route is derived from this entry.
add address=172.16.16.1/24 interface=wireguard network=172.16.16.0
/ip dhcp-client
# Only the last entry is active. add-default-route is not set on it, so the
# RouterOS default (yes) presumably applies -- that uplink default route is what
# carries the router's own packets to the WireGuard endpoint.
add comment=defconf disabled=yes interface=ether1
add add-default-route=no disabled=yes interface=m_2ghz_station
add disabled=yes interface=m_5ghz_station
add interface=m_2ghz_station
/ip dhcp-server network
# Clients are handed this router as their DNS resolver.
add address=10.2.10.0/24 comment=defconf dns-server=10.2.10.1 gateway=10.2.10.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a DNS resolver, and
# this export contains no IPv4 /ip firewall filter at all, so the resolver and
# every management service are reachable from the hotspot/WAN side. Restore the
# defconf input chain (drop all not coming from LAN) before using this away from home.
set allow-remote-requests=yes
/ip dns static
# defconf entry; it maps router.lan to 192.168.88.1 (the home router), not to
# this device (10.2.10.1).
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): disabled. Without source NAT into the tunnel, client packets reach
# the home router with 10.2.10.x sources, which the home peer must then list in
# its allowed-address and route back (home export not visible here -- verify).
# Enabling this rule is the simpler alternative.
add action=masquerade chain=srcnat disabled=yes out-interface=wireguard
/ip route
# NOTE(review): besides the allowed-address problem above, this default route
# (once enabled) also matches the WireGuard endpoint address itself, so the
# tunnel's own packets could be routed into the tunnel. Either keep a more
# specific route to the endpoint via the uplink, or select the tunnel in a
# separate table by client source address, as suggested further down the thread.
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wireguard routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
# Inert while /ipv6 settings disable-ipv6=yes (kept from defconf).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 filter; inert while IPv6 is disabled above.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bucharest
/system logging
# WireGuard logging with prefix "wg" -- useful while troubleshooting handshakes.
add prefix=wg topics=wireguard
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
# defconf LED-toggle script bound to the mode button. Its policy list is broad
# (password, sensitive, romon) but the body only flips all-leds-off.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Untitled.jpg

Hi there, this should be very doable.
The idea is that the travel router connects to a local internet connection and the private subnet traffic behind the router goes out wireguard instead of the local internet.
The confusing bit is your WAN side,
It would appear that you are
a. using 2ghz chain to get internet connectivity
b. using 5ghz chain to get internet connectivity
c. using ether1 to get internet connectivity.

It would appear that you have no interest in providing Wi-Fi to LAN clients of your travel router???
Or am I just confused because you have FOUR WIFI interfaces??

  • m_2ghz_station
  • m_5ghz_station
  • x_2ghz_ap
  • x_5ghz_ap

As far as I am aware that would be impossible. You can have four WLANs (a WLAN is equivalent to a wired port in terms of interfaces), but the virtual ones allocated after the master ones ARE FIXED in frequency and PURPOSE to the settings of the master chain. What you can do is assign the WLAN a different SSID and even a different VLAN.

Therefore its hard to progress with this glaring inconsistency.

→ Modify
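/interface wireguard peers
# A full tunnel needs 0.0.0.0/0 here: WireGuard only hands a packet to a peer
# whose allowed-address covers the destination, so without it the via-WG
# default route below silently drops every internet-bound packet. 0.0.0.0/0
# already covers 172.16.16.2, 192.168.88.0/24 and 192.168.40.0/24.
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=18281 interface=wireguard name=home persistent-keepalive=20s public-key="<home-router-public-key>"

/ip route
# Home LANs via the tunnel in table main. The connected 172.16.16.0/24 route is
# created automatically from the interface address and needs no entry here.
add dst-address=192.168.88.0/24 gateway=wireguard routing-table=main
add dst-address=192.168.40.0/24 gateway=wireguard routing-table=main

# Second table holding only a default route into the tunnel. Table main keeps
# the uplink default route from the DHCP client (leave add-default-route at its
# default), because the router's own packets to the WireGuard endpoint must
# still leave via the local uplink.
/routing table
add fib name=via-WG
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=via-WG

/routing rule
# min-prefix=0: the first rule is honoured only when main holds a route more
# specific than the default (the local bridge, the home LANs); everything else
# sourced from the client subnet falls through to via-WG. Only client traffic is
# matched -- router-originated traffic, including the router's own upstream DNS
# lookups, stays on main and the local uplink.
add action=lookup-only-in-table comment="enable local traffic" min-prefix=0 table=main
add action=lookup-only-in-table src-address=10.2.10.0/24 table=via-WG

/ip firewall nat
# Packets entering the tunnel carry 10.2.10.x sources; hide them behind the
# tunnel address unless the home peer lists 10.2.10.0/24 in its allowed-address
# and routes it back.
add action=masquerade chain=srcnat comment="srcnat into tunnel" out-interface=wireguard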

SECURITY
Where are all your firewall rules on Travel Router???

Hei @anav
Allow me to say that in my humble opinion you are some sort of demigod of this forum to say the least!

  1. internet connectivity - I am currently testing, so I added all possible internet sources to the WAN list and have a DHCP client set up for each, but they are disabled
    2 I am providing internet to the router via a hotspot using station mode on 2ghz
    3 I have created a slave (virtual) Wi-Fi interface for each physical one; in my head those would work as APs, since the physical ones are set to station mode. But I can use 2GHz to get internet and 5GHz to serve Wi-Fi to clients and give up the slaves. I do not want to complicate my life before I see it working; there is plenty of time for that afterwards
    4 atm slaves are useless since i am cable connected
    5 firewall - I am still working my way around it; I deleted or disabled the firewall rules, depending on when the export was taken. I have a backup made after adding the WG interface and peer; I work, get lost, and then reset the "lab". This way I do not have to redo the peer on the home side.
    6 when connectivity will work I will add back the default rules and then add what else I see fit, Luckily for me the forum is full with great advices on firewall hardening, some coming from yourself
    7 the main table being set in the config - it is how it was exported and I let it be, It shows how it looks in the real setup anyhow
    thanks
    i will go check your advices right away ( after putting the rest of the family to sleep, they get nervous when I toy with internet in the house :slight_smile:) )

hmm tested and it does not work
all in all i managed to convince the forum to go into a 500 internal server error

Also, just for my clarification: when creating the DHCP client used to connect to the internet, should I let it add the default route or not, for this to work with the suggested config?
i am posting the new config

# Second travel-router export, after adding the via-WG table and routing rules.
# Lines marked NOTE(review) are reviewer annotations.
/interface bridge
add admin-mac=48:8F:5A:29:AB:78 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel2
add band=5ghz-ac disabled=no name=channel5
/interface wifi datapath
add bridge=bridge disabled=no name=datapath
/interface wifi security
# Profile used to join the phone hotspot; its passphrase is not shown here.
add disabled=no name=android_phone
# Client-facing SSID: WPA2-PSK only, PMKID disabled, management-frame protection
# allowed (optional, not required), WPS off.
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes management-encryption=cmac management-protection=allowed name=ap_security wps=disable
/interface wifi
# wifi1 is the uplink: station mode toward the phone hotspot SSID "Work".
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=station .ssid=Work disabled=no name=m_2ghz_station security=android_phone
/interface wifi steering
add disabled=no name=steering
/interface wifi configuration
add channel=channel2 datapath=datapath disabled=no mode=ap name=cfg_wifi_2g security=ap_security ssid=mornache_on_the_road steering=steering
add channel=channel5 datapath=datapath disabled=no mode=ap name=cfg_wifi_5g security=ap_security ssid=mornache_on_the_road steering=steering
/interface wifi
# wifi2 now serves clients as a plain 5 GHz AP (no station + virtual-AP pairing).
set [ find default-name=wifi2 ] channel=channel5 configuration=cfg_wifi_5g configuration.mode=ap disabled=no name=m_5ghz_ap
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.2.10.10-10.2.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
# Extra FIB used for the client full tunnel (see /ip route and /routing rule).
add fib name=via-WG
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any attached disk over SMB on the
# bridge, i.e. to every travel-router client. Disable unless that is wanted.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
# *7 and *8 are dangling references to interfaces that no longer exist in this
# export (presumably the removed virtual APs); safe to delete.
add bridge=bridge disabled=yes interface=*7
add bridge=bridge disabled=yes interface=*8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 fully disabled, so no v6 traffic can bypass the v4 tunnel.
set disable-ipv6=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=m_2ghz_station list=WAN
# NOTE(review): m_5ghz_ap is a client-facing AP, yet it is listed under WAN
# (disabled for now). If this entry were ever enabled, clients on that AP would
# be masqueraded and dropped by the "not coming from LAN" input rule. Remove it.
add disabled=yes interface=m_5ghz_ap list=WAN
/interface wireguard peers
# NOTE(review): allowed-address still lacks 0.0.0.0/0. WireGuard hands a packet
# to a peer only when the peer's allowed-address covers the destination, so the
# via-WG default route below cannot deliver internet traffic into the tunnel.
add allowed-address=172.16.16.2/32,192.168.88.0/24,192.168.40.0/24 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=18281 interface=wireguard name=home persistent-keepalive=20s public-key=\
    "xxx="
/ip address
add address=10.2.10.1/24 comment=defconf interface=bridge network=10.2.10.0
# Tunnel address; the connected 172.16.16.0/24 route is derived from this entry.
add address=172.16.16.1/24 interface=wireguard network=172.16.16.0
/ip dhcp-client
# Only the last entry is active. add-default-route is not set on it, so the
# RouterOS default (yes) presumably applies; that uplink default route in main
# is what carries the router's own packets to the WireGuard endpoint.
add comment=defconf disabled=yes interface=ether1
add add-default-route=no disabled=yes interface=m_2ghz_station
add interface=m_2ghz_station
/ip dhcp-server network
# Clients are handed this router as their DNS resolver.
add address=10.2.10.0/24 comment=defconf dns-server=10.2.10.1 gateway=10.2.10.1
/ip dns
# NOTE(review): the router's own upstream lookups are router-originated, so the
# src-address routing rule below does not match them and they leave via the
# local uplink -- a DNS leak against the "appear to be at home" goal. Point
# /ip dns servers at a host reachable through the tunnel (e.g. 192.168.88.1,
# routed via wireguard below) rather than relying on the uplink's peer DNS.
# NOTE(review): allow-remote-requests=yes with every IPv4 filter rule disabled
# (see /ip firewall filter) also makes this an open resolver toward the uplink.
set allow-remote-requests=yes
/ip dns static
# defconf entry; it maps router.lan to 192.168.88.1 (the home router), not to
# this device (10.2.10.1).
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# NOTE(review): every rule below is disabled=yes, so the router accepts any new
# connection from the hotspot/WAN side (management services, DNS) and forwards
# anything. Fine on the bench; re-enable at least the input chain before the
# router is used on a foreign network.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): no source NAT toward the wireguard interface. Client packets
# reach the home router with 10.2.10.x sources, which the home peer must list in
# its allowed-address and route back (home export not visible here -- verify),
# or add a masquerade rule with out-interface=wireguard.
/ip ipsec policy
set 0 disabled=yes
/ip route
# Home LANs via the tunnel in table main.
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=wireguard routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Default route into the tunnel, in the via-WG table only (main keeps the uplink default).
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard routing-table=via-WG scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
# Inert while /ipv6 settings disable-ipv6=yes (kept from defconf).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/routing rule
# min-prefix=0: the main-table rule is honoured only when main holds a route more
# specific than the default (local bridge, home LANs); other traffic from the
# client subnet falls through to via-WG. Router-originated traffic matches
# neither rule and therefore stays on main and the uplink.
add action=lookup-only-in-table comment="enable local traffic" disabled=no min-prefix=0 table=main
add action=lookup-only-in-table disabled=no src-address=10.2.10.0/24 table=via-WG
/system clock
set time-zone-name=Europe/Bucharest
/system logging
# WireGuard and route logging -- useful while troubleshooting; noisy in normal use.
add prefix=wg topics=wireguard
add prefix=route topics=route
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
# defconf LED-toggle script bound to the mode button. Its policy list is broad
# (password, sensitive, romon) but the body only flips all-leds-off.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Just for my edification,
Can you please describe where the device is getting WAN from.
I understand it could be
either WAN1 for a wired connection from hotel to the travel router
either WLAN 2ghz for a wifi connection from hotel to travel router ( or to android phone acting as WAN )
either WLAN 5ghz for a wifi connection from hotel to travel router ( or to android phone acting as WAN )
??? does the travel router have an LTE capability for a cellular connection capacity ???


The other question is if using android phone, which is the best freq to use for that??
Then you can use the other freq/chain, to provide LAN connectivity to your aka wifi on laptop or ipad…

Ah, I see; language barrier ftw and my poor explanation.
the router is an old cap ac, it has no lte
I am using Wi-Fi to connect to the phone's hotspot; the phone itself has Wi-Fi turned off, so I receive the internet via the mobile carrier → hotspot → MikroTik in station mode, where I scan, select the phone's network, click connect and enter the password as the passphrase.

I am doing this because I am at home while doing the setup and i do not have 2 isp to test one for home router and one for mobile
The rest of the WAN stuff is for... I don't know, later use, when I can connect to a hotspot over 5GHz or via cable on ether1. But by no means will I do this simultaneously. The plan is to go somewhere on a longer vacation, identify the source of internet (preferably wired), stick the cable in ether1, route all traffic to the home WG server, connect to the travel router via ether2 or Wi-Fi, and appear to all interested parties as if I am at home!
Makes more sense?

Strangely enough, after removing the extra (disabled) dhcp-client entries it now semi-works with the suggested tweaks:

  • new routing table
  • rules
    -routes
    What is still not working is actually making use of the VPN (connecting and routing all traffic through it), but at least I have internet.
    Before removing those entries, in order to have internet I had to disable the added rules and routes.
    here is the latest config I have
# Third travel-router export. Lines marked NOTE(review) are reviewer annotations.
/interface bridge
add admin-mac=48:8F:5A:29:AB:78 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel2
add band=5ghz-ac disabled=no name=channel5
/interface wifi datapath
add bridge=bridge disabled=no name=datapath
/interface wifi security
# Profile used to join the phone hotspot; its passphrase is not shown here.
add disabled=no name=android_phone
# Client-facing SSID: WPA2-PSK only, PMKID disabled, management-frame protection
# allowed (optional, not required), WPS off.
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes \
    ft-over-ds=yes management-encryption=cmac management-protection=allowed \
    name=ap_security wps=disable
/interface wifi
# wifi1 is the uplink: station mode toward the phone hotspot SSID "Work".
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=station .ssid=Work disabled=\
    no name=m_2ghz_station security=android_phone
/interface wifi steering
add disabled=no name=steering
/interface wifi configuration
add channel=channel2 datapath=datapath disabled=no mode=ap name=cfg_wifi_2g \
    security=ap_security ssid=mornache_on_the_road steering=steering
add channel=channel5 datapath=datapath disabled=no mode=ap name=cfg_wifi_5g \
    security=ap_security ssid=mornache_on_the_road steering=steering
/interface wifi
# wifi2 serves clients as a plain 5 GHz AP.
set [ find default-name=wifi2 ] channel=channel5 configuration=cfg_wifi_5g \
    configuration.mode=ap disabled=no name=m_5ghz_ap
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.2.10.10-10.2.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
# Extra FIB used for the client full tunnel (see /ip route and /routing rule).
add fib name=via-WG
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any attached disk over SMB on the
# bridge, i.e. to every travel-router client. Disable unless that is wanted.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 fully disabled, so no v6 traffic can bypass the v4 tunnel.
set disable-ipv6=yes
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=m_2ghz_station list=WAN
# NOTE(review): m_5ghz_ap is a client-facing AP, yet it is listed under WAN
# (disabled for now). If this entry were ever enabled, clients on that AP would
# be masqueraded and dropped by the "not coming from LAN" input rule. Remove it.
add disabled=yes interface=m_5ghz_ap list=WAN
/interface wireguard peers
# NOTE(review): allowed-address still lacks 0.0.0.0/0. WireGuard hands a packet
# to a peer only when the peer's allowed-address covers the destination, so the
# via-WG default route below cannot deliver internet traffic into the tunnel.
add allowed-address=172.16.16.2/32,192.168.88.0/24,192.168.40.0/24 \
    endpoint-address=xxx.xxx.xxx.xxx endpoint-port=18281 interface=\
    wireguard name=home persistent-keepalive=20s public-key=\
    "xxx="
/ip address
add address=10.2.10.1/24 comment=defconf interface=bridge network=10.2.10.0
# Tunnel address; the connected 172.16.16.0/24 route is derived from this entry.
add address=172.16.16.1/24 interface=wireguard network=172.16.16.0
/ip dhcp-client
# add-default-route is not set, so the RouterOS default (yes) presumably applies;
# that uplink default route in main is what carries the router's own packets to
# the WireGuard endpoint.
add interface=m_2ghz_station
/ip dhcp-server network
# Clients are handed this router as their DNS resolver.
add address=10.2.10.0/24 comment=defconf dns-server=10.2.10.1 gateway=\
    10.2.10.1
/ip dns
# NOTE(review): the router's own upstream lookups are router-originated, so the
# src-address routing rule below does not match them and they leave via the
# local uplink -- a DNS leak against the "appear to be at home" goal. Point
# /ip dns servers at a host reachable through the tunnel (e.g. 192.168.88.1,
# routed via wireguard below) rather than relying on the uplink's peer DNS.
# NOTE(review): allow-remote-requests=yes with every IPv4 filter rule disabled
# (see /ip firewall filter) also makes this an open resolver toward the uplink.
set allow-remote-requests=yes
/ip dns static
# defconf entry; it maps router.lan to 192.168.88.1 (the home router), not to
# this device (10.2.10.1).
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# NOTE(review): every rule below is disabled=yes, so the router accepts any new
# connection from the hotspot/WAN side (management services, DNS) and forwards
# anything. Fine on the bench; re-enable at least the input chain before the
# router is used on a foreign network.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# NOTE(review): no source NAT toward the wireguard interface. Client packets
# reach the home router with 10.2.10.x sources, which the home peer must list in
# its allowed-address and route back (home export not visible here -- verify),
# or add a masquerade rule with out-interface=wireguard.
/ip ipsec policy
set 0 disabled=yes
/ip route
# Home LANs via the tunnel in table main.
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=wireguard \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Default route into the tunnel, in the via-WG table only (main keeps the uplink default).
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard \
    routing-table=via-WG scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
# Inert while /ipv6 settings disable-ipv6=yes (kept from defconf).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 filter; inert while IPv6 is disabled above.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
# NOTE(review): min-prefix=0 is missing on the first rule. Without it the rule
# matches every destination main can route -- including the uplink default
# route -- so client traffic never reaches the via-WG rule: internet works but
# the tunnel is never used. Add min-prefix=0 to this rule.
add action=lookup-only-in-table comment="enable local traffic" disabled=no \
    table=main
add action=lookup-only-in-table disabled=no src-address=10.2.10.0/24 table=\
    via-WG
/system clock
set time-zone-name=Europe/Bucharest
/system logging
# WireGuard and route logging -- useful while troubleshooting; noisy in normal use.
add prefix=wg topics=wireguard
add prefix=route topics=route
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
# defconf LED-toggle script bound to the mode button. Its policy list is broad
# (password, sensitive, romon) but the body only flips all-leds-off.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Okay, understood, so you will always wire the laptop etc. to the travel router via ether2.
Also need the export of the home router!!

Not quite right
/routing rule
add action=lookup-only-in-table comment=“enable local traffic” disabled=no
table=main
add action=lookup-only-in-table disabled=no src-address=10.2.10.0/24 table=
via-WG

TO:
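/routing rule
# min-prefix=0: the main-table rule only wins when main holds a route more
# specific than 0.0.0.0/0 (the local bridge, the home LANs). Without it the
# DHCP default route in main matches everything and the via-WG rule is never
# reached -- internet works, but nothing goes through the tunnel.
add action=lookup-only-in-table comment="enable local traffic" disabled=no min-prefix=0 table=main
add action=lookup-only-in-table disabled=no src-address=10.2.10.0/24 table=via-WG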

Home router export coming up.

/interface bridge
add admin-mac=48:A9:8A:E0:D7:55 auto-mac=no name=bridgeLocal port-cost-mode=\
    short protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ema/ac
set [ find default-name=ether2 ] comment=pppoe
set [ find default-name=ether3 ] comment=tado
set [ find default-name=ether4 ] comment=birou/main
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether2 \
    name=pppoe-out1 use-peer-dns=yes user=xxxxxxx
/interface wireguard
add comment=wireguard listen-port=18281 mtu=1420 name=wireguard
/interface vlan
add interface=bridgeLocal name=vlan-20-guest vlan-id=20
add interface=bridgeLocal name=vlan-88-main vlan-id=88
/interface list
add name=LAN
add name=WAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2432,2472 name=2ghz skip-dfs-channels=\
    all width=20mhz
add band=5ghz-ax disabled=no frequency=5260,5500 name=5ghz skip-dfs-channels=\
    all width=20/40/80mhz
# Each datapath tags client traffic into its VLAN on bridgeLocal.
/interface wifi datapath
add bridge=bridgeLocal disabled=no name=datapath-main vlan-id=88
add bridge=bridgeLocal disabled=no name=datapath-guest vlan-id=20
/interface wifi security
# Main SSID: WPA2/WPA3-PSK, WPS off. disable-pmkid=no leaves PMKID in the
# association exchange; the travel router's AP profile sets it to yes,
# which is the usual hardening for PSK networks.
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no \
    encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes \
    management-encryption=cmac management-protection=allowed name=\
    security_bogdan wps=disable
# Guest/IoT SSID additionally accepts wpa-psk (WPA1 handshake) for older
# devices, although only CCMP/GCMP ciphers are offered.
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=no disabled=no \
    encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes \
    management-encryption=cmac management-protection=allowed name=\
    security_guest wps=disable
/interface wifi steering
add disabled=no name=steering neighbor-group=dynamic-mornache5g-15af2dbc rrm=\
    yes
/interface wifi configuration
add chains=0,1 channel=2ghz country=Romania datapath=datapath-main disabled=no \
    name=cfg_2g security=security_bogdan security.ft=yes .ft-over-ds=yes ssid=\
    mornache2g steering=steering tx-chains=0,1
add chains=0,1 channel=5ghz channel.skip-dfs-channels=disabled .width=\
    20/40/80mhz country=Romania datapath=datapath-main disabled=no name=cfg_5g \
    security=security_bogdan security.ft=yes .ft-over-ds=yes ssid=mornache5g \
    steering=steering tx-chains=0,1
add chains=0,1 channel=5ghz channel.width=20/40/80mhz country=Romania \
    datapath=datapath-guest disabled=no mode=ap name=cfg_5g_guest security=\
    security_guest security.ft=yes .ft-over-ds=yes ssid=mornache5g_iot \
    steering=steering tx-chains=0,1
add chains=0,1 channel=2ghz country=Romania datapath=datapath-guest disabled=\
    no mode=ap name=cfg_2g_guest security=security_guest security.ft=yes \
    .ft-over-ds=yes ssid=mornache2g_iot steering=steering tx-chains=0,1
# LoRa server entries; these appear to be stock entries and are inert unless
# a LoRa concentrator is actually configured.
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=main ranges=192.168.88.2-192.168.88.254
add name=guest ranges=192.168.20.2-192.168.20.254
# Two-address pool for the tado device.
add name=tado ranges=192.168.90.2/31
/ip dhcp-server
add address-pool=main interface=vlan-88-main name=main
add address-pool=guest interface=vlan-20-guest name=guest
# The tado server listens on the untagged bridge itself, whereas the
# 192.168.90.1/24 address (see /ip address) sits on ether3, which is a
# bridge port. Verify that the address and the DHCP server agree on one
# interface; as exported, untagged traffic on any bridge port without a
# pvid can reach this server.
add address-pool=tado interface=bridgeLocal name=tado
# ether1/ether3/ether4 carry no pvid (so untagged frames land in VLAN 1);
# ether5 is an access port for VLAN 88.
/interface bridge port
add bridge=bridgeLocal interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal interface=ether5 internal-path-cost=10 path-cost=10 \
    pvid=88
add bridge=bridgeLocal interface=ether1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is fully disabled, which makes the /ipv6 firewall sections below
# inert.
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether4,ether5 vlan-ids=20,88
# The wireguard interface is in neither LAN nor WAN; every
# in-interface-list based firewall rule therefore ignores tunnel traffic,
# and only the explicit 192.168.40.0/24 and 10.2.10.0/24 rules handle it.
/interface list member
add interface=ether2 list=WAN
add interface=bridgeLocal list=LAN
add interface=vlan-20-guest list=LAN
add interface=vlan-88-main list=LAN
# An OpenVPN server object exists; the export does not show whether it is
# enabled. Confirm it is disabled if WireGuard is the only VPN in use.
/interface ovpn-server servers
add mac-address=FE:6F:F6:8B:B6:99 name=ovpn-server1
/interface wifi access-list
add action=accept allow-signal-out-of-range=10s disabled=yes mac-address=\
    8C:17:59:DC:D5:D4 signal-range=-60..120
add action=reject allow-signal-out-of-range=10s disabled=yes mac-address=\
    8C:17:59:DC:D5:D4 signal-range=120..-61
/interface wifi cap
set caps-man-addresses=192.168.88.1 discovery-interfaces=bridgeLocal enabled=\
    yes slaves-static=no
# CAPsMAN accepts CAPs without certificate authentication
# (require-peer-certificate=no); fine on a trusted wired segment, otherwise
# enable it.
/interface wifi capsman
set enabled=yes interfaces=vlan-20-guest,vlan-88-main package-path="" \
    require-peer-certificate=no upgrade-policy=require-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_2g \
    name-format=%I-2G-wifi slave-configurations=cfg_2g_guest supported-bands=\
    2ghz-ax,2ghz-g,2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cfg_5g \
    name-format=%I-5G-wifi slave-configurations=cfg_5g_guest supported-bands=\
    5ghz-a,5ghz-n,5ghz-ac,5ghz-ax
# Peer table: only public keys are listed, which are safe to share.
# allowed-address is WireGuard's cryptokey routing: a packet arriving from a
# peer is dropped unless its source is inside that peer's list, and only
# destinations in the list are sent to that peer.
/interface wireguard peers
add allowed-address=192.168.40.8/32 comment=iPhone interface=wireguard name=\
    iPhone public-key="glSa7rvQAPrmZzsVBKK+Zl+oOlY1Y6HZeibykT0P3SQ=" \
    responder=yes
add allowed-address=192.168.40.10/32 comment=android interface=wireguard name=\
    android public-key="aqtDSG6Sd6Udv4IUIBKUZU4zv0xjq9BebGumqm+Wa2E=" \
    responder=yes
add allowed-address=192.168.40.4/32 comment=Mac interface=wireguard name=\
    MacBook public-key="fkVmY7MhvepV8McBv6G1KZ/loA2MD/pKyMvDHEJEriI="
# Travel router peer: accepts the travel LAN (10.2.10.0/24), the travel
# router's original tunnel subnet (172.16.16.0/24) and its new tunnel
# address (192.168.40.12/32). persistent-keepalive is pointless on the
# responder side, as the reply below notes.
add allowed-address=10.2.10.0/24,172.16.16.0/24,192.168.40.12/32 comment=\
    RoadWarrior interface=wireguard name=RoadWarrior persistent-keepalive=25s \
    public-key="0yzLpomS04fvdOsfgAVRPivkVgNWV7UWCt2iBfdqI2Y=" responder=yes
# Duplicated line is an export artifact; harmless.
/iot lora traffic options
set crc-errors=no
set crc-errors=no
/ip address
add address=192.168.88.1/24 comment=main interface=vlan-88-main network=\
    192.168.88.0
add address=192.168.20.1/24 comment=guest interface=vlan-20-guest network=\
    192.168.20.0
# comment=taco is presumably a typo for tado; the address is bound to
# ether3 (a bridge port) rather than to the bridge the tado DHCP server
# uses.
add address=192.168.90.1/24 comment=taco interface=ether3 network=192.168.90.0
# Home side of the tunnel: 192.168.40.0/24.
add address=192.168.40.1/24 comment=wireguard interface=wireguard network=\
    192.168.40.0
# Static leases. Two MACs hold leases on both the main and the guest
# server (48:A9:8A:C2:7E:1C -> .88.8 and .20.247; 50:A6:D8:AF:DD:68 ->
# .88.24 and .20.234). If those are single physical devices present on
# both VLANs, they bridge the two networks around the inter-VLAN drop
# rules in the filter chain.
/ip dhcp-server lease
add address=192.168.88.192 mac-address=24:DF:A7:2B:A9:F8 server=main
add address=192.168.88.191 mac-address=24:DF:A7:2B:A5:96 server=main
add address=192.168.88.188 mac-address=48:22:54:E4:06:5C server=main
add address=192.168.88.195 client-id=1:50:ec:50:25:d4:4 mac-address=\
    50:EC:50:25:D4:04 server=main
add address=192.168.88.178 client-id=1:14:c1:4e:43:b8:42 mac-address=\
    14:C1:4E:43:B8:42 server=main
add address=192.168.88.194 client-id=1:64:90:c1:12:e4:a4 mac-address=\
    64:90:C1:12:E4:A4 server=main
add address=192.168.88.180 client-id=1:8c:17:59:dc:d5:d4 mac-address=\
    8C:17:59:DC:D5:D4 server=main
add address=192.168.88.25 mac-address=54:48:E6:09:C7:77 server=main
add address=192.168.88.198 client-id=1:b4:2e:99:ef:c8:4a mac-address=\
    B4:2E:99:EF:C8:4A server=main
add address=192.168.88.19 client-id=1:90:9:d0:10:cf:b6 mac-address=\
    90:09:D0:10:CF:B6 server=main
add address=192.168.88.27 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:a3:61:7e:41:14:b0:63:a3 mac-address=\
    DE:A6:65:16:48:46 server=main
add address=192.168.88.8 client-id=1:48:a9:8a:c2:7e:1c mac-address=\
    48:A9:8A:C2:7E:1C server=main
add address=192.168.88.7 client-id=1:4:cf:8c:cd:e7:d0 mac-address=\
    04:CF:8C:CD:E7:D0 server=main
add address=192.168.88.185 mac-address=5C:E5:0C:0C:61:28 server=main
add address=192.168.88.23 mac-address=B4:60:ED:59:29:1C server=main
add address=192.168.88.3 mac-address=E0:5A:1B:F1:97:DC server=main
add address=192.168.88.26 client-id=1:90:ca:fa:b0:5d:64 mac-address=\
    90:CA:FA:B0:5D:64 server=main
add address=192.168.88.52 client-id=1:c8:5c:cc:42:a9:57 mac-address=\
    C8:5C:CC:42:A9:57 server=main
add address=192.168.88.47 client-id=1:60:de:f4:55:9d:20 mac-address=\
    60:DE:F4:55:9D:20 server=main
add address=192.168.88.16 client-id=1:fa:66:8b:24:14:f1 mac-address=\
    FA:66:8B:24:14:F1 server=main
add address=192.168.88.104 mac-address=F4:F5:E8:57:EE:94 server=main
add address=192.168.88.101 client-id=1:60:de:f4:a2:4a:aa mac-address=\
    60:DE:F4:A2:4A:AA server=main
add address=192.168.88.20 client-id=1:f6:23:cd:fb:6c:2a mac-address=\
    F6:23:CD:FB:6C:2A server=main
add address=192.168.20.247 client-id=1:48:a9:8a:c2:7e:1c mac-address=\
    48:A9:8A:C2:7E:1C server=guest
add address=192.168.90.2 client-id=1:ec:e5:12:21:d6:4e mac-address=\
    EC:E5:12:21:D6:4E server=tado
add address=192.168.88.28 client-id=1:56:a9:24:89:f9:2c mac-address=\
    56:A9:24:89:F9:2C server=main
add address=192.168.88.18 client-id=1:90:9:d0:10:cf:b5 mac-address=\
    90:09:D0:10:CF:B5 server=main
add address=192.168.88.40 client-id=1:b8:27:eb:14:f1:26 mac-address=\
    B8:27:EB:14:F1:26 server=main
add address=192.168.88.11 mac-address=84:E3:42:6F:F5:A4 server=main
add address=192.168.88.33 client-id=1:5c:e9:31:56:48:a6 mac-address=\
    5C:E9:31:56:48:A6 server=main
add address=192.168.88.10 mac-address=54:48:E6:0A:16:D9 server=main
add address=192.168.88.4 mac-address=44:23:7C:F3:72:F9 server=main
add address=192.168.88.24 client-id=1:50:a6:d8:af:dd:68 mac-address=\
    50:A6:D8:AF:DD:68 server=main
add address=192.168.88.34 client-id=1:c0:95:6d:5d:d7:a9 mac-address=\
    C0:95:6D:5D:D7:A9 server=main
add address=192.168.88.30 client-id=1:e4:fa:c4:78:e4:78 mac-address=\
    E4:FA:C4:78:E4:78 server=main
add address=192.168.88.29 client-id=1:e4:fa:c4:78:ef:f6 mac-address=\
    E4:FA:C4:78:EF:F6 server=main
add address=192.168.20.236 client-id=1:f0:25:8e:74:5b:c8 comment=charger \
    mac-address=F0:25:8E:74:5B:C8 server=guest
add address=192.168.20.241 client-id=1:c0:e0:18:7c:63:3a comment=invertor \
    mac-address=C0:E0:18:7C:63:3A server=guest
add address=192.168.20.234 client-id=1:50:a6:d8:af:dd:68 mac-address=\
    50:A6:D8:AF:DD:68 server=guest
add address=192.168.20.232 client-id=1:c4:d4:38:6f:2d:c8 comment=dongle \
    mac-address=C4:D4:38:6F:2D:C8 server=guest
add address=192.168.88.38 client-id=\
    ff:f8:ce:1b:a1:0:2:0:0:ab:11:ca:db:64:82:9:cf:67:cb mac-address=\
    D8:3A:DD:BD:8B:FA server=main
add address=192.168.88.41 client-id=1:bc:24:11:5b:b7:4b mac-address=\
    BC:24:11:5B:B7:4B server=main
# Main VLAN clients are pointed at a local resolver (192.168.88.80); guest
# and tado clients go straight to 1.1.1.1.
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.1
add address=192.168.88.0/24 dns-server=192.168.88.80 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1 gateway=192.168.90.1
# Router's own resolver; allow-remote-requests is not set, so the router
# does not serve DNS to clients.
/ip dns
set servers=1.1.1.1
# Address lists are defined but not referenced by any filter rule in this
# export.
/ip firewall address-list
add address=192.168.88.0/24 list=vlan-main
add address=192.168.20.0/24 list=vlan-guest
add address=192.168.40.0/24 list=wireguard
# Input chain. Rules are evaluated top-down; nothing below the final
# "drop all not coming from LAN" is reachable for non-LAN sources.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Lets any 192.168.40.x source reach every service on the router's .88.1
# address, logging each new connection. There is no in-interface=wireguard
# match; adding one binds the rule to the tunnel rather than to the source
# prefix alone.
add action=accept chain=input comment=wireguard dst-address=192.168.88.0/24 \
    log=yes log-prefix=VPN-ROUTER-SRC src-address=192.168.40.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Inbound WireGuard on UDP/18281; must stay above the LAN-only drop.
# log=yes logs every new UDP flow to this port, including unsolicited
# internet noise, so expect volume.
add action=accept chain=input comment=wireguard dst-port=18281 log=yes \
    log-prefix="[VPN-ROUTER-PORT]" protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The wireguard interface is in neither LAN nor WAN (see interface list
# members), so tunnel packets to the router's .40.1 address are dropped
# here unless an explicit rule above accepted them.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain. Compared with the stock defconf, the plain
# "accept established,related,untracked" rule after fasttrack is absent and
# there is no closing "drop all else": anything not matched below is
# forwarded, which is what lets tunnel traffic reach every local subnet
# (guest .20 and .90 included). If a closing drop is ever added, the
# established/related accept has to be restored first, or flows that are
# not fasttracked will be cut.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# Travel LAN -> home main LAN, logged per new connection. Matches on
# source prefix only; in-interface=wireguard would tie it to the tunnel.
add action=accept chain=forward dst-address=192.168.88.0/24 log=yes \
    src-address=10.2.10.0/24
# Inter-VLAN isolation; covers only the two VLAN interfaces, not the
# tunnel.
add action=drop chain=forward comment="drop intervlan access" in-interface=\
    vlan-20-guest log=yes log-prefix="drop from 20 to 88" out-interface=\
    vlan-88-main
add action=drop chain=forward comment="drop intervlan access" in-interface=\
    vlan-88-main log=yes log-prefix="drop from 88 to 20" out-interface=\
    vlan-20-guest
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Outbound masquerade on the PPPoE uplink. Tunnel traffic heading for the
# internet also leaves here, which is why travel clients end up with the
# home public address.
add action=masquerade chain=srcnat comment="pppoe masquerade" ipsec-policy=\
    out,none out-interface=pppoe-out1
# Redirects inbound UDP/18281 to the router's own tunnel address. The input
# accept on the same port already delivers these packets locally, so this
# is redundant (the reply below calls it bogus) and it logs every new
# handshake attempt.
add action=dst-nat chain=dstnat comment=wireguard-router dst-port=18281 \
    in-interface=pppoe-out1 log=yes log-prefix="[ VPN  ]" protocol=udp \
    to-addresses=192.168.40.1 to-ports=18281
# Internet-exposed TCP/81 forward to 192.168.88.27. Keep only if that
# service is meant to be reachable from the internet.
add action=dst-nat chain=dstnat comment="home lab" dst-address=192.168.88.27 \
    dst-port=81 in-interface=pppoe-out1 log=yes log-prefix="[HOME LAB]" \
    protocol=tcp to-addresses=192.168.88.27
# Conntrack helpers for legacy protocols switched off.
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Management services: telnet/ftp/api/api-ssl disabled; www and winbox
# limited to the main LAN and the tunnel subnet. SSH is only moved to
# port 1988 with no address restriction, so it relies solely on the input
# chain; an address= list like the others would be consistent.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.40.0/24
set ssh port=1988
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.40.0/24
set api-ssl disabled=yes
# SMB share definition; whether the SMB service itself is enabled is not
# visible in this export.
/ip smb shares
set [ find default=yes ] directory=pub
# IPv6 is disabled in /ipv6 settings, so everything in this section is
# inert. The complete filter set appears twice below (the second copy
# starts at the repeated input "accept established" rule); that looks like
# an export/paste duplication — harmless on a live router, but noisy.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# ---- second (duplicate) copy of the same rule set starts here ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=parter
# Only the wireguard topic is actually logged; wireless and firewall
# entries are disabled.
/system logging
add disabled=yes topics=wireless
add disabled=yes topics=firewall
add topics=wireguard
/system note
set show-at-login=no
# The internet-facing router tracks the development release channel; for
# an edge device the stable (or long-term) channel is the lower-risk
# choice.
/system package update
set channel=development
# RoMON is enabled; the export shows no secret. Confirm one is set, since
# RoMON provides layer-2 management reachability across RoMON-enabled
# neighbours.
/tool romon
set enabled=yes

With the suggested bits on the travel one, it behaves as in the picture below.
Also, I noted a strange behavior in WinBox: I added min-prefix=0 as suggested and when I clicked OK it disappeared. When I did it from the terminal it remained.
Screenshot 2024-10-31 080418.png

Well the two devices will never connect… two different subnets…

HOME
# Home tunnel address, taken from the home export above.
add address=192.168.40.1/24 interface=wireguard network=192.168.40.0

TRAVEL
# Travel tunnel address as originally configured: a different /24 from the
# home side, so the two ends have no common subnet.
add address=172.16.16.1/24 interface=wireguard network=172.16.16.0

So, for the slow-witted me!
Can you confirm that I have to change the address assigned to the travel WG interface so that it is in the same subnet?
/ip addresses
Remove 172
Add 192.168.smththatmakessense
? :open_mouth:

The great thing about Wireguard is that you have many options.

  1. Simplest approach, because it is easier to change only the single peer, since you have several others already tied to the .40 subnet.
    TRAVEL ROUTER
    # Option 1, travel side: move the tunnel address into the home WG subnet.
    # The text in { } is the author's aside, not part of the command.
    add address=192.168.40.12/24 interface=wireguard network=192.168.40.0 { assuming .12 is what you intended to assign - sorta indicated by allowed IPs on home router }

HOME ROUTER
Fix the ALLOWED IPs on the travel-client peer setting; persistent keepalive is NOT used here, only on the travel router.
# Option 1, home side: allow only the travel router's new tunnel address and
# its LAN; 172.16.16.0/24 from the existing RoadWarrior peer is dropped and
# persistent-keepalive is removed. Note the stray quote after the name and
# the curly quotes around the key placeholder — retype rather than paste.
add allowed-address=192.168.40.12/32,10.2.10.0/24 comment=TravelRouter interface=wireguard name=RoadWarrior" public-key=“====”

  1. The other option is to keep the travel router as is, no changes (save one!), and simply add another address on the HOME router. A WireGuard interface can have multiple addresses, SO:

HOME ROUTER
# Option 2: a second WireGuard interface on the home router so the travel
# router can keep its 172.16.16.x address. Lines are wrapped without
# trailing backslashes and use curly quotes; join and retype before use.
/interface wireguard
add comment=wireguard listen-port=18281 mtu=1420 name=wireguard
add comment=wireguard listen-port=19281 mtu=1420 name=wg-Travel

# The new port needs its own input accept, placed above the LAN-only drop.
/ip firewall filter

add action=accept chain=input comment=wireguard dst-port=18281 log=yes
log-prefix=“[VPN-ROUTER-PORT]” protocol=udp
add action=accept chain=input comment=“travel router” dst-port=19281 log=yes
log-prefix=“[VPN-RW PORT]” protocol=udp

/interface wireguard peers
add allowed-address=192.168.40.8/32 comment=iPhone interface=wireguard name=
iPhone public-key=“glSa7rvQAPrmZzsVBKK+Zl+oOlY1Y6HZeibykT0P3SQ=”
responder=yes
add allowed-address=192.168.40.10/32 comment=android interface=wireguard name=
android public-key=“aqtDSG6Sd6Udv4IUIBKUZU4zv0xjq9BebGumqm+Wa2E=”
responder=yes
add allowed-address=192.168.40.4/32 comment=Mac interface=wireguard name=
MacBook public-key=“fkVmY7MhvepV8McBv6G1KZ/loA2MD/pKyMvDHEJEriI=”
# Only the travel router's tunnel address is allowed; its LAN 10.2.10.0/24
# is not. With this option, client traffic would have to be masqueraded
# onto 172.16.16.1 by the travel router or be dropped by cryptokey routing
# (compare the RoadWarrior peer in the export, which allows 10.2.10.0/24).
# "**" is a placeholder for the travel router's public key.
add allowed-address=172.16.16.1/32 comment=“Travel Router” interface=wg-Travel public-key="**"
/ip address
add address=192.168.88.1/24 comment=main interface=vlan-88-main network=
192.168.88.0
add address=192.168.20.1/24 comment=guest interface=vlan-20-guest network=
192.168.20.0
add address=192.168.90.1/24 comment=taco interface=ether3 network=192.168.90.0
add address=192.168.40.1/24 comment=wireguard interface=wireguard network=
192.168.40.0
# Interface name mismatch: created above as wg-Travel (hyphen) but
# referenced here as wg_Travel (underscore); the address would not attach.
add address=172.16.16.2/24 interface=wg_Travel network=172.16.16.0

TRAVEL ROUTER
Only one change is required here…
# Travel-side peer for option 2. allowed-address names only the home tunnel
# address and the two home subnets, so only those destinations would enter
# the tunnel; a full tunnel (internet via home) needs 0.0.0.0/0 here, as the
# final travel export further down uses. xxx.xxx.xxx.xxx and “xxx=” are
# placeholders for the home public IP and key; the wrapped lines must be
# joined before pasting.
/interface wireguard peers
add allowed-address=172.16.16.2/32,192.168.88.0/24,192.168.40.0/24
endpoint-address=xxx.xxx.xxx.xxx endpoint-port=19281 interface=
wireguard name=home persistent-keepalive=20s public-key=
“xxx=”

Now will handle firewall rules separately.
On the travel router… we can basically (holding my nose) keep the existing defaults..

Don't make any firewall changes yet, as you need to decide which approach to WireGuard you will take.
The below is notional, just to show you the direction headed.

HOME ROUTER:

GET RID OF the DSTNAT rule for wireguard, not sure what it's doing there??? BOGUS!!!
# Rule quoted from the home export for removal: the input-chain accept on
# udp/18281 already delivers WireGuard packets to the router, so redirecting
# them to its own tunnel address adds nothing except a log line per flow.
add action=dst-nat chain=dstnat comment=wireguard-router dst-port=18281
in-interface=pppoe-out1 log=yes log-prefix=“[ VPN ]” protocol=udp
to-addresses=192.168.40.1 to-ports=18281

# Typo: the menu is /ip firewall address-list (extra "d" here). X/Y/A/D are
# placeholders to be filled from the static leases; the list is what the
# "admin access" input rule below keys on, so keep it to fixed addresses.
/ip firewall adddress-list { static DHCP leases where applicable }
add address=192.168.88.X list=Authorized comment=“admin PC home router”
add address=192.168.88.Y list=Authorized comment=“admin second device wifi?”
add address=192.168.40.A list=Authorized comment=“admin remote device anywhere”
{ could be laptop, smartphone, ipad etc.. }
add address=10.2.10.D list=Authorized comment=“admin behind travel router”

# Notional home-router filter from the reply. Labels in ( ) and { } are the
# author's notes, not RouterOS syntax, and the curly quotes need to become
# straight quotes before pasting.
/ip firewall filter
( default rules to keep )
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# The empty comment= is a leftover from trimming the defconf comment.
add action=accept chain=input comment= dst-address=127.0.0.1

( admin rules )
add action=accept chain=input comment=wireguard dst-port=18281 log=yes
log-prefix=“[VPN-ROUTER-PORT]” protocol=udp

OPTIONAL IF YOU CREATE A SECOND WIREGUARD —>
# Same log-prefix as the 18281 rule; a distinct prefix keeps the two
# tunnels apart in the log.
add action=accept chain=input comment=wireguard dst-port=19281 log=yes
log-prefix=“[VPN-ROUTER-PORT]” protocol=udp
# With the closing drop below, the Authorized list becomes the only path to
# router management from the tunnel.
add action=accept chain=input comment=“admin access” src-address-list=Authorized
# These DNS rules match in-interface-list=LAN only; on the current export
# the wireguard interface is not in LAN, so tunnel users could not use the
# router as a resolver (DHCP hands them 1.1.1.1 / .88.80 anyway).
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment=“users to services” in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment=“drop all else”
{ add this last so you dont lock yourself out }
++++++++++++++++++++++++++++++++++++++++++
( default rules to keep )
add action=fasttrack-connection chain=forward connection-state=established,related
# This established/related accept is missing from the current home export;
# it becomes mandatory once the closing forward drop below exists.
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

( admin rules )
# Matches on source prefix only; in-interface=wireguard would bind it to
# the tunnel.
add action=accept chain=forward dst-address=192.168.88.0/24 log=yes
src-address=10.2.10.0/24
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
# The "???" is the author's open question (see the note after the block).
# With the closing drop, tunnel users reach only what is listed here, i.e.
# the .88 LAN and not the guest or tado subnets.
add action=accept chain=forward comment=“wg to local LAN” in-interface=wireguard dst-address=192.168.88.0/24???
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat
{ disable or remove if not required }
add action=drop chain=forward comment=“drop all else”


Note: It is not clear but I believe you only want wireguard users with access to the .88 LAN ???

Hello
It worked with the first indicated solution, where I did not have to overcomplicate the setup at home. For good or bad it works, and my peace depends on it.
It took a while before it started working and I am unsure why, but eventually it did: I can ping everything in my network, and it seems that my IP changed from the mobile ISP to the home ISP, which I assume is a good sign all in all.
The only thing I found was needed, and I think is missing from the original suggestion, is that I had to add a new NAT rule:
# action=log performs no NAT at all; it only writes a log line. The travel
# export further down shows the rule that actually changed behaviour is a
# separate action=masquerade on out-interface=wireguard.
add action=log chain=srcnat log=yes log-prefix=“log srcnat wireguard” out-interface=wireguard
and comment out the NAT rule added for WAN.
I am only assuming that, since all traffic goes to WG, that is the only NAT I need.
I added back the default firewall and I will look it over to see what I can improve.
I would greatly appreciate it if you could scan this while I go wrap my head around your firewall suggestions for the home one.
many many thanks

Also, to all who come after me: you have in this thread 2 WG configs that eventually worked.

# ---- Travel router export (final, working configuration) ----
/interface bridge
add admin-mac=48:8F:5A:29:AB:78 auto-mac=no comment=defconf name=bridge
# Local WireGuard interface; this router is the initiator towards the home
# peer defined further down.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel2
add band=5ghz-ac disabled=no name=channel5
/interface wifi datapath
add bridge=bridge disabled=no name=datapath
/interface wifi security
# Profile for the station (uplink) side; the hotspot passphrase is not
# shown in the export.
add disabled=no name=android_phone
# AP profile for travel clients: WPA2-PSK only, PMKID disabled, WPS off.
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes management-encryption=cmac management-protection=allowed name=ap_security wps=disable
# wifi1 is the uplink: a station joining the phone hotspot "Work" (it is the
# WAN list member below).
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=station .ssid=Work disabled=no name=m_2ghz_station security=android_phone
/interface wifi steering
add disabled=no name=steering
/interface wifi configuration
add channel=channel2 datapath=datapath disabled=no mode=ap name=cfg_wifi_2g security=ap_security ssid=mornache_on_the_road steering=steering
add channel=channel5 datapath=datapath disabled=no mode=ap name=cfg_wifi_5g security=ap_security ssid=mornache_on_the_road steering=steering
# wifi2 serves the travel clients on 5 GHz.
/interface wifi
set [ find default-name=wifi2 ] channel=channel5 configuration=cfg_wifi_5g configuration.mode=ap disabled=no name=m_5ghz_ap
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.2.10.10-10.2.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
# Separate routing table for the full tunnel; it holds the 0.0.0.0/0 route
# defined further down and is selected by the routing rule at the end.
/routing table
add fib name=via-WG
# Any USB media plugged in is shared automatically over SMB; on a travel
# device that is worth disabling unless intended.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
# bridge = LAN, the wifi station = WAN; the wireguard interface is in
# neither list, so list-based firewall rules never classify tunnel traffic.
/interface list member
add interface=bridge list=LAN
add interface=m_2ghz_station list=WAN
# Single peer (home). allowed-address=0.0.0.0/0 is what lets every
# destination be sent into the tunnel. The endpoint is a hostname that the
# router resolves itself, which works only because router-originated
# traffic is not forced into via-WG by the routing rules. Keepalive keeps
# the hotspot's NAT mapping open. "someKey" stands for the home public key.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.ro endpoint-port=18281 interface=wireguard name=home persistent-keepalive=25s public-key="someKey"
# Tunnel address inside the home WG subnet; matches the /32 in the home
# router's RoadWarrior peer.
/ip address
add address=10.2.10.1/24 comment=defconf interface=bridge network=10.2.10.0
add address=192.168.40.12/24 interface=wireguard network=192.168.40.0
/ip dhcp-client
add dhcp-options=hostname,clientid,clientid_duid interface=m_2ghz_station
/ip dhcp-server lease
add address=10.2.10.254 client-id=1:c8:4b:d6:76:b8:fb mac-address=C8:4B:D6:76:B8:FB server=defconf
# Clients are handed 1.1.1.1 directly; because their source is 10.2.10.x
# those queries travel through the tunnel as well, not out via the hotspot.
/ip dhcp-server network
add address=10.2.10.0/24 comment=defconf dns-server=1.1.1.1 gateway=10.2.10.1
# The router answers DNS for anyone who asks; the input chain below admits
# only LAN, so this is not reachable from the hotspot side.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
# Stock defconf filter, unchanged: no closing forward drop, so keeping
# client traffic inside the tunnel is the job of the routing rules, not of
# the firewall.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# The trailing "- REMOVED" / "-> LOGGING only ..." fragments are the poster's
# annotations, not RouterOS syntax. The second rule is action=masquerade,
# not a log rule: it rewrites every client packet leaving via the tunnel to
# source 192.168.40.12, so the home router only ever sees that address and
# its 10.2.10.0/24 accept/log rule no longer matches travel clients. The
# home peer already allows 10.2.10.0/24, so the masquerade is not needed
# for reachability (the next reply makes the same point). With the WAN
# masquerade removed, nothing NATs traffic leaving via the station; that
# is only safe while the routing rule keeps client traffic out of main.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN - REMOVED
add action=masquerade chain=srcnat log=yes log-prefix="vpn psqrd" out-interface=wireguard -> LOGGING only so i can see stuff
add action=log chain=srcnat log=yes log-prefix="log srcnat wireguard" out-interface=wireguard
/ip ipsec policy
set 0 disabled=yes
# main knows only the home LAN via the tunnel (used by the router itself);
# the default route lives in via-WG so that only client traffic is
# tunnelled.
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard routing-table=via-WG scope=30 suppress-hw-offload=no target-scope=10
# Stock defconf IPv6 rules; IPv6 is disabled in /ipv6 settings above, so
# this section is inert.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.2.10.0/24 table=via-WG
add action=lookup-only-in-table comment="enable local traffic" disabled=no min-prefix=0 table=main
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Remember I need the latest snapshot of both devices to ensure they integrate.
Extra NAT should not be needed because we cover incoming traffic via allowed IPs and firewall rules.
Your rules still need work, which is why… Once fixed, the NAT rule will not be required.
(it also defeats your need to log the source address of incoming traffic)
It's something we keep in our back pocket for when it is needed (aka when allowed IPs are not sufficient)..

Please confirm the decision is to go with —> a single wireguard address at the home router and change the travel router to match ???

I am on a Halloween ride atm
I will go with the first proposal! Change the address for wg travel
Simple is the best! Already tested and it works. Some tweaks are needed for the NAT, but otherwise it does what I needed
The config amended and working is posted above. I will tick solved once I am home
Logging is something embedded in my nature due to my job :laughing:
Once I can spend some time to work on the home one I will post both

Sounds good! Boo :wink:

I had a look on the firewall and i have some questions

first

add action=accept chain=input comment="admin access" src-address-list=Authorized

and the entries in the list that go with it are there to restrict access to the admin part of the router? If so, I used the full list already created for the vlans and added one for wireguard_travel. I replaced the auth list with those. I will consider restricting it even more in the future. For now I have a restriction in /ip services on who can access them, and if I understood correctly that is also a way to restrict access:

set winbox address=192.168.88.0/24,192.168.40.0/24

second

add action=drop chain=forward comment="drop all else"

  • drops all traffic to the internet from the travel router (not tested on a device connected to the home router). Is that normal?

third
NAT is still needed on the travel router. Is that normal? What am I missing?

fourth
can you help me understand the rationale behind ->> add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp?

and .. an observation
after adding the rule with comment <> I noticed that one of my Chinese devices, a Huawei car charger, has a lot of traffic blocked by it…

home router

/interface bridge
# Single VLAN-filtering bridge; VLAN 20 (guest/IoT) and 88 (main) are carried tagged on the ports listed under /interface bridge vlan.
add admin-mac=48:A9:8A:E0:D7:55 auto-mac=no name=bridgeLocal port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ema/ac
set [ find default-name=ether2 ] comment=pppoe
set [ find default-name=ether3 ] comment=tado
set [ find default-name=ether4 ] comment=birou/main
/interface pppoe-client
# Default route comes from the PPPoE session (user= is redacted in this export).
add add-default-route=yes dial-on-demand=yes disabled=no interface=ether2 name=pppoe-out1 use-peer-dns=yes user=xxxxxxx
/interface wireguard
# Tunnel listener on UDP 18281; the travel router dials this port (its peer entry uses endpoint-port=18281).
add comment=wireguard listen-port=18281 mtu=1420 name=wireguard
/interface vlan
add interface=bridgeLocal name=vlan-20-guest vlan-id=20
add interface=bridgeLocal name=vlan-88-main vlan-id=88
/interface list
add name=LAN
add name=WAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2432,2472 name=2ghz skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no frequency=5260,5500 name=5ghz skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=bridgeLocal disabled=no name=datapath-main vlan-id=88
add bridge=bridgeLocal disabled=no name=datapath-guest vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes management-encryption=cmac management-protection=allowed name=security_bogdan wps=disable
# Guest/IoT profile still accepts wpa-psk (WPA1 handshake); ciphers are CCMP/GCMP only, so no TKIP. Keep wpa-psk only if an IoT device actually needs it.
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=no disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes management-encryption=cmac management-protection=allowed name=security_guest wps=disable
/interface wifi steering
add disabled=no name=steering neighbor-group=dynamic-mornache5g-15af2dbc rrm=yes
/interface wifi configuration
add chains=0,1 channel=2ghz country=Romania datapath=datapath-main disabled=no name=cfg_2g security=security_bogdan security.ft=yes .ft-over-ds=yes ssid=mornache2g steering=steering tx-chains=0,1
add chains=0,1 channel=5ghz channel.skip-dfs-channels=disabled .width=20/40/80mhz country=Romania datapath=datapath-main disabled=no name=cfg_5g security=security_bogdan security.ft=yes .ft-over-ds=yes ssid=mornache5g steering=steering tx-chains=0,1
add chains=0,1 channel=5ghz channel.width=20/40/80mhz country=Romania datapath=datapath-guest disabled=no mode=ap name=cfg_5g_guest security=security_guest security.ft=yes .ft-over-ds=yes ssid=mornache5g_iot steering=steering tx-chains=0,1
add chains=0,1 channel=2ghz country=Romania datapath=datapath-guest disabled=no mode=ap name=cfg_2g_guest security=security_guest security.ft=yes .ft-over-ds=yes ssid=mornache2g_iot steering=steering tx-chains=0,1
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip pool
add name=main ranges=192.168.88.2-192.168.88.254
add name=guest ranges=192.168.20.2-192.168.20.254
add name=tado ranges=192.168.90.2/31
/ip dhcp-server
add address-pool=main interface=vlan-88-main name=main
add address-pool=guest interface=vlan-20-guest name=guest
add address-pool=tado interface=bridgeLocal name=tado
/interface bridge port
add bridge=bridgeLocal interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal interface=ether5 internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridgeLocal interface=ether1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is off on this router: the /ipv6 firewall sections further down are inert while this stays yes.
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether4,ether5 vlan-ids=20,88
/interface list member
# NOTE(review): the wireguard interface is in neither list. Every in-interface-list=LAN / !LAN / WAN rule in the firewall below
# therefore ignores tunnel traffic, which is why the tunnel needs its own address-list and in-interface=wireguard rules.
add interface=ether2 list=WAN
add interface=bridgeLocal list=LAN
add interface=vlan-20-guest list=LAN
add interface=vlan-88-main list=LAN
/interface ovpn-server servers
add mac-address=FE:6F:F6:8B:B6:99 name=ovpn-server1
/interface wifi access-list
add action=accept allow-signal-out-of-range=10s disabled=yes mac-address=8C:17:59:DC:D5:D4 signal-range=-60..120
add action=reject allow-signal-out-of-range=10s disabled=yes mac-address=8C:17:59:DC:D5:D4 signal-range=120..-61
/interface wifi cap
set caps-man-addresses=192.168.88.1 discovery-interfaces=bridgeLocal enabled=yes slaves-static=no
/interface wifi capsman
set enabled=yes interfaces=vlan-20-guest,vlan-88-main package-path="" require-peer-certificate=no upgrade-policy=require-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_2g name-format=%I-2G-wifi slave-configurations=cfg_2g_guest supported-bands=2ghz-ax,2ghz-g,2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cfg_5g name-format=%I-5G-wifi slave-configurations=cfg_5g_guest supported-bands=5ghz-a,5ghz-n,5ghz-ac,5ghz-ax
/interface wireguard peers
add allowed-address=192.168.40.8/32 comment=iPhone interface=wireguard name=iPhone public-key="glSa7rvQAPrmZzsVBKK+Zl+oOlY1Y6HZeibykT0P3SQ=" responder=yes
add allowed-address=192.168.40.10/32 comment=android interface=wireguard name=android public-key="aqtDSG6Sd6Udv4IUIBKUZU4zv0xjq9BebGumqm+Wa2E=" responder=yes
add allowed-address=192.168.40.4/32 comment=Mac interface=wireguard name=MacBook public-key="fkVmY7MhvepV8McBv6G1KZ/loA2MD/pKyMvDHEJEriI="
# RoadWarrior = the travel router. allowed-address also admits 10.2.10.0/24 (its LAN) so un-NATed client traffic passes WireGuard's source check.
# No /ip route for 10.2.10.0/24 via wireguard appears in this export, and RouterOS does not derive routes from allowed-address, so replies to
# 10.2.10.x would follow the default route; this is presumably why the travel side still needs its tunnel-side masquerade — confirm with /ip route print.
add allowed-address=192.168.40.12/32,10.2.10.0/24 comment=RoadWarrior interface=wireguard name=RoadWarrior public-key="0yzLpomS04fvdOsfgAVRPivkVgNWV7UWCt2iBfdqI2Y=" responder=yes
/iot lora traffic options
# Duplicated line in the export; harmless.
set crc-errors=no
set crc-errors=no
/ip address
add address=192.168.88.1/24 comment=main interface=vlan-88-main network=192.168.88.0
add address=192.168.20.1/24 comment=guest interface=vlan-20-guest network=192.168.20.0
# comment says "taco" while the pool, DHCP server and port comment use "tado" (typo in the comment only).
add address=192.168.90.1/24 comment=taco interface=ether3 network=192.168.90.0
# Tunnel address; the travel router's 192.168.40.12 sits in this /24.
add address=192.168.40.1/24 comment=wireguard interface=wireguard network=192.168.40.0
/ip dhcp-server lease
add address=192.168.88.192 mac-address=24:DF:A7:2B:A9:F8 server=main
add address=192.168.88.191 mac-address=24:DF:A7:2B:A5:96 server=main
add address=192.168.88.188 mac-address=48:22:54:E4:06:5C server=main
add address=192.168.88.195 client-id=1:50:ec:50:25:d4:4 mac-address=50:EC:50:25:D4:04 server=main
add address=192.168.88.178 client-id=1:14:c1:4e:43:b8:42 mac-address=14:C1:4E:43:B8:42 server=main
add address=192.168.88.194 client-id=1:64:90:c1:12:e4:a4 mac-address=64:90:C1:12:E4:A4 server=main
add address=192.168.88.180 client-id=1:8c:17:59:dc:d5:d4 mac-address=8C:17:59:DC:D5:D4 server=main
add address=192.168.88.25 mac-address=54:48:E6:09:C7:77 server=main
add address=192.168.88.198 client-id=1:b4:2e:99:ef:c8:4a mac-address=B4:2E:99:EF:C8:4A server=main
add address=192.168.88.19 client-id=1:90:9:d0:10:cf:b6 mac-address=90:09:D0:10:CF:B6 server=main
add address=192.168.88.27 client-id=ff:ca:53:9:5a:0:2:0:0:ab:11:a3:61:7e:41:14:b0:63:a3 mac-address=DE:A6:65:16:48:46 server=main
add address=192.168.88.8 client-id=1:48:a9:8a:c2:7e:1c mac-address=48:A9:8A:C2:7E:1C server=main
add address=192.168.88.7 client-id=1:4:cf:8c:cd:e7:d0 mac-address=04:CF:8C:CD:E7:D0 server=main
add address=192.168.88.185 mac-address=5C:E5:0C:0C:61:28 server=main
add address=192.168.88.23 mac-address=B4:60:ED:59:29:1C server=main
add address=192.168.88.3 mac-address=E0:5A:1B:F1:97:DC server=main
add address=192.168.88.26 client-id=1:90:ca:fa:b0:5d:64 mac-address=90:CA:FA:B0:5D:64 server=main
add address=192.168.88.52 client-id=1:c8:5c:cc:42:a9:57 mac-address=C8:5C:CC:42:A9:57 server=main
add address=192.168.88.47 client-id=1:60:de:f4:55:9d:20 mac-address=60:DE:F4:55:9D:20 server=main
add address=192.168.88.16 client-id=1:fa:66:8b:24:14:f1 mac-address=FA:66:8B:24:14:F1 server=main
add address=192.168.88.104 mac-address=F4:F5:E8:57:EE:94 server=main
add address=192.168.88.101 client-id=1:60:de:f4:a2:4a:aa mac-address=60:DE:F4:A2:4A:AA server=main
add address=192.168.88.20 client-id=1:f6:23:cd:fb:6c:2a mac-address=F6:23:CD:FB:6C:2A server=main
add address=192.168.20.247 client-id=1:48:a9:8a:c2:7e:1c mac-address=48:A9:8A:C2:7E:1C server=guest
add address=192.168.90.2 client-id=1:ec:e5:12:21:d6:4e mac-address=EC:E5:12:21:D6:4E server=tado
add address=192.168.88.28 client-id=1:56:a9:24:89:f9:2c mac-address=56:A9:24:89:F9:2C server=main
add address=192.168.88.18 client-id=1:90:9:d0:10:cf:b5 mac-address=90:09:D0:10:CF:B5 server=main
add address=192.168.88.40 client-id=1:b8:27:eb:14:f1:26 mac-address=B8:27:EB:14:F1:26 server=main
add address=192.168.88.11 mac-address=84:E3:42:6F:F5:A4 server=main
add address=192.168.88.33 client-id=1:5c:e9:31:56:48:a6 mac-address=5C:E9:31:56:48:A6 server=main
add address=192.168.88.10 mac-address=54:48:E6:0A:16:D9 server=main
add address=192.168.88.4 mac-address=44:23:7C:F3:72:F9 server=main
add address=192.168.88.24 client-id=1:50:a6:d8:af:dd:68 mac-address=50:A6:D8:AF:DD:68 server=main
add address=192.168.88.34 client-id=1:c0:95:6d:5d:d7:a9 mac-address=C0:95:6D:5D:D7:A9 server=main
add address=192.168.88.30 client-id=1:e4:fa:c4:78:e4:78 mac-address=E4:FA:C4:78:E4:78 server=main
add address=192.168.88.29 client-id=1:e4:fa:c4:78:ef:f6 mac-address=E4:FA:C4:78:EF:F6 server=main
add address=192.168.20.236 client-id=1:f0:25:8e:74:5b:c8 comment=charger mac-address=F0:25:8E:74:5B:C8 server=guest
add address=192.168.20.241 client-id=1:c0:e0:18:7c:63:3a comment=invertor mac-address=C0:E0:18:7C:63:3A server=guest
add address=192.168.20.234 client-id=1:50:a6:d8:af:dd:68 mac-address=50:A6:D8:AF:DD:68 server=guest
add address=192.168.20.232 client-id=1:c4:d4:38:6f:2d:c8 comment=dongle mac-address=C4:D4:38:6F:2D:C8 server=guest
add address=192.168.88.38 client-id=ff:f8:ce:1b:a1:0:2:0:0:ab:11:ca:db:64:82:9:cf:67:cb mac-address=D8:3A:DD:BD:8B:FA server=main
add address=192.168.88.41 client-id=1:bc:24:11:5b:b7:4b mac-address=BC:24:11:5B:B7:4B server=main
add address=192.168.88.5 client-id=1:16:90:7a:fe:35:f5 mac-address=16:90:7A:FE:35:F5 server=main
/ip dhcp-server network
# Guest and tado clients resolve directly at 1.1.1.1; main clients are pointed at a LAN resolver (192.168.88.80), not at this router.
add address=192.168.20.0/24 dns-server=1.1.1.1 gateway=192.168.20.1
add address=192.168.88.0/24 dns-server=192.168.88.80 gateway=192.168.88.1
add address=192.168.90.0/24 dns-server=1.1.1.1 gateway=192.168.90.1
/ip dns
# allow-remote-requests is not shown here (so presumably default); it decides whether the "users to services" DNS rules below are useful — confirm.
set servers=1.1.1.1
/ip firewall address-list
add address=192.168.88.0/24 list=vlan-main
add address=192.168.20.0/24 list=vlan-guest
add address=192.168.40.0/24 list=wireguard_home
# wireguard_travel is the LAN *behind* the travel router, not its tunnel address 192.168.40.12 (which falls in wireguard_home).
add address=10.2.10.0/24 list=wireguard_travel
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Only new UDP/18281 flows reach this rule (established is accepted above), so the log shows new handshakes rather than every packet.
add action=accept chain=input comment=wireguard dst-port=18281 log=yes log-prefix="[VPN-ROUTER-PORT]" protocol=udp
# "admin access": accepts every destination port from the whole subnet. wireguard_travel covers every client behind the travel router,
# so all of them get the same management reach as the admin; consider narrowing to the admin's addresses or to the needed
# management ports. /ip service ssh below has no address= restriction, so these three rules are the only thing gating it.
add action=accept chain=input comment="admin access" src-address-list=vlan-main
add action=accept chain=input comment="admin access" src-address-list=wireguard_home
add action=accept chain=input comment="admin access" src-address-list=wireguard_travel
# Guest VLAN is refused (and logged) before the DNS accepts below, consistent with guest DHCP handing out 1.1.1.1 directly.
# Guest devices talking to the router itself will show up under this log prefix; presumably this is the "charger" traffic seen in the thread — check the prefix.
add action=drop chain=input comment="drop input on guest" log=yes log-prefix="drop input on guest vlan" src-address-list=vlan-guest
# "users to services": lets LAN-list hosts query this router's resolver (only useful with /ip dns allow-remote-requests=yes).
# Main VLAN is already accepted in full and guest is already dropped above, so only sources outside both lists ever reach these two rules.
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
# Tunnel sources not matched by the address lists above end here (wireguard is not in LAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="drop all else" log=yes log-prefix="drop all else on input"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# fasttrack: packets of established connections bypass the rest of this chain, so the logging rules below see only the first packets of each connection.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Matches only while the travel router is NOT masquerading into the tunnel: with its tunnel-side NAT the source is 192.168.40.12,
# so this rule is skipped, "wg to local LAN" below matches instead, and the log cannot show the real client address.
add action=accept chain=forward comment="wg_travel to vlan_main" dst-address-list=vlan-main log=yes log-prefix="wg_travel to main_vlan" src-address-list=wireguard_travel
# Tunnel clients heading to the internet do NOT match this (wireguard is not in LAN); they currently pass only because
# "drop all else" at the end of the chain is disabled. Before enabling that drop, add an accept for
# in-interface=wireguard out-interface-list=WAN above it, otherwise travel-side internet stops.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to local LAN" dst-address-list=vlan-main in-interface=wireguard
add action=drop chain=forward comment="drop intervlan access" in-interface=vlan-20-guest log=yes log-prefix="drop from 20 to 88" out-interface=vlan-88-main
add action=drop chain=forward comment="drop intervlan access" in-interface=vlan-88-main log=yes log-prefix="drop from 88 to 20" out-interface=vlan-20-guest
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Disabled: the forward chain presently ends in implicit accept, so anything not explicitly dropped above is forwarded.
add action=drop chain=forward comment="drop all else" disabled=yes
/ip firewall nat
# All egress, including tunnel clients, is masqueraded behind the PPPoE address — this is what gives travel clients the home public IP.
add action=masquerade chain=srcnat comment="pppoe masquerade" ipsec-policy=out,none out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="home lab" dst-address=192.168.88.27 dst-port=81 in-interface=pppoe-out1 log=yes log-prefix="[HOME LAB]" protocol=tcp to-addresses=192.168.88.27
# The nat table only has srcnat/dstnat built-in chains; chain=input here is an unreferenced custom chain, so this (disabled) rule could never match.
# Log in /ip firewall filter instead.
add action=log chain=input disabled=yes dst-port=18281 in-interface=wireguard log=yes log-prefix=test protocol=udp
/ip firewall service-port
set ftp disabled=yes
set h323 disabled=yes
set pptp disabled=yes
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24,192.168.40.0/24
# Non-default port but no address= restriction (unlike www/winbox); reachable from any source the input chain accepts, including 10.2.10.0/24.
set ssh port=1988
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.40.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Inert while /ipv6 settings disable-ipv6=yes. The rule set appears twice in this listing — either duplicated rules in the
# running config or a paste artifact; check with /ipv6 firewall filter print.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=parter
/system note
set show-at-login=no
/system package update
# Development channel on the internet gateway means pre-release builds; consider stable/long-term once the tunnel design is settled.
set channel=development
/tool romon
# RoMON enabled; no port or secret restriction is visible in this export — confirm it is intended on every port.
set enabled=yes

travel router

/interface bridge
add admin-mac=48:8F:5A:29:AB:78 auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel2
add band=5ghz-ac disabled=no name=channel5
/interface wifi datapath
add bridge=bridge disabled=no name=datapath
/interface wifi security
# Station profile for the phone-hotspot uplink: no authentication-types shown here (defaults apply) — TODO confirm the uplink SSID is WPA2/WPA3, not open.
add disabled=no name=android_phone
# AP profile for the travel SSID: WPA2-PSK only, PMKID disabled, WPS off.
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes management-encryption=cmac management-protection=allowed name=ap_security wps=disable
/interface wifi
# wifi1 is the WAN uplink (station to the phone hotspot SSID "Work").
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=station .ssid=Work disabled=no name=m_2ghz_station security=android_phone
/interface wifi steering
add disabled=no name=steering
/interface wifi configuration
add channel=channel2 datapath=datapath disabled=no mode=ap name=cfg_wifi_2g security=ap_security ssid=mornache_on_the_road steering=steering
add channel=channel5 datapath=datapath disabled=no mode=ap name=cfg_wifi_5g security=ap_security ssid=mornache_on_the_road steering=steering
/interface wifi
set [ find default-name=wifi2 ] channel=channel5 configuration=cfg_wifi_5g configuration.mode=ap disabled=no name=m_5ghz_ap
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=10.2.10.10-10.2.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing table
# Separate FIB for LAN clients; its only route is the default via wireguard (see /ip route).
add fib name=via-WG
/disk settings
# Any attached media is auto-shared over SMB on the bridge, i.e. to every client of the travel AP — confirm intended.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 off; the /ipv6 firewall sections below are inert while this stays yes.
set disable-ipv6=yes
/interface list member
# NOTE(review): wireguard is in neither LAN nor WAN, so the in-interface-list rules in the firewall below never match tunnel traffic.
add interface=bridge list=LAN
add interface=m_2ghz_station list=WAN
/interface wireguard peers
# Full-tunnel peer: allowed-address=0.0.0.0/0 lets any destination be sent to (and any source be accepted from) the home router.
# The endpoint hostname (redacted) has to be resolved over the hotspot WAN before the tunnel is up.
add allowed-address=0.0.0.0/0 endpoint-address=xxx.ro endpoint-port=18281 interface=wireguard name=home persistent-keepalive=25s public-key="BgUJfSZVXEX3/0xWCXjwYbTjp0OFshfkxIxMD4KftDo="
/ip address
add address=10.2.10.1/24 comment=defconf interface=bridge network=10.2.10.0
# Tunnel address; matches the RoadWarrior peer's allowed-address 192.168.40.12/32 on the home router.
add address=192.168.40.12/24 interface=wireguard network=192.168.40.0
/ip dhcp-client
add dhcp-options=hostname,clientid,clientid_duid interface=m_2ghz_station
/ip dhcp-server lease
add address=10.2.10.254 client-id=1:c8:4b:d6:76:b8:fb mac-address=C8:4B:D6:76:B8:FB server=defconf
/ip dhcp-server network
# Clients are handed 1.1.1.1 directly, so their DNS rides the tunnel like the rest of their traffic (via-WG rule below).
add address=10.2.10.0/24 comment=defconf dns-server=1.1.1.1 gateway=10.2.10.1
/ip dns
# The router answers DNS for LAN (input chain limits this to LAN). Its own lookups — e.g. resolving the peer endpoint — presumably use the
# main table and exit the hotspot WAN, since router-originated traffic is not sourced from 10.2.10.0/24.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# wireguard is not in LAN, so connections initiated from the home side toward this router are dropped here (matches the stated intent of no home->travel access).
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# This drop matches in-interface-list=WAN only; wireguard is not in that list, so new connections arriving over the tunnel toward
# 10.2.10.0/24 are not dropped by anything in this chain (it ends in implicit accept). The home peer entry does allow 10.2.10.0/24,
# so either add wireguard to the WAN list or add a drop for in-interface=wireguard connection-state=new — TODO confirm no home->LAN reach is wanted.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# WAN masquerade is disabled: LAN clients are pinned to via-WG by the routing rule, so nothing from 10.2.10.0/24 should exit the hotspot WAN directly.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
# Tunnel-side masquerade hides 10.2.10.x behind 192.168.40.12. This is what makes replies work while the home router has no route
# back to 10.2.10.0/24 (none appears in its export). Adding that route at home lets this rule go, which also restores the real
# client address in the home-side logs.
add action=masquerade chain=srcnat log=yes log-prefix="vpn psqrd" out-interface=wireguard
# Never fires: masquerade above is a terminating action, so packets leaving via wireguard exit the srcnat chain at the previous rule.
# Place it before the masquerade rule (log is non-terminating) if the log is wanted.
add action=log chain=srcnat log=yes log-prefix="log srcnat wireguard" out-interface=wireguard
/ip ipsec policy
set 0 disabled=yes
/ip route
# main table: only the home LAN is sent into the tunnel (used by router-originated traffic and anything not caught by the via-WG rule).
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# via-WG table: default route into the tunnel and nothing else — full tunnel for LAN clients.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard routing-table=via-WG scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
# LAN sources may only use via-WG, whose single route is the default via wireguard: a fail-closed full tunnel for clients
# (no fallback to the hotspot WAN exists for 10.2.10.0/24, so nothing leaks if the tunnel is down — confirm by test).
add action=lookup-only-in-table disabled=no src-address=10.2.10.0/24 table=via-WG
# Reached only by sources not matched above (router-originated traffic); for LAN clients the ordering means main is never consulted.
add action=lookup-only-in-table comment="enable local traffic" disabled=no min-prefix=0 table=main
/system clock
set time-zone-name=Europe/Bucharest
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
  1. Yes, the only one who should have access in the input chain is the admin.
    The source address list is easy to maintain and allows the admin to identify all the LAN subnet IPs he has on any connected network as well as any wireguard IPs assigned to his/her devices.

There are many places to control access.
The input chain is one.
IP services is another and typically I do what you do by putting all the subnets that are relevant and use input chain to reduce down to specific IP addresses.

  1. Drop all else means exactly that. If you need traffic then put an allow rule before this last rule…

  2. Yes, because you still have to make the initial connection to the internet and then to the wireguard tunnel and provide the private LAN subnet to devices behind the router.

  3. Sure — how else would users get internet access in general? Not to worry: in your case the users will likely only be going through wireguard, but it is certainly normal on any home router.
    You can disable it and should still work…

  4. Sorry, I didn't add any of those firewall rules, so I'm not sure what's going on there. It seems like you keep insisting on complicating and adding to the config instead of simplifying??

Hello again, new day new month :slight_smile: same mikrotiks
At least it is working, but as pointed out by another member of this forum, when it comes to firewalls that is not necessarily a good thing.

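# Home-router firewall as posted. Fixes relative to the forum paste: the forum
# converted ASCII quotes to typographic quotes (not valid RouterOS quoting, so the
# paste would not import) and the author's inline remarks were on the same line
# as the rules; both are restored/moved into # comments. Rule logic is unchanged.
/ip firewall address-list
add address=192.168.88.0/24 list=vlan-main
add address=192.168.20.0/24 list=vlan-guest
add address=192.168.40.0/24 list=wireguard_home
add address=10.2.10.0/24 list=wireguard_travel

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# WireGuard listener; log=yes here only logs packets that did not already match
# the established/related rule above.
add action=accept chain=input comment=wireguard dst-port=18281 log=yes log-prefix="[VPN-ROUTER-PORT]" protocol=udp
# Admin access is granted purely by source address and sits ABOVE the
# "drop all not coming from LAN" rule, so a packet arriving on the WAN side with a
# spoofed source inside 192.168.88.0/24 or the two wireguard ranges is still
# accepted into the input chain. Consider pinning each rule to its interface
# (e.g. in-interface-list=LAN for vlan-main, in-interface=wireguard for the two
# wireguard lists) so address and interface must both match.
add action=accept chain=input comment="admin access" src-address-list=vlan-main
add action=accept chain=input comment="admin access" src-address-list=wireguard_home
add action=accept chain=input comment="admin access" src-address-list=wireguard_travel
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
# Author's note: NOT SURE I NEED THAT. Review: with the unconditional "drop all
# else" at the end of the input chain this disabled rule is redundant; it is only
# useful if a guest-specific log prefix is wanted.
add action=drop chain=input comment="drop input on guest" disabled=yes log=yes log-prefix="drop input on guest vlan" src-address-list=vlan-guest
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="drop all else" log=yes log-prefix="drop all else on INPUT"
add action=accept chain=forward comment="defconf: accept IN ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept OUT ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="wg_travel to vlan_main" dst-address-list=vlan-main log=yes log-prefix="wg_travel to main_vlan" src-address-list=wireguard_travel
# Author's note: I suspect this does not work, has 0 traffic even if it is high
# enough, and because of it I added the ones with comment TEST below.
# Review: the fasttrack/established rules above already take every packet after
# the first of a connection, so this rule can only ever count new connections.
# A counter of 0 even for new connections suggests the interface-list membership
# (pppoe-out1 in WAN, the VLAN interfaces in LAN) should be checked — the
# interface-specific TEST rules below do match, which points the same way.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# Overlaps with "wg_travel to vlan_main" above for traffic arriving on the
# wireguard interface from 10.2.10.0/24; kept as posted.
add action=accept chain=forward comment="wg to local LAN" dst-address-list=vlan-main in-interface=wireguard
# Author's note: TEST rules, for internet access.
add action=accept comment="TEST" chain=forward in-interface=vlan-88-main out-interface=pppoe-out1
add action=accept comment="TEST" chain=forward in-interface=vlan-20-guest out-interface=pppoe-out1
add action=accept comment="TEST" chain=forward in-interface=wireguard out-interface=pppoe-out1
add action=drop chain=forward comment="drop intervlan access" in-interface=vlan-20-guest log=yes log-prefix="drop from 20 to 88" out-interface=vlan-88-main
add action=drop chain=forward comment="drop intervlan access" in-interface=vlan-88-main log=yes log-prefix="drop from 88 to 20" out-interface=vlan-20-guest
# Author's note: NOT SURE I NEED THAT. Review: the final "drop all else" below
# already drops new connections from WAN, so this disabled rule is redundant as
# long as that catch-all stays in place.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
# Catch-all. Note that nothing above accepts the dst-nat'ed "home lab" traffic
# defined in the nat section below, so its first packet is dropped here. If the
# port forward is intended, add a narrowly scoped accept above this line, e.g.
# add action=accept chain=forward connection-nat-state=dstnat dst-address=192.168.88.27 dst-port=81 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=forward comment="drop all else" log=yes log-prefix="drop all else on FORWARD" out-interface-list=all

/ip firewall nat
add action=masquerade chain=srcnat comment="pppoe masquerade" ipsec-policy=out,none out-interface=pppoe-out1
# Exposes TCP/81 on 192.168.88.27 to the internet via pppoe-out1 (logged). See the
# forward-chain note above: without a matching forward accept this is dropped.
add action=dst-nat chain=dstnat comment="home lab" dst-address=192.168.88.27 dst-port=81 in-interface=pppoe-out1 log=yes log-prefix="[HOME LAB]" protocol=tcp to-addresses=192.168.88.27
# This rule is under /ip firewall nat but uses chain=input, which is not a NAT
# chain (srcnat/dstnat); it creates an unused custom chain and never fires.
# It presumably belongs in /ip firewall filter — kept disabled, as posted.
add action=log chain=input disabled=yes dst-port=18281 in-interface=wireguard log=yes log-prefix=test protocol=udp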