route marking with two ISPs and PCC with wireguard

Hi, I have a problem with route marking and WireGuard.
I have two internet connections load-balanced with PCC. Before, I had a server hosting WireGuard, and with a simple NAT rule it worked without problems through either of the two WANs. Now that I am trying to run WireGuard on the router, the mangle rules do not work.
The WireGuard ingress interface from outside is Wan2. In the log I can see how mangle applies the "Wan2->RoS" mark and how the firewall accepts the incoming connection to the router. But in the output chain the route is not marked, and doing Torch on Wan1 I see WireGuard traffic trying to leave through there. No handshake.

Dec/20/2023 18:33:03 PPPPP input: in:Wan2 out:(unknown 0), connection-state:new src-mac 94:6a:b0:::, proto UDP, 85.52..:14824->192.168.1.129:51820, len 176
Dec/20/2023 18:33:03 WWWW input: in:Wan2 out:(unknown 0), connection-mark:Wan2->RoS connection-state:new src-mac 94:6a:b0:::, proto UDP, 85.52..:14824->192.168.1.129:51820, len 176
Dec/20/2023 18:33:08 WWWW input: in:Wan2 out:(unknown 0), connection-mark:Wan2->RoS connection-state:new src-mac 94:6a:b0:::, proto UDP, 85.52..:14824->192.168.1.129:51820, len 176

The route in routing table "main" with distance 1 is Wan1, and the one with distance 2 is Wan2. If I change the distances or disable Wan1, the "to_wan2" routing mark is applied and the handshake succeeds.

Dec/20/2023 19:06:30 PPPPP input: in:Wan2 out:(unknown 0), connection-state:new src-mac 94:6a:b0:::, proto UDP, 85.52..:14824->192.168.1.129:51820, len 176
Dec/20/2023 19:06:30 WWWW input: in:Wan2 out:(unknown 0), connection-mark:Wan2->RoS connection-state:new src-mac 94:6a:b0:::, proto UDP, 85.52..:14824->192.168.1.129:51820, len 176
Dec/20/2023 19:06:31 PPPPP input: in:Wan2 out:(unknown 0), connection-state:new src-mac 94:6a:b0:::, proto UDP, 85.52..:14824->192.168.1.129:51820, len 176
Dec/20/2023 19:06:32 PP output: in:(unknown 0) out:Wan2, connection-mark:Wan2->RoS connection-state:established proto UDP, 192.168.1.129:51820->85.52..:57245, len 124

I have tried these mangle combinations:

  • Connection mark in input → Routing mark in output
  • Connection mark in prerouting → Routing mark in output
  • Connection mark in prerouting → Routing mark in prerouting

None has worked and I no longer know where to look for the problem. Thanks in advance.
# 2023-12-19 21:32:37 by RouterOS 7.13
# software id = 73QX-APG8
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add add-dhcp-option82=yes dhcp-snooping=yes igmp-snooping=yes igmp-version=3 \
    mld-version=2 multicast-querier=yes name=Bridge_BASE vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="" name=Wan1
set [ find default-name=ether2 ] comment="" name=Wan2
set [ find default-name=ether3 ] comment=3a
set [ find default-name=ether4 ] comment=4a
set [ find default-name=ether5 ] comment=5a
set [ find default-name=ether6 ] comment=6a
set [ find default-name=ether7 ] comment=7a
set [ find default-name=ether8 ] comment=8a disabled=yes
set [ find default-name=ether9 ] comment=9a
set [ find default-name=ether10 ] comment=10a
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
    sfp speed=1G-baseT-full
/interface wireguard
add listen-port=51820 mtu=1420 name=Vpn_Casa
/interface vlan
add interface=Bridge_BASE name=vlan66_BASE vlan-id=66
add interface=Bridge_BASE name=vlan99_BASE vlan-id=1
add interface=Bridge_BASE name=vlan101_BASE vlan-id=101
add interface=Bridge_BASE name=vlan102_BASE vlan-id=102
add interface=Bridge_BASE name=vlan103_BASE vlan-id=103
/interface list
add comment="Interfaces Exteriores" name=Wans
add comment="Interfaces Interiores" name=Lan
add comment="Redes con reproductores" name=Reproductores
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-server option
add code=42 name=NTP_server_publico value="'pool.ntp.org'"
add code=19 name="Forwarding OFF" value="'0'"
add code=45 name=Netbios_Datagram value="'192.168.100.101'"
add code=40 name=NIS_domain value="'olimpo'"
add code=46 name=NETBIOS_mode value="'8'"
add code=252 name=Bug_Win7 value="'\\n'"
/ip dhcp-server option sets
add name=Opciones_Dnsmasq options="Forwarding OFF,NTP_server_publico,Netbios_D\
    atagram,NETBIOS_mode,NIS_domain,Bug_Win7"
/ip pool
add name=dhcp_pool0 ranges=192.168.100.1-192.168.100.99
add name=pool_Fijas ranges=192.168.100.100-192.168.100.149
add name=pool_invitados ranges=10.10.101.1-10.10.101.99
add name=pool_vlan102 ranges=10.10.102.1-10.10.102.99
add name=pool_vlan103 ranges=10.10.103.1-10.10.103.99
add name=pool_IoT ranges=10.10.66.1-10.10.66.99
add name=pool_BASE2 ranges=192.168.100.130-192.168.100.142
add name=pool_TEST ranges=192.168.98.1-192.168.98.99
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 dhcp-option-set=Opciones_Dnsmasq \
    interface=Bridge_BASE lease-time=1d6h name=dhcp1
add add-arp=yes address-pool=pool_invitados interface=vlan101_BASE \
    lease-time=5m name=dhcpd_invitados
add add-arp=yes address-pool=pool_vlan102 interface=vlan102_BASE \
    lease-time=1d name=dhcpd_102
add add-arp=yes address-pool=pool_vlan103 interface=vlan103_BASE \
    lease-time=1d6h name=dhcpd_103
add add-arp=yes address-pool=pool_IoT interface=vlan66_BASE name=dhcpd_IoT_66
add add-arp=yes address-pool=pool_TEST dhcp-option-set=Opciones_Dnsmasq \
    interface=vlan99_BASE name=server_TEST
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=to_Wan1
add fib name=to_Wan2
add fib name=to_PiHole
/interface bridge port
add bridge=Bridge_BASE interface=ether3 internal-path-cost=10 path-cost=10
add bridge=Bridge_BASE interface=ether4 internal-path-cost=10 path-cost=10
add bridge=Bridge_BASE interface=ether5 internal-path-cost=10 path-cost=10
add bridge=Bridge_BASE interface=ether6 internal-path-cost=10 path-cost=10
add bridge=Bridge_BASE interface=ether7 internal-path-cost=10 path-cost=10
add bridge=Bridge_BASE interface=ether8 internal-path-cost=10 path-cost=10
add bridge=Bridge_BASE comment="Trunk 1" interface=ether9 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=Bridge_BASE comment=10a interface=ether10 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=Bridge_BASE comment="Trunk 2" interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=Lan
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=Bridge_BASE tagged=Bridge_BASE,sfp-sfpplus1,ether9,ether10 \
    vlan-ids=101
add bridge=Bridge_BASE tagged=Bridge_BASE,sfp-sfpplus1,ether9,ether10 \
    vlan-ids=102
add bridge=Bridge_BASE tagged=Bridge_BASE,sfp-sfpplus1 vlan-ids=103
add bridge=Bridge_BASE tagged=Bridge_BASE,ether9 vlan-ids=66
/interface list member
add interface=Wan1 list=Wans
add interface=Wan2 list=Wans
add interface=Bridge_BASE list=Lan
add interface=vlan66_BASE list=Reproductores
add interface=vlan102_BASE list=Reproductores
add interface=Vpn_Casa list=Lan
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=Vpn_Casa public-key=\
    "..."
/ip address
add address=10.10.101.100/24 interface=vlan101_BASE network=10.10.101.0
add address=10.10.102.100/24 interface=vlan102_BASE network=10.10.102.0
add address=10.10.103.100/24 interface=vlan103_BASE network=10.10.103.0
add address=10.10.66.100/24 interface=vlan66_BASE network=10.10.66.0
add address=192.168.98.100/24 interface=vlan99_BASE network=192.168.98.0
add address=192.168.100.100/24 interface=Bridge_BASE network=192.168.100.0
add address=10.10.0.1/24 interface=Vpn_Casa network=10.10.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no interface=Wan1
add add-default-route=no interface=Wan2
/ip dhcp-server alert
add alert-timeout=30s disabled=no interface=Bridge_BASE on-alert=\
    ":log info \"DHCP Server intruso\"" valid-server=74:4D:28:43:6B:D2
/ip dhcp-server network
add address=10.10.66.0/24 dns-server=8.8.8.8,8.8.4.4 domain=IoT gateway=\
    10.10.66.100
add address=10.10.101.0/24 dns-server=8.8.8.8,8.8.4.4 domain=guest \
    gateway=10.10.101.100 netmask=32
add address=10.10.102.0/24 dns-server=8.8.8.8,8.8.4.4 domain=eolo \
    gateway=10.10.102.100
add address=10.10.103.0/24 dns-server=8.8.8.8,8.8.4.4 domain=eolo3 \
    gateway=10.10.103.100
add address=192.168.98.0/24 dns-server=\
    192.168.100.104 domain=olimpo gateway=192.168.98.100 ntp-server=\
    213.251.52.234,91.235.212.22 wins-server=192.168.100.101
add address=192.168.100.0/24 dns-server=\
    192.168.100.104,1.1.1.1 domain=olimpo gateway=192.168.100.100 \
    ntp-server=213.251.52.234,91.235.212.22 wins-server=192.168.100.101
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.104 comment="Fijada manual" name=pihole.olimpo
/ip firewall address-list
add address=192.168.100.0/24 list="Red Lan"
add address=download.mikrotik.com list=Accesibles_por__router
add address=192.168.1.0/24 list=Conectado
add address=192.168.100.0/24 list=Conectado
add address=192.168.0.0/24 list=Conectado
add address=core2.api...com list=DDNS
add address=192.168.100.104 list=PiHole
add address=10.10.101.0/24 list=Conectado
add address=10.10.101.0/24 list="Red Lan"
add address=10.10.101.0/24 list="Red invitados"
add address=192.168.100.0/24 list="Red LMN"
add address=10.10.102.0/24 list="Red Lan"
add address=10.10.102.0/24 list=Conectado
add address=10.10.102.0/24 list="Wifi con internet"
add address=10.10.101.0/24 list="Wifi con internet"
add address=192.168.100.101 list=Plex_Server
add address=10.10.103.0/24 list=Conectado
add address=10.10.103.0/24 list="Wifi con internet"
add address=10.10.103.0/24 list="Red Lan"
add address=8.8.8.8 list=DNS_Google
add address=8.8.4.4 list=DNS_Google
add address=10.10.103.0/24 disabled=yes list=Reproductores
add address=10.10.66.0/24 list=Conectado
add address=10.10.66.0/24 list="Red Lan"
add address=10.10.66.0/24 list="Wifi con internet"
add address=10.10.66.0/24 list=Red_IoT
add address=192.168.98.0/24 list=Conectado
add address=192.168.0.0/16 list=RFC1918
add address=10.0.0.0/18 list=RFC1918
add address=172.16.0.0/12 list=RFC1918
add address=192.168.98.0/24 list="Red Lan"
add address=192.168.98.0/24 list="Wifi con internet"
add address=10.10.0.0/24 list=Conectado
add address=10.10.0.0/24 list="Red Lan"
add address=10.10.0.0/24 list="Wifi con internet"
/ip firewall filter
add action=accept chain=input comment=\
    "IN_conn_ESTABLISED, RELATED_y _UNTRAKED" connection-state=\
    established,related,untracked
add action=drop chain=input comment=IN_DROP_conn_INVALID connection-state=\
    invalid
add action=accept chain=input comment=\
    "IN_Accept_DNSudp.(mia_allowRemoteRequestDNS)" dst-port=53 protocol=udp \
    src-address-list=PiHole
add action=accept chain=input comment="IN_conn_RED_LMN. (SSH, WINBOX)" \
    dst-port=22,8291 protocol=tcp src-address-list="Red LMN"
add action=accept chain=input comment="IN_conn_WANS. (WIREGUARD)" dst-port=\
    51820 in-interface-list=Wans log=yes log-prefix=WWWW protocol=udp
add action=accept chain=input comment="IN_conn_WANS. (WIREGUARD)" \
    in-interface=Vpn_Casa log=yes log-prefix=WW
add action=accept chain=input comment=\
    "Acepta el ping desde LMN a todo lo conectado (Puertos del Router)" \
    disabled=yes dst-address-list=Conectado log=yes log-prefix=QQ protocol=\
    icmp src-address-list="Red LMN"
add action=accept chain=input disabled=yes dst-address-list=Conectado \
    dst-port=5246,5247 protocol=udp src-address-list="Red LMN"
add action=drop chain=input comment="IN_DROP_ALL. Excepto DST-NAT" \
    connection-nat-state=!dstnat
add action=accept chain=forward comment=\
    "FW_conn_ESTABLISHED, RELATED_y_UNTRAKED" connection-state=\
    established,related,untracked
add action=drop chain=forward comment=FW_DROP_conn_INVALID connection-state=\
    invalid
add action=accept chain=forward comment=\
    "FW_conn_RED_LMN a Todo menos a los INVITADOS" dst-address-list=\
    "!Red invitados" src-address-list="Red LMN"
add action=accept chain=forward comment=\
    "FW_conn_WifiConInternet  a Todo lo NO Conectado (internet)" \
    dst-address-list=!Conectado src-address-list="Wifi con internet"
add action=accept chain=forward comment="FW_conn_VLAN3 a PLEX" \
    dst-address-list=Plex_Server dst-port=32400 log=yes log-prefix=QQQQ \
    protocol=tcp src-address-list=Reproductores
add action=accept chain=forward comment=\
    "FW_conn_BridgeInvitados a HubHarmony" disabled=yes dst-address-list=\
    Reproductores src-address-list=Reproductores
add action=drop chain=forward comment="FW_DROP_ALL. Excepto DST-NAT" \
    connection-nat-state=!dstnat
/ip firewall mangle
add action=accept chain=prerouting comment=\
    "Para asegurar que todo lo local este en la connetion mark \"main\"" \
    dst-address-list=Conectado src-address-list=Conectado
add action=accept chain=prerouting comment="Solo si hay problemas con paginas \
    HTTPS -- ojo todo el HTTPS se deriva a Wan1" disabled=yes dst-port=443 \
    in-interface-list=Lan protocol=tcp
add action=mark-connection chain=input comment="Conexiones Wan -> Router" \
    connection-mark=no-mark in-interface=Wan1 log=yes log-prefix=mmmmm \
    new-connection-mark=Wan1->RoS passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
    Wan2 log=yes log-prefix=PPPPP new-connection-mark=Wan2->RoS passthrough=\
    yes
add action=mark-routing chain=output connection-mark=Wan1->RoS log=yes \
    log-prefix=mm new-routing-mark=to_Wan1 passthrough=no
add action=mark-routing chain=output connection-mark=Wan2->RoS log=yes \
    log-prefix=PP new-routing-mark=to_Wan2 passthrough=no
add action=mark-connection chain=forward comment="Conexiones Wan -> Lan" \
    connection-mark=no-mark in-interface=Wan1 new-connection-mark=Wan1->Lan \
    passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=Wan2 new-connection-mark=Wan2->Lan passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Wan1->Lan \
    new-routing-mark=to_Wan1 passthrough=yes src-address-list="Red Lan"
add action=mark-routing chain=prerouting connection-mark=Wan2->Lan \
    new-routing-mark=to_Wan2 passthrough=yes src-address-list="Red Lan"
add action=mark-routing chain=prerouting comment="Conexiones Lan -> Wan" \
    dst-address-list=DDNS_Qnap dst-port=443 new-routing-mark=to_Wan2 \
    passthrough=no protocol=tcp src-address=192.168.100.101
add action=mark-routing chain=prerouting dst-address-list=DDNS_Qnap dst-port=\
    443 new-routing-mark=to_Wan1 passthrough=no protocol=tcp src-address=\
    192.168.100.102
add action=mark-routing chain=prerouting dst-address-list=DDNS_Qnap dst-port=\
    443 new-routing-mark=to_Wan2 passthrough=no protocol=tcp src-address=\
    192.168.100.103
add action=mark-connection chain=prerouting comment="Marcar las conexiones UDP\
    \_53 que no son de PiHole para hacer dst-nat + (Desmarcar para que no evit\
    en el NAT)" connection-state=new dst-address-type=!local dst-port=53 \
    in-interface-list=Lan new-connection-mark="Lan-> PiHole" passthrough=yes \
    protocol=udp src-address-list=!PiHole
add action=mark-connection chain=prerouting comment="Marcar las conexiones TCP\
    \_53 que no son de PiHole para hacer dst-nat + (Desmarcar para que no evit\
    en el NAT)" connection-state=new dst-address-type=!local dst-port=53 \
    in-interface-list=Lan new-connection-mark="Lan-> PiHole" passthrough=yes \
    protocol=tcp src-address-list=!PiHole
add action=mark-routing chain=prerouting comment=\
    "Marcar la Ruta UDP+TCP 53 -> PiHole" connection-mark="Lan-> PiHole" \
    in-interface-list=Lan new-routing-mark=to_PiHole passthrough=no
add action=mark-connection chain=prerouting comment="PCC -- Wan1 300Mbps 1/3" \
    connection-state=new dst-address-type=!local in-interface-list=Lan \
    new-connection-mark=Lan->Wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/0
add action=mark-connection chain=prerouting comment="PCC -- Wan1 300Mbps 2/3" \
    connection-state=new dst-address-type=!local in-interface-list=Lan \
    new-connection-mark=Lan->Wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/1
add action=mark-connection chain=prerouting comment="PCC -- Wan1 300Mbps 3/3" \
    connection-state=new dst-address-type=!local in-interface-list=Lan \
    new-connection-mark=Lan->Wan1 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/2
add action=mark-connection chain=prerouting comment="PCC -- Wan2 300Mbps 1/3" \
    connection-state=new dst-address-type=!local in-interface-list=Lan \
    new-connection-mark=Lan->Wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/3
add action=mark-connection chain=prerouting comment="PCC -- Wan2 300Mbps 2/3" \
    connection-state=new dst-address-type=!local in-interface-list=Lan \
    new-connection-mark=Lan->Wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/4
add action=mark-connection chain=prerouting comment="PCC -- Wan2 300Mbps 3/3" \
    connection-state=new dst-address-type=!local in-interface-list=Lan \
    new-connection-mark=Lan->Wan2 passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:6/5
add action=mark-routing chain=prerouting comment="PCC -- Marca rutas" \
    connection-mark=Lan->Wan1 in-interface-list=Lan new-routing-mark=to_Wan1 \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=Lan->Wan2 \
    in-interface-list=Lan new-routing-mark=to_Wan2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Wan1
add action=masquerade chain=srcnat out-interface=Wan2
add action=dst-nat chain=dstnat comment="Lan DNS -> PiHole OK" routing-mark=\
    to_PiHole to-addresses=192.168.100.104
/ip firewall raw
add action=drop chain=prerouting comment="Limitar ataques DDos a UDP Flood" \
    dst-port=53 in-interface-list=Wans protocol=udp
/ip firewall service-port
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    routing-table=to_Wan2
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    routing-table=to_Wan1
add check-gateway=ping comment=\
    "Ruta Gateway para los paquetes que no estan marcados Dist 2" disabled=no \
    distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=\
    "Ruta Gateway para los paquetes que no estan marcados Dist 1" disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system script
add dont-require-permissions=yes name=PiholeMangleDown owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall mangle disable numbers=[find comment~\"PiHole\"]\r\
    \n/ip firewall nat disable numbers=[find comment~\"PiHole\"]"
add dont-require-permissions=yes name=PiholeMangleUp owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall nat enable numbers=[find comment~\"PiHole\"]\r\
    \n/ip firewall mangle enable numbers=[find comment~\"PiHole\"]\r\
    \n"
/tool netwatch
add disabled=no down-script="/system script run PiholeMangleDown" host=\
    192.168.100.104 http-codes="" interval=10s test-script="" timeout=1s \
    type=icmp up-script="/system script run PiholeMangleUp"

Notes: interface vlan99_BASE was only for testing and vlan103_BASE is currently unused (I just disabled it).
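To make the marking logic in the export above easier to reason about, here is an added Python model (example code, not RouterOS code and not from the original post) that walks a packet through the three paths the mangle rules define: LAN-originated flows classified by PCC, WAN-originated connections to the router marked in the input chain, and router replies picking their routing table in the output chain. It assumes CRC32 as a stand-in for the undocumented PCC hash (so buckets will not match the router's, only the mechanics do), a constructed peer address in place of the truncated "85.52.." in the log, and that "main" resolves to Wan1 because the distance-1 default route points at the Wan1 gateway.

```python
"""Model of the mangle logic in the posted export: PCC for LAN-originated
flows and connection/routing marks for WAN-originated connections to the
router itself. Added example, not RouterOS code; the hash is a stand-in."""
import struct
import zlib
from ipaddress import ip_address, ip_network

# "Conectado" address list from the export (the first prerouting rule
# accepts local-to-local traffic so it stays unmarked, i.e. in "main").
CONECTADO = [ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24", "192.168.98.0/24",
    "10.10.66.0/24", "10.10.101.0/24", "10.10.102.0/24", "10.10.103.0/24",
    "10.10.0.0/24")]
# Router-owned addresses (dst-address-type=local). 192.168.1.129 is the Wan2
# address visible in the posted log; the others come from /ip address.
ROUTER_IPS = {"192.168.100.100", "192.168.1.129", "10.10.0.1"}

# The six PCC rules: both-addresses-and-ports:6/N -> connection-mark.
PCC_DENOMINATOR = 6
PCC_MARKS = {0: "Lan->Wan1", 1: "Lan->Wan1", 2: "Lan->Wan1",
             3: "Lan->Wan2", 4: "Lan->Wan2", 5: "Lan->Wan2"}
# connection-mark -> routing-mark, as in the mark-routing rules.
ROUTING_MARKS = {"Lan->Wan1": "to_Wan1", "Lan->Wan2": "to_Wan2",
                 "Wan1->RoS": "to_Wan1", "Wan2->RoS": "to_Wan2"}
# routing table -> egress interface. ASSUMPTION: "main" resolves to Wan1
# because the distance-1 default route in the export uses the Wan1 gateway.
TABLE_EGRESS = {"to_Wan1": "Wan1", "to_Wan2": "Wan2", "main": "Wan1"}


def in_conectado(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CONECTADO)


def pcc_bucket(src, dst, sport, dport, denominator=PCC_DENOMINATOR):
    """Bucket a flow the way per-connection-classifier does conceptually.
    ASSUMPTION: RouterOS does not document its hash; CRC32 stands in for it."""
    data = (ip_address(src).packed + ip_address(dst).packed
            + struct.pack("!HH", sport, dport))
    return (zlib.crc32(data) & 0xFFFFFFFF) % denominator


class MangleModel:
    """Connection tracking plus the three mark paths from the export."""

    def __init__(self):
        self.conn_marks = {}  # 5-tuple of the first packet -> connection-mark

    def lan_prerouting(self, src, dst, sport, dport):
        """LAN -> anywhere: mark the connection once (connection-state=new);
        later packets of the same connection inherit the mark."""
        key = (src, dst, sport, dport)
        if key in self.conn_marks:
            return self.conn_marks[key]
        if in_conectado(src) and in_conectado(dst):
            mark = None   # prerouting accept rule: local traffic stays unmarked
        elif dst in ROUTER_IPS:
            mark = None   # dst-address-type=!local excludes the router itself
        else:
            mark = PCC_MARKS[pcc_bucket(src, dst, sport, dport)]
        self.conn_marks[key] = mark
        return mark

    def wan_input(self, in_iface, src, dst, sport, dport):
        """WAN -> router (e.g. the WireGuard handshake on udp/51820):
        mark-connection in the input chain, only while still no-mark."""
        key = (src, dst, sport, dport)
        if key not in self.conn_marks:
            self.conn_marks[key] = {"Wan1": "Wan1->RoS", "Wan2": "Wan2->RoS"}[in_iface]
        return self.conn_marks[key]

    def router_output(self, src, dst, sport, dport):
        """Router reply in the output chain: routing-mark derived from the
        connection-mark; without one the packet falls into the main table."""
        key = (dst, src, dport, sport)  # conntrack matches the reversed tuple
        routing_mark = ROUTING_MARKS.get(self.conn_marks.get(key), "main")
        return routing_mark, TABLE_EGRESS[routing_mark]

    def lan_egress(self, src, dst, sport, dport):
        """Where a LAN flow leaves: routing-mark from its connection-mark."""
        conn_mark = self.lan_prerouting(src, dst, sport, dport)
        routing_mark = ROUTING_MARKS.get(conn_mark, "main")
        return routing_mark, TABLE_EGRESS[routing_mark]


def pcc_share(model, src="192.168.100.50", dst="93.184.216.34", flows=600):
    """Count how constructed flows (varying source port) split across WANs."""
    counts = {}
    for sport in range(40000, 40000 + flows):
        _, egress = model.lan_egress(src, dst, sport, 443)
        counts[egress] = counts.get(egress, 0) + 1
    return counts


if __name__ == "__main__":
    m = MangleModel()
    # Constructed peer address; the posted log truncates the real one (85.52..).
    print(m.wan_input("Wan2", "85.52.0.1", "192.168.1.129", 14824, 51820))
    print(m.router_output("192.168.1.129", "85.52.0.1", 51820, 14824))
    print(pcc_share(m))
```

The case worth looking at is `router_output` on a fresh model: with no connection mark the reply falls into `main` and leaves via Wan1, which is exactly what Torch on Wan1 showed while the handshake failed. The model cannot reproduce why the output-chain rule did not fire on 7.13; it only shows what the rules are meant to do and why the reply must carry the routing mark.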

Can nobody help me?

Updated to 7.14beta4 and it has been magically resolved. :astonished: :smiley:

I will have a look and see what I can figure out… The funny thing about MT is that it can allow some traffic if the config is almost there, but eventually any errors will reach up and grab you by the nuts…

Observations

(1) DO NOT USE VLAN-ID=1. It's already used by the router in the background and should not be used to carry data; it can cause weird things down the line.
Instead just switch that to VLAN-ID=99, for example, because it's actually called vlan99_BASE; why you assigned 1 is beyond me… ???
This is compounded by the very bad advice to try and have a separate bridge DHCP while it's hosting VLANs. STICK TO ONLY VLANS…
So the recommendation is to cut the bridge back to doing nothing but bridging and give the associated subnet VLAN 10.

You only need to add the VLAN to the bridge when creating vlan10, and replace the bridge in a few other spots, like:
/interface vlan
add interface=Bridge_BASE name=vlan10_HOME vlan-id=10
/ip address
add address=192.168.100.100/24 interface=vlan10_HOME network=192.168.100.0
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 dhcp-option-set=Opciones_Dnsmasq \
    interface=vlan10_HOME lease-time=1d6h name=dhcp1

(2) You have 5 VLANs (aka subnets).
How is it that you have 8 pools? Please explain.

Edit: Okay, I see you have split VLAN BASE into THREE POOLS, and two of them even overlap.
Why do this nonsense? If you need another VLAN, create another VLAN; they are cheap and easier to deal with if there are DIFFERENT REQUIREMENTS for different groups of users!!!

/ip pool
add name=dhcp_pool0 ranges=192.168.100.1-192.168.100.99
add name=pool_Fijas ranges=192.168.100.100-192.168.100.149
add name=pool_invitados ranges=10.10.101.1-10.10.101.99
add name=pool_vlan102 ranges=10.10.102.1-10.10.102.99
add name=pool_vlan103 ranges=10.10.103.1-10.10.103.99
add name=pool_IoT ranges=10.10.66.1-10.10.66.99
add name=pool_BASE2 ranges=192.168.100.130-192.168.100.142
add name=pool_TEST ranges=192.168.98.1-192.168.98.99

(3) You didn't mention pihole, another added complexity in the mix..

(4) It looks like bridge ports ether3-8 (and 10) are access ports, in that you want vlan1 (now vlan10) to go out of these.
Ether9 and sfp-sfpplus1 are trunk ports carrying VLANs. It was not clear that ether10 was a trunk port, since you had inconsistently not made a comment identifying it as one.
However, reading the /interface bridge vlan settings, surprise, it is a trunk port!! :frowning:

/interface bridge port
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10
add bridge=Bridge_BASE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

(5) In both /interface bridge port and /interface bridge vlan you fail TO IDENTIFY vlan99_BASE. Is it used or needed?

(6) The associated /interface bridge port settings…
/interface bridge vlan
add bridge=Bridge_BASE tagged=Bridge_BASE,sfp-sfpplus1,ether9,ether10 \
    vlan-ids=101
add bridge=Bridge_BASE tagged=Bridge_BASE,sfp-sfpplus1,ether9,ether10 \
    vlan-ids=102
add bridge=Bridge_BASE tagged=Bridge_BASE,sfp-sfpplus1 vlan-ids=103
add bridge=Bridge_BASE tagged=Bridge_BASE,ether9 vlan-ids=66
add bridge=Bridge_BASE tagged=Bridge_BASE untagged=ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=10

NOTE: if the old VLAN 1, now 10, needs to go through the various trunk ports, then just add them as tagged along with the bridge on the last entry (vlan-ids=10).

(7) Unless you know what you are doing, this is usually not required… advanced use…
So what in the standard firewall settings is not good enough that you need to invoke this??

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

(8) The bridge does not cover all VLANs on the interface list.. and with vlan10 the bridge is thankfully a NON player.

/interface list member
add interface=Wan1 list=Wans
add interface=Wan2 list=Wans
add interface=vlan10_HOME list=Lan
add interface=vlan66_BASE list=Lan
add interface=vlan99_BASE list=Lan
add interface=vlan101_BASE list=Lan
add interface=vlan102_BASE list=Lan
add interface=vlan103_BASE list=Lan

add interface=vlan66_BASE list=Reproductores
add interface=vlan102_BASE list=Reproductores
add interface=Vpn_Casa list=Lan

(9) This rule makes no sense in the input chain…
add action=accept chain=input disabled=yes dst-address-list=Conectado \
    dst-port=5246,5247 protocol=udp src-address-list="Red LMN"

(10) This rule makes no sense in the input chain…
add action=drop chain=input comment="IN_DROP_ALL. Excepto DST-NAT" \
    connection-nat-state=!dstnat

(11) This rule shows the ugly mess the firewall rules are in… You need to allow some subnets internet, so you block all access to local subnets instead… so weird.
add action=accept chain=forward comment=\
    "FW_conn_WifiConInternet  a Todo lo NO Conectado (internet)" \
    dst-address-list=!Conectado src-address-list="Wifi con internet"

(12) OVERALL your usage of address lists is over the top.
If a rule only requires a single IP as source or destination, use the IP.
If a rule only requires a single subnet as source or destination, use the subnet.
If a rule requires two or more subnets, identify the subnets in one interface list.

Firewall address lists are most useful if you have a group of IP addresses within a subnet, but not the whole subnet, OR
you have a bunch of addresses from different subnets or sources.
In the above cases it makes sense to use firewall address lists.
Any time you have a bunch of individual users, with or without whole subnets, that need to have the same rule applied, use a firewall address list.

As far as the forward chain goes, it is much easier to apply the concept of automatically DROPPING ALL traffic at L3, and then one only has to identify allowed traffic. Much easier.
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
# ***** ADD ANY MORE ALLOW RULES HERE *****
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat disabled=yes
# (enable the port-forwarding rule if required)
add action=drop chain=forward comment="drop all else"

Note: with this setup all VLANs are blocked from each other, and you can decide, based on an interface list, what has access to the WAN.
In your case I would have simply added an interface list called INTERNET:
/interface list
add name=INTERNET
/interface list member
add interface=vlan99_BASE list=INTERNET
add interface=vlan66_BASE list=INTERNET
add interface=vlan101_BASE list=INTERNET
add interface=vlan102_BASE list=INTERNET
add interface=vlan103_BASE list=INTERNET
add interface=Vpn_Casa list=INTERNET

With the rule modified above to look like:
add action=accept chain=forward comment="allow internet traffic" in-interface-list=INTERNET out-interface-list=WAN

What's amusing is that, looking at your rule, you don't have the HOME VLAN 10 (your old vlan1 / old bridge LAN on ether3-8) identified in the firewall address list "Wifi con internet".
Does that mean none of the users on ethernet3- were supposed to have internet?
If this is a mistake then you could use the normal rule and don't need an extra interface list,
since all six VLANs and WireGuard would be allowed internet access!!

Even so, one could still use the default rule with this caveat:
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN src-address=!192.168.100.0/24

(13) You even botched a default rule… into something useless for the intended purpose, but luckily this rule has no business once you start changing the config anyway and should be removed…
add action=drop chain=forward comment="FW_DROP_ALL. Excepto DST-NAT" \
    connection-nat-state=!dstnat

NOTE: the rules I have above add the drop-all rule, allow port forwarding if required, and make LAN-to-WAN access explicit rather than implicit. They also drop LAN-to-LAN traffic at L3, which the old rule didn't.

++++++++++++++++++++++++++++
Until the mess above is cleaned up it is hard to even look at mangles and routes.
Suffice to say it's a complete disaster, mangle-wise…

IP Routes surprisingly seem okay. :slight_smile:

The raw rule is not required; your router couldn't handle flooding anyway.
Just ensure that the router DNS is never open on the WAN side.

Final note: pihole should be handled in dstnat, not mangling.
If pihole goes down there is no other way for LAN users to get internet; is that the intention???
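As an added illustration of the forward-chain point above (example code, not from the reply and not RouterOS code): a small first-match evaluator that runs constructed packets through the posted forward chain and through the drop-all layout proposed in the reply. Interface-list membership follows the reply's layout with vlan10_HOME in place of the bridge (an assumption); the Plex rule and the fasttrack rule are left out because they do not change the fate of the packets below, and the reply's disabled port-forwarding rule is left out as well.

```python
"""First-match evaluator for a RouterOS-style forward chain, used to compare
the posted rule set with the drop-all layout proposed in the reply.
Added example, not RouterOS code; the packets below are constructed."""
from ipaddress import ip_address, ip_network

# Address lists copied (in part) from the export.
ADDRESS_LISTS = {
    "Red LMN": ["192.168.100.0/24"],
    "Red invitados": ["10.10.101.0/24"],
    "Wifi con internet": ["10.10.101.0/24", "10.10.102.0/24", "10.10.103.0/24",
                          "10.10.66.0/24", "192.168.98.0/24", "10.10.0.0/24"],
    "Conectado": ["192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24",
                  "192.168.98.0/24", "10.10.66.0/24", "10.10.101.0/24",
                  "10.10.102.0/24", "10.10.103.0/24", "10.10.0.0/24"],
}
# Interface lists as the reply lays them out. ASSUMPTION: vlan10_HOME replaces
# the bridge as the home-network interface.
INTERFACE_LISTS = {
    "LAN": ["vlan10_HOME", "vlan66_BASE", "vlan101_BASE", "vlan102_BASE", "Vpn_Casa"],
    "WAN": ["Wan1", "Wan2"],
}

# Forward chain from the export (port-specific Plex rule omitted).
OLD_FORWARD = [
    {"action": "accept", "connection_state": {"established", "related", "untracked"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "accept", "src_address_list": "Red LMN", "dst_address_list": "!Red invitados"},
    {"action": "accept", "src_address_list": "Wifi con internet", "dst_address_list": "!Conectado"},
    {"action": "drop", "connection_nat_state": "!dstnat"},
]
# Forward chain proposed in the reply. fasttrack is left out (it does not decide
# a packet's fate) and so is the port-forwarding accept, which the reply ships
# disabled; add it before the final drop if dst-nat is in use.
NEW_FORWARD = [
    {"action": "accept", "connection_state": {"established", "related", "untracked"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "accept", "in_interface_list": "LAN", "out_interface_list": "WAN"},
    {"action": "drop"},
]


def _addr_match(ip, spec):
    """Address-list matcher with RouterOS-style '!' negation."""
    negate = spec.startswith("!")
    nets = ADDRESS_LISTS[spec.lstrip("!")]
    hit = any(ip_address(ip) in ip_network(n) for n in nets)
    return hit != negate


def _nat_match(nat_state, spec):
    negate = spec.startswith("!")
    return (nat_state == spec.lstrip("!")) != negate


def matches(rule, pkt):
    """Every matcher present in the rule must hold; 'action' is not a matcher."""
    checks = {
        "connection_state": lambda v: pkt["state"] in v,
        "src_address_list": lambda v: _addr_match(pkt["src"], v),
        "dst_address_list": lambda v: _addr_match(pkt["dst"], v),
        "in_interface_list": lambda v: pkt["in_if"] in INTERFACE_LISTS[v],
        "out_interface_list": lambda v: pkt["out_if"] in INTERFACE_LISTS[v],
        "connection_nat_state": lambda v: _nat_match(pkt["nat"], v),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "action")


def evaluate(chain, pkt):
    """First matching rule decides; with no match RouterOS accepts by default."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


def packet(src, dst, in_if, out_if, state="new", nat=None):
    return {"src": src, "dst": dst, "in_if": in_if, "out_if": out_if,
            "state": state, "nat": nat}


# Constructed test packets (first packet of a new connection each time;
# 85.52.0.1 stands in for the truncated peer address in the posted log).
PACKETS = {
    "home_to_iot": packet("192.168.100.50", "10.10.66.20", "vlan10_HOME", "vlan66_BASE"),
    "guest_to_internet": packet("10.10.101.5", "93.184.216.34", "vlan101_BASE", "Wan1"),
    "guest_to_home": packet("10.10.101.5", "192.168.100.50", "vlan101_BASE", "vlan10_HOME"),
    "wan_to_plex_dstnat": packet("85.52.0.1", "192.168.100.101", "Wan2", "vlan10_HOME", nat="dstnat"),
}


def compare(name):
    """Fate of one constructed packet under the old and the proposed chain."""
    pkt = PACKETS[name]
    return evaluate(OLD_FORWARD, pkt), evaluate(NEW_FORWARD, pkt)


if __name__ == "__main__":
    for name in PACKETS:
        old, new = compare(name)
        print(f"{name:20s} old={old:6s} new={new}")
```

Home-to-IoT is accepted by the old chain (Red LMN may reach everything except guests) and dropped by the new one, which is the LAN-to-LAN difference the reply points out. The dst-nat'ed packet from the WAN slips past the old `!dstnat` drop into the implicit accept at the end of the chain, while the new chain drops it until the port-forwarding rule is enabled; that is the caveat to remember when moving to a drop-all layout.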

First of all, thank you very much for taking the necessary time.
(1) It is the residue of a previous configuration from changing the CAPsMAN configuration to v7.13.
The intention is/was to configure a VLAN "vlan98_BASE" as the management network, moving all the network elements to this new VLAN with id=98, and leaving the users in "Bridge_BASE" (vlan-id=1).
But given the advice, what is better? Leave the default VLAN to the users and VLAN XX to MNG, or the other way around?

(2) Cleaned up: 4 subnets = 4 pools (vlan103 has been removed)
(3) :smiley: and the CAPsMAN configuration is missing
(4) Actually the ether10 interface is not a TRUNK, but since it has a hAP on it, with the new 7.13 wifi VLAN configuration it has to work as one with the CAPsMAN VLANs.
(5) No, pending how to act on (1)
(6) Pending how to act on (1)
(7) It will be a mistake on my part, because reading the help I understood that it would be necessary for them to be active to use the firewall and mangle rules on the VLANs:

use-ip-firewall-for-vlan (yes | no; Default: no)
Send bridged VLAN traffic to also be processed by IP/Firewall. This property only has effect when use-ip-firewall is set to yes. This property is required in case you want to assign Simple Queues or global Queue Tree to VLAN traffic in a bridge.

(8) Added the VLANs to list=Lan. What is the reason for removing the bridge from the Lan list? Security?
(9) Removed
(10) Would the correct one be to refer to DST-NAT?:
add action=drop chain=input comment="IN_DROP_ALL."
(11) The intention was to allow access to everything that was not connected to the router, that is, the Internet. Changed as you explain below.
(12) Made the modifications to the firewall according to the comments.
Currently all networks have access to the internet, but I have created the Internet interface list with its rule to use later.
Regarding pi-hole, the mangle rules are there to capture all DNS requests from the network and NAT-forward them to pi-hole; I did not find an effective way to capture all DNS requests directly with NAT.
Again, thanks for the help.
When pi-hole does not work, NETWATCH launches a script that deactivates the mangle and NAT rules.

(1) The advice is to have a separate VLAN for users and a separate VLAN for management if you need it. The concept of a management VLAN is mostly so that all smart devices on the network are configured and reachable on this network, which nobody else has access to. If you have a trusted subnet then you could use that instead and not create a separate management VLAN.
So DO NOT USE vlan-id=1 for any subnet.

(2) Correct, the normal firewall rules work just fine for mangles and VLANs. Bridge additional rules are rarely needed.

(3) Yes, the bridge has no function on the interface list once you move to all VLANs. One never adds things to lists if they are not required.