Route WireGuard connection through specific WAN

Hi,

I have 3 WAN links.
The problem I am having is that the WireGuard connection is always using the main line, which is ISP 1.
How do I route the WireGuard connection to a specific WAN link, for example through ISP 3?
What is the mangle configuration or the route rules I have to configure?
Both MikroTiks are connected to the WireGuard on each end (refer to the diagram).
The purpose of connecting the WireGuard through a specific WAN is to route the client to get the IP address on the other MikroTik (60.60.60.60) by utilizing the ISP 3 link, and vice versa.

https://app.diagrams.net/?lightbox=1&highlight=0000ff&nav=1&title=wg.drawio#R<mxfile><diagram%20name%3D"Page-1"%20id%3D"u9xzOsLrfkkb_-P-oE69">7VrbUuM4EP2aPJKyLdtJHiGB2d1aqliY2pl9ohRbcbSRLY8s58LXb8uW42sCAybADhWGsVtySzrnqNXuMEDTcPtF4Hh5zX3CBpbhbwdoNrAsE40m8J%2By7HLLaDzODYGgvu5UGu7oA9FGQ1tT6pOk1lFyziSN60aPRxHxZM2GheCbercFZ%2FVRYxyQluHOw6xt%2FUZ9ucytY8co7b8RGiyLkU1Dt4S46KwNyRL7fFMxocsBmgrOZX4VbqeEKfAKXPLnrg607icmSCSf8sDij4c43V4Ho%2B3ZzdUq%2FAvgCc8cPTe5KxZMfFi%2FvgXPVO5uCcOS8uiybLkQPI18ojwbcMeFXPKAR5j9yXkMRhOM%2FxIpd5pQnEoOpqUMmW7Nx1WDHVyONiU8FR45soZCFlgERB7pZ%2B1BB7USHhIpdvCcyJa3rs8Da9kE%2B34lsnChwf0JoN0W0B8RQvSWEJroFxKr%2FaZI537XmKV6pGu6EvwrXbUYoGEWQC9wEufhd0G3CuoqfDGnkczm6FwMnJnqzWgQgcED%2FIgAw4JHUsNvwrovtNsZDQNYAaNz%2BI0fUkHUyiIiN1ysaKTa%2FqZCppjd3%2FIUXA2TdbAnbE2EJNvjlLUhLh6wddzWBxcqAvumPAZcfZYtKydAYeudFKtFyu93N2CAZbgMBr%2Fw6RouA3VpDrNP0QLjVRqfzmFMBIXJK4ZmMEM4c8lNaapS3CJ0f9qpLefjZLnff0mMPaDua7b30CGuPaXye58KmBFX6F1R5Rmov%2FcYT%2F3%2BiEbjOtGm1SbaREab6eK53plGB5i2Opi2htnnk%2BlnMG1N7Ddm2j7ANOpgGg2zzyfTz2DaHr31njbNFkUnSl7Atdh9r978o5wNneJ2ttXO87udvusz6TE%2BQopezPKXTnvc8TtLe8x2jGyxkayI9JZatxnsRFyuSY6%2BeTRyVfhKpOArMuWMq9gY8UgRvKCMFaaBhWZX46mtmGJ4TtgNT6jar1VKFfrUg%2F3Z6DDnUvKw0uFci0GqfdyWBvDKaATTKeoaRr6OWK053Aaq3DJcE4JDa7iBkBqkWPg9pb7OqB49OzSA7LYGClv%2FGnA%2BNXBiDbiT96YB93ENeKlYZ6zmR51%2FrgqAClCGk4R6darrB2udeJ8scJqlWQvGN%2BcRxGVNYSmSohzo%2FMRZ2Ya7AqfTkY8UtiefgHqEG7UBSjb3RchmVC9c5Ee4fqpaRGw4ckePOMqP%2BJYjYALvKt302Xhwwjaqj%2BPUaptwkTss5bSH9AUKG59QYRBHJhN7ahideupUXTV%2BfTjBTZ4ruGY%2B0nTUk%2BCQ2xCcbRydl9OYl2OeQqGTzxj4bEm6DYaR%2BUxJWugRR33FwEYF0j2Bwqz2O1BRcJgz7q1%2BpFySmuBcZYLmEBZNQR3n0GpU%2FtlGvM3UYcy58FVao3rozCrTh%2B%2BrV5r8Qd23cFqWNyrlkI7BDz%2BRxDjqfGSOvVWQ6f%2FMyxWvJkAjyNUw63Q5TUUmZcv4BrnWlyzX2n%2FxqHZGWZnJR63PpFmweQcr2lMrOib7Gmu4JT9SwM5%2FCoYdA4G1qsIDpa96UNssqSR3Mc4KFBvImLuLXIwsSmcvypyLL7jru7Ya5KyR1Y5ybiOI9Pe9QfvbnJdB1ngdQpADmuc9vXmaqi5Vha%2BrcGcWfar4NYNwf%2FhZr4ufP59MnHG2jYTeBGgGZ5Fabj%2BYmkOrDupksrdUce04e0us%2B8e1%2FVLvGsPipwUxACAPvaC362oViHWfCgHNt%2B%2BQ%2Bn5Wa%2B0irk5tD3y4Y7tGRpfE3Q4q0KsJvP1m7cA21D%2F%2FXyJM%2B2REwG35hz55rlb%2BuRS6%2FA8%3D<%2Fdiagram><%2Fmxfile>
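One way to pin the tunnel to ISP 3, written as an added example for this question rather than as something posted in the thread. It uses the names that appear in the exports below (the client-side WireGuard interface CJ1-Internet, the ISP 3 PPPoE interface TIME-1Gbps-3 and its routing table to_TIME-3, endpoint port 13231); DC_PUBLIC_IP is a placeholder for the redacted endpoint address of the DC router. The key point is that WireGuard packets are generated by the router itself, so the prerouting mangle rules that load-balance LAN clients never see them: the endpoint has to be steered either by a host route or by an output-chain mangle rule.

```routeros
# Added example for the question above (not from the thread).
# Placeholders: DC_PUBLIC_IP = redacted public address of Mikrotik 2 (DC).
# Names taken from the exports in this thread: CJ1-Internet, TIME-1Gbps-3,
# to_TIME-3, UDP 13231.

# ---------- Mikrotik 1 (client side) ----------

# 1. Host route for the peer endpoint out of ISP 3. The PPPoE interface is
#    used directly as the gateway; distance=1 beats the PPPoE default routes
#    (distance 2..8), so only this /32 leaves via TIME-1Gbps-3 while
#    everything else keeps using the existing load-balancing.
/ip route add dst-address=DC_PUBLIC_IP/32 gateway=TIME-1Gbps-3 distance=1 \
    comment="WireGuard endpoint pinned to ISP 3"

# 2. Optional: do NOT let the tunnel silently fall back to ISP 1 when ISP 3
#    goes down (remove this route if failover to another WAN is wanted).
/ip route add dst-address=DC_PUBLIC_IP/32 type=blackhole distance=250 \
    comment="no fallback for WireGuard endpoint"

# 3. Send LAN traffic for the DC address through the tunnel. The peer's
#    allowed-address=0.0.0.0/0 already permits this destination.
/ip route add dst-address=60.60.60.60/32 gateway=CJ1-Internet \
    comment="60.60.60.60 reachable via WireGuard"

# 4. Alternative asked about in the question: mangle instead of a route.
#    Locally generated packets are matched in chain=output, not prerouting.
#    Caveat: the router picks the source address from the main-table lookup
#    before the mark is applied, so the packet may leave ISP 3 carrying the
#    ISP 1 address and be dropped by the provider's source filtering; the
#    host route in step 1 avoids that and is the safer choice.
# /ip firewall mangle add chain=output dst-address=DC_PUBLIC_IP protocol=udp \
#     dst-port=13231 action=mark-routing new-routing-mark=to_TIME-3 \
#     comment="WireGuard endpoint via to_TIME-3 (alternative)"

# ---------- Mikrotik 2 (DC side) ----------
# Nothing to route: WireGuard replies to whichever address the last valid
# handshake came from, so once the client initiates from ISP 3 the return
# traffic ("vice versa") automatically uses the ISP 3 link as well.

# ---------- Verification ----------
# The handshake must now be visible on TIME-1Gbps-3 and nowhere else:
/tool sniffer quick interface=TIME-1Gbps-3 port=13231
# last-handshake on the peer should keep updating after the change:
/interface wireguard peers print detail where interface=CJ1-Internet
# Confirm only the /32 changed and the default routes are untouched:
/ip route print where dst-address=DC_PUBLIC_IP/32
```

No firewall change is needed for this on the client: the input rule that accepts UDP 13231-13235,13299 from in-interface-list=WAN already covers TIME-1Gbps-3, and only those WireGuard ports need to be reachable on that link. If the PPPoE session on ISP 3 re-establishes with a new address, the host route follows the interface, so nothing has to be edited when the public IP changes.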

For both routers.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)

Also answer:
identify all users of the wireguard tunnel
identify what traffic they need (your input is not specific enough)

Mikrotik 1 (Client)

```text
# 2024-07-22 20:16:28 by RouterOS 7.14.3
# software id = redacted
#
# model = CCR2004-16G-2S+
# serial number = redacted
/interface bridge
add disabled=yes name=Customer port-cost-mode=short
add name=IKE2
add name=Management port-cost-mode=short
add name=Redtone-br port-cost-mode=short
/interface ethernet
set [ find default-name=ether6 ] comment=ether6 name=Redtone
set [ find default-name=ether1 ] comment="WAN ports 1-8"
set [ find default-name=ether10 ] comment="OLT data ports 10-12" disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] comment="Management ports 12-16"
set [ find default-name=sfp-sfpplus1 ] comment="OLT-A,B,C,D,E uplink"
/interface wireguard
add listen-port=13299 mtu=1420 name=CJ1-Internet
add disabled=yes listen-port=13233 mtu=1420 name=to-Bintang
add disabled=yes listen-port=13232 mtu=1420 name=to-Chambers
add disabled=yes listen-port=13234 mtu=1420 name=to-Trion1
add disabled=yes listen-port=13235 mtu=1420 name=to-Trion2
add disabled=yes listen-port=13231 mtu=1420 name=to-YouthCity
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
add interface=ether3 name=vlan500-2 vlan-id=500
add interface=ether5 name=vlan500-3 vlan-id=500
add interface=sfp-sfpplus2 name=vlan500-4 vlan-id=500
/interface pppoe-client
add add-default-route=yes comment=ether9 default-route-distance=8 interface=
    vlan500-4 name=Unifi-2Gbps user=superliteelec002@unifibiz
/interface ovpn-client
add certificate=mvertica.crt_0 cipher=aes128-cbc connect-to=
    origintechlab.splynx.app mac-address=02:48:AB:D0:40:73 name=Ovpn-Splynx
    protocol=udp user=mvertica
/interface list
add name=WAN
add name=LAN
add name=PPPoE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
add name=ike2-policies
/ip ipsec profile
add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ike2
/ip ipsec peer
add exchange-mode=ike2 name=ike2 passive=yes profile=ike2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 lifetime=8h name=ike2 pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.88.99-192.168.88.199
add name=Customer_Pool ranges=172.16.252.200-172.16.255.200
add name=vpn_pool0 ranges=192.168.99.100-192.168.99.110
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Management name=dhcp1
/ip ipsec mode-config
add address-pool=vpn_pool0 address-prefix-length=32 name=ike2-conf
    split-include=0.0.0.0/0 static-dns=192.168.99.1,8.8.4.4 system-dns=no
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add address-list=GPON_Customer dns-server=8.8.8.8,8.8.4.4 interface-list=
    PPPoE local-address=172.16.252.1 name=GPON remote-address=Customer_Pool
    use-compression=no use-mpls=no
add address-list=Unifi change-tcp-mss=yes name=Unifi
add address-list=TIME change-tcp-mss=yes name=TIME
add address-list=Unifi-2 change-tcp-mss=yes name=Unifi-2
add address-list=TIME-2 change-tcp-mss=yes name=TIME-2
add address-list=Unifi-3 change-tcp-mss=yes name=Unifi-3
add address-list=TIME-3 change-tcp-mss=yes name=TIME-3
add address-list=TIME-4 change-tcp-mss=yes name=TIME-4
/interface pppoe-client
add add-default-route=yes comment=ether2 default-route-distance=2 interface=
    ether2 name=TIME-1Gbps profile=TIME user=enquiry538@timebb
add add-default-route=yes comment=ether4 default-route-distance=4 interface=
    ether4 name=TIME-1Gbps-2 profile=TIME-2 user=jolene93@timebb
add add-default-route=yes comment=ether7 default-route-distance=6 interface=
    ether7 name=TIME-1Gbps-3 profile=TIME-3 user=jolene850@timebb
add add-default-route=yes comment=ether8 default-route-distance=7 interface=
    ether8 name=TIME-1Gbps-4 profile=TIME-4 user=enquiry522@timebb
add add-default-route=yes comment=ether1 disabled=no interface=vlan500 name=
    Unifi-1Gbps profile=Unifi user=originwifi1@unifibiz
add add-default-route=yes comment=ether3 default-route-distance=3 disabled=no
    interface=vlan500-2 name=Unifi-1Gbps-2 profile=Unifi-2 user=
    originwifi@unifibiz
add add-default-route=yes comment=ether5 default-route-distance=5 disabled=no
    interface=vlan500-3 name=Unifi-1Gbps-3 profile=Unifi-3 user=
    uptrend_media@unifibiz
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/routing table
add disabled=no fib name=Customer
add fib name=to_Unifi
add disabled=no fib name=to_TIME
add disabled=no fib name=to_Unifi-2
add disabled=no fib name=to_TIME-2
add disabled=no fib name=to_Unifi-3
add disabled=no fib name=to_Redtone
add disabled=no fib name=to_TIME-3
add disabled=no fib name=to_TIME-4
add disabled=no fib name=to_Unifi-2Gbps
/user-manager limitation
add name=100Mbps rate-limit-burst-rx=110000000B
    rate-limit-burst-threshold-rx=128000000B rate-limit-burst-threshold-tx=
    128000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=10s
    rate-limit-burst-tx=110000000B rate-limit-min-rx=90000000B
    rate-limit-min-tx=90000000B rate-limit-rx=100000000B rate-limit-tx=
    100000000B uptime-limit=4w2d
add name=200Mbps rate-limit-burst-rx=210000000B
    rate-limit-burst-threshold-rx=256000000B rate-limit-burst-threshold-tx=
    256000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=10s
    rate-limit-burst-tx=210000000B rate-limit-min-rx=190000000B
    rate-limit-min-tx=190000000B rate-limit-rx=200000000B rate-limit-tx=
    200000000B uptime-limit=4w2d
add name=300Mbps rate-limit-burst-rx=310000000B
    rate-limit-burst-threshold-rx=320000000B rate-limit-burst-threshold-tx=
    256000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=10s
    rate-limit-burst-tx=210000000B rate-limit-min-rx=290000000B
    rate-limit-min-tx=190000000B rate-limit-rx=300000000B rate-limit-tx=
    200000000B uptime-limit=4w2d
/user-manager profile
add name=GPON_100Mbps name-for-users=GPON_100Mbps starts-when=first-auth
    validity=4w2d
add name=GPON_200Mbps name-for-users=GPON_200Mbps starts-when=first-auth
    validity=4w2d
add name=GPON_300Mbps name-for-users=GPON_300Mbps starts-when=first-auth
    validity=4w2d
/user-manager user group
add inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2
    name=VPN outer-auths=
    pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/"
    disabled=yes name=zt1 port=9993
/interface bridge port
add bridge=Customer disabled=yes interface=ether9 internal-path-cost=10
    path-cost=10
add bridge=Customer disabled=yes interface=ether10 internal-path-cost=10
    path-cost=10
add bridge=Customer disabled=yes interface=ether11 internal-path-cost=10
    path-cost=10
add bridge=Management interface=ether12 internal-path-cost=10 path-cost=10
add bridge=Management interface=sfp-sfpplus1 internal-path-cost=10 path-cost=
    10
add bridge=Management disabled=yes interface=sfp-sfpplus2 internal-path-cost=
    10 path-cost=10
add bridge=Management interface=ether13 internal-path-cost=10 path-cost=10
add bridge=Management interface=ether14 internal-path-cost=10 path-cost=10
add bridge=Management interface=ether15 internal-path-cost=10 path-cost=10
add bridge=Management interface=ether16 internal-path-cost=10 path-cost=10
add bridge=Redtone-br interface=Redtone internal-path-cost=10 path-cost=10
add bridge=Redtone-br interface=*20 internal-path-cost=10 path-cost=10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes
    use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/interface detect-internet
set internet-interface-list=WAN wan-interface-list=WAN
/interface list member
add interface=Unifi-1Gbps list=WAN
add interface=Customer list=LAN
add interface=Unifi-1Gbps-2 list=WAN
add interface=TIME-1Gbps list=WAN
add interface=Unifi-1Gbps-3 list=WAN
add interface=TIME-1Gbps-2 list=WAN
add interface=Redtone list=WAN
add interface=Management list=LAN
add interface=Redtone-br list=WAN
add interface=TIME-1Gbps-3 list=WAN
add interface=Unifi-2Gbps list=WAN
/interface pppoe-server server
add authentication=mschap2 default-profile=GPON interface=Customer
    keepalive-timeout=30 one-session-per-host=yes service-name=GPON
/interface wireguard peers
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=
    redacted endpoint-port=13231 interface=to-YouthCity
    public-key="GkmePKK6jc5LZh9kbpYAEK+2/0k5oRfdHLYSzAxod0M="
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=
    redacted endpoint-port=13231 interface=to-Chambers
    public-key="FAGwkn1eM+dK0KlxtI/3QI/4YCaEVmJkawDvs2aIARM="
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=
    redacted endpoint-port=13231 interface=to-Bintang
    public-key="macz3FODP9zu1rKalkMeeqNF9Pj1dOtHgxMWVJat3kQ="
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=
    redacted endpoint-port=13231 interface=to-Trion1
    public-key="rPeXzh6oeeCQXgPVc7qpzmnlZketDLZTNj9PTf7qD1c="
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=
    redacted endpoint-port=13235 interface=to-Trion2
    public-key="m8k0h5UQr3Bw3WaY8i80vnHzRWGKmSfwk6fzJvzZnhw="
add allowed-address=0.0.0.0/0 endpoint-address=redacted
    endpoint-port=13231 interface=CJ1-Internet public-key=
    "O+Mu1AiWcGZ3ME2wEGEff9M7uVb0pWaib9FSnvJEgm4="
/ip address
add address=192.168.88.1/24 interface=Management network=192.168.88.0
add address=192.1.1.1/24 disabled=yes interface=to-YouthCity network=
    192.1.1.0
add address=192.2.2.1/24 disabled=yes interface=to-Chambers network=192.2.2.0
add address=192.3.3.1/24 disabled=yes interface=to-Bintang network=192.3.3.0
add address=192.168.99.1/24 interface=IKE2 network=192.168.99.0
add address=192.4.4.1/24 disabled=yes interface=to-Trion1 network=192.4.4.0
add address=192.5.5.1/24 disabled=yes interface=to-Trion2 network=192.5.5.0
add address=172.254.0.2/30 interface=CJ1-Internet network=172.254.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether7
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=mvertica.otl
add address=192.168.88.2 name=mverticap.otl
add address=192.168.89.1 name=youth.otl
add address=192.168.90.1 name=chambers.otl
add address=192.168.90.2 name=chambersp.otl
add address=192.168.91.1 name=bintang.otl
add address=192.168.91.2 name=bintangp.otl
add address=192.168.92.1 name=trion1.otl
add address=192.168.92.2 name=trion1p.otl
add address=192.168.93.1 name=trion2.otl
add address=192.168.93.2 name=trion2p.otl
/ip firewall address-list
add address=192.168.88.0/24 list=Management_Access
add address=192.168.99.0/24 list=Management_Access
add address=192.168.88.0/24 list=LANs
add address=192.168.89.0/24 list=Management_Access
add address=192.1.1.0/24 list=Management_Access
add address=172.16.252.0/22 list=GPON_Users
add address=172.16.252.0/22 list=LANs
add address=192.168.90.0/24 list=Management_Access
add address=192.168.91.0/24 list=Management_Access
/ip firewall filter
add action=jump chain=input comment="Check port knock" icmp-options=8:0-255
    jump-target=knock packet-size=!0-99 protocol=icmp
add action=accept chain=input comment="accept established,related connection"
    connection-state=established,related
add action=accept chain=input comment="accept icmp packets" protocol=icmp
add action=accept chain=input comment="accept wireguard connection" dst-port=
    13231-13235,13299 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=Unifi-1Gbps protocol=udp
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=Unifi-1Gbps-2 protocol=udp
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=Unifi-1Gbps-3 protocol=udp
# TIME-1Gbps not ready
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=TIME-1Gbps protocol=udp
# TIME-1Gbps-2 not ready
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=TIME-1Gbps-2 protocol=udp
# TIME-1Gbps-3 not ready
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=TIME-1Gbps-3 protocol=udp
# TIME-1Gbps-4 not ready
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=TIME-1Gbps-4 protocol=udp
# Unifi-2Gbps not ready
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=Unifi-2Gbps protocol=udp
add action=accept chain=input comment="accept ipsec connection" dst-port=
    500,4500 in-interface=Redtone-br protocol=udp
add action=add-src-to-address-list address-list=Management_Access
    address-list-timeout=15m chain=input comment=
    "port knock with icmp count 15 times" icmp-options=8:15 protocol=icmp
add action=accept chain=input comment=
    "accept connection from management subnets" in-interface=to-YouthCity
add action=accept chain=input comment=
    "accept connection from management subnets" in-interface=to-Chambers
add action=accept chain=input comment=
    "accept connection from management subnets" in-interface=to-Bintang
add action=accept chain=input comment="ACCEPT TLS after knock" dst-port=443
    protocol=tcp src-address-list=KNOCK-SUCCESS
add action=accept chain=input comment="ACCEPT SSH after knock" dst-port=8291
    protocol=tcp src-address-list=KNOCK-SUCCESS
add action=drop chain=input comment="drop everything except from Management"
    in-interface=Unifi-1Gbps src-address-list=!Management_Access
add action=drop chain=input comment="drop everything except from Management"
    in-interface=Unifi-1Gbps-2 src-address-list=!Management_Access
add action=drop chain=input comment="drop everything except from Management"
    in-interface=Unifi-1Gbps-3 src-address-list=!Management_Access
# TIME-1Gbps not ready
add action=drop chain=input comment="drop everything except from Management"
    in-interface=TIME-1Gbps src-address-list=!Management_Access
# TIME-1Gbps-2 not ready
add action=drop chain=input comment="drop everything except from Management"
    in-interface=TIME-1Gbps-2 src-address-list=!Management_Access
# TIME-1Gbps-3 not ready
add action=drop chain=input comment="drop everything except from Management"
    in-interface=TIME-1Gbps-3 src-address-list=!Management_Access
add action=drop chain=input comment="drop everything except from Management"
    in-interface=Redtone-br src-address-list=!Management_Access
add action=accept chain=forward comment="forward established,related"
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=return chain=knock comment="KNOCK FAILURE return"
    src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK-SUCCESS
    address-list-timeout=1h chain=knock comment="KNOCK 3rd - success 600"
    packet-size=628 src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - success return"
    src-address-list=KNOCK-SUCCESS
add action=add-src-to-address-list address-list=KNOCK-FAILURE
    address-list-timeout=1m chain=knock comment="KNOCK 3rd - failure"
    src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - failure return"
    src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=
    1m chain=knock comment="KNOCK 2nd - success 500" packet-size=528
    src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - success return"
    src-address-list=KNOCK2
add action=add-src-to-address-list address-list=KNOCK-FAILURE
    address-list-timeout=1m chain=knock comment="KNOCK 2nd - failure"
    src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - failure return"
    src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=
    1m chain=knock comment="KNOCK 1st - success 400" packet-size=428
add action=return chain=knock comment="KNOCK 1st - success return"
    src-address-list=KNOCK1
add action=add-src-to-address-list address-list=KNOCK-FAILURE
    address-list-timeout=1m chain=knock comment="KNOCK 1st - failure"
/ip firewall mangle
add action=accept chain=prerouting comment="accept connection from CJ1"
    dst-address=172.254.0.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=172.255.0.0/24 src-address=
    192.168.88.0/24
add action=accept chain=prerouting comment=
    "accept connection for Youth Condo Nilai" dst-address=192.168.89.0/24
    src-address=192.168.88.0/24
add action=accept chain=prerouting comment=
    "accept connection for Chambers Residence" dst-address=192.168.90.0/24
    src-address=192.168.88.0/24
add action=accept chain=prerouting comment=
    "accept connection for Bintang Residence" dst-address=192.168.91.0/24
    src-address=192.168.88.0/24
add action=accept chain=prerouting comment="accept connection for TRION1"
    dst-address=192.168.92.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting comment="accept connection for TRION2"
    dst-address=192.168.93.0/24 src-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=192.1.1.0/24 src-address=
    192.168.88.0/24
add action=accept chain=prerouting dst-address=192.2.2.0/24 src-address=
    192.168.88.0/24
add action=accept chain=prerouting dst-address=192.3.3.0/24 src-address=
    192.168.88.0/24
add action=accept chain=prerouting dst-address=192.4.4.0/24 src-address=
    192.168.88.0/24
add action=accept chain=prerouting dst-address=192.5.5.0/24 src-address=
    192.168.88.0/24
add action=accept chain=prerouting comment="accept connection for dst-nat"
    dst-address=10.250.32.0/24 src-address=192.168.88.2
add action=accept chain=prerouting comment="accept connection for dst-nat"
    dst-address=10.250.32.1 src-address=172.16.252.0/22
add action=accept chain=prerouting dst-address=172.254.0.0/24 src-address=
    172.16.252.0/22
add action=accept chain=prerouting comment="accept connection for dst-nat"
    disabled=yes dst-address-list=!LANs src-address=192.168.88.2
add action=accept chain=prerouting in-interface=Unifi-1Gbps
# TIME-1Gbps not ready
add action=accept chain=prerouting in-interface=TIME-1Gbps
add action=accept chain=prerouting in-interface=Unifi-1Gbps-2
# TIME-1Gbps-2 not ready
add action=accept chain=prerouting in-interface=TIME-1Gbps-2
add action=accept chain=prerouting in-interface=Unifi-1Gbps-3
# TIME-1Gbps-3 not ready
add action=accept chain=prerouting in-interface=TIME-1Gbps-3
# TIME-1Gbps-4 not ready
add action=accept chain=prerouting in-interface=TIME-1Gbps-4
add action=accept chain=prerouting disabled=yes in-interface=Redtone-br
add action=mark-connection chain=prerouting comment=new dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=Unifi_conn passthrough=
    yes per-connection-classifier=src-address:3/0
add action=mark-connection chain=prerouting dst-address-list=!LANs
    in-interface-list=LAN new-connection-mark=Unifi-2_conn passthrough=yes
    per-connection-classifier=src-address:3/1
add action=mark-connection chain=prerouting dst-address-list=!LANs
    in-interface-list=LAN new-connection-mark=Unifi-3_conn passthrough=yes
    per-connection-classifier=src-address:3/2
add action=mark-connection chain=prerouting comment=current disabled=yes
    dst-address-list=!LANs in-interface-list=LAN new-connection-mark=
    Unifi_conn passthrough=yes per-connection-classifier=src-address:7/0
add action=mark-connection chain=prerouting disabled=yes dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=TIME_conn passthrough=yes
    per-connection-classifier=src-address:7/1
add action=mark-connection chain=prerouting disabled=yes dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=Unifi-2_conn passthrough=
    yes per-connection-classifier=src-address:7/2
add action=mark-connection chain=prerouting disabled=yes dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=TIME-2_conn passthrough=
    yes per-connection-classifier=src-address:7/3
add action=mark-connection chain=prerouting disabled=yes dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=Unifi-3_conn passthrough=
    yes per-connection-classifier=src-address:7/4
add action=mark-connection chain=prerouting disabled=yes dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=TIME-3_conn passthrough=
    yes per-connection-classifier=src-address:7/5
add action=mark-connection chain=prerouting disabled=yes dst-address-list=
    !LANs in-interface-list=LAN new-connection-mark=TIME-4_conn passthrough=
    yes per-connection-classifier=src-address:7/6
add action=mark-routing chain=prerouting comment=current connection-mark=
    Unifi_conn in-interface-list=LAN new-routing-mark=to_Unifi passthrough=
    yes
add action=mark-routing chain=prerouting connection-mark=TIME_conn
    in-interface-list=LAN new-routing-mark=to_TIME passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Unifi-2_conn
    in-interface-list=LAN new-routing-mark=to_Unifi-2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TIME-2_conn
    in-interface-list=LAN new-routing-mark=to_TIME-2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Unifi-3_conn
    in-interface-list=LAN new-routing-mark=to_Unifi-3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TIME-3_conn
    in-interface-list=LAN new-routing-mark=to_TIME-3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TIME-4_conn
    in-interface-list=LAN new-routing-mark=to_TIME-4 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Redtone_conn
    disabled=yes in-interface-list=LAN new-routing-mark=to_Redtone
    passthrough=yes
add action=mark-routing chain=prerouting comment=CJ1-PBR disabled=yes
    in-interface-list=LAN new-routing-mark=Customer passthrough=yes
    src-address=172.16.252.0/22
add action=mark-routing chain=prerouting comment=
    "Speedtest redirect to main line" disabled=yes dst-address-list=Speedtest
    new-routing-mark=to_Unifi passthrough=yes src-address-list=GPON_Users
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dst-address-list=
    172.16.252.100 out-interface=Customer src-address-list=192.168.88.0/24
add action=dst-nat chain=dstnat comment=
    "winbox dst-nat access to 192.168.88.2" dst-port=58291 in-interface-list=
    WAN protocol=tcp to-addresses=192.168.88.2 to-ports=8291
add action=dst-nat chain=dstnat comment=
    "winbox dst-nat access to 192.168.88.2" dst-port=1812 in-interface-list=
    WAN protocol=udp to-addresses=192.168.88.2 to-ports=1812
add action=dst-nat chain=dstnat comment=
    "winbox dst-nat access to 192.168.88.2" dst-port=1813 in-interface-list=
    WAN protocol=udp to-addresses=192.168.88.2 to-ports=1813
add action=dst-nat chain=dstnat comment=
    "winbox dst-nat access to 192.168.88.2" disabled=yes dst-port=8728
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.2 to-ports=
    8728
add action=masquerade chain=srcnat disabled=yes out-interface=to-Bintang
add action=masquerade chain=srcnat comment=
    "masquerade Customer to Unifi-1Gbps" out-interface=Unifi-1Gbps
add action=masquerade chain=srcnat comment=
    "masquerade Customer to Unifi-1Gbps-2" out-interface=Unifi-1Gbps-2
add action=masquerade chain=srcnat comment=
    "masquerade Customer to Unifi-1Gbps-3" out-interface=Unifi-1Gbps-3
# Unifi-2Gbps not ready
add action=masquerade chain=srcnat comment=
    "masquerade Customer to Unifi-1Gbps-3" out-interface=Unifi-2Gbps
# TIME-1Gbps not ready
add action=masquerade chain=srcnat comment=
    "masquerade Customer to TIME-1Gbps" out-interface=TIME-1Gbps
# TIME-1Gbps-2 not ready
add action=masquerade chain=srcnat comment=
    "masquerade Customer to TIME-1Gbps-2" out-interface=TIME-1Gbps-2
# TIME-1Gbps-3 not ready
add action=masquerade chain=srcnat comment=
    "masquerade Customer to TIME-1Gbps-3" out-interface=TIME-1Gbps-3
# TIME-1Gbps-4 not ready
add action=masquerade chain=srcnat comment=
    "masquerade Customer to TIME-1Gbps-4" out-interface=TIME-1Gbps-4
add action=masquerade chain=srcnat comment="masquerade internet connection"
    disabled=yes out-interface-list=WAN
/ip firewall raw
add action=add-dst-to-address-list address-list=Speedtest
    address-list-timeout=none-dynamic chain=prerouting content=speedtest.net
    disabled=yes dst-address-list=!GPON_Users src-address-list=GPON_Users
add action=add-dst-to-address-list address-list=Speedtest
    address-list-timeout=none-dynamic chain=prerouting content=
    speedtest.tm.com.my dst-address-list=!GPON_Users src-address-list=
    GPON_Users
add action=add-dst-to-address-list address-list=Speedtest
    address-list-timeout=none-dynamic chain=prerouting content=fast.com
    disabled=yes dst-address-list=!GPON_Users src-address-list=GPON_Users
/ip ipsec identity
add auth-method=eap-radius certificate="letsencrypt-autogen_2024-07-08T16:00:3\
    3Z,r10.pem_0,r11.pem_0,e5-cross.pem_0,e6-cross.pem_0,isrgrootx1.pem_0"
    generate-policy=port-strict mode-config=ike2-conf peer=ike2
    policy-template-group=ike2-policies
/ip ipsec policy
add dst-address=192.168.99.0/24 group=ike2-policies proposal=ike2
    src-address=0.0.0.0/0 template=yes
/ip ipsec settings
set xauth-use-radius=yes
/ip route
add comment="LB Route Unifi" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=Unifi-1Gbps pref-src="" routing-table=to_Unifi scope=30
    suppress-hw-offload=no target-scope=10
add comment="LB Route TIME" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=TIME-1Gbps pref-src="" routing-table=to_TIME scope=30
    suppress-hw-offload=no target-scope=10
add comment="LB Route Unifi-2" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=Unifi-1Gbps-2 pref-src="" routing-table=to_Unifi-2 scope=30
    suppress-hw-offload=no target-scope=10
add comment="LB Route TIME-2" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=TIME-1Gbps-2 pref-src="" routing-table=to_TIME-2 scope=30
    suppress-hw-offload=no target-scope=10
add comment="LB Route Unifi-3" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=Unifi-1Gbps-3 pref-src="" routing-table=to_Unifi-3 scope=30
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=172.16.252.0/22 gateway=192.168.88.2
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=192.168.88.2
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=172.16.248.0/22 gateway=192.1.1.2 routing-table=
    main suppress-hw-offload=no
add comment="LB Route TIME-3" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=TIME-1Gbps-3 pref-src="" routing-table=to_TIME-3 scope=30
    suppress-hw-offload=no target-scope=10
add comment="LB Route TIME-4" disabled=no distance=1 dst-address=0.0.0.0/0
    gateway=TIME-1Gbps-4 pref-src="" routing-table=to_TIME-4 scope=30
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.244.0/22 gateway=192.2.2.2
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no
    target-scope=10
add comment="LB Route Unifi-2Gbps" disabled=no distance=1 dst-address=
    0.0.0.0/0 gateway=Unifi-2Gbps pref-src="" routing-table=to_Unifi-2Gbps
    scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=letsencrypt-autogen_2024-07-08T16:00:33Z disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
add address=::bab1 from-pool=unifipool6 interface=Management
/ipv6 dhcp-client
add interface=Unifi-1Gbps pool-name=unifipool6 request=prefix
add disabled=yes interface=TIME-1Gbps pool-name=timepool6 request=prefix
add disabled=yes interface=Unifi-1Gbps-2 pool-name=unifipool6-2 request=
    prefix
add disabled=yes interface=TIME-1Gbps-2 pool-name=timepool6-2 request=prefix
/ppp aaa
set use-radius=yes
/radius
add address=127.0.0.1 service=login,ipsec
/radius incoming
set accept=yes
/routing ospf interface-template
add area=backbone disabled=no interfaces=Management
add area=backbone disabled=no interfaces=to-Bintang type=ptp
add area=backbone disabled=no interfaces=to-Chambers type=ptp
add area=backbone disabled=no interfaces=to-YouthCity type=ptp
add area=backbone disabled=no interfaces=IKE2
add area=backbone disabled=no interfaces=to-Trion1 type=ptp
add area=backbone disabled=no interfaces=to-Trion2 type=ptp
add area=backbone disabled=no interfaces=CJ1-Internet type=ptp
/routing rule
add action=lookup-only-in-table disabled=yes src-address=172.16.252.0/22
    table=Customer
add action=lookup disabled=yes dst-address=192.168.88.0/24 src-address=
    192.168.99.0/24 table=to_TIME
add action=lookup disabled=yes dst-address=192.168.88.0/24 src-address=
    192.168.99.0/24 table=to_Unifi
/snmp
set contact=Wilson enabled=yes location=Mvertica trap-version=2
/system clock
set time-zone-name=Asia/Kuching
/system clock manual
set time-zone=+08:00
/system identity
set name=Origin_TechLab
/system logging
add disabled=yes topics=pppoe
add topics=wireguard
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=12w6d name=certificate_autorenew on-event="/ip service enable www\
    ;\r\
    \n/ip firewall filter disable [find comment=\"drop everything except from \
    (Hafizul IP)\"];\r\
    \n/log info \"Let's Encrypt certificate renewal started\";\r\
    \n\r\
    \n/certificate enable-ssl-certificate dns-name=redacted;\r\
    \n\r\
    \n/ip service disable www;\r\
    \n/ip firewall filter disable [find comment=\"drop everything except from \
    (Hafizul IP)\"];\r\
    \n/log info \"Let's Encrypt certificate renewal completed\";" policy=
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
    start-date=2023-07-15 start-time=00:00:00
add disabled=yes interval=1w name=user-manager_clear_unactive on-event=
    "/user-manager/session/remove [find where active=no]" policy=
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
    start-date=2023-07-25 start-time=00:00:00
/tool graphing
set store-every=24hours
/tool graphing interface
add
/user-manager
set certificate=*0 enabled=yes
/user-manager profile-limitation
add limitation=100Mbps profile=GPON_100Mbps
add limitation=200Mbps profile=GPON_200Mbps
add limitation=300Mbps profile=GPON_300Mbps
/user-manager router
add address=127.0.0.1 name=RADIUS
```


Mikrotik 2 (DC)

```text
# 2024-07-22 20:17:55 by RouterOS 7.15.2
# software id = redacted
#
# model = CCR2004-1G-12S+2XS
# serial number = redacted
/interface bridge
add name=lan
/interface ethernet
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no speed=1G-baseX
/interface wireguard
add comment=back-to-home-vpn listen-port=4368 mtu=1420 name=back-to-home-vpn
add listen-port=13234 mtu=1420 name=wg-bintang
add listen-port=13233 mtu=1420 name=wg-chambers
add listen-port=13231 mtu=1420 name=wg-mvertica
add listen-port=13235 mtu=1420 name=wg-trion1
add listen-port=13236 mtu=1420 name=wg-trion2
add listen-port=13232 mtu=1420 name=wg-youthcity
/ip pool
add name=dhcp_pool0 ranges=172.255.0.10-172.255.0.15
/ip dhcp-server
add address-pool=dhcp_pool0 interface=lan name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/routing ospf instance
add disabled=no name=ospf-instance-1
/routing ospf area
add disabled=no instance=ospf-instance-1 name=backbone
/interface bridge port
add bridge=lan interface=ether1
add bridge=lan interface=sfp-sfpplus12
/ip firewall connection tracking
set udp-timeout=10s
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wg-mvertica is-responder=yes name=\
    Mvertica<>CJ1 public-key="zNNiAKHkr4ilR+YlswYQ/2yzVj4R5Sut+0txtNOcqUw="
add allowed-address=0.0.0.0/0 interface=wg-youthcity is-responder=yes name=\
    YouthCity<>CJ1 public-key="nP0+2K+p4sJW2eKH0M+Fb4fGVRnJNqccom5tE/U7lkQ="
add allowed-address=0.0.0.0/0 interface=wg-chambers is-responder=yes name=\
    Chambers<>CJ1 public-key="RX7krlOq+jvUCmTgk0PKTlPbQkeosmq1ZLGWJc4GTWg="
add allowed-address=0.0.0.0/0 interface=wg-bintang is-responder=yes name=\
    Bintang<>CJ1 public-key="nlq2Xpk69LypsJde9Qce1p0rERPakTRanD4/Yo0o/AQ="
add allowed-address=0.0.0.0/0 interface=wg-trion1 is-responder=yes name=\
    Trion1<>CJ1 public-key="PNiiHXsE72ujLVxrAviLqgayZGOKFFkEJTlwx3N+M38="
add allowed-address=0.0.0.0/0 interface=wg-trion2 is-responder=yes name=\
    Trion2<>CJ1 public-key="ROjuTdblIzPaXo8ko8qxemLNEXAMi0fofe29Ixgze2Q="
/ip address
add address=172.255.0.1/24 comment=defconf interface=lan network=172.255.0.0
add address=redacted interface=sfp-sfpplus1 network=redacted
add address=172.254.0.1/30 interface=wg-mvertica network=172.254.0.0
add address=172.254.0.5/30 interface=wg-youthcity network=172.254.0.4
add address=172.254.0.9/30 interface=wg-chambers network=172.254.0.8
add address=172.254.0.13/30 interface=wg-bintang network=172.254.0.12
add address=172.254.0.17/30 interface=wg-trion1 network=172.254.0.16
add address=172.254.0.21/30 interface=wg-trion2 network=172.254.0.20
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud back-to-home-users
add allow-lan=yes name=fizo private-key=\
    redacted public-key=\
    "Ssnvcx/np5AeZhwBlygsr6epgpymgyzQKiy38iDM5wc="
add allow-lan=yes name=wilson private-key=\
    redacted public-key=\
    "VhGrSrbNflE9q+M57saeGcjpYL8G+9nMEgxJUODlMRs="
/ip dhcp-server network
add address=172.255.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.255.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=redacted list=CJ1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
add action=dst-nat chain=dstnat comment="SSH tcp/22 dst-nat to Splynx Server" \
    dst-port=22 in-interface=sfp-sfpplus1 protocol=tcp to-addresses=\
    172.255.0.254 to-ports=22
add action=dst-nat chain=dstnat comment=\
    "HTTP tcp/80 dst-nat to Splynx Server" dst-port=80 in-interface=\
    sfp-sfpplus1 protocol=tcp to-addresses=172.255.0.254 to-ports=80
add action=dst-nat chain=dstnat comment=\
    "HTTP tcp/443 dst-nat to Splynx Server" dst-port=443 in-interface=\
    sfp-sfpplus1 protocol=tcp to-addresses=172.255.0.254 to-ports=443
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=redacted routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=172.16.252.0/22 gateway=172.254.0.2 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=172.16.248.0/22 gateway=172.254.0.6 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.244.0/22 gateway=172.254.0.10 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.240.0/22 gateway=172.254.0.14 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.236.0/22 gateway=172.254.0.18 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.16.232.0/22 gateway=172.254.0.22 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 route
add disabled=no dst-address=::/0 gateway=redacted routing-table=\
    main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 address
add address=redacted interface=sfp-sfpplus1
/routing ospf interface-template
add area=backbone disabled=no interfaces=wg-mvertica type=ptp
add area=backbone disabled=no interfaces=wg-youthcity type=ptp
add area=backbone disabled=no interfaces=wg-chambers type=ptp
add area=backbone disabled=no interfaces=wg-bintang type=ptp
add area=backbone disabled=no interfaces=wg-trion1 type=ptp
add area=backbone disabled=no interfaces=wg-trion2 type=ptp
add area=backbone disabled=no interfaces=lan
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name=OriginTechLab-CJ1
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
```

I want to route all of the users and all of the traffic to the specific WAN link. Basically I want to do PCC load balancing but through the WireGuard tunnel. I want to create a tunnel for each WAN link and redirect all traffic through the tunnels.

Also answer,
identify all users of wireguard tunnel
identify what traffic they need ( your input is not specific enough )

Okay,
So you want on the MT Client to have three different wireguard links to the other router, one through each ISP.
The purpose is so that local users on MT Client, will go out the internet of the other Router.
You want that traffic to be load balanced between each of your local ISPs, and more specifically through the tunnels for each.

Correct.

But I can't seem to achieve that yet because I don't know how. I tried to put routing rules in, but they are not working; same with mangle rules, also not working.

I will cover this conceptually because your config is a bloated mess, in my opinion and the thought of excising it at the moment, like the sight/smell of pus or blood, makes me queasy :slight_smile:
In no particular order:

CLIENT ROUTER

(1) Create 3 tables
add fib name=to-WG1
add fib name=to-WG2
add fib name=to-WG3

(2) Ensure all LAN users are captured by the LAN list interface. So that all users heading for the tunnels will be captured!

(3) Create manual routes table main
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12
add distance=2 dst-address=1.1.1.1/32 gateway=ISP1-gateway routing-table=main scope=10 target-scope=11
+++
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add distance=4 dst-address=9.9.9.9/32 gateway=ISP2-gateway routing-table=main scope=10 target-scope=11
+++
add check-gateway=ping distance=6 dst-address=0.0.0.0/0 gateway=208.67.220.220 routing-table=main scope=10 target-scope=12
add distance=6 dst-address=208.67.220.220/32 gateway=ISP3-gateway routing-table=main scope=10 target-scope=11

By the way this automatically creates a general failover setup such that if WAN1 is not available, traffic is sent to WAN2. We will mimic this in special table routes below.
If WAN1 is not available, traffic is sent to WAN2 if avail, otherwise to WAN3
If WAN2 is not available, traffic is sent to WAN1 if avail, otherwise to WAN3
If WAN3 is not available, traffic is sent to WAN1 if avail, otherwise to WAN2

(4) Create Routes for Special Tables
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG1
add dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=to-WG2
add dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=to-WG3

(5) Create three separate wireguard interfaces (one per WAN link is needed, as allowed IPs will be using 0.0.0.0/0). Listening port is not critical (does not need to be the same)
/interface wireguard
add listen-port=15111 mtu=1420 name=wireguard1
add listen-port=15222 mtu=1420 name=wireguard2
add listen-port=15333 mtu=1420 name=wireguard3

(6) Create addresses:
add address=10.10.10.2/30 interface=wireguard1 network=10.10.10.0
add address=10.10.20.2/30 interface=wireguard2 network=10.10.20.0
add address=10.10.30.2/30 interface=wireguard3 network=10.10.30.0

(7) Create allowed IPs
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=ROUTER2-DYNDNS endpoint-port=15167 interface=wireguard1 public-key=" …" persistent-keepalive=25s
add allowed-address=0.0.0.0/0 endpoint-address=ROUTER2-DYNDNS endpoint-port=15267 interface=wireguard2 public-key=" ===== " persistent-keepalive=30s
add allowed-address=0.0.0.0/0 endpoint-address=ROUTER2-DYNDNS endpoint-port=15367 interface=wireguard3 public-key=" ;;;;;;;" persistent-keepalive=34s

(8) To keep it simpler for the admin (it removes the need on the other router to have routes for non-local subnets, and the right subnets in allowed IPs), we will source-NAT the traffic

/interface list members
add interface=WAN1-interface list=WAN
add interface=WAN2-interface list=WAN
add interface=WAN3-interface list=WAN
add interface=wireguard1 list=WAN
add interface=wireguard2 list=WAN
add interface=wireguard3 list=WAN
add interface=wireguard1 list=Enter
add interface=wireguard2 list=Enter
add interface=wireguard3 list=Enter

Then this generic default masquerade rule works for all wireguard traffic as well!!
add action=masquerade chain=srcnat out-interface-list=WAN

(9) Firewall Rules Forward chain
add chain=forward action=accept comment="Allow LAN to Tunnel" in-interface-list=LAN out-interface-list=Enter
(10) MANGLING - No servers and no incoming traffic for services, it's all outgoing.
/ip firewall mangle
{capture the PCC traffic}
add chain=forward action=mark-connection connection-mark=no-mark in-interface-list=LAN new-connection-mark=via-WAN1 dst-address-type=!local passthrough=yes per-connection-classifier=both-addresses:3/0
add chain=forward action=mark-connection connection-mark=no-mark in-interface-list=LAN new-connection-mark=via-WAN2 dst-address-type=!local passthrough=yes per-connection-classifier=both-addresses:3/1
add chain=forward action=mark-connection connection-mark=no-mark in-interface-list=LAN new-connection-mark=via-WAN3 dst-address-type=!local passthrough=yes per-connection-classifier=both-addresses:3/2

{route the PCC traffic}
add chain=prerouting action=mark-routing connection-mark=via-WAN1
new-routing-mark=to-WG1 passthrough=no
add chain=prerouting action=mark-routing connection-mark=via-WAN2
new-routing-mark=to-WG2 passthrough=no
add chain=prerouting action=mark-routing connection-mark=via-WAN3
new-routing-mark=to-WG3 passthrough=no

(11) I would add to the TOP of the mangle rules, to ensure decent browsing experience.
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard2 passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard3 passthrough=yes protocol=tcp tcp-flags=syn

(12) What's left…
Doing some research on failover,
What one should realize is that if one of the WAN connections becomes broken, or one of the tunnels becomes broken, you will lose 1/3 of the traffic. The router will mark 1/3 of the traffic coming from users and it will go nowhere!

To avoid this, we do the following by replacing the THREE routes we had for special tables.
You will see that the first route of each block is identical to the basic three we had before, but we need to allow the router to access the other wireguards if necessary.

add check-gateway=ping dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG1 distance=2
add dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=to-WG1 distance=3
add dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=to-WG1 distance=4

add check-gateway=ping dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=to-WG2 distance=2
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG2 distance=3
add dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=to-WG2 distance=4

add check-gateway=ping dst-address=0.0.0.0/0 gateway=wireguard3 routing-table=to-WG3 distance=2
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-WG3 distance=3
add dst-address=0.0.0.0/0 gateway=wireguard2 routing-table=to-WG3 distance=4



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Looking At REMOTE ROUTER (server for handshake)

(13) Create three separate wireguard interfaces (one per WAN link is needed, as allowed IPs will be using 0.0.0.0/0)
/interface wireguard
add listen-port=15167 mtu=1420 name=wireguard-one
add listen-port=15267 mtu=1420 name=wireguard-two
add listen-port=15367 mtu=1420 name=wireguard-three

(14) Create addresses:
add address=10.10.10.1/30 interface=wireguard-one network=10.10.10.0
add address=10.10.20.1/30 interface=wireguard-two network=10.10.20.0
add address=10.10.30.1/30 interface=wireguard-three network=10.10.30.0

(15) Create allowed IPs
/interface wireguard peers
add allowed-address=10.10.10.2 interface=wireguard-one public-key=" …" comment="incoming remote WAN1"
add allowed-address=10.10.20.2 interface=wireguard-two public-key=" == " comment="incoming remote WAN2"
add allowed-address=10.10.30.2 interface=wireguard-three public-key=" ;;;;;" comment="incoming remote WAN3"

(16) Interface lists…
/interface list members
add interface=wireguard-one list=LAN
add interface=wireguard-two list=LAN
add interface=wireguard-three list=LAN

(17) Firewall rules
/ip firewall filter
add chain=input action=accept comment="wireguard handshake" dst-port=15167 protocol=udp
add chain=input action=accept comment="wireguard handshake" dst-port=15267 protocol=udp
add chain=input action=accept comment="wireguard handshake" dst-port=15367 protocol=udp

Ensure LAN users have access to dns services
add chain=input action=accept comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add chain=input action=accept comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp

Ensure LAN users have access to internet in the FORWARD CHAIN
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN

Review write down any questions, pose them here.
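To make the failover argument in step (12) concrete, here is a small simulation, added as an example; it is neither RouterOS code nor the poster's configuration. It models the PCC split from step (10) (`both-addresses:3/N` → `via-WAN1..3` → tables `to-WG1..3`), then resolves each table once with the single default routes of step (4) and once with the three-route tables of step (12), while one or two tunnels are unreachable. Two things are assumptions: RouterOS does not publish its PCC hash, so CRC32 over the packed source and destination addresses stands in for it (only "same pair, same bucket" matters here), and route activity is modelled as "a route is withdrawn only when its `check-gateway=ping` fails", which is how a route whose gateway is an always-running WireGuard interface behaves. The LAN client and Internet host addresses are constructed sample data.

```python
"""Simulate PCC marking plus per-table failover for three WireGuard tunnels.

Added example, not RouterOS code.  Assumptions: CRC32 stands in for the
undocumented PCC hash; a route is withdrawn only if it carries
check-gateway=ping and that ping fails (a WireGuard interface stays
'running' even when its peer is dead, so plain interface routes stay active).
"""
import ipaddress
import zlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    gateway: str                 # interface used as gateway (wireguard1..3)
    distance: int
    check_gateway: bool = False  # check-gateway=ping present on this route?


def pcc_both_addresses(src: str, dst: str, denominator: int) -> int:
    """Stand-in for per-connection-classifier=both-addresses:D/R.
    Returns the remainder R that this src/dst pair falls into (assumed hash)."""
    data = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return zlib.crc32(data) % denominator


# Step (10): remainder -> connection-mark -> routing table
CONNECTION_MARK = {0: "via-WAN1", 1: "via-WAN2", 2: "via-WAN3"}
ROUTING_TABLE = {"via-WAN1": "to-WG1", "via-WAN2": "to-WG2", "via-WAN3": "to-WG3"}

# Step (4): one default route per table, no health check
SINGLE_ROUTE_TABLES = {
    "to-WG1": [Route("wireguard1", 1)],
    "to-WG2": [Route("wireguard2", 1)],
    "to-WG3": [Route("wireguard3", 1)],
}

# Step (12): checked primary tunnel, then the other two as fallbacks
FAILOVER_TABLES = {
    "to-WG1": [Route("wireguard1", 2, True), Route("wireguard2", 3), Route("wireguard3", 4)],
    "to-WG2": [Route("wireguard2", 2, True), Route("wireguard1", 3), Route("wireguard3", 4)],
    "to-WG3": [Route("wireguard3", 2, True), Route("wireguard1", 3), Route("wireguard2", 4)],
}


def active_gateway(routes, unreachable):
    """Gateway of the lowest-distance route that is still active.
    Only a route with check-gateway=ping is withdrawn when its tunnel is
    unreachable; an unchecked route stays active and keeps attracting traffic."""
    for r in sorted(routes, key=lambda r: r.distance):
        if r.check_gateway and r.gateway in unreachable:
            continue
        return r.gateway
    return None


def simulate(flows, tables, unreachable):
    """Push each (src, dst) connection through PCC, table selection and the
    route lookup.  Returns (delivered, lost, Counter of gateway chosen)."""
    delivered = lost = 0
    used = Counter()
    for src, dst in flows:
        mark = CONNECTION_MARK[pcc_both_addresses(src, dst, 3)]
        gw = active_gateway(tables[ROUTING_TABLE[mark]], unreachable)
        used[gw] += 1
        if gw is None or gw in unreachable:
            lost += 1        # routed into a dead tunnel: the traffic "goes nowhere"
        else:
            delivered += 1
    return delivered, lost, used


def sample_flows(n=300):
    """Constructed sample: n LAN clients each talking to a different Internet
    host (addresses made up for the simulation; 203.0.113.0/24 is TEST-NET-3)."""
    return [(f"192.168.88.{10 + i % 200}", f"203.0.113.{i % 250}") for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows()
    print("all tunnels up, step (4)   :", simulate(flows, SINGLE_ROUTE_TABLES, set()))
    print("wireguard2 down, step (4)  :", simulate(flows, SINGLE_ROUTE_TABLES, {"wireguard2"}))
    print("wireguard2 down, step (12) :", simulate(flows, FAILOVER_TABLES, {"wireguard2"}))
    print("wg1 + wg2 down, step (12)  :", simulate(flows, FAILOVER_TABLES, {"wireguard1", "wireguard2"}))
```

With the step (4) tables every connection hashed to `via-WAN2` is lost while wireguard2 is down, which is the 1/3 loss described above; with the step (12) tables those connections fall through to wireguard1 and nothing is lost. The fourth run shows the limit of that design under the stated model: the fallback routes carry no `check-gateway`, so when the fallback tunnel is also dead the table still hands traffic to it. If the fallbacks are to be withdrawn as well, give them their own health check, either `check-gateway=ping` on each or the recursive route pattern from step (3) with the far-end tunnel address as the probe target.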

How do I know the WireGuard will initiate the connection using specific WAN links?

That is a very good question. Thanks for finding a missing link LOL.

Probably add;;;;;;;;;;;;
(1) Create 6 tables
add fib name=to-WG1
add fib name=to-WG2
add fib name=to-WG3
add fib name=to-WAN1
add fib name=to-WAN2
add fib name=to-WAN3

(2) More special table routes, one for each WAN (not the wireguard tunnels)
add dst-address=0.0.0.0/0 gateway=ISP1-gateway routing-table=to-WAN1
add dst-address=0.0.0.0/0 gateway=ISP2-gateway routing-table=to-WAN2
add dst-address=0.0.0.0/0 gateway=ISP3-gateway routing-table=to-WAN3

Mangle rules at the top PRIOR TO PCC. Don't quote me, they could be wrong… but my first thought is the following!!

/ip firewall mangle
add chain=output action=mark-routing new-routing-mark=to-WAN1 dst-address=DYNDNSURL dst-port=15167 protocol=udp
add chain=output action=mark-routing new-routing-mark=to-WAN2 dst-address=DYNDNSURL dst-port=15267 protocol=udp
add chain=output action=mark-routing new-routing-mark=to-WAN3 dst-address=DYNDNSURL dst-port=15367 protocol=udp