Routing Mark problem after moving from RouterOS 6.49.17 to 7.15.3

My setup for ROS 6.49.17 (on an hAP lite) has only a few additions from the default configuration, just to add a PPTP Client and includes the following:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
    src-address=192.168.92.2-192.168.92.254
/ip route
add distance=1 gateway=pptp-out1 routing-mark=vpn

Likewise, my setup for ROS 7.15.3 (on a hAP ax3) also only includes the following additions (I discovered that I had to create the “routing-mark” first in the “routing table”):

/routing table
add comment="For PPTP" disabled=no fib name=vpn
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=vpn passthrough=yes \
    src-address=192.168.90.2-192.168.90.254
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 \
    routing-table=vpn scope=30 suppress-hw-offload=no target-scope=10

My PPTP tunnel is created successfully, and I can use Tools > Ping to ping sites by IP address. However, when I attempt to ping by name, e.g. www.google.com (which works under ROS6), under ROS7 I get “Error in Ping To - ip address expected!”

It appears that the router (192.168.90.1), although still pingable, is being treated differently in ROS7, and hence DNS lookups are not working.

I read in the thread (http://forum.mikrotik.com/t/routing-mark-and-route-traffic-to-a-different-gw/160754/1) that something changed in the handling of packets with routing marks; however, I am still quite a novice with RouterOS and would appreciate a tip on what I need to change/add to regain ROS6-style handling of the router itself (i.e. 192.168.90.1 in my case).

Thanks in advance :slight_smile:

If you use WinBox, then DNS resolution happens on the client (the PC where it runs). It’s not clear what it uses as DNS server. But in case the problem really is caused by routing marks, you can always exclude the router by adding dst-address=!192.168.90.1 to the mangle rule (or dst-address-type=!local to cover all of the router’s addresses).
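Putting the question and the answer above together, here is a complete ROS7 version of the original PPTP setup with the router's own addresses kept out of the routing mark. This is an added example, not a config posted in the thread: the interface name pptp-out1, the table name vpn and the 192.168.90.x range are taken from the question, the comments and the dst-address-type matcher are the addition.

```routeros
# Added example: ROS7 policy routing for a LAN range through pptp-out1,
# with traffic addressed to the router itself left in the main table.
# Names are from the thread; the comment text is ours.

/routing table
# In ROS7 the mark must exist as a routing table with fib first, otherwise
# new-routing-mark will not offer it and the route below cannot be installed.
add comment="For PPTP" disabled=no fib name=vpn

/ip firewall mangle
# dst-address-type=!local: packets whose destination is any address the router
# owns (192.168.90.1, the PPTP-side address, the WAN address) are never marked,
# so DNS queries to the router and Winbox/SSH sessions to it keep using main.
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=vpn passthrough=yes \
    src-address=192.168.90.2-192.168.90.254

/ip route
# Default route that only marked traffic can see.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp-out1 \
    routing-table=vpn
```

To check it: /ip firewall mangle print stats shows the rule's counters rising for LAN traffic, /ip route print where routing-table=vpn shows the route active once the tunnel is up, and a lookup against 192.168.90.1 from a LAN client still works because it is a local destination and is not marked. dst-address=!192.168.90.1 (the fix applied in the thread) excludes that one address only; dst-address-type=!local also covers the router's WAN and tunnel-side addresses.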

Many many many thanks :sunglasses: by adding dst-address=!192.168.90.1 to mangle rule my problems vanished. Problem solved.

Long live mangle rules - and the excellent response on the forum :smiley:

Hi, I’m very glad you solved the problem, but I and the forum would be so much happier
if you also mark your case in this forum as solved.

See the pictures below.
Where you click on the following places on the thread that solved your problem.

So the AI can take over and know what the problems are with the respective solution.

At board style: Canvas

At board style: prosilver

Hello guys,

I’m trying to follow this tutorial https://www.youtube.com/watch?v=2pFcVRaoscE to add a VPN connection using Wireguard to warp Cloudflare.
But when I try to add mangle rules, on action “mark routing”, the ‘new routing mark’ doesn’t show the routing tables that I already added.
I’m adding routing tables on Routing → Tables, menu.

Why? Any suggestions?
Capture.PNG

because your routing table is not marked as FIB

Post your config for assessment, I have already discovered something missing on his config

/export file=anynameyouwish ( minus router serial number, mac address, any publicWANIP information, keys etc. )

On ros7 my routerboard has more RAM space, I think, but CPU usage is heavier than on ros6.

Here is my exported configuration.

# 2024-10-22 15:55:45 by RouterOS 7.16.1
# software id = #
#
# model = RB941-2nD
# serial number = #
/interface bridge
add admin-mac=# auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=indonesia distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=Scale wireless-protocol=802.11
/interface wireguard
add comment="Cloudflare WireGuard" listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment=guestconf interface=bridge name=vlan22 vlan-id=22
/interface bonding
add name=bonding1 slaves=ether3,ether4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
add eap-methods="" name=guest supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=# master-interface=\
    wlan1 multicast-buffering=disabled name=wlan2 security-profile=guest \
    ssid="Scale Guest" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=guest-dhcp ranges=192.168.84.2-192.168.84.8
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=guest-dhcp interface=vlan22 lease-time=10m name=guestconf
/queue simple
add max-limit=1M/1M name=queue-guest target=vlan22
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add comment="Cloudflare WireGuard" disabled=no name=to-Cloudflare
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge ingress-filtering=no interface=wlan2 internal-path-cost=10 \
    path-cost=10 pvid=22
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding1 vlan-ids=22
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment="Cloudflare WireGuard" \
    endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
    interface=wireguard1 name="cloudflare wireguard" public-key=\
    "#"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.84.1/28 comment=guestconf disabled=yes interface=vlan22 \
    network=192.168.84.0
add address=192.168.100.100/24 comment=wan1 interface=ether1 network=\
    192.168.100.0
add address=192.168.2.100/24 comment=wan2 interface=ether2 network=\
    192.168.2.0
add address=172.16.0.2 comment="Cloudflare WireGuard" interface=wireguard1 \
    network=172.16.0.2
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether2
/ip dhcp-server lease
add address=192.168.88.2 client-id=# mac-address=\
    # server=defconf
add address=192.168.88.6 mac-address=# server=defconf
add address=192.168.88.3 client-id=# mac-address=\
    # server=defconf
add address=192.168.88.4 client-id=# mac-address=\
    # server=defconf
add address=192.168.88.5 mac-address=# server=defconf
/ip dhcp-server network
add address=192.168.84.0/28 comment=guestconf dns-server=8.8.8.8,1.1.1.1 \
    gateway=192.168.84.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.100.1 name=wan1.logi.lo type=A
add address=192.168.2.1 name=wan2.logi.lo type=A
add address=192.168.88.6 name=stb1.logi.lo type=A
add address=127.0.0.1 name=stb2.logi.lo type=A
add address=192.168.88.4 name=eap1.logi.lo type=A
add address=192.168.100.254 name=cpe1.logi.lo type=A
add address=192.168.88.2 name=switch1.logi.lo type=A
add address=192.168.88.3 name=switch2.logi.lo type=A
add address=192.168.88.5 name=tlmr1.logi.lo type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="guestconf: drop to ether2" \
    in-interface=vlan22 out-interface=ether2
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Cloudflare WireGuard" \
    out-interface=wireguard1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=# name="Redmi-10C;2" user=""
add mac-address=# name="ESP-67B077;6" user=""
/ip route
add check-gateway=ping comment=Recursive disabled=no dst-address=0.0.0.0/0 \
    gateway=8.8.8.8 target-scope=30
add check-gateway=ping comment=Main disabled=no dst-address=8.8.8.8/32 \
    gateway=192.168.100.1
add check-gateway=ping comment=Backup disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=192.168.2.1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
/system scheduler
add interval=2d name=reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2021-02-28 start-time=16:32:56
add interval=2h name="dns clear" on-event="/ip dns cache flush" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2021-02-28 start-time=16:35:12
add comment="trigger duckdns updater" interval=1m name="duckdns updater" \
    on-event="/system script run duckdns" policy=read,write,policy,test \
    start-time=startup
/system script
add comment="duckdns updater" dont-require-permissions=no name=duckdns owner=\
    admin policy=read,write,policy,test source=":local resolvedIP [:resolve \"\
    #.duckdns.org\"];\
    \n:local currentIP [/ip cloud get public-address];\
    \n:local currentIP [:pick \$currentIP 0 [:find \$currentIP \"/\"]];\
    \n\
    \n:if (\$resolvedIP != \$currentIP) do={\
    \n    :log info (\"Trying to update DuckDNS with actual IP \".\$currentIP.\
    \", resolved IP is \".\$resolvedIP);\
    \n    :local response [/tool fetch url=(\"https://www.duckdns.org/update\?\
    domains=#&token=\
    \#&ip=\".\$currentIP) check-certificat\
    e=yes as-value output=user];\
    \n    :if (\$response->\"status\" = \"finished\") do={\
    \n        :if (\$response->\"data\" = \"OK\") do={\
    \n            :log info (\"Successfully updated DuckDNS with new IP \".\$c\
    urrentIP);\
    \n        } else={\
    \n            :log error (\"Failed to update DuckDNS with new IP \".\$curr\
    entIP);\
    \n        }\
    \n    }\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I already rebooted the router, and then the routing tables came up.

But there is another problem: I’m using recursive failover, WAN 1 to my main internet and WAN 2 to my second internet as backup.
When I follow the last tutorial and:

  • add mangle “chain prerouting, src. address range of default-dhcp, action mark-routing, new routing mark to-Cloudflare”
  • add routes that “Dst. Address 0.0.0.0/0 to gateway wireguard1, and routing table to-Cloudflare”,

it works, and my internet connection goes through the WireGuard VPN, but after applying the route my Winbox disconnects from my RouterBOARD and can’t connect via IP, only via MAC address. Any suggestion?

Here is my new configuration after following that tutorial.

# 2024-10-22 16:57:18 by RouterOS 7.16.1
# software id = #
#
# model = RB941-2nD
# serial number = #
/interface bridge
add admin-mac=# auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=indonesia distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=Scale wireless-protocol=802.11
/interface wireguard
add comment="Cloudflare WireGuard" listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment=guestconf interface=bridge name=vlan22 vlan-id=22
/interface bonding
add name=bonding1 slaves=ether3,ether4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
add eap-methods="" name=guest supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=# master-interface=\
    wlan1 multicast-buffering=disabled name=wlan2 security-profile=guest \
    ssid="Scale Guest" wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=guest-dhcp ranges=192.168.84.2-192.168.84.8
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=guest-dhcp interface=vlan22 lease-time=10m name=guestconf
/queue simple
add max-limit=1M/1M name=queue-guest target=vlan22
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add comment="Cloudflare WireGuard" disabled=no fib name=to-Cloudflare
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no \
    interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=pwr-line1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge ingress-filtering=no interface=wlan2 internal-path-cost=10 \
    path-cost=10 pvid=22
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding1 vlan-ids=22
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment="Cloudflare WireGuard" \
    endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
    interface=wireguard1 name="cloudflare wireguard" public-key=\
    "#"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.84.1/28 comment=guestconf disabled=yes interface=vlan22 \
    network=192.168.84.0
add address=192.168.100.100/24 comment=wan1 interface=ether1 network=\
    192.168.100.0
add address=192.168.2.100/24 comment=wan2 interface=ether2 network=\
    192.168.2.0
add address=172.16.0.2 comment="Cloudflare WireGuard" interface=wireguard1 \
    network=172.16.0.2
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add comment=defconf disabled=yes interface=ether2
/ip dhcp-server lease
add address=192.168.88.2 client-id=# mac-address=\
    # server=defconf
add address=192.168.88.6 mac-address=# server=defconf
add address=192.168.88.3 client-id=# mac-address=\
    # server=defconf
add address=192.168.88.4 client-id=# mac-address=\
    # server=defconf
add address=192.168.88.5 mac-address=# server=defconf
/ip dhcp-server network
add address=192.168.84.0/28 comment=guestconf dns-server=8.8.8.8,1.1.1.1 \
    gateway=192.168.84.1
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1 \
    gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.100.1 name=wan1.logi.lo type=A
add address=192.168.2.1 name=wan2.logi.lo type=A
add address=192.168.88.6 name=stb1.logi.lo type=A
add address=127.0.0.1 name=stb2.logi.lo type=A
add address=192.168.88.4 name=eap1.logi.lo type=A
add address=192.168.100.254 name=cpe1.logi.lo type=A
add address=192.168.88.2 name=switch1.logi.lo type=A
add address=192.168.88.3 name=switch2.logi.lo type=A
add address=192.168.88.5 name=tlmr1.logi.lo type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="guestconf: drop to ether2" \
    in-interface=vlan22 out-interface=ether2
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Cloudflare WireGuard" \
    new-routing-mark=to-Cloudflare passthrough=no src-address=\
    192.168.88.10-192.168.88.254
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Cloudflare WireGuard" \
    out-interface=wireguard1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=# name="Redmi-10C;2" user=""
add mac-address=# name="ESP-67B077;6" user=""
/ip route
add check-gateway=ping comment=Recursive disabled=no dst-address=0.0.0.0/0 \
    gateway=8.8.8.8 target-scope=30
add check-gateway=ping comment=Main disabled=no distance=1 dst-address=\
    8.8.8.8/32 gateway=192.168.100.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=Backup disabled=no distance=2 dst-address=\
    0.0.0.0/0 gateway=192.168.2.1
add comment="Cloudflare WireGuard" disabled=yes distance=1 dst-address=\
    8.8.8.8/32 gateway=wireguard1 routing-table=to-Cloudflare scope=30 \
    suppress-hw-offload=no target-scope=10
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Asia/Jakarta
/system note
set show-at-login=no
/system scheduler
add interval=2d name=reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2021-02-28 start-time=16:32:56
add interval=2h name="dns clear" on-event="/ip dns cache flush" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2021-02-28 start-time=16:35:12
add comment="trigger duckdns updater" interval=1m name="duckdns updater" \
    on-event="/system script run duckdns" policy=read,write,policy,test \
    start-time=startup
/system script
add comment="duckdns updater" dont-require-permissions=no name=duckdns owner=\
    admin policy=read,write,policy,test source=":local resolvedIP [:resolve \"\
    #.duckdns.org\"];\
    \n:local currentIP [/ip cloud get public-address];\
    \n:local currentIP [:pick \$currentIP 0 [:find \$currentIP \"/\"]];\
    \n\
    \n:if (\$resolvedIP != \$currentIP) do={\
    \n    :log info (\"Trying to update DuckDNS with actual IP \".\$currentIP.\
    \", resolved IP is \".\$resolvedIP);\
    \n    :local response [/tool fetch url=(\"https://www.duckdns.org/update\?\
    domains=#&token=\
    \#&ip=\".\$currentIP) check-certificat\
    e=yes as-value output=user];\
    \n    :if (\$response->\"status\" = \"finished\") do={\
    \n        :if (\$response->\"data\" = \"OK\") do={\
    \n            :log info (\"Successfully updated DuckDNS with new IP \".\$c\
    urrentIP);\
    \n        } else={\
    \n            :log error (\"Failed to update DuckDNS with new IP \".\$curr\
    entIP);\
    \n        }\
    \n    }\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Way before wireguard you have to fix the errors in your config…
Firstly, you state ether2 is a WAN port and yet you have ether2 on the bridge… It should be removed.

It also states that you have ether3 and ether4 on the bridge, but earlier you have them bonded and you also have the bond on the bridge.
I’m no expert but one does not put all of them on the bridge and I would hazard a guess just the bond.

Now you have the bonding on the bridge and the bridge doing DHCP hands out IP addresses for the .88 subnet.
Why do you have the bond associated with vlan22 on the single interface bridge vlan rule??
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding1 vlan-ids=22

It should be…
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan2 vlan-ids=22

Fix interface list members.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan22 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN

Why is vlan22 disabled??

For wireguard allowed IPs modify this:
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment="Cloudflare WireGuard" \
    endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
    interface=wireguard1 name="cloudflare wireguard" public-key=\
    "#"

TO
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Cloudflare WireGuard" \
    endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
    interface=wireguard1 name="cloudflare wireguard" public-key=\
    "#" persistent-keep-alive=35s

Fix IP address for wireguard… to:
/ip address
add address=172.16.0.2 comment="Cloudflare WireGuard" interface=wireguard1 \
    network=172.16.0.0

Remove current mangle rule…
Add routing rules instead.
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=to-Cloudflare



NEED to adjust Routes accordingly.
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=8.8.8.8 scope=10 target-scope=12
add check-gateway=ping dst-address=8.8.8.8/32 gateway=192.168.100.1 scope=10 target-scope=11
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-Cloudflare

Recommend adding this mangle rule to help with potential MTU issues.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535


++++++++++++++++++++++++++++
What is going on with the IP addresses between 192.168.88.2-192.168.88.9??
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.2 name=switch1.logi.lo type=A
add address=192.168.88.3 name=switch2.logi.lo type=A
add address=192.168.88.5 name=tlmr1.logi.lo type=A

etc…
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
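For the WireGuard case, the routing-rule approach recommended in this reply, assembled into one complete snippet in the order RouterOS needs it, with comments on why each piece is there. This is an added example, not the reviewer's or the OP's config: the names to-Cloudflare, wireguard1 and 192.168.88.0/24 come from the thread, the MSS value is the one suggested above, and the comments are ours.

```routeros
# Added example (not a config posted in the thread): routing-rule based
# policy routing for the Cloudflare WireGuard tunnel.
# Names to-Cloudflare, wireguard1 and 192.168.88.0/24 come from the thread.

/routing table
# The table must be a FIB table, or it cannot hold routes or be chosen by rules.
add comment="Cloudflare WireGuard" disabled=no fib name=to-Cloudflare

/routing rule
# Rules are tried top to bottom; the first match decides the table.
# Rule 1: look in main, but min-prefix=0 (like Linux "suppress_prefixlength 0")
# discards a match on the default route, so only more specific routes count:
# connected LAN/WAN subnets and the router's own addresses stay in main and
# management of the router from the LAN keeps working. Anything else falls
# through to the next rule.
add action=lookup-only-in-table min-prefix=0 table=main
# Rule 2: remaining traffic from the LAN is looked up only in the VPN table.
add action=lookup-only-in-table src-address=192.168.88.0/24 table=to-Cloudflare

/ip route
# Default route in the VPN table only. Because rule 2 is lookup-only-in-table,
# LAN traffic never falls back to the WAN default routes in main when this
# route is unavailable: the VPN fails closed instead of leaking.
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=to-Cloudflare

/ip firewall nat
# Source NAT onto the tunnel address so replies come back through the tunnel
# (this rule is already present in the OP's export).
add action=masquerade chain=srcnat comment="Cloudflare WireGuard" \
    out-interface=wireguard1

/ip firewall mangle
# Clamp TCP MSS on SYNs leaving the tunnel (MTU 1420) to avoid PMTU black holes.
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
```

Verify with /routing rule print and /ip route print where routing-table=to-Cloudflare; a traceroute from a LAN client to a public address should no longer pass through 192.168.100.1 or 192.168.2.1, while a connection to 192.168.88.1 still matches rule 1 and stays in main.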

It’s not on, already disabled.

It also states that you have ether3 and ether4 on the bridge, but earlier you have them bonded and you also have the bond on the bridge.
I’m no expert but one does not put all of them on the bridge and I would hazard a guess just the bond.

Now you have the bonding on the bridge and the bridge doing DHCP hands out IP addresses for the .88 subnet.
Why do you have the bond associated with vlan22 on the single interface bridge vlan rule??
/interface bridge vlan
add bridge=bridge tagged=bridge,bonding1 vlan-ids=22

It should be…
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=wlan2 vlan-ids=22

Fix interface list members.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=vlan22 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN

I’m trying to follow you: remove bonding1 from the tagged bridge VLAN, and add vlan22 to the LAN interface list, but it doesn’t work. My access point uses VLANs to divide the wireless. The diagram is in the image attachments. Or did I make mistakes here?

Why is vlan22 disabled??

It’s on, already enabled.

++++++++++++++++++++++++++++
What is going on with the IP addresses between 192.168.88.2-192.168.88.9??
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.2 name=switch1.logi.lo type=A
add address=192.168.88.3 name=switch2.logi.lo type=A
add address=192.168.88.5 name=tlmr1.logi.lo type=A

etc…
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I reserved those IPs for those devices.

For wireguard allowed IPs modify this:
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 comment="Cloudflare WireGuard" \
    endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
    interface=wireguard1 name="cloudflare wireguard" public-key=\
    "#"

TO
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Cloudflare WireGuard" \
    endpoint-address=engage.cloudflareclient.com endpoint-port=2408 \
    interface=wireguard1 name="cloudflare wireguard" public-key=\
    "#" persistent-keep-alive=35s

Fix IP address for wireguard… to:
/ip address
add address=172.16.0.2 comment="Cloudflare WireGuard" interface=wireguard1 \
    network=172.16.0.0

Remove current mangle rule…
Add routing rules instead.
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.88.0/24 table=to-Cloudflare

After I add the routing rules, Winbox can’t connect to the router using the IP address. Why?

I think my question is off this topic, so I made a new topic for my questions… :slight_smile: https://forum.mikrotik.com/viewtopic.php?t=212011&sid=d60011cf12d294c3b04ebca9c2ab3ac0
cannot connect winbox via ip address.PNG
can connect winbox via ip address.PNG
switches vlan tag.PNG
Scale Diagram.drawio.png