Slow VPN performance HEX S (Wireguard and Express VPN)

Hi

I’m new to MikroTik. I have set up a hEX S with a Vodafone MU5001 5G router connected to the USB port and two ASUS RT-AX92U units set up as access points in a mesh configuration.

The hEX S is being used as it has PoE, and there is no power in the loft where the 5G antenna is. In the normal configuration all is working perfectly, but Vodafone use CGNAT, so I want to set up a VPN on the hEX for use by a single device (PlayStation).

It’s been a steep learning curve, but I have been able to successfully set up Express VPN (EX) as an L2TP client and also set up a WireGuard (WG) peer connected to an Ubuntu peer in Azure for comparison. My internet connection is around 300/40, but EX will max out at around 80-100 Mbps if IPsec is disabled, and WG at around 60 Mbps; both connections are in excess of 150 when using an iOS or Windows peer. Is this 1/3 download bandwidth normal for a router implementation? The CPU barely goes over 15% and the memory is not maxed out.

Strangely, when using WG with the Ookla speed test, sometimes the download works and is snappy, other times it hangs and fails to complete; upload is always OK and runs at the maximum speed of 40 Mbps.

I have read many articles to get things working, but settled on creating a routing table and a policy-based rule to route traffic to the interfaces. For testing I only have one set of rules active at a time, and I have tried deactivating all firewall rules and amending the fasttrack rule to !routing-mark, as I saw that this may help, but it made no difference.

I’ve posted my config (excluding IPv6) to see if there’s anything I can do to optimise (I’m sure there’s loads).

Any pointers greatly received :)

# aug/24/2022 20:15:51 by RouterOS 7.4.1
# software id = 1XT1-WAN2
#
# model = RB760iGS
# serial number = 
/interface bridge
add admin-mac=2C:C8:1B:90:73:F0 auto-mac=no comment=defconf name=bridge
/interface lte
set [ find ] name=Vodafone
/interface l2tp-client
add allow-fast-path=yes connect-to=uk-docklands-ubuntu-l2tp.xvnet.net \
    disabled=no max-mtu=1360 name=Express user=mnwflr
/interface wireguard
add listen-port=51820 mtu=1200 name=Wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=use-Exp
add disabled=no fib name=use-WG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=Vodafone list=WAN
add interface=Wireguard list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=20.117.233.19 endpoint-port=\
    51820 interface=Wireguard persistent-keepalive=25s public-key=\
    "wbvn3C8z9wu2xXUv2Vn/NedFSm2lUYL298XZLDGinzM="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.100.100.3 disabled=yes interface=Wireguard network=\
    10.100.100.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.214 client-id=1:1c:98:c1:c0:45:b9 mac-address=\
    1C:98:C1:C0:45:B9 server=defconf
add address=192.168.88.209 client-id=1:e6:ee:51:47:45:ce mac-address=\
    E6:EE:51:47:45:CE server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related,new connection-type="" hw-offload=\
    yes routing-mark=!use-WG
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=Vodafone
add action=masquerade chain=srcnat out-interface=Express
add action=masquerade chain=srcnat out-interface=Wireguard
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Express routing-table=use-Exp \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Wireguard pref-src=\
    "" routing-table=use-WG scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup disabled=no src-address=192.168.88.214/32 table=use-Exp

There is a huge difference between a routing-mark and a connection-mark. Whereas connection-mark is the same for packets in both directions of a connection, a routing-mark is only assigned per packet, so typically (not always) only to packets in one direction of a connection. But the action=fasttrack rule matches on packets in either direction of a connection, and once a packet matches it, the whole connection this packet is a part of becomes fasttracked.

However, fasttracking is not your problem here, because fasttracking interferes with mangling and with IPsec encryption of forwarded traffic, and you use none of these.

Unless the L2TP server is under your administration and you have already configured it accordingly, also set max-mru on the /interface l2tp-client row to 1360 and see whether the random behaviour disappears - this item tells the L2TP server what MTU is acceptable in the receiving direction.
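As an added illustration, not part of either post above, the following RouterOS fragment shows the connection-mark approach the reply describes, applied to the posted config: the PlayStation (192.168.88.214, the static lease from the export) gets its connections marked once, the routing-mark is derived from that connection-mark for LAN-originated packets only, the fasttrack rule excludes the marked connections by connection-mark instead of routing-mark, and the L2TP client gets max-mru alongside max-mtu. Interface and table names (bridge, Wireguard, Express, use-WG) are from the posted export; the mark name ps-vpn and the rule comments are assumed.

```routeros
# Added example, not from either forum post. Assumes the interfaces, the
# use-WG routing table and the 192.168.88.214 lease from the posted export;
# the connection-mark name "ps-vpn" is an arbitrary choice.

/ip firewall mangle
# 1. Mark the connection on its first packet from the LAN host. LAN-local
#    destinations are excluded so they are never sent into the tunnel.
add chain=prerouting in-interface=bridge src-address=192.168.88.214 \
    dst-address=!192.168.88.0/24 connection-state=new \
    action=mark-connection new-connection-mark=ps-vpn passthrough=yes \
    comment="PlayStation: mark connection for VPN"
# 2. Set the routing-mark per packet, but only for packets entering from the
#    LAN side; reply packets arriving from the tunnel keep the main table.
add chain=prerouting in-interface=bridge connection-mark=ps-vpn \
    action=mark-routing new-routing-mark=use-WG passthrough=no \
    comment="PlayStation: route via WireGuard"

/ip firewall filter
# 3. Replace the defconf fasttrack rule so the exclusion is keyed on the
#    connection-mark, which both directions of the connection carry. With
#    routing-mark=!use-WG an unmarked reply packet matches the rule and the
#    whole connection, including the marked direction, is fasttracked.
remove [ find comment="defconf: fasttrack" ]
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=!ps-vpn \
    place-before=[ find comment="defconf: accept established,related, untracked" ] \
    comment="fasttrack everything except VPN-marked connections"

/interface l2tp-client
# 4. Tell the L2TP server the acceptable MTU in the receiving direction as well.
set [ find name=Express ] max-mtu=1360 max-mru=1360

# The existing srcnat masquerade rules for out-interface=Wireguard and
# out-interface=Express already cover the tunnel side; nothing to add there.
```

Swap use-WG for use-Exp in step 2 to test the L2TP path with the same marking. Because the marked connection is never fasttracked, it stays fully in conntrack, which is what lets the reply direction be matched at all; the cost is that only this one host's traffic loses fasttrack, not the rest of the LAN.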