[Support request] Mangle rules to send traffic through Wireguard tunnel not working

Hi all.

I have a Hex S with a Wireguard interface that works as a “client”, so that I can selectively send traffic out through the tunnel whenever I want. This interface is called “VPN-Remote” in my export.

The Wireguard config itself seems to be OK, as I am also using a simple IP route that sends all the traffic with destination 192.168.1.0/24 over the Wireguard tunnel, and that part works well.

What I want to do as well, however, is use some mangle rules to select traffic that meets specific conditions (source devices, destination IPs, etc.) and send it through the tunnel. And here’s where the problems come.

I’ve reduced the mangle rules to be as simple as possible for this export: just pick the traffic coming from my phone (by MAC address) and mark it so that it’s routed through the tunnel. But it’s not working.

I’ve looked at the counters in the mangle rules and they do seem to detect traffic that meets the criteria… however, the traffic still goes out through my normal internet connection instead of the tunnel.

Could you please take a look at my config and let me know if you see anything that looks off to you? Thanks in advance!

# 2025-02-20 16:59:57 by RouterOS 7.17.2
# software id = 9A99-M04C
#
# model = RB760iGS
# serial number = [redacted]
/interface bridge
add admin-mac=[redacted] auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=19850 mtu=1420 name=VPN-Local
add listen-port=51821 mtu=1420 name=VPN-Remote
/interface vlan
add interface=sfp1 name=Internet vlan-id=63
/interface pppoe-client
add add-default-route=yes disabled=no interface=Internet name=PPPoE user=\
    [redacted]
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.10.1-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing rip instance
add afi=ipv4 disabled=no name=rip
/routing table
add comment="Routing table for VPN-Remote" disabled=no fib name=\
    VPN-Remote-table
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=PPPoE list=WAN
add interface=sfp1 list=WAN
add interface=VPN-Local list=LAN
add interface=*D list=LAN
/interface ovpn-server server
add mac-address=[redacted] name=ovpn-server1
/interface wireguard peers
add allowed-address=10.251.53.2/32 client-address=10.251.53.2/32 \
    endpoint-address=[local_public_IP] endpoint-port=51820 interface=\
    VPN-Local name="Pixel 9 Pro" public-key=\
    [redacted] responder=yes
add allowed-address=10.251.53.3/32 client-address=10.251.53.3/32 \
    endpoint-address=[local_public_IP] endpoint-port=51820 interface=\
    VPN-Local name="MacBook Pro" public-key=\
    [redacted] responder=yes
add allowed-address=0.0.0.0/0 endpoint-address=[remote_public_IP] \
    endpoint-port=51820 interface=VPN-Remote name="MikroTik Hex S" \
    preshared-key=[redacted] public-key=\
    [redacted]
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=192.168.2.100 interface=sfp1 network=192.168.2.1
add address=10.251.53.1/24 interface=VPN-Local network=10.251.53.0
add address=10.184.203.4/24 interface=*D network=10.184.203.0
add address=10.184.203.4 interface=VPN-Remote network=10.184.203.4
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
[redacted_domain_list_here-not_used_now]
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow Wireguard traffic to VPN-Local" \
    dst-port=19850 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!remote-vpn-traffic-mark connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    VPN-Local protocol=tcp tcp-flags=syn
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    VPN-Remote protocol=tcp tcp-flags=syn
add action=mark-connection chain=prerouting connection-state=new \
    new-connection-mark=remote-vpn-traffic-mark src-mac-address=\
    [mac_address_of_target_device]
add action=mark-routing chain=prerouting connection-mark=\
    remote-vpn-traffic-mark dst-address-type=!local in-interface-list=LAN \
    new-routing-mark=VPN-Remote-table passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VPN-Remote
/ip proxy
set enabled=yes
/ip route
add dst-address=192.168.1.0/24 gateway=VPN-Remote routing-table=\
    VPN-Remote-table
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PPPoE type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no dst-address=192.168.1.0/24 table=\
    VPN-Remote-table
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Post also the output of :

/ip route print

and of

/ip address print

Review your configuration, look for “*” (asterisk), whenever you find one, like here:

add address=10.184.203.4/24 interface=*D network=10.184.203.0

it means that something was deleted/removed/renamed and ROS left a placeholder that is in the form of asterisk+(hex) number.
Likely unrelated, still it is better to have configuration as clean as possible, same for dhcp client on ether1, disable it to avoid the warning in red.

You also have a routing rule, I think this may conflict with mangle?

Thanks for your tips.

Yeah I’ll try to clean those asterisks up, I did a lot of changes back and forth trying to make this work and recreated the VPN a few times, so there’s probably some leftovers from that.

Regarding the routing rule, as said it should only capture the traffic going to 192.168.1.0/24, so I think it should not conflict with this. I had this same setup working in another MikroTik router with the routing rule in place, and it didn’t cause any issues. Unfortunately I didn’t save an export :frowning:

Here are the exports you requested:

/ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY     DISTANCE
  DAv 0.0.0.0/0        PPPoE              1
  DAc 10.251.53.0/24   VPN-Local         0
  DAc 192.168.10.0/24  bridge             0
  DAc 10.184.203.4/32  VPN-Remote          0
  DAc 87.235.0.10/32   PPPoE              0
  DAc 192.168.2.1/32   sfp1               0
0  As 192.168.1.0/24   VPN-Remote          1

/ip address print
Flags: I - INVALID, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS             NETWORK       INTERFACE 
;;; defconf
0   192.168.10.1/24     192.168.10.0  bridge    
1   192.168.2.100/32    192.168.2.1   sfp1      
2   10.251.53.1/24      10.251.53.0   VPN-Local
3 D [my_public_ip]/32  87.235.0.10   PPPoE     
4 I 10.184.203.4/24     10.184.203.0  *D        
5   10.184.203.4/32     10.184.203.4  VPN-Remote

So it is these two mangle rules:

add action=mark-connection chain=prerouting connection-state=new \
    new-connection-mark=remote-vpn-traffic-mark src-mac-address=\
    [mac_address_of_target_device]
add action=mark-routing chain=prerouting connection-mark=\
    remote-vpn-traffic-mark dst-address-type=!local in-interface-list=LAN \
    new-routing-mark=VPN-Remote-table passthrough=no

that do not work?

Could it be the LAN list member not being correct? *D also there:

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=PPPoE list=WAN
add interface=sfp1 list=WAN
add interface=VPN-Local list=LAN
add interface=*D list=LAN

You have not adequately described what is going on with your wireguard interfaces, besides the fact that the peers seem wrong as well. I was expecting one interface but you have two tunnels??
Why two??
Please describe for each wg interface
LOCAL
a. is the router the peer client for handshake and if so ( where and what is at the other end aka the server peer for handshake )
b. which local users are supposed to use this tunnel, in detail!!
REMOTE
a. is the router the peer client for handshake and if so ( where and what is at the other end aka the server peer for handshake )
b. which local users are supposed to use this tunnel, in detail!!

Note: since you're using PPPoE for internet, ip dhcp client should be disabled.

As jac pointed out this is hosed.
add address=10.184.203.4/24 interface=*D network=10.184.203.0
add address=10.184.203.4 interface=VPN-Remote network=10.184.203.4
<— this is not really an ip address

This is no longer relevant, get rid of old static ip dns setting…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A

Where is 192.168.1.0/24 located???

It surely looks strange, it is very likely intended as /32 address and in the print output it shows that ros sees it as such, but in the export should be:

add address=10.184.203.4> /32 > interface=VPN-Remote network=10.184.203.4

Many errors, but no point in sorting out until wireguard intentions are crystal clear, I could assume local is for hosting own wg on router and remote is to a third party but we need clarity and far more details on which users or which traffic intentions are to go out each tunnel etc… then and only then can one look at a combination of mangle, firewall rules, routing rules etc that make sense.

Ok, step by step:

Yes, exactly. If I look at them live while using my phone, they do seem to flag the traffic, but it’s not being sent through the tunnel. Instead, it’s coming out of my home internet connection directly.

Not sure if there could be something wrong with the routing tables, or the way the traffic is marked… it was working fine on my previous router, which is what’s driving me crazy.

I’ve removed it, no change. It was probably an old version of the Wireguard interface that I deleted but forgot to clean up here.

VPN-Local: Wireguard interface used to connect to this router (home). So here the MikroTik acts as the “server” if you want. Two peers connect to it: my phone and my laptop. This is working fine and is not the reason for my post.

VPN-Remote: Wireguard interface to connect to a VPN I have set up in a different location, running on a Raspberry Pi if you must know (PiVPN). The MikroTik router here acts as the “client”, so I can send the traffic I want through that tunnel. I’m currently using it for two different things.

  1. Send all the traffic with destination 192.168.1.0/24 through the tunnel. This is the subnet used by the LAN at the remote site, so by doing this I can easily access the LAN resources at that location. This works perfectly fine.
  2. Selectively send some internet traffic through that tunnel as well, so that said traffic goes out to the internet from that location and not from my home internet connection. This is what I’m trying to achieve with mangle rules. I’ve currently simplified this so that it just sends ALL the traffic coming from my phone (selected by its MAC address) through this tunnel. But once I have this working I want to fine tune this a bit more, which is why I need to use mangle rules (e.g.: only send traffic that’s headed towards specific IPs/DNS).

Besides my MikroTik router, I’m also connecting to this tunnel directly from some other devices (using the Wireguard client), and it works perfectly. In fact, this same tunnel was working fine with my previous MikroTik router, and has been for years. So whatever is wrong, it must be on my MikroTik config, not on the Raspberry Pi.

Oops good catch, deleted. Leftover from defconf I guess.

I’m not even using eth1 for internet, as I’m plugging the fiber directly to the SFP module. So eth1 now is just a regular port in the LAN bridge.

I’ve already deleted the orphan (*D) address, no change. Probably a leftover from a previous attempt.

Regarding the second line, it’s a /32. RouterOS just deletes the unneeded /32 when you save:
https://i.imgur.com/r4wrNn0.mp4

Yep, I’ve actually set it to my current router IP now. Just wanted to fix the Wireguard stuff before getting into the static IPs leases and DNS.

It’s the LAN at the remote location, as mentioned above. I’m just using this traffic rule to access the local resources at that location, and that works fine. So the tunnel itself seems to be ok.

I meant:

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=PPPoE list=WAN
add interface=sfp1 list=WAN
add interface=VPN-Local list=LAN

Ok :slight_smile: , but what is VPN-Remote, LAN, WAN or something else? :question:

Then, in IP route, you have only two routes with VPN-Remote as gateway, a /32 Dynamic one (autogenerated by the IP address):
DAc 10.184.203.4/32 VPN-Remote 0 ← this one has to be checked, but it should be generated in table “main”
and a static one (which is the one actually “triggered” by the routing rule):
0 As 192.168.1.0/24 VPN-Remote 1
Maybe you need a 0.0.0.0/0 with gateway 10.184.203.4/32 (or something similar) in that VPN-Remote-table?

Oh god, that was it! I had missed adding the actual route so that generic internet traffic could also find its way out through the tunnel.

I actually added the wireguard interface as gateway:

add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=VPN-Remote routing-table=VPN-remote-table scope=30 suppress-hw-offload=no target-scope=10

Regarding the interface list, I have now added it to both the LAN and WAN lists to keep things tidy, as I’m really using it for both purposes. But the routing also works without adding the interface to any list, so that wasn’t causing the issue.

Thanks a lot for your support jaclaz!
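Putting the fix together, as an added example that is not the OP's export nor jaclaz's or anav's text: the minimal rule set for the VPN-Remote case, extended to the address-list selection the OP describes as the end goal (device plus a list of destinations). The phone MAC, the list name via-remote and its entries are placeholders; interface, table and mark names are the thread's own.

```routeros
# Added example for this thread. Assumed placeholders: the phone MAC
# 00:11:22:33:44:55, the address list "via-remote" and its entries.

# 1. Separate routing table. "fib" is required for a table that is to be
#    selected by a routing mark.
/routing table
add name=VPN-Remote-table fib comment="policy routing via VPN-Remote"

# 2. The route that was missing in the thread. A routing mark only selects the
#    table; if that table has no matching route, the lookup falls back to main
#    and the packet leaves via PPPoE, which is exactly the symptom reported
#    (mangle counters increase, traffic still uses the home WAN).
/ip route
add dst-address=192.168.1.0/24 gateway=VPN-Remote routing-table=main \
    comment="remote site LAN, reachable from any table"
add dst-address=0.0.0.0/0 gateway=VPN-Remote routing-table=VPN-Remote-table \
    comment="default route for route-marked traffic"

# 3. Destinations that should leave from the remote site. RouterOS resolves a
#    DNS name entry itself and keeps the dynamic entries refreshed.
/ip firewall address-list
add list=via-remote address=example.com comment="placeholder domain"
add list=via-remote address=203.0.113.0/24 comment="placeholder prefix"

# 4. Mark the connection on its first packet, then route-mark every packet of
#    it. Both in prerouting, so the routing mark is present before the routing
#    decision of the very first packet; marking in forward would be too late.
#    dst-address-type=!local keeps traffic for the router itself out of it.
/ip firewall mangle
add chain=prerouting action=mark-connection connection-state=new \
    src-mac-address=00:11:22:33:44:55 dst-address-list=via-remote \
    new-connection-mark=remote-vpn-traffic-mark passthrough=yes \
    comment="phone -> selected destinations"
add chain=prerouting action=mark-routing \
    connection-mark=remote-vpn-traffic-mark dst-address-type=!local \
    new-routing-mark=VPN-Remote-table passthrough=no

# 5. Fasttracked packets bypass mangle, so only unmarked connections may be
#    fasttracked. This rule must sit before the generic established,related
#    accept rule of the default firewall (move it there in the rule list).
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack only unmarked connections"

# 6. Source NAT towards the tunnel, so the remote side only ever sees the
#    router's own tunnel address (no return routes needed on the Pi).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=VPN-Remote

# 7. Checks: the marked table must show the default route, the route-mark
#    counters must increase, and marked connections must exist while the
#    phone browses one of the listed destinations.
/ip route print where routing-table=VPN-Remote-table
/ip firewall mangle print stats where action=mark-routing
/ip firewall connection print where connection-mark=remote-vpn-traffic-mark
```

If step 7 shows the mark counters increasing but no route in VPN-Remote-table, the fallback to main is the cause, as it was in this thread.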

I think VPN-Remote (or more generally “this side” of a wireguard tunnel) should be LAN, otherwise there might be some issue with firewall, but of course it depends on firewall rules.

Happy it is now working :slight_smile: .

Okay great answers except for the vagueness

CLEAR

  1. Send all the traffic with destination 192.168.1.0/24 through the tunnel. This is the subnet used by the LAN at the remote site, so by doing this I can easily access the LAN resources at that location. This works perfectly fine.

VAGUE
2. Selectively send some internet traffic through that tunnel as well, so that said traffic goes out to the internet from that location and not from my home internet connection. This is what I’m trying to achieve with mangle rules. I’ve currently simplified this so that it just sends ALL the traffic coming from my phone (selected by its MAC address) through this tunnel. But once I have this working I want to fine tune this a bit more, which is why I need to use mangle rules (e.g.: only send traffic that’s headed towards specific IPs/DNS).

Which traffic? For your phone, much easier to use an IP address? In general, better to use a firewall address list and mangle if there are many IP addresses; if just a few IPs, then routing rules.
If you have vlans and separate subnets it would be really easy, for ex. a separate WLAN: those given the SSID password can use a wifi connection to go out the remote WWW. VERY EASY to use a routing rule for an entire subnet as well. So the subnet approach is easiest, and if you have wired, then two options: mangling or routing rules.

In your case, it's very simple. You have a single routing rule in the main table for 192.168.1.0/24 pointing to the VPN remote interface.
This covers all that traffic!
Then you simply need to 'direct' traffic from select users into the tunnel.
HOW, two options… mangle a set of IPs ( firewall address list ) OR use routing rules for a small group of users.
I've included both options in the config below.

  1. Remove all the noise from wireguard peer settings that is not required, including the remote peer.
  2. MISSING persistent keepalive on the peer setting to the remote site.
  3. Add remote vpn to the WAN list, so that all traffic leaving MT for the PI will have the single IP address of MT; nothing fancy needed on the pi side for subnets.
  4. Why is there an address for SFP1, 192.168.2??? It's already assigned a VLAN for the purposes of terminating the pppoe ISP connection?? REMOVE!
  5. Provide VPN remote a proper IP address format in IP address…
  6. Removed all users with access to router and config and allow only access to services, aka dns.
  7. Clamp rule only applies on the client side and thus only to the pi server… aka vpn remote, NOT local.
  8. If not using ipv6, then disable IPV6, remove all address lists and rules save two
    input chain=drop
    forward chain=drop
  9. Add the necessary routing rules if not mangling, or remove mangling and keep routing rules…
# model = RB760iGS
# serial number = [redacted]
/interface bridge
add admin-mac=[redacted] auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=19850 mtu=1420 name=VPN-Local
add listen-port=51821 mtu=1420 name=VPN-Remote
/interface vlan
add interface=sfp1 name=Internet vlan-id=63
/interface pppoe-client
add add-default-route=yes disabled=no interface=Internet name=PPPoE user=\
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.10.1-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/routing rip instance
add afi=ipv4 disabled=no name=rip
/routing table
add fib name=VPN-Remote-table  comment="supports mangling of users to vpn remote if required"
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=PPPoE list=WAN
add interface=sfp1 list=WAN
add interface=VPN-Remote list=WAN  comment="removes need for separate sourcenat rule later and allows LAN users out this WAN in forward chain"
add comment=defconf interface=bridge list=LAN
add interface=VPN-Local list=LAN
/interface ovpn-server server
add mac-address=[redacted] name=ovpn-server1
/interface wireguard peers
add allowed-address=10.251.53.2/32 interface=VPN-Local name="Pixel 9 Pro" public-key="---"
add allowed-address=10.251.53.3/32 interface=VPN-Local name="MacBook Pro" public-key="+++"
add allowed-address=0.0.0.0/0 endpoint-address=[remote_public_IP] endpoint-port=51820 interface=VPN-Remote name="MikroTik Hex S" \
    preshared-key=[redacted] public-key="++-----+"  persistent-keepalive=30s
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=10.251.53.1/24 interface=VPN-Local network=10.251.53.0
add address=10.184.203.4/24 interface=VPN-Remote network=10.184.203.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
[redacted_domain_list_here-not_used_now]
++++++
add address=192.168.10.X  list=Authorized comment="local admin wired"
add address=192.168.10.Y   list=Authorized comment="local admin wifi"
add address=10.251.53.2  list=Authorized comment="remote admin smartphone"
add address=10.251.53.3  list=Authorized comment="remote admin laptop"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="WG handshake" dst-port=19850 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"   { insert here last of all rules }
+++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward  connection-state=established,related connection-mark=no-mark   comment="no-mark added if mangling"
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward   connection-state=invalid
add action=accept chain=forward comment="ALL internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    VPN-Remote protocol=tcp tcp-flags=syn
{ mangle rules for group of IPs for vpn remote, if required }
add action=accept chain=prerouting  src-address=192.168.10.0/24  dst-address=192.168.10.0/24 comment="ensure local traffic is not affected"
add action=mark-connection chain=prerouting connection-mark=no-mark src-address-list=REMOTE \
new-connection-mark=to-VPNR  passthrough=yes comment="in prerouting so the first packet is already route-marked"
add action=mark-routing chain=prerouting connection-mark=to-VPNR \
new-routing-mark=VPN-Remote-table  passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip proxy
set enabled=yes
/ip route
add dst-address=192.168.1.0/24 gateway=VPN-Remote  routing-table=main comment="sends all traffic for remote subnet through vpn remote"
add dst-address=0.0.0.0/0  gateway=VPN-Remote routing-table=VPN-Remote-table   comment="required if mangling"
/routing rule
add action=lookup-only-in-table src-address=192.168.10.0/24  dst-address=192.168.10.0/24 table=main comment="ensures local traffic is not affected by following routing rules"
add action=lookup-only-in-table src-address=192.168.10.X  table=VPN-Remote-table   { if not mangling a group of IPs }
add action=lookup-only-in-table src-address=192.168.10.X  table=VPN-Remote-table   { if not mangling }
..............
add action=lookup-only-in-table src-address=192.168.10.N  table=VPN-Remote-table  { if not mangling }
/ip upnp
set enabled=no
/ipv6 settings
set disable-ipv6=yes
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no
/system routerboard settings
set silent-boot=yes
/tool mac-server
# mac-server is not secure, do not enable it on any interface
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

As said in my message:

(e.g.: only send traffic that’s headed towards specific IPs/DNS)


As explained before, I had simplified the mangle rules as much as possible to allow for easier troubleshooting. I know it wouldn’t make sense to use mangle if all I wanted was to route ALL traffic from a specific device through the VPN, I could use normal IP routes for that. But my end goal (which I’ve now implemented successfully after fixing the issue), is to select traffic that:

  1. Is coming from a specific device
  2. Is headed towards any of the destinations contained in a custom address list I maintain, which includes public internet DNS names and not static IPs.

This requires mangle rules.

As explained above, not what I intended to do.

  1. Could you be more specific here? What should I remove from the Wireguard config?
  2. Why do I need a persistent keepalive? For the remote VPN, my MikroTik will always be the initiator of the connection. I don’t need to keep the VPN alive if there’s no outgoing traffic from my home to the remote site. That’s why it’s intentionally not marked as “Responder”, unlike the local VPN.
  3. I’ve heard mixed advice on this, some people recommend adding it to LAN, others to WAN, others to both :smiley: Keep in mind I’m also using this VPN to access “local” addresses (192.168.1.0/24) on the remote site. Not sure if that changes anything with regards to the LAN/WAN lists.
  4. The ODI SFP module I’m using provides a management interface (both web and SSH/telnet), and that interface needs to be configured in a separate subnet, as it’s a different DHCP. Out of the box, it uses 192.168.1.1, but since I’m already using that for other things, I changed it to 192.168.2.1. It makes no sense to remove it, otherwise I wouldn’t be able to access its management interface.
  5. Not sure what you mean by this? As explained in my previous message, it’s a 10.184.203.4/32. RouterOS just removes the /32 after saving. Did you see the video I uploaded?
  6. The original “admin” user is disabled, only my user is enabled.
  7. Thanks, good point, I’ll remove that.
  8. Yep, will do.
  9. Already explained.