Winbox unable to connect over wireguard interface

Short overview:

Problem: When connected via wireguard can access devices on network but not router for management purposes. Can ping router and receive reply, but cannnot connect via winbox or ssh, both work when connected directly to Management VLAN.

Network overview: Internet–>ISP Arris Modem/Gateway(in bridge mode)→ hap ax3 → Netgear (gs108T) →Netgear WAX615PA access point.
VLANS configured in router switch and access point.

Solutions tried: a bunch, but specifically have two rules for allowing wireguard interface

add comment=”Wireguard lan list” interface=wireguard1 list=LAN

In firewall also have:

add action=accept chain=input comment="Wireguard Port Forward" dst-port=xxxxx \ protocol=udp

add action=accept chain=input comment=\ "Allow router access from Wireguard interface" connection-state=new \ dst-port=8291 in-interface=wireguard1 protocol=tcp

Full config is as follows, but realize I’m new to RouterOS and networking in general, also some stuff is as has been recently changed trying to get this working so some things don’t match comments/don’t make sense I’m sure.

# 2025-10-09 21:27:27 by RouterOS 7.20
# software id = Y9EX-ZF9X
#
# model = C53UiG+5HPaxD2HPaxD
# 
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=ppppp name=wireguard1
/interface vlan
add interface=bridge name=CCTV vlan-id=660
add interface=bridge name="Home Office" vlan-id=110
add interface=bridge name=IoT vlan-id=440
add interface=bridge name=Management vlan-id=10
add interface=bridge name="Personal Devices" vlan-id=220
add interface=bridge name="Streaming Devices" vlan-id=330
add interface=bridge name="Xmas Lights" vlan-id=550
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=xxxx
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country="United States" .mode=ap .ssid=xxxx disabled=no \
    security=xxxx security.authentication-types=wpa2-psk,wpa3-psk .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country="United States" .mode=ap .ssid=xxxx \
    disabled=no security=xxxx security.authentication-types=wpa2-psk \
    .ft=yes .ft-over-ds=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool3 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool5 ranges=192.5.51.2-192.5.51.254
add name=dhcp_pool6 ranges=192.168.40.2-192.168.40.99
add name=dhcp_pool7 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1h name=defconf
add address-pool=dhcp_pool1 comment="Home Office" interface="Home Office" \
    name=dhcp1
add address-pool=dhcp_pool2 comment="Xmas Lights" interface="Xmas Lights" \
    name=dhcp2
add address-pool=dhcp_pool3 comment=IoT interface=IoT name=dhcp3
add address-pool=dhcp_pool4 comment=Management interface=Management name=\
    dhcp4
add address-pool=dhcp_pool5 comment="Personal Devices" interface=\
    "Personal Devices" name=dhcp5
add address-pool=dhcp_pool6 comment=CCTV interface=CCTV name=dhcp6
add address-pool=dhcp_pool7 comment="Streaming Devices" interface=\
    "Streaming Devices" name=dhcp7
/interface bridge port
add bridge=bridge comment="Management Port" hw=no interface=ether2 pvid=660
add bridge=bridge comment="NetGear AP" interface=ether3 trusted=yes
add bridge=bridge comment=BoomCT interface=ether4 pvid=660
add bridge=bridge comment="Switch Trunk Line" interface=ether5
add bridge=bridge comment=defconf interface=wifi1 pvid=660
add bridge=bridge comment=defconf interface=wifi2 pvid=220
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="Home Office" tagged=bridge vlan-ids=110
add bridge=bridge comment="Personal Devices" tagged=ether5,ether3,bridge \
    untagged=wifi2 vlan-ids=220
add bridge=bridge comment="Streaming Devices" tagged=ether5,ether3,bridge \
    vlan-ids=330
add bridge=bridge comment=IoT tagged=ether5,ether3,bridge vlan-ids=440
add bridge=bridge comment="Xmas Lights" tagged=ether5,bridge,ether3 vlan-ids=\
    550
add bridge=bridge comment=CCTV tagged=ether5,ether3,bridge untagged=wifi1 \
    vlan-ids=660
add bridge=bridge comment=Management tagged=ether5,ether3,bridge untagged=\
    ether4 vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=Management list=LAN
add comment="Wireguard lan list" interface=wireguard1 list=LAN
/interface ovpn-server server
add mac-address=FE:xx:xx:xx:xx:xx name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.60.2/32 client-address=192.168.60.2/32 comment=\
    "xxxx iphone" endpoint-address=xx.xx.xx.xx endpoint-port=xxxxx \
    interface=wireguard1 name=peer3 private-key=\
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=" public-key=\
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK="
add allowed-address=192.168.60.3/32 client-address=192.168.60.3/32 \
    client-keepalive=25s comment="xxxx Iphone" endpoint-address=\
    xx.xx.xx.xx endpoint-port=xxxxxx interface=wireguard1 name=peer4 \
    private-key="KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=" public-key=\
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK="
add allowed-address=192.168.60.4/32 client-address=192.168.60.4/32 comment=\
    "Linux Laptop" endpoint-address=xx.xx.xx.xx endpoint-port=xxxxx \
    interface=wireguard1 name=peer6 private-key=\
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK=" public-key=\
    "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.5.51.1/24 interface="Personal Devices" network=192.5.51.0
add address=192.168.10.1/24 interface=Management network=192.168.10.0
add address=192.168.20.1/24 interface="Home Office" network=192.168.20.0
add address=192.168.30.1/24 interface="Streaming Devices" network=\
    192.168.30.0
add address=192.168.40.1/24 interface=CCTV network=192.168.40.0
add address=10.10.10.1/24 interface=IoT network=10.10.10.0
add address=10.10.20.1/24 interface="Xmas Lights" network=10.10.20.0
add address=192.168.60.1/24 interface=wireguard1 network=192.168.60.0
/ip arp
add address=192.168.40.101 interface=CCTV mac-address=xx:xx:xx:xx:xx:xx
add address=192.168.40.82 interface=CCTV mac-address=xx:xx:xx:xx:xx:xx
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.20.2 mac-address=xx:xx:xx:xx:xx:xx server=dhcp2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=192.5.51.0/24 gateway=192.5.51.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Streaming gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=192.5.51.0/24 list=local-networks
add address=10.10.10.0/24 list=local-networks
add address=10.10.20.0/24 list=local-networks
add address=192.168.20.0/24 list=local-networks
add address=192.168.30.0/24 list=local-networks
add address=192.168.40.0/24 list=local-networks
add address=192.168.10.0/24 list=local-networks
add address=192.168.60.0/24 list=ManagementList
add address=192.168.10.0/24 list=ManagementList
add address=192.168.60.0/24 list=local-networks
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard Port Forward" dst-port=xxxxx \
    protocol=udp
add action=accept chain=input comment=\
    "Allow router access from Wireguard interface" connection-state=new \
    dst-port=8291 in-interface=wireguard1 protocol=tcp
add action=accept chain=input comment=\
    "Allow router config access only from Management VLAN" connection-state=\
    new in-interface=Management src-address-list=ManagementList
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow new NTP service" \
    connection-state=new dst-port=123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow WireGuard devices access to Camera Server" connection-state=new \
    log=yes out-interface=all-vlan src-address=192.168.60.0/24
add action=accept chain=forward comment="Allow traffic across camera vlan" \
    dst-address=192.168.40.0/24 src-address=192.168.40.0/24
add action=drop chain=forward comment="Prevent Camera Server Internet Access" \
    connection-state=new disabled=yes out-interface=ether1 src-address=\
    192.168.40.97
add action=accept chain=forward comment=\
    "Allow management to access all vlans" in-interface=Management \
    out-interface=all-vlan
add action=accept chain=forward comment=\
    "allow personal devices access to other vlans" in-interface=\
    "Personal Devices" out-interface=all-vlan
add action=drop chain=forward comment=\
    "Drop new connections from Minecraft Server" connection-state=new \
    out-interface=all-vlan src-address=192.168.40.82
add action=drop chain=forward comment="drop new inter-VLan traffic" \
    connection-state=new in-interface=CCTV out-interface=all-vlan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=xxxx
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Longer version/more info:

So this network was setup a couple of years ago. I followed some tutorial but I don’t even know which one now. Originally it was behind the ISP modem which was not bridged. After adding a server I wanted to be able to access it from outside my network but didn’t want to port forward so decided to try out wireguard. Had to bridge ISP modem to get that to work. The network is now outdated compared to what I need/use. There is no more home office for instance. The CCTV network has all the servers on it currently, not just the CCTV server, etc. I want to restructure the network to make sense but I have the most time to work on it while I’m away from it. So I am trying to now access the router config itself from the wireguard1 interface. I can access the router only from the Management VLAN currently and cant’ figure out why I can’t also get wireguard working. I realize I have a rule that says it allows only the management vlan to access the router but if I delete that rule I lose the ability to access the router over the wifi network completely and have to use ethernet to get into the router. While I have had this setup for about 2 years, I didn’t mess with it much until about 3 months ago…that was when my NVR died and I decided to setup a server instead. So I don’t remember too much about what I changed when this was first setup, and as I stated I am extremely new to both mikrotik and networking in general. I am hoping I have a simple config issue that I have missed. I have looked through several posts on this forum and most seem to suggest I need to add the wireguard interface to the LAN list and create two firewall rules-one for the access port to allow wireguard traffic through and a second to allow wireguard traffic to access router input chain. I believe I have these rules configured but it still doesn’t work. So I was hoping that maybe somebody could review my config and see what I’m missing? Thanks in advance!

P.S. I hope I didn’t remove something that was needed, I tried to obfuscate anything that was directly exposed to the WAN with X’s or K’s or something similiar.

Unlike other tunnel types, the WireGuard interface on RouterOS doesn’t automatically calculate the MTU. So, if you haven’t explicitly set it, it’s probably using 1420.
If your WAN (or upstream device) uses PPPoE, the effective MTU will be even smaller. Whether this actually causes issues depends on several factors — for example, whether you’re connecting over IPv6, etc.

You can try setting the MTU to 1280 for wireguard interface on both RouterOS and the client side, and see if that helps.

Also, I didn’t see any MSS clamp rules in your export. That could also cause TCP-related problems (like extremely slow connections, or SSH freezing when sending large outputs such as dmesg). I remember that MSS clamping used to be part of the default config, so it’s worth checking.

If you still can’t connect, try capturing packets on the WireGuard interface with Wireshark to inspect the TCP handshake details.

And just to confirm — is your WireGuard client actually routing correct? It’s possible that the IP you’re pinging doesn’t reach your router at all (but goes to an upstream NAT gateway or similar). check "ip route" on linux client, did it route (if thie is your winbox target router ip) 192.168.60.1 or 192.168.60.0/24 to wireguard interface?

This rule is meaningless.....
add action=accept chain=input comment=\ "Allow router access from Wireguard interface" connection-state=new \ dst-port=8291 in-interface=wire

Simply put it as
add action=accept chain=input comment="WG admin to router¨ in-interface=wireguard1

Ensure that whatever you have for interface entry HERE...........includes wireguard1 as a member!
./tool mac-server mac-winbox
set allowed-interface-list=LAN

Turn this off, bridge filters are very niche specific uses.
/interface bridge settings
set use-ip-firewall=yes

Remove bridge from interface list members and add vlans to LAN interface list.
Which begs the question you have 8 pools and only seven vlans. Is it possible you made the cardinal sin of thinking the bridge should do DHCP after converting to vlans???

Simply create another vlan for that traffic, keep pool and make other necessary adjustments and it will work fine.

Clamping usually not required for own wireguard incoming (normally can be useful if connecting to third party providers)

Ok, I think I got the changes made correctly. Specifically my interface list members are as follows:

/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=Management list=LAN
add comment="Wireguard lan list" interface=wireguard1 list=LAN
add interface=CCTV list=LAN
add interface="Home Office" list=LAN
add interface=IoT list=LAN
add interface="Personal Devices" list=LAN
add interface="Streaming Devices" list=LAN
add interface="Xmas Lights" list=LAN

I turned off use-ip-firewall in the GUI in winbox. And I changed the Ip firewall rule as you said.

So I believe that my wireguard interface is set to the LAN list, and I believe the LAN list is set as the allowed interface list for ./tool mac-server mac-winbox.
The eighth dhcp pool was the default pool from before I created the VLANs. I do not think it was used anywhere however I removed it anyways. That leaves me with 7 vlans and 7 pools. I set a network up for the wireguard1 interface of 192.168.60.0/24, but did not configure a dhcp for that interface.
So with these changes I’ve made some progress as I can attempt to connect either through winbox or ssh and it “sees” the router now. But it rejects the connection for bad username/password. In winbox at least i can switch to my management vlan it goes through with same username/password combo. So doing some research I’m assuming I don’t have the ip address authorized correctly? I’m not sure however if the wireguard interface is correctly showing my clients as the 192.168.60.0/24 ip range. While connected to the personal devices network with wireguard enabled, i was able to see and ping the linux computer with the personal devices vlan ip, but not the wireguard interface ip. Then if I connect through wireguard over my cell phone instead, i can ping to the router but cannot “see” the linux computer in the arp list nor ping if I manually type in the wireguard client ip address…I’m not sure if I made sense there though. I’ll include the rest of my config below. Also, I did do a traceroute from the wireguard interface and it was one stop to router ip. I also changed the mtu as the previous poster suggested. I haven’t wiresharked the connection yet though.

Last thing, sorry for any delay in my response. I had to wait to get home to try these changes, as well I’m new so my posts must be approved by moderators before they’re visible. It will likely be tomorrow afternoon before I’m able to troubleshoot anymore. And thanks again for your help.

# 2025-10-10 20:27:11 by RouterOS 7.20
# software id = Y9EX-ZF9X
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **********
/interface bridge
add admin-mac=************ auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=***** mtu=1280 name=wireguard1
/interface vlan
add interface=bridge name=CCTV vlan-id=660
add interface=bridge name="Home Office" vlan-id=110
add interface=bridge name=IoT vlan-id=440
add interface=bridge name=Management vlan-id=10
add interface=bridge name="Personal Devices" vlan-id=220
add interface=bridge name="Streaming Devices" vlan-id=330
add interface=bridge name="Xmas Lights" vlan-id=550
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=********
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country="United States" .mode=ap .ssid=****** disabled=no \
    security=*********** security.authentication-types=wpa2-psk,wpa3-psk .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac configuration.country="United States" .mode=ap .ssid=******** \
    disabled=no security=********* security.authentication-types=wpa2-psk \
    .ft=yes .ft-over-ds=yes
/ip pool
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool3 ranges=10.10.10.2-10.10.10.254
add name=dhcp_pool4 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool5 ranges=192.5.51.2-192.5.51.254
add name=dhcp_pool6 ranges=192.168.40.2-192.168.40.99
add name=dhcp_pool7 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool1 comment="Home Office" interface="Home Office" \
    name=dhcp1
add address-pool=dhcp_pool2 comment="Xmas Lights" interface="Xmas Lights" \
    name=dhcp2
add address-pool=dhcp_pool3 comment=IoT interface=IoT name=dhcp3
add address-pool=dhcp_pool4 comment=Management interface=Management name=\
    dhcp4
add address-pool=dhcp_pool5 comment="Personal Devices" interface=\
    "Personal Devices" name=dhcp5
add address-pool=dhcp_pool6 comment=CCTV interface=CCTV name=dhcp6
add address-pool=dhcp_pool7 comment="Streaming Devices" interface=\
    "Streaming Devices" name=dhcp7
/interface bridge port
add bridge=bridge comment="Management Port" hw=no interface=ether2 pvid=660
add bridge=bridge comment="NetGear AP" interface=ether3 trusted=yes
add bridge=bridge comment=BoomCT interface=ether4 pvid=660
add bridge=bridge comment="Switch Trunk Line" interface=ether5
add bridge=bridge comment=defconf interface=wifi1 pvid=660
add bridge=bridge comment=defconf interface=wifi2 pvid=220
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="Home Office" tagged=bridge vlan-ids=110
add bridge=bridge comment="Personal Devices" tagged=ether5,ether3,bridge \
    untagged=wifi2 vlan-ids=220
add bridge=bridge comment="Streaming Devices" tagged=ether5,ether3,bridge \
    vlan-ids=330
add bridge=bridge comment=IoT tagged=ether5,ether3,bridge vlan-ids=440
add bridge=bridge comment="Xmas Lights" tagged=ether5,bridge,ether3 vlan-ids=\
    550
add bridge=bridge comment=CCTV tagged=ether5,ether3,bridge untagged=wifi1 \
    vlan-ids=660
add bridge=bridge comment=Management tagged=ether5,ether3,bridge untagged=\
    ether4 vlan-ids=10
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=Management list=LAN
add comment="Wireguard lan list" interface=wireguard1 list=LAN
add interface=CCTV list=LAN
add interface="Home Office" list=LAN
add interface=IoT list=LAN
add interface="Personal Devices" list=LAN
add interface="Streaming Devices" list=LAN
add interface="Xmas Lights" list=LAN
/interface wireguard peers
add allowed-address=192.168.60.2/32 client-address=192.168.60.2/32 comment=\
    "******** iphone" endpoint-address=*********** endpoint-port=****** \
    interface=wireguard1 name=peer3 private-key=\
     public-key=\
    add allowed-address=192.168.60.3/32 client-address=192.168.60.3/32 \
    client-keepalive=25s comment="******* Iphone" endpoint-address=\
    *********** endpoint-port=******* interface=wireguard1 name=peer4 \
    private-key=
    public-key=\
    
add allowed-address=192.168.60.4/32 client-address=192.168.60.4/32 comment=\
    "Linux Laptop" endpoint-address=********* endpoint-port=****** \
    interface=wireguard1 name=peer6 private-key=\
    public-key=\
/ip address
add address=192.5.51.1/24 interface="Personal Devices" network=192.5.51.0
add address=192.168.10.1/24 interface=Management network=192.168.10.0
add address=192.168.20.1/24 interface="Home Office" network=192.168.20.0
add address=192.168.30.1/24 interface="Streaming Devices" network=\
    192.168.30.0
add address=192.168.40.1/24 interface=CCTV network=192.168.40.0
add address=10.10.10.1/24 interface=IoT network=10.10.10.0
add address=10.10.20.1/24 interface="Xmas Lights" network=10.10.20.0
add address=192.168.60.1/24 interface=wireguard1 network=192.168.60.0
/ip arp
add address=192.168.40.101 interface=CCTV mac-address=18:60:24:23:A8:DE
add address=192.168.40.82 interface=CCTV mac-address=BC:24:11:ED:B1:FB
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.20.2 mac-address=02:FE:00:52:00:2D server=dhcp2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=192.5.51.0/24 gateway=192.5.51.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Streaming gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes
/ip dns static
/ip firewall address-list
add address=192.5.51.0/24 list=local-networks
add address=10.10.10.0/24 list=local-networks
add address=10.10.20.0/24 list=local-networks
add address=192.168.20.0/24 list=local-networks
add address=192.168.30.0/24 list=local-networks
add address=192.168.40.0/24 list=local-networks
add address=192.168.10.0/24 list=local-networks
add address=192.168.60.0/24 list=ManagementList
add address=192.168.10.0/24 list=ManagementList
add address=192.168.60.0/24 list=local-networks
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard Port Forward" dst-port=****** \
    protocol=udp
add action=accept chain=input comment=\
    "Allow router access from Wireguard interface" in-interface=wireguard1
add action=accept chain=input comment=\
    "Allow router config access only from Management VLAN" connection-state=\
    new in-interface=Management src-address-list=ManagementList
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow new NTP service" \
    connection-state=new dst-port=123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="drop all else" disabled=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
    "Allow wireguard access to management vlan" connection-state=new \
    in-interface=wireguard1
add action=accept chain=forward comment=\
    "Allow WireGuard devices access to Camera Server" connection-state=new \
    log=yes out-interface=all-vlan src-address=192.168.60.0/24
add action=accept chain=forward comment="Allow traffic across camera vlan" \
    dst-address=192.168.40.0/24 src-address=192.168.40.0/24
add action=drop chain=forward comment="Prevent Camera Server Internet Access" \
    connection-state=new disabled=yes out-interface=ether1 src-address=\
    192.168.40.97
add action=accept chain=forward comment=\
    "Allow management to access all vlans" in-interface=Management \
    out-interface=all-vlan
add action=accept chain=forward comment=\
    "allow personal devices access to other vlans" in-interface=\
    "Personal Devices" out-interface=all-vlan
add action=drop chain=forward comment=\
    "Drop new connections from Minecraft Server" connection-state=new \
    out-interface=all-vlan src-address=192.168.40.82
add action=drop chain=forward comment="drop new inter-VLan traffic" \
    connection-state=new in-interface=CCTV out-interface=all-vlan
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=Boombastic
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Nevermind, I guess I don’t have to wait on moderators now lol

Hi there, great progress.

1. How come you set set MTU to other than default, aka to 1280 ?

2. Why did you set ethernet switch to flow control=yes, or is this some default setting that happens to show up in the config exp0rt?

3. Looking for a consistent story ,,,,,,,,, for example you have ether2 as pvid for CCTV - v660) but calling it a management port????

The netgear port ether3, has no PVID so this is a smart AP that can read vlans???

4. Note on /interface bridge ports:
   for access ports add frame-types=admit-priority-and-untagged
   for trunk ports add frame'types=admit-only-vlan-tagged

5. This setting on /interface bridge vlans is meaningless. Which port is this traffic going to probably should include either ether5, or maybe ether5 and ether3 if NETGEAR ap NEEDS IT.
   add bridge=bridge comment="Home Office" tagged=bridge vlan-ids=110

6. After reviewing both sets of settings its clear to me that ether2 should be PVID 10 and the corresponding vlan setting should have ether2 untaggged vice ether4
   Personally, I would use an off bridge port for manual admin access to the router. Often the bridge may hiccup and if your management access is based on bridge access you may find yourself restetting to defaults re-importing latest saved config. If interested just search OffBridge in mikrotik.

7. You can simplify your input chain rules to
   Removing uneeded firewall address lists and add simply to existing interface lists.

/interface list
add name=TRUSTED
/interface list members
add interface=Management list=TRUSTED
add interface=wireguard1 list=TRUSTED

THEN
add action=accept chain=input comment="admin access" in-interface=TRUSTED

(covers both allow rules in input chain AND you change the following two rules accordingly for better security and efficiency.
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

8. Forward cahin needs work!! for example your rule to allow subnet camera reach itself is meaningless for these layer3 rules. The subnet already has access to itself via normal layer2 traffic.
   for example you have a rule allowing all personal devices with access to all-vlans ( a non existent interface) and what is the point, aka if you have several devices that you wish to have access to some vlans are you saying

• its you as admin on vlan 220
• or all users should have access to some vlans.
  ( until better described, this rule has been removed )

b. to address all other issues in the forward chain -->Get rid of default rule.
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

Replace forward chain added admin rules (everything after drop invalid data) with:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN !src-address=192.168.40.97
add action=accept chain=forward comment="admin access" in-interface-list=TRUSTED out-interface-list=LAN
add chain=forward action=drop comment="drop all else"

8. Its not clear that two your wireguard peers has persistent-keep-alive set ??

Summary: Clean up the config and then we can better address other issues. Ensure that you have not limited the winbox allowed addresses. AKA if left blank all are allowed, my recommendation is to add managment subnet and wireguars subnet .

Hello, first thanks for your help! I hope to implement your suggested changes this evening but it may be later. As I stated part of wanting to get this was I only have limited time physically with the network to make these changes so please bear with me. Also thanks greatly for your help. I wanted to go ahead and answer some of your questions though.

It was suggested in a post above yours. Originally was I think 1420? I had changed it shortly before getting your post and just never changed it back. I will later.

I don’t remember doing this so I think it may be default? But the original vlan was set up off a tutorial about 2 years ago, so they may have had me set this then. Should I disable the flow control?

This is the reason I am trying to gain remote access. The orginal vlans were set up several years ago. Over the years some things changed and I didn’t do a very good job of updating the network as a whole, just kind of made things work and went on. I think this has led to my problems where I now try to do very simple things and it becomes a hassle because stuff is not labeled and/or set properly. Some of this was laziness and some was because I didn’t know all the places in the GUI I needed to make the changes. So I might rename something in one spot but not rename all the things that were related, if that makes sense? In the specific case of the CCTV that vlan was non-existent as a whole originally. It was added about 3 months ago. I need to check while I’m home tonight to see what is going on physically…I think I may have changed this from a management port and used it for one of the self hosting servers I set up but I need to double check that.

Yes. It can do smart vlans but another change is to eventually do away with it. While not in the scope of this discussion there are a few known bugs with the specific AP that causes issues with inter-vlan traffic and some things. Another part of why my firewall is a mess. I tried changing lots of rules before I found out it was an issue in the AP. And I don’t think I actually need the extra SSIDs. But originally I didn’t think I could host more than two WIFI ssids off the mikrotik, which is why it was setup to begin with. Again I’m very new to all of this.

Yes, this vlan is no longer used at least not intentionally.

I will, thanks!

So for the rest I will make those changes, please bear with me it may take me a couple days though.

Not sure why. I checked the linux laptop and my iphone and that is enabled client side. Since I manually setup the config (didn’t export or use the QR code) I may have fudged this up server side but still set it client side, I’m not sure. I’ll set it server side when I make the other changes.

Once again thanks for all your help. Give me a bit and I’ll make the changes, post the updated config, and hopefully get the problem resolved. One last thing I kinda stumbled on late last night. In winbox if i’m connected to the local network and have wireguard on I can access winbox as stated. If I don’t close winbox or logout and change to cellular connection leaving wireguard up it continues to work and i can make changes to router. if I disconnect or close winbox, when trying to reconnect it won’t reconnect. Probably doesn’t mean anything until I get my config cleaned up but I thought it interesting

Yup, I dont put any client setting info on my router peers settings for the client, it just adds confusion IMHO, I was sure you had your clients devices setup properly with persistent-keep-alive

Ok, I believe I’ve made the changes and cleaned up the config some. I do have a couple things I’m unsure of still. Specifically:

add address=192.168.88.1/24 interface=bridge network=192.168.88.0    

was added under /ip address by the quick setup in GUI. I hit it while searching for something and it popped up and had a red field and wouldn’t let me exit until I put something in it. Initially I put 192.168.10.1 but then changed it to this. Can I just remove this or should it be set? If set should it be same as for router access or a separate IP address? Everything seemed to work without it being set so i think I could remove it from CLI?

I found a writeup about moving a port off bridge for management access. It said to create two interfaces, a MGMT and a MGNTandLAN specifically. I believed I could use the TRUSTED interface we setup instead of MGMTandLAN so created only the MGMT interface. But then I couldn’t add the MGMT interface to the TRUSTED list for some reason, either through GUI or CLI it wouldn’t work. So I set ether5 to the TRUSTED list instead. But after doing this I believe that leaves MGMT as unneeded? So specifically I think this could be removed?

add comment="Management only" name=MGMT

I haven’t tried connecting through the ether5 port yet, so not sure if it will work the way I have it set-up.

Last thing before I post the whole new config file. I discovered the problem with accessing the router is due to my cell service. I had been trying to access using mobile hotspot the whole time. I happened to be at a relatives house last night and tried from their wifi network and everything worked. I have found several posts online about people having issues with my carrier. The fixes range from reinstalling the wireguard client to setting up wireguard with ipv6 instead of ipv4. So not sure what I’ll do. The only real change in the works network side is to move my 3d printer from personal devices to the Server vlan, and I don’t think that will require config changes. And as always thanks for all your help!

# 2025-10-12 20:41:30 by RouterOS 7.20.1
# software id = Y9EX-ZF9X
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ***********
/interface bridge
add admin-mac=*********** auto-mac=no comment=defconf fast-forward=no \
    name=bridge protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=*********** mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=Management vlan-id=10
add interface=bridge name="Personal Devices" vlan-id=220
add interface=bridge name=Servers vlan-id=660
add interface=bridge name="Streaming Devices" vlan-id=330
add interface=bridge name="Xmas Lights" vlan-id=550
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Trusted Interfaces" name=TRUSTED
add comment="Management only" name=MGMT

/ip pool
add name=Xmas_pool ranges=10.10.20.2-10.10.20.254
add name=Management_pool ranges=192.168.10.2-192.168.10.254
add name=Personal_Devices_Pool ranges=192.5.51.2-192.5.51.254
add name=Server_Pool ranges=192.168.40.2-192.168.40.50
add name=Streaming_Pool ranges=192.168.30.2-192.168.30.254
add comment="Wireguard pool" name=Wireguard_Pool ranges=\
    192.168.60.2-192.168.60.254
/ip dhcp-server
add address-pool=Xmas_pool comment="Xmas Lights" interface="Xmas Lights" \
    name=dhcp2
add address-pool=Management_pool comment=Management interface=Management \
    name=dhcp4
add address-pool=Personal_Devices_Pool comment="Personal Devices" interface=\
    "Personal Devices" name=dhcp5
add address-pool=Server_Pool comment=Servers interface=Servers name=dhcp6
add address-pool=Streaming_Pool comment="Streaming Devices" interface=\
    "Streaming Devices" name=dhcp7
/interface bridge port
add bridge=bridge comment="Switch Trunk Line" frame-types=\
    admit-only-vlan-tagged interface=ether2
add bridge=bridge comment="NetGear AP" frame-types=admit-only-vlan-tagged \
    interface=ether3 trusted=yes
add bridge=bridge comment="Proxmox Server 100 on CCTV" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=660
add bridge=bridge comment=defconf interface=wifi1 pvid=660
add bridge=bridge comment=defconf interface=wifi2 pvid=220
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge comment="Personal Devices" tagged=ether3,bridge,ether2 \
    untagged=wifi2 vlan-ids=220
add bridge=bridge comment="Streaming Devices" tagged=ether3,bridge,ether2 \
    vlan-ids=330
add bridge=bridge comment="Xmas Lights" tagged=bridge,ether3,ether2 vlan-ids=\
    550
add bridge=bridge comment=Servers tagged=ether3,bridge,ether2 untagged=wifi1 \
    vlan-ids=660
add bridge=bridge comment=Management tagged=ether3,bridge,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=Management list=LAN
add comment="Wireguard lan list" interface=wireguard1 list=LAN
add interface=Servers list=LAN
add interface="Personal Devices" list=LAN
add interface="Streaming Devices" list=LAN
add interface="Xmas Lights" list=LAN
add interface=Management list=TRUSTED
add interface=wireguard1 list=TRUSTED
add interface=bridge list=LAN
add comment=OffBridge interface=ether5 list=MGMT
add interface=ether5 list=TRUSTED
/interface wireguard peers
add allowed-address=192.168.60.2/32 client-address=192.168.60.2/32 comment=\
    "*********** iphone" endpoint-address=*********** endpoint-port=*********** \
    interface=wireguard1 name=peer3 private-key=\
    *********** public-key=\
    ***********
add allowed-address=192.168.60.3/32 client-address=192.168.60.3/32 \
    client-keepalive=25s comment="*********** Iphone" endpoint-address=\
    *********** endpoint-port=*********** interface=wireguard1 name=peer4 \
    private-key=*********** public-key=\
    ***********
add allowed-address=192.168.60.4/32 client-address=192.168.60.4/32 comment=\
    "Linux Laptop" endpoint-address=*********** endpoint-port=*********** \
    interface=wireguard1 name=peer6 private-key=\
    *********** public-key=\
    ***********
/ip address
add address=192.5.51.1/24 interface="Personal Devices" network=192.5.51.0
add address=192.168.10.1/24 interface=Management network=192.168.10.0
add address=192.168.20.1/24 interface=*A network=192.168.20.0  #Removed this after printing out the config file...
add address=192.168.30.1/24 interface="Streaming Devices" network=\
    192.168.30.0
add address=192.168.40.1/24 interface=Servers network=192.168.40.0
add address=10.10.20.1/24 interface="Xmas Lights" network=10.10.20.0
add address=192.168.60.1/24 interface=wireguard1 network=192.168.60.0
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip arp
add address=192.168.40.101 interface=Servers mac-address=***********
add address=192.168.40.82 interface=Servers mac-address=***********
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.20.2 mac-address=*********** server=dhcp2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=192.5.51.0/24 gateway=192.5.51.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Streaming gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1 gateway=192.168.40.1
add address=192.168.60.0/24 gateway=192.168.60.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.5.51.0/24 list=local-networks
add address=10.10.10.0/24 list=local-networks
add address=10.10.20.0/24 list=local-networks
add address=192.168.20.0/24 list=local-networks
add address=192.168.30.0/24 list=local-networks
add address=192.168.40.0/24 list=local-networks
add address=192.168.10.0/24 list=local-networks
add address=192.168.60.0/24 list=ManagementList
add address=192.168.10.0/24 list=ManagementList
add address=192.168.60.0/24 list=local-networks
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard Port Forward" dst-port=*********** \
    protocol=udp
add action=accept chain=input comment=\
    "Allow router access from Wireguard interface" in-interface-list=TRUSTED
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow new NTP service" \
    connection-state=new dst-port=123 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN src-address=!192.168.40.97
add action=accept chain=forward comment="admin access" in-interface-list=\
    TRUSTED out-interface-list=LAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=***********
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

P.S. it seems everytime I review the config I find something I’ve messed up. So I think I need to remove the two addresses under /ip arp. These are outside the /ip pool range now and set statically on the clients…

1. Remove pool for wireguard, there is no such thing. Available addresses are determined by the IP address line itself.

2. Okay I see what you have done separating management and trusted but in reality only need one. The management interface describes admin access to everything including ether5 interface, and as well is where all smart devices get their subnet Ip address from the managment vlan interface so get rid of MGMT interface list and the associated ether5 entry, and just use TRUSTED for ether5. Dont forget to add ether5 to LAN as well. Remove Bridge as any interface on the interface list members.

3. As noted either get rid of any bridge with IP address and add a sixth vlan if required. As noted there are no ports now using the bridge subnet, so probably just get rid of it in IP address and interface list members.

4. MISSING!! is an IP address for ether5 ???
   give it something like
   add address=192.168.55.1/30 interface=ether5 network=192.168.55.0

Then connect PC to router on ether5 by changing IPV4 address to 192.158.55.2 and with username and password should have connectivity (and off the bridge).

5. Dont need any firewall address lists that I can see. ( and where does 192.5.51.1 come from ?? )

6. Dont understand your input chain rules should be short N sweet.. after the dst-address=127.0.0.1 rule

/ip firewall filter
....
....
add action=accept chain=input comment="wg handshake¨dst-port=***** protocol=udp
add action=accept chain=input comment=¨admin access¨ in-interface-list=TRUSTED
add action=accept chain=input comment="users to services¨ in-interface-list=LAN
dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services¨ in-interface-list=LAN
dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"

Ok, went through and think I have made all the recommended changes. The 192.5.51.0/24 subnet was something I did a couple years ago just so i could easily tell what was on the Personal Devices subnet. I didn’t think about it being part of public ip pool and never had any conflictst that i was aware of so had just left it alone. I changed it in this last config since I deleted a few vlans and freed up a couple more 192.168 nets under .100…

As always appreciate the help and input. newest config as follows

# 2025-10-13 18:18:06 by RouterOS 7.20.1
# software id = Y9EX-ZF9X
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = **********
/interface bridge
add admin-mac=********** auto-mac=no comment=defconf fast-forward=no \
    name=bridge protocol-mode=none vlan-filtering=yes
/interface wireguard
add listen-port=********** mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=Management vlan-id=10
add interface=bridge name="Personal Devices" vlan-id=220
add interface=bridge name=Servers vlan-id=660
add interface=bridge name="Streaming Devices" vlan-id=330
add interface=bridge name="Xmas Lights" vlan-id=550
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Trusted Interfaces" name=TRUSTED
/interface wifi security
removed for brevity

/ip pool
add name=Xmas_pool ranges=10.10.20.2-10.10.20.254
add name=Management_pool ranges=192.168.10.2-192.168.10.254
add name=Personal_Devices_Pool ranges=192.168.20.2-192.168.20.254
add name=Server_Pool ranges=192.168.40.2-192.168.40.50
add name=Streaming_Pool ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=Xmas_pool comment="Xmas Lights" interface="Xmas Lights" \
    name=dhcp2
add address-pool=Management_pool comment=Management interface=Management \
    name=dhcp4
add address-pool=Personal_Devices_Pool comment="Personal Devices" interface=\
    "Personal Devices" name=dhcp5
add address-pool=Server_Pool comment=Servers interface=Servers name=dhcp6
add address-pool=Streaming_Pool comment="Streaming Devices" interface=\
    "Streaming Devices" name=dhcp7
/interface bridge port
add bridge=bridge comment="Switch Trunk Line" frame-types=\
    admit-only-vlan-tagged interface=ether2
add bridge=bridge comment="NetGear AP" frame-types=admit-only-vlan-tagged \
    interface=ether3 trusted=yes
add bridge=bridge comment="Proxmox Server 100 on CCTV" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=660
add bridge=bridge comment=defconf interface=wifi1 pvid=660
add bridge=bridge comment=defconf interface=wifi2 pvid=220
/interface bridge settings
set allow-fast-path=no
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge comment="Personal Devices" tagged=ether3,bridge,ether2 \
    untagged=wifi2 vlan-ids=220
add bridge=bridge comment="Streaming Devices" tagged=ether3,bridge,ether2 \
    vlan-ids=330
add bridge=bridge comment="Xmas Lights" tagged=bridge,ether3,ether2 vlan-ids=\
    550
add bridge=bridge comment=Servers tagged=ether3,bridge,ether2 untagged=wifi1 \
    vlan-ids=660
add bridge=bridge comment=Management tagged=ether3,bridge,ether2 vlan-ids=10
/interface list member
add comment=defconf interface=ether1 list=WAN
add comment=defconf interface=Management list=LAN
add comment="Wireguard lan list" interface=wireguard1 list=LAN
add interface=Servers list=LAN
add interface="Personal Devices" list=LAN
add interface="Streaming Devices" list=LAN
add interface="Xmas Lights" list=LAN
add interface=Management list=TRUSTED
add interface=wireguard1 list=TRUSTED
add interface=ether5 list=TRUSTED
add interface=ether5 list=LAN
/interface wireguard peers
removed for brevity
/ip address
add address=192.168.20.1/24 interface="Personal Devices" network=192.168.20.0
add address=192.168.10.1/24 interface=Management network=192.168.10.0
add address=192.168.30.1/24 interface="Streaming Devices" network=\
    192.168.30.0
add address=192.168.40.1/24 interface=Servers network=192.168.40.0
add address=10.10.20.1/24 interface="Xmas Lights" network=10.10.20.0
add address=192.168.60.1/24 interface=wireguard1 network=192.168.60.0
add address=192.168.55.1/30 interface=ether5 network=192.168.55.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.20.2 mac-address=********** server=dhcp2
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 comment=Streaming gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=1.1.1.1 gateway=192.168.40.1
add address=192.168.60.0/24 gateway=192.168.60.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=wg-handshake dst-port=********** protocol=\
    udp
add action=accept chain=input comment="Admin Access" in-interface-list=\
    TRUSTED
add action=accept chain=input comment="Allow LAN DNS queries - UDP" dst-port=\
    53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN src-address=!192.168.40.97
add action=accept chain=forward comment="admin access" in-interface-list=\
    TRUSTED out-interface-list=LAN
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/system identity
set name=**********
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=192.168.10.1 enabled=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Probably up to snuff now, should only have minor comments.

1. You could add frame-types=admit-priority-and-untagged to the two wifi entries in bridge ports.

2. I dont see why you have the first dhcp-server network entry, aka the first one with addresses 10.10.10.... subnet does not exist.

3. Remove dhcp-server entry for wireguard1, wireguard only needs a wireguard address.

4. If not using IPV6 then ensure its disabled, all ipv6 firewall lists should be removed and the only two firewall rules should be:

add chain=input action=drop
add chain=forward action=drop