Wireguard - access to remote LAN

Something I have been struggling with for quite some time and I just can not get it right.
I’m sure once I see the solution, it will be something simple but I just don’t see it.

OK, to start, network diagram attached.
[Attached image: Home Hex to SXT - Cisco network diagram.jpeg]
Requirement:
to be able to connect two sites through wireguard, both LAN environments need to be accessible from ‘the other side’.

Home environment:
Hex 7.1.1, sitting behind ISP modem with dynamic IP (though in the past I have NEVER seen it change, I consider it dynamic to be safe), port forwarding for Wireguard from ISP to Hex.
Some remote WG devices like laptop and phone, they can connect without any problem to local LAN (not on diagram).

Remote environment:
SXT LTE, CGNAT, 7.2rc3, CAPSMAN
Serving 2 APs (cAP AC and cAP Lite, both also 7.2rc3)

Wireguard between Hex and SXT works when using WG IP addresses.
The problem starts once I want to access device behind the router or use the normal LAN IP addresses.
When I’m home and want to ping 192.168.88.1 → timeout.
Ping to 192.168.88.2 → timeout

When I am in France and want to access NAS on 192.168.2.15 → timeout.
Ping to 192.168.2.1 ->timeout

But ping / Winbox from 10.255.255.1 or .2 always works. So the tunnel works but I can not get behind the router onto the LAN.
And that’s where I am lost … searched loads of relevant posts and solutions here. The only thing which “should” be there are the allowed addresses in the peer settings and some routing rules, as far as I understood. I think they are correct yet it doesn’t work.

Config files (redacted to hide all public and secret stuff)

HEX

# jan/31/2022 20:38:55 by RouterOS 7.1.1
# software id = BFJX-J8NU
#
# model = RB750Gr3
# serial number = <serial Hex>
/interface bridge
add admin-mac=<mac1> auto-mac=no comment=defconf name=bridge
/interface wireguard
add listen-port=19685 mtu=1450 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/routing table
add fib name=""
/system logging action
set 1 disk-file-count=5 disk-file-name=disk2/log disk-lines-per-file=4096
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard list=LAN
/interface wireguard peers
add allowed-address=10.255.255.2/32,192.168.90.0/24 comment=\
    "mAP2nD 10.255.255.2" endpoint-address=10.255.255.2 endpoint-port=19685 \
    interface=wireguard persistent-keepalive=25s public-key=\
    "<public peer .2>"
add allowed-address=10.255.255.3/32 comment="Laptop  10.255.255.3" \
    endpoint-address=10.255.255.3 endpoint-port=19685 interface=wireguard \
    persistent-keepalive=25s public-key=\
    "<public peer .3>"
add allowed-address=192.168.88.0/24,10.255.255.4/32,192.168.2.0/24 comment=\
    "SXT 10.255.255.4" endpoint-address=10.255.255.4 endpoint-port=19685 \
    interface=wireguard public-key=\
    "<public peer .4>"
add allowed-address=192.168.91.0/24,10.255.255.5/32 comment=\
    "mAPLite 10.255.255.5" endpoint-address=10.255.255.5 endpoint-port=19685 \
    interface=wireguard persistent-keepalive=25s public-key=\
    "<public peer .5>"
add allowed-address=10.255.255.6/32 comment="Android S20 10.255.255.6" \
    endpoint-address=10.255.255.6 endpoint-port=19685 interface=wireguard \
    public-key="<public peer .6>"
/ip address
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=10.255.255.1/24 interface=wireguard network=10.255.255.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
	<lots of leases>
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.14 gateway=\
    192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.14
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall address-list
<Blacklist addresses>
<Whitelist addresses>
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=jump chain=input comment=\
    "Check intruders in \"Dynamic_blacklist\" chain - UDP 19685" dst-port=\
    19685 in-interface-list=WAN jump-target=dynamic_blacklist protocol=\
    udp src-address-list=!Whitelist
add action=accept chain=input comment="allow Wireguard" dst-port=19685 \
    in-interface-list=WAN log=yes log-prefix="Port 19685 - " protocol=udp
add action=accept chain=input comment=\
    "Accept Winbox from everywhere except WAN (therefor also VPN tunnels)" \
    dst-port=8291 in-interface-list=!WAN log=yes log-prefix="Port Winbox - " \
    protocol=tcp
add action=drop chain=input comment=\
    "Drop all else coming from WAN (thus allowing VPN traffic)" \
    in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.88.0/24
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related disabled=yes hw-offload=yes \
    out-interface=!wireguard
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list=bl_blacklist \
    address-list-timeout=4w chain=dynamic_blacklist connection-state=new \
    src-address-list=bl_stage2
add action=add-src-to-address-list address-list=bl_stage2 \
    address-list-timeout=10m chain=dynamic_blacklist connection-state=new \
    src-address-list=bl_stage1
add action=add-src-to-address-list address-list=bl_stage1 \
    address-list-timeout=15m chain=dynamic_blacklist connection-state=new \
    in-interface-list=WAN
add action=return chain=dynamic_blacklist comment=\
    "Return to chain that jumped into this one"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting log-prefix="" \
    src-address-list=Blacklist
add action=drop chain=prerouting comment="Drop brute forcers" log-prefix=\
    "DYNAMIC BLACKLIST IP" src-address-list=bl_blacklist
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.0.1 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.90.0/24 gateway=10.255.255.2 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=MTHex
/system logging
add action=disk topics=warning
add action=disk topics=info
add action=disk topics=error
add action=disk topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=94.224.67.24
add address=be.pool.ntp.org
/system scheduler
add interval=1m name=CheckPiHoleDNS on-event=\
    "system script run CheckPiHoleDNS;" policy=\
    ftp,reboot,read,write,policy,test,password,sensitive,romon start-date=\
    sep/06/2021 start-time=11:37:38
/system script
add dont-require-permissions=yes name=CheckPiHoleDNS owner=holvoetn policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    local currentDNS [/ip dns get server]\r\
    \n:local piholeDNS \"192.168.2.14\"\r\
    \n:local backupDNS \"208.67.222.222,208.67.220.220\"\r\
    \n:local testDomain \"www.google.com\"\r\
    \n\r\
    \n:if (\$currentDNS = \$piholeDNS) do={\r\
    \n    :do {\r\
    \n       :resolve \$testDomain server \$piholeDNS\r\
    \n    } on-error={\r\
    \n        /ip dns set servers=\$backupDNS\r\
    \n        /ip dhcp-server network set 0 dns-server=\$backupDNS\r\
    \n        :log error \"Pi-hole isn't working, using OpenDNS instead\"\r\
    \n        /tool e-mail send to=\"<mymail>\" subject=\"Mikrotik \
    DNS\" body=\"Default DNS set, PiHole DOWN\"\r\
    \n    }\r\
    \n} else={\r\
    \n    :do {\r\
    \n        :resolve \$testDomain server \$piholeDNS\r\
    \n        /ip dns set servers=\$piholeDNS\r\
    \n        /ip dhcp-server network set 0 dns-server=\$piholeDNS\r\
    \n        :log info \"Pi-hole is working again,\"\r\
    \n        /tool e-mail send to=\"<mymail>\" subject=\"Mikrotik \
    DNS \" body=\"PiHole operational again.\"\r\
    \n    } on-error={}\r\
    \n}\r\
    \n"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

Routes from Hex

Flags: D - DYNAMIC; A - ACTIVE; c, s, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS      GATEWAY       DISTANCE
0  As 0.0.0.0/0        192.168.0.1          5
  DAc 10.255.255.0/24  wireguard            0
  DAc 192.168.0.0/24   ether1               0
  DAc 192.168.2.0/24   bridge               0
1  As 192.168.88.0/24  wireguard            1
2  As 192.168.90.0/24  wireguard          1

SXT

# jan/31/2022 20:29:02 by RouterOS 7.2rc3
# software id = WZHT-RPE1
#
# model = RBSXTR
# serial number = <serial SXT>
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    name=5
/caps-man datapath
add local-forwarding=yes name=2.4
add local-forwarding=yes name=5
/interface bridge
add admin-mac=<mac1> auto-mac=no comment=defconf fast-forward=no \
    name=bridge
/interface lte
set [ find ] allow-roaming=yes band="" name=lte1 network-mode=3g,lte
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/interface wireguard
add listen-port=19685 mtu=1450 name=wireguard
/interface vlan
add interface=bridge name=Guest vlan-id=10
/caps-man datapath
add bridge=bridge local-forwarding=no name=Guest vlan-id=10 vlan-mode=use-tag
/caps-man rates
add basic=12Mbps name=2.4 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic=24Mbps name=5 supported=24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk name=Guest
add authentication-types=wpa2-psk encryption="" name=MikroTik
/caps-man configuration
add channel=2.4 country=france datapath=2.4 distance=indoors hide-ssid=no \
    hw-retries=4 installation=indoor name=config2.4 rates=2.4 security=\
    MikroTik ssid=MikroTik2.4
add channel=5 country=france datapath=5 distance=indoors hide-ssid=no \
    hw-retries=4 installation=indoor name=config5 rates=5 security=MikroTik \
    ssid=MikroTik5
add channel=2.4 country=france datapath=Guest distance=indoors hide-ssid=no \
    installation=indoor name=Guest rates=2.4 security=Guest ssid=\
    LaFolliaGuest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=free default-route-distance=5 ip-type=ipv4 name=\
    FRFree
add apn=mworld.be default-route-distance=5 ip-type=ipv4 name=BEOrange
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=Guest ranges=192.168.100.100-192.168.100.149
/ip dhcp-server
add address-pool=dhcp bootp-support=none interface=bridge name=defconf
add address-pool=Guest interface=Guest name=Guest
/queue simple
add max-limit=1M/2M name=Guest target=192.168.100.0/24
/routing table
add fib name=""
/system logging action
add memory-lines=16384 name=support target=memory
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config2.4 slave-configurations=Guest
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config2.4 radio-mac=08:55:31:B0:BF:EE slave-configurations=Guest
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    config2.4 radio-mac=2C:C8:1B:1D:10:6C slave-configurations=Guest
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    config5
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wireguard list=LAN
/interface lte settings
set sim-slot=b
/interface wireguard peers
add allowed-address=192.168.2.0/24,10.255.255.0/24 endpoint-address=\
    <serial Hex>.sn.mynetname.net endpoint-port=19685 interface=wireguard \
    persistent-keepalive=25s public-key=\
    "<public Hex>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.100.1/24 interface=Guest network=192.168.100.0
add address=10.255.255.4/24 interface=wireguard network=10.255.255.0
/ip cloud
set ddns-update-interval=5m update-time=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Accept Winbox from everywhere except WAN (therefor also VPN tunnels)" \
    dst-port=8291 in-interface-list=!WAN protocol=tcp
add action=drop chain=input comment=\
    "Drop all input coming from WAN if it got here" in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.2.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.88.0/24
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack but not Wireguard" connection-state=\
    established,related disabled=yes hw-offload=yes src-address=\
    !192.168.100.0/24
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=wireguard
/ip firewall raw
add action=drop chain=prerouting comment="Drop updates for Windows" content=\
    download.microsoft.com
add action=drop chain=prerouting content=download.windowsupdate.com
add action=drop chain=prerouting content=windowsupdate.com
add action=drop chain=prerouting content=wustat.windows.com
add action=drop chain=prerouting content=ntservicepack.microsoft.com
add action=drop chain=prerouting content=stats.microsoft.com
add action=drop chain=prerouting content=wustat.windows.com
add action=drop chain=prerouting content=windowsupdate.microsoft.com
add action=drop chain=prerouting comment="Drop updates for Apple" content=\
    appldnld.apple.com
add action=drop chain=prerouting content=mesu.apple.com
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=MTSXTLte
/system leds
set 1 type=off
/system logging
add action=support disabled=yes topics=lte
/system ntp client
set enabled=yes
/system ntp client servers
add address=45.87.76.3
add address=185.111.204.220
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool netwatch
add down-script="/interface wireguard peers disable 0\r\
    \n:delay 5\r\
    \n/interface wireguard peers enable 0\r\
    \n" host=10.255.255.1
/tool romon
set enabled=yes
/tool sniffer
set filter-interface=*A only-headers=yes

Routes from SXT

Flags: D - DYNAMIC; A - ACTIVE; c, s, m, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
#     DST-ADDRESS       GATEWAY    DISTANCE
  DAm 0.0.0.0/0         lte1              5
  DAc 10.159.45.62/32   lte1              0
  DAc 10.255.255.0/24   wireguard         0
0  As 192.168.2.0/24    wireguard         1
  DAc 192.168.88.0/24   bridge            0
  DAc 192.168.100.0/24  Guest             0

If any info is missing, please let me know.

Also, if you spot some glaring issues/improvements, please let me know but also clarify why. I’m learning a lot from feedback from others.
Thanks in advance for your assistance.

EDIT: just noticed some private/public keys are not included in the export. Must be something related to how the export works (or doesn’t).
Don’t bother about those, the interface works. The problem is not there.
As some Llama here will surely say, it’s only about the routing :laughing:

For a start, “endpoint-address=10.255.255.x endpoint-port=x” on Hex is nonsense, it should be the public address and reachable port, or not set at all, if the peer doesn’t have any. It’s not really breaking anything, because WG roaming overrides it as soon as the peer connects, but it shouldn’t be there.

A few other things:

  • You don’t need 192.168.2.0/24 in allowed-address=192.168.88.0/24,10.255.255.4/32,192.168.2.0/24, because that’s the local subnet, but allowed-address is for remote ones.
  • You don’t need to exclude WG interface from FastTrack, and even if you’d need to, it wouldn’t work like this, because it would still catch it with incoming packets.
  • You have default-allow firewall, so with WG interface in LAN list you don’t have to allow traffic between LAN subnets.
  • Masquerade on the WG interface is not needed.

But none of this is breaking it, and so far I don’t see what does.

While this might be true, winbox gives an error when I leave endpoint port blank: decimal entry needed between 1 and 65535.
So port has to be filled in.
Cleared IP address on the SXT peer, so far nothing broken (nor resolved). Left the other peers for now till I know for sure what caused the problems.

As for your other suggestions: I’ve been over all these as well in the past. While it might not be needed, it doesn’t break or solve anything either.
But while I am at it, I’ll clean up those parts…

Everything cleaned up except for this one. You lost me here.
What do you mean by “default-allow firewall” ?

You need listen-port=X for the WG interface, but endpoint-port for the peer is optional, same as endpoint-address. You can’t keep it empty (then you get the error message), but you need to deactivate the field with the arrow at the right.

RouterOS firewall by default allows everything, so anything not allowed or blocked by any rule will be allowed if it reaches end of chain. You now have:

  • allow 192.168.2.0/24 → 192.168.88.0/24
  • allow 192.168.88.0/24 → 192.168.2.0/24
  • fasttrack established & related
  • accept established & related & untracked
  • drop invalid
  • drop new from WAN if not dstnatted
  • <allow everything else; implicit action, not visible rule>

So you don’t need the first two rules, because that traffic would be allowed anyway. That’s default-accept. The other way is default-deny, which you can have if you add an unconditional drop/reject rule at the end, so anything not allowed before will be blocked.

As for the main problem, play with Torch or logging rules, to see how far packets get and where they get lost.
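The two points above about allowed-address (it lists the remote side, and with an address on the WG interface the 10.255.255.0/24 route comes for free) can be checked with a small model of WireGuard cryptokey routing plus an ordinary route lookup. This is an added example in Python, not RouterOS code and not from anyone in the thread; the peer list and route print are transcribed from the Hex export above, and the packets walked through are constructed.

```python
"""Cryptokey routing and route lookup replayed over the Hex tables in this thread.

Added example, not RouterOS code. The peer list and route print are transcribed
from the Hex export posted above; the packet walks are constructed.
"""
from ipaddress import ip_address, ip_network

# Hex peer table (key = comment field) as exported above.
HEX_PEERS = {
    "mAP2nD": ["10.255.255.2/32", "192.168.90.0/24"],
    "Laptop": ["10.255.255.3/32"],
    "SXT": ["192.168.88.0/24", "10.255.255.4/32", "192.168.2.0/24"],
    "mAPLite": ["192.168.91.0/24", "10.255.255.5/32"],
    "Android": ["10.255.255.6/32"],
}

# Hex route print as posted above: (dst, gateway or interface).
HEX_ROUTES = [
    ("0.0.0.0/0", "192.168.0.1"),
    ("10.255.255.0/24", "wireguard"),  # connected route from the 10.255.255.1/24 address
    ("192.168.0.0/24", "ether1"),
    ("192.168.2.0/24", "bridge"),
    ("192.168.88.0/24", "wireguard"),
    ("192.168.90.0/24", "wireguard"),
]

# Subnets local to Hex (bridge and ether1 addresses).
HEX_LOCAL = ["192.168.2.0/24", "192.168.0.0/24"]


def route_lookup(routes, dst):
    """Ordinary longest-prefix route lookup; returns the gateway or interface."""
    addr = ip_address(dst)
    best = None
    for net, via in routes:
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best[1] if best else None


def select_peer(peers, dst):
    """Outbound cryptokey routing: for a packet already routed to the wireguard
    interface, the peer whose allowed-address contains dst is chosen (longest
    prefix wins). None means no peer matches and WireGuard drops the packet."""
    addr = ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in map(ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, from_peer, src):
    """Inbound cryptokey routing: after decryption the packet is kept only if
    its source lies in the allowed-address list of the peer that sent it."""
    return any(ip_address(src) in ip_network(n) for n in peers[from_peer])


def send_from_hex(dst):
    """Walk a packet leaving Hex: route lookup first, peer selection only when
    the route points at the wireguard interface."""
    via = route_lookup(HEX_ROUTES, dst)
    if via != "wireguard":
        return via  # never reaches WireGuard, so allowed-address is irrelevant
    return "wireguard/" + str(select_peer(HEX_PEERS, dst))


def local_subnet_entries(peers, local_subnets):
    """Allowed-address entries overlapping a subnet local to this router.
    Outbound they are never used (the connected route wins in route_lookup);
    inbound they make the router accept tunnel packets claiming a local source."""
    return [(name, n) for name, nets in peers.items() for n in nets
            if any(ip_network(n).overlaps(ip_network(loc)) for loc in local_subnets)]


if __name__ == "__main__":
    for dst in ("192.168.88.1", "192.168.2.15", "10.255.255.5", "192.168.91.7", "8.8.8.8"):
        print(f"Hex -> {dst}: {send_from_hex(dst)}")
    print("SXT sends src 192.168.88.2:", accept_inbound(HEX_PEERS, "SXT", "192.168.88.2"))
    print("Laptop sends src 192.168.88.2:", accept_inbound(HEX_PEERS, "Laptop", "192.168.88.2"))
    print("Local subnets listed as allowed-address:",
          local_subnet_entries(HEX_PEERS, HEX_LOCAL))
```

Note that 192.168.91.7 falls to the default route because Hex has no route for the mAPLite subnet, and that only the SXT peer's 192.168.2.0/24 entry overlaps a Hex-local subnet.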

HEX ROUTER COMMENTS:

(1) I am not a proponent of using an IP address for the Wg interface and thus my approach would be slightly different.

/interface wireguard peers

(2) Map2nd?
add allowed-address=192.168.90.0/24 { assuming this is the incoming subnet from the map2ND }
The rest is unnecessary noise, the hex is not going to initiate a connection to the remote units behind CGNAT. { remove }
“mAP2nD 10.255.255.2” endpoint-address=10.255.255.2 endpoint-port=19685
interface=wireguard persistent-keepalive=25s public-key=
“<public peer .2>”

(3) LAPTOP Device.
Simply use a single IP address - aka the one assigned to the laptop (like I do on my iPhone - a faux IP, as a laptop can be behind anyone’s IP address: coffee shop, hotel etc.)
If you want to use 10.255.255.3/32 that is as good as any other faux IP, but it has nothing to do with interface IP addresses in my schema, it’s simply a random IP.

add allowed-address=10.255.255.3/32 comment=“Laptop 10.255.255.3” \ OKAY
endpoint-address=10.255.255.3 endpoint-port=19685 interface=wireguard \ {remove the noise}
persistent-keepalive=25s public-key=


(4) SXT - Another GROUP Of devices using wireguard to gain access to the Main Local WG Router (hex) ON THE SAME INTERFACE, but different peers!
add allowed-address=192.168.88.0/24,10.255.255.4/32,192.168.2.0/24 comment=
“SXT 10.255.255.4” endpoint-address=10.255.255.4 endpoint-port=19685
interface=wireguard public-key=
“<public peer .4>”

add allowed-address=192.168.88.0/24
This covers two requirements!!
a. allowed incoming/inbound from the remote site USER IPs from their subnet, filtered and able to exit the tunnel on the Hex
b. allowed outbound destination addresses from the Local Router that are matched and selected to enter the tunnel and then get to the remote subnet.
The first one is GOOD, the second one is the IP address of WG which I don’t use so remove it, the third, now you’re inventing an IP range that doesn’t exist on the Remote site, at least according to your diagram!!!

Note: Now I see that 192.168.2.0/24 is a local subnet on the Local Hex Router. If that is the Subnet you want to access the Remote Site subnet, it needs to be noted at the far end.
You have already configured the wireguard to allow destination addresses of 192.168.88.0/24 and thus users on the 192.168.2.0/24 will match with their outbound traffic … So basically still remove it LOL

(5) MAPLITE - Where is the mAP lite located?? Let’s say it’s another remote location that you want to use the same WG interface, just another peer, stuff in orange is excess!
add allowed-address=192.168.91.0/24,10.255.255.5/32 comment=
“mAPLite 10.255.255.5” endpoint-address=10.255.255.5 endpoint-port=19685
interface=wireguard persistent-keepalive=25s public-key=
“<public peer .5>”

(6) An android phone this time… As stated previously any faux address will do so if 10.255.255.6/32 suits you as a faux address great, the rest is noise
add allowed-address=10.255.255.6/32 comment=“Android S20 10.255.255.6”
endpoint-address=10.255.255.6 endpoint-port=19685 interface=wireguard
public-key=“<public peer .6>”

(7) IP addresses
/ip address
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
add address=10.255.255.1/24 interface=wireguard network=10.255.255.0 {remove}

(8) FW rules. In concept, up to you to ensure they are correct and I always presume you have a drop all rule at the end of both input chain and forward chain.
A. Remote site CGNAT
INPUT CHAIN

  • one rule to allow listening port TO the router with destination port and protocol UDP (I see it’s in place)
    FORWARD CHAIN
  • one rule to allow select subnet users from remote site to access select devices on your subnet.
    add chain=forward action=accept in-interface=wireguard src-address-list=authorized_inbound dst-address-list=authorized_Devices ****
    (*** Where authorized_inbound is a firewall address list of user IP addresses from the remote subnet that are allowed to access Hex subnet resources.)
    (*** Where authorized_Devices is a firewall address list of IP addresses (devices) the users on the remote subnet are allowed to access.)

If you want full subnet to full subnet access then the rule is simplified.
add chain=forward action=accept in-interface=wireguard src-address=192.168.88.0/24 dst-address=192.168.2.0/24

B. Laptop:
add chain=forward action=accept in-interface=wireguard src-address=10.255.255.3/32 dst-address=192.168.2.0/24

C. mAPLite
add chain=forward action=accept in-interface=wireguard src-address=192.168.91.0/24 dst-address=192.168.2.0/24

D. Android
add chain=forward action=accept in-interface=wireguard src-address=10.255.255.6/32 dst-address=192.168.2.0/24

E. Map2ND
add chain=forward action=accept in-interface=wireguard src-address=192.168.90.0/24 dst-address=192.168.2.0/24

********* IF all interfaces require full access to the SUBNET then there could be ONE RULE.
add chain=forward action=accept in-interface=wireguard dst-address=192.168.2.0/24

(9) Routes
add dst-address=192.168.88.0/24 gwy=wireguard table=main **** { Sxt both flow directions }
add dst-address=192.168.91.0/24 gwy=wireguard table=main { mAPLite }
add dst-address=192.168.90.0/24 gwy=wireguard table=main { map2nd }
add dst-address=10.255.255.3/32 gwy=wireguard table=main { laptop }
add dst-address=10.255.255.6/32 gwy=wireguard table=main { android }

**** Note, this IP route does double duty!
(i) It ensures any replies from the local subnet devices to user traffic are returned through the tunnel back to the user
(ii) it directs all queries originating on the local Router destined for the remote subnet, to go out the appropriate route.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
SXT DEVICE


/interface wireguard peers
add allowed-address=192.168.2.0/24,10.255.255.0/24 endpoint-address=
<serial Hex>.sn.mynetname.net endpoint-port=19685 interface=wireguard
persistent-keepalive=25s public-key=

Looks good, just remove the unnecessary bit in orange. We need to recognize one thing though. You stated you wanted the Main Router also to be able to connect to the Remote SXT subnet!
" both LAN environments need to be accessible from 'the other side "
As in the case of the Local Router (hex), the address entry of the subnet above has DUAL Purpose.

The address fulfils the functionality of the outgoing part of allowed addresses, for the SXT to match user destination addresses from users on its subnet, to those noted by the admin in peer settings, to send them through the correct route and thus successfully enter the tunnel.
The address also reflects also the functionality required for incoming traffic which filters according to this list and thus you have source address of the other subnet coming in which can only exit the tunnel and enter the SXT if the associated IP addresses are authorized.

(11) FIREWALL RULES

add chain=forward action=accept in-interface=wireguard dst-address=192.168.88.0/24

(12) IP ROUTES

dst-address=192.168.2.0/24 gwy=wireguard table=main **** { ensures queries to the SXT subnet are returned back through the tunnel to the HEX subnet originated traffic }

**** This also acts as the route decision for the SXT router to handle its own subnet users wanting to reach the HEX subnet.

I don’t want to nitpick, but how is this (three routes):

better than this (single address that also provides automatic route to all above addresses):

?

Fixed, give me a fricken second it was a long post and lots of tiny error LOL.

NOW have at! Its perfect 100% I get a cookie!!

PS Sob, I know it will be hard to type as the tears of incredulity pour down your face reading the masterpiece post above!!
I may even bronze my hand print and make it available for you at a special price of an RB5009 shipped to my location, taxes and duties included

Ok, new question, how are two routes better than one address?

Clarity of purpose and design in my brain. Attempting to use IP addresses for wireguard interfaces confuses the crap out of me, especially when people try to assign or associate interface IP addresses with actual subnets…

No IP address is clean, clear and direct. I know exactly what traffic is allowed and what routes are provided, nothing automagic! ALL AVAILABLE ON AN IP CONFIG PRINT. Same reasons I HATE seeing bridge vlan settings without manual insertion of UNTAGGED :wink:

One other point, the fewer assumptions made by the new configurer the better, it shows an understanding of how traffic is being flowed. If you are as smart as Sob, one can do it any way they like but I bet they will get it right and thus won’t be here asking for help LOL.

In conclusion: All users with issues on wireguard as smart as sob, please ignore the non-IP address advice!!!
That must be at least what 0.5% of posters jajajajajajajajajajaja

But it’s the same as with ethernet, wireless, or any other interface. If addresses and netmasks don’t scare you there, why does it happen with WG? In fact, it should be easier, if it’s the same everywhere and there are no exceptions.

@anav: https://www.youtube.com/watch?v=9NMOllP3eN4 :wink:

Let’s agree to disagree…
I get confused, and thus many other lay person non-it trained people will get confused.

In your honour I have adjusted my ARTICLE>>>>

CONFIGURING THE CLIENT ROUTE
There are two cases that are normally discussed that match up with the type of allowed addresses discussed above at (i), (ii).

(i) Route for Internet. Now on the CLIENT side you probably have a default route already of some sort probably created dynamically so that your LAN users have internet access out the wan port of the MT device and depending upon topology, possibly out another router ( as in the ISP router you have no control over) and then out to the internet. The source nat setting of the MT device ensures that any user traffic gets an IP of the MT device when it hits the main router out bound. Return traffic enters the ISP router gets forwarded to the MT WAN port and then gets un(source-natted) to the user.

We need to ensure that the user(s)/subnet(s) on the client device, that the admin wants to send to the far site for internet access, don’t have their internet traffic go out the WAN of the MT device and then out to the internet directly or through the ISP router. To prevent this from happening and ensuring we funnel the traffic through the tunnel, we create a route that pushes such traffic through the WG interface. This entails three main config items.

First - You have to make a table… via the terminal CLI
/routing table add name=useWG fib

Second - You need to add a route for the subnet or user that is going out the tunnel, let's say it's one of the subnets on the router (192.168.50.0/24)
dst-address=0.0.0.0/0 gwy=remoteWG table=useWG

Third - Then make the associated route rule
src-address=192.168.50.0/24
Action=Lookup-only-in-table
Table=useWG
Note: If the admin wants the users to be able to access internet locally if WG is down then use ACTION=Lookup
Note:2 If you have multiple peers going through the same tunnel/interface then you may need multiple such routes.
(ii) Route for Subnet/IP. To ensure user(s)/subnet(s) are also sent through the tunnel when attempting to reach destination IP addresses on the far site, a much simpler IP Route is required.
/ip route
dst-address=IPsubnet (or IP address) gwy=WG-interface table=main (where the dst address matches an allowed address entry).
Note: If you are as smart as SOB, and are still having wireguard issues, you are not that smart after all, and thus don't use IP addresses for the WG interface. ;-PPPP
But if you do, then the IP route will be created dynamically (automatically).

I recommend the full lesson!
https://www.youtube.com/watch?v=xpAvcGcEc0k
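The two route cases from the article, worked out with this thread's addressing (added example, not anav's article text or either router's export). The WG interface name, the 10.255.255.0/30 tunnel addressing, the keys and the hEX endpoint are assumptions or placeholders.

```routeros
# Added example (not anav's article or the OP's exports): the article's
# two route cases with this thread's addressing. Assumed: WG interface
# "wireguard", tunnel 10.255.255.0/30 (hEX .1, SXT .2), LANs 192.168.2.0/24
# (hEX) and 192.168.88.0/24 (SXT); keys and hEX endpoint are placeholders.
# ---- hEX (home; ISP modem forwards UDP 19685 here) ----
/interface wireguard
add listen-port=19685 mtu=1450 name=wireguard
/ip address
add address=10.255.255.1/30 interface=wireguard
# allowed-address must include the far LAN or WireGuard drops its packets
/interface wireguard peers
add interface=wireguard allowed-address=10.255.255.2/32,192.168.88.0/24 \
    public-key="<SXT-public-key>"
# case (ii): route to the far LAN in table main
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard
# forward rules go above any drop rule in the forward chain
/ip firewall filter
add chain=forward action=accept in-interface=wireguard \
    src-address=192.168.88.0/24 dst-address=192.168.2.0/24
add chain=forward action=accept out-interface=wireguard \
    src-address=192.168.2.0/24 dst-address=192.168.88.0/24
# ---- SXT (remote, behind CGNAT: it must initiate and keep alive) ----
/interface wireguard
add mtu=1450 name=wireguard
/ip address
add address=10.255.255.2/30 interface=wireguard
/interface wireguard peers
add interface=wireguard allowed-address=10.255.255.1/32,192.168.2.0/24 \
    endpoint-address=<hex-public-ip-or-ddns-name> endpoint-port=19685 \
    persistent-keepalive=25s public-key="<hEX-public-key>"
/ip route
add dst-address=192.168.2.0/24 gateway=wireguard
/ip firewall filter
add chain=forward action=accept in-interface=wireguard \
    src-address=192.168.2.0/24 dst-address=192.168.88.0/24
add chain=forward action=accept out-interface=wireguard \
    src-address=192.168.88.0/24 dst-address=192.168.2.0/24
# case (i), optional: SXT LAN internet via the hEX. Also needs 0.0.0.0/0
# in the SXT allowed-address above, a forward accept towards the hEX WAN
# and masquerade for 192.168.88.0/24 on the hEX.
/routing table
add name=useWG fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG
/routing rule
add src-address=192.168.88.0/24 action=lookup-only-in-table table=useWG
```

Check the result with /ip route print and /routing rule print on both sides; the far-LAN route must show as active with the wireguard interface as gateway.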

No, it's the role of an IP address that is not a source address that bothers me.
for example
add chain=forward action=accept src-address=IPofwireguard interface IS NOT the same as src address of subnet that needs to be allowed, it's too confusing.

Much better
add chain=forward action=accept in-interface=wg src-address=subnet dst-address=subnet
WHERE MULTIPLE SUBNETS or IPs may be EXITING THE TUNNEL as in this case!!! It's just cleaner and simpler to understand IMHO.

That’s firewall, addresses and routes are on slightly different level. Imagine if we wanted to make VPN between us, but instead of using some VPN protocol over internet, we’d use one very (veeeeeeeeeeeery) long cable between ethernet ports of our routers. Wouldn’t you put some addresses on those interfaces?

Me, probably not! I'm happy knowing which port I am using and the vlan address I would be using to run through it. Some people are just interface ip address happy!!

@anav,
while I do appreciate your input (I REALLY do !), please take into account not everyone is able to digest the amount of info you provide in the way you do. Certainly when large parts are completely unrelated to the question.
I did not ask anything about phone, laptop, maplite, map, … those work !
The only thing I do not seem to get working is between Hex and SXT.
Also, the Wireguard help page from Mikrotik specifies to use IP addresses for the endpoint. You do not use them, I get it. But I do. So do most of other setups I’ve seen.
Just like you can not get your head around using these addresses, I can not get it without.

Hex

  1. noted. I do use IP addresses. We agree to disagree here.
  2. Map2nd - irrelevant for this problem, lab setup (and it works)
  3. laptop - irrelevant for this problem. Besides, when using WG on my laptop, I CAN access all LAN devices in 192.168.2.0/24.
  4. SXT - use of 192.168.2.0/24 in peer on Hex side has been removed already as per Sob’s comments.
  5. Maplite - irrelevant. Road Warrior toy I’m using to experiment with.
  6. Android phone - see laptop. This works.
  7. IP addresses - as stated, I am not going to remove that address.
  8. firewall
    A -forward chain - Sob mentioned these subnet rules are not needed. And now I look at them, I see they are not being hit anyhow, so to be removed ?
    B- not needed. It works !
    C- Haplite, should be maplite, I think ? Not needed. it works.
    D- Same
    E- Same
  9. routes - I don’t see where you are going with your comments …

SXT device
10) Same as 9. I don’t see where you are going with your comments.
11) See comment Hex 8/A - those rules are not being hit already as they are now. So why change them to any source and specify the interface. They will still not hit ?
12) Nothing to do here ?

Cmd-terminal on laptop:
ping 192.168.2.15 -t
Times out every time (I didn’t expect it to start working overnight …).

Torch on SXT - ether1
ICMP from src 192.168.88.237 (laptop) to 192.168.2.14 - so far so good

Torch on SXT - bridge
Same, makes sense ?

Torch on SXT - wireguard
tcp from src 10.255.255.4 to 192.168.88.237 = return from ping ? But where is the start then ?

Torch on hex - wireguard
tcp from 192.168.88.237 to 10.255.255.1

On hex I don’t see anything coming or going from/to 192.168.88.0/24, whatever interface I check.

So something seems to be coming back. But where does it stop ?
I checked the firewall drop rules, nothing is increasing at the same rate as that ping.