Wireguard between two mikrotik

Hi.
I have done a quick search but did not find the answer.
I am trying to get my two routers connected. I am using this guide
https://help.mikrotik.com/docs/display/ROS/WireGuard
The issue is this part:


IP and routing configuration
Lastly, IP and routing information must be configured to allow traffic to be sent over the tunnel.
Office1
/ip/address
add address=10.255.255.1/30 interface=wireguard1

If I look at the address list, I see it as “invalid” and in red. Not sure what I am missing. Office1 has 10.10.10.1/24, Office2 has 20.20.20.1/24

Can someone let me know what I am doing wrong?

wg between routeros devices is very easy.

So please export your config here.

How do you set the address of two wg ends?

I know there was a command to export the conf without personal data, can not find it… Do you know it, then I can do the export.
But those are the scripts I used:
Office1

/interface/wireguard
add listen-port=13231 name=Wireguard-HotSpot

/interface/wireguard print
Flags: X - disabled; R - running
0 R name="Wireguard-HotSpot" mtu=1420 listen-port=13231 private-key="yKt9NJ4e5qlaSgh48WnPCDCEkDmq+VsBTt/XXXXX"
public-key="u7gYAg5tkioJDcm3hyS7pm79eADKPs/ZUGON6/fXXXXX"

/interface/wireguard/peers
add allowed-address=20.20.20.0/24 endpoint-address=100.69.xxx.xxx endpoint-port=13231 interface=Wireguard-HotSpot public-key="h9mk1Ns0o8l0jm8Z2fJnv7YjP6TjbHUe/vB2r47OXVc="
/ip/address
add address=10.255.255.1/30 interface=Wireguard-HotSpot
/ip/route
add dst-address=20.20.20.0/24 gateway=Wireguard-HotSpot
/ip/firewall/filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=100.69.xxx.xxx
/ip/firewall/filter
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=20.20.20.0/24
add action=accept chain=forward dst-address=20.20.20.0/24 src-address=10.10.10.0/24


Office2

/interface/wireguard
add listen-port=13231 name=Wireguard-HotSpot

/interface/wireguard/print
Flags: X - disabled; R - running
0 R name="Wireguard-HotSpot" mtu=1420 listen-port=13231 private-key="KMwxqe/iXAU8Jn9dd1o5pPdHep2blGxNWmXXX"
public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M="

/interface/wireguard/peers
add allowed-address=10.10.10.0/24 endpoint-address=176.57.xxx.xxx endpoint-port=13231 interface=Wireguard-HotSpot public-key="ltSFUHefjAmAEJ4HXNbixgDSeSKv3cVmnb2Fu/5XXXXX"
/ip/address
add address=10.255.255.2/30 interface=Wireguard-HotSpot
/ip/route
add dst-address=10.10.10.0/24 gateway=Wireguard-HotSpot
/ip/firewall/filter
add action=accept chain=input dst-port=13231 protocol=udp src-address=176.57.xxx.xxx
/ip/firewall/filter
add action=accept chain=forward dst-address=20.20.20.0/24 src-address=10.10.10.0/24
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=20.20.20.0/24

/ip/address
add address=10.255.255.1/30 interface=Wireguard-HotSpot

Yes, it is that one. I tried several different configurations - same issue every time.
On office1 I already have one working WireGuard. If I change the address to that interface, I have no error. Not sure why. Can there be only one WireGuard configured?
What should I export? The whole config or just the address, routing and wireguard?
Thanks!

All your answers are here.
You need to learn how to setup wireguard and why etc…
https://forum.mikrotik.com/viewtopic.php?t=182340

Quite some reading. Will take time tomorrow.
Thanks!

No problem, not expecting a 100% turnaround, but the questions will be more depicting someone who has studied a bit, thought about it a bit and can ask good questions! :slight_smile:

OK, I have read most of the things, but that is still not working.
I see traffic, handshake, but can not ping between them. I have also exported the configs of SiteA (fiber optic) and siteB (mobile SXT LTE6Kit).
If someone has some time, can you take a look?
I know, the first time I have set up the Wireguard, I had similar issues. Had to make it several times as it was simply not working. Then all of a sudden, it worked. I made the same steps 20x and one time it just worked… At that time it was V6.x. Now it is the latest V7.
Export of both sites attached.
siteB.rsc (5.69 KB)
siteA.rsc (19.4 KB)

/ip route
add disabled=no dst-address=10.10.0.100/24 gateway=wireguard routing-table=
main suppress-hw-offload=no

Impossible !
Wireguard is not and never will be available in ROS6 (kernel limitation).
It only was added with ROS7.

I love this config… stretching my boundaries of acceptance of normal networking of which I have no clue!!

So for anyone reading.
YES, perfectly OKAY to have multiple IP addresses per SINGLE WG interface and not only that have both client and server functions on a router on that single interface, as long as:

a. one ensures IP routes are adequate for the scenario
b. one ensures allowed IPs are adequate for the scenario
c. in this particular case both Routers have a public IP or an upstream modem/router can forward the listening port to the MT router.


Review RouterA

(1) Since Router A is client to Router B on the 255 address schema, I would prefer the address to be .2, vice .1. Just my personal preference/comfort level.

(2) WWW is not a secure method of accessing the router and thus would remove this …
set www port=8080

(3) The FIREWALL RULES and SOURCE NAT RULES are a hairy mess of paranoia and stuff that does not really work such as attempting to block youtube etc. WASTE OF TIME. My suggestion is to go back to default rules and only add what you need for traffic flow and use drop all else rules at end of input chain and forward chain.

(4) The input chain rule for wireguard seems strange, how can you have a src-address list if you are expecting remote users? They may log in from any Cellular provider or WIFI at a restaurant/hotel and thus going to be random??? That is the point of wireguard address structure, the initial handshake doesn't need to have a defined incoming source IP. Clearly from a security perspective it's always better if you can do so, but just not expected here. Must be saying that your remote warriors are always coming from same ISP and thus what I would call "FIXED" remote users vice "MOBILE" remote users.
add action=accept chain=input comment="13231 => Allow Wireguard" dst-port=
13231 in-interface=1-WAN log=yes log-prefix=
"13231 => Wireguard MT SkupnaListaDovoljenih" protocol=udp
src-address-list=SkupnaListaDovoljenih

In conclusion, for Router A, nothing wrong with your rules here for wireguard performance. If anything is causing issues on this router it would be the Firewall/sourcenat rule mess.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Router B

(4) Okay I don't understand why both RouterA and RouterB on their peer to peer settings think they are both clients???
You have to make up your mind. If Router B cannot act as the server, due to not having a publicly accessible IP address or one cannot forward the listening port from an upstream modem/router, then this will change things but ONLY at Router A.

Supposing Router B is supposed to be only the client then nothing need change at Router B. Normally the IP address for wireguard should be the subnet to allow any other devices attached to Router A be reachable or receivable but not necessary in this particular scenario.

Carrying this forward, at Router A, remove the keep alive setting as not required.

Seriously consider removing the second Wireguard address setup as its not required.
I thought the reason you had two was for the change of Server/Client relationship for a different connection.
If your concern is security, one can simply use firewall rules etc..

So perhaps a better explanation on your part can help figure out a better config.


( also messy firewall rules but a bit less crap for sure)

( same comment forget www address, it's not a secure method of accessing config )
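Added example, not code from the thread or from MikroTik: a small Python model of WireGuard's cryptokey routing run over constructed copies of the Office1/Office2 peer, address and route lines posted above (key and endpoint replaced by placeholders, `site()` is a template of my own). It shows why the handshake can complete while a ping sourced from a router's own 10.255.255.x tunnel address fails until those addresses appear in allowed-address on both ends, which is what the later review changes, and it also flags routes into the tunnel that no peer will carry.

```python
"""Constructed model of WireGuard cryptokey routing for the RouterOS tunnel in
this thread: why a handshake can succeed while router-to-router pings fail."""
import ipaddress
import re


def site(allowed, tunnel_ip, remote_lan):
    """Constructed export fragment in the shape posted above (placeholder key/IP)."""
    return f"""
/interface/wireguard/peers
add allowed-address={allowed} endpoint-address=198.51.100.1 endpoint-port=13231 interface=Wireguard-HotSpot public-key="PEER_KEY_PLACEHOLDER"
/ip/address
add address={tunnel_ip}/30 interface=Wireguard-HotSpot
/ip/route
add dst-address={remote_lan} gateway=Wireguard-HotSpot
"""

# First attempt in the thread: only the remote LAN is in allowed-address.
OFFICE1_ORIG = site("20.20.20.0/24", "10.255.255.1", "20.20.20.0/24")
OFFICE2_ORIG = site("10.10.10.0/24", "10.255.255.2", "10.10.10.0/24")
# After the review: the tunnel addresses are in allowed-address on both ends.
OFFICE1_FIXED = site("10.255.255.2/32,20.20.20.0/24", "10.255.255.1", "20.20.20.0/24")
OFFICE2_FIXED = site("10.255.255.0/24,10.10.10.0/24", "10.255.255.2", "10.10.10.0/24")

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_site(text):
    """Return (peer allowed-address lists, addresses by interface, routes)."""
    peers, addrs, routes, menu = [], {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = re.sub(r"\s+", "/", line)  # '/ip address' == '/ip/address'
        elif line.startswith("add "):
            kv = dict(KV.findall(line))
            if menu == "/interface/wireguard/peers":
                peers.append([ipaddress.ip_network(a, strict=False)
                              for a in kv["allowed-address"].split(",")])
            elif menu == "/ip/address":
                addrs[kv["interface"]] = ipaddress.ip_interface(kv["address"])
            elif menu == "/ip/route":
                routes.append((ipaddress.ip_network(kv["dst-address"], strict=False),
                               kv["gateway"]))
    return peers, addrs, routes


def covered(peers, ip):
    """Cryptokey routing: is this address inside some peer's allowed-address?"""
    return any(ip in net for nets in peers for net in nets)


def check_flow(sender, receiver, src, dst):
    """Problems a packet src->dst hits: WireGuard only sends it to a peer whose
    allowed-address covers dst, and the receiver drops the decrypted packet
    unless its source is inside the allowed-address of the peer it came from."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    problems = []
    if not covered(sender[0], dst):
        problems.append(f"sender: no peer covers {dst}, packet never enters tunnel")
    if not covered(receiver[0], src):
        problems.append(f"receiver: allowed-address lacks source {src}, packet dropped")
    return problems


def router_ping(local, remote, iface="Wireguard-HotSpot"):
    """A ping typed on the router itself is sourced from its tunnel address."""
    return check_flow(local, remote, str(local[1][iface].ip), str(remote[1][iface].ip))


def route_problems(site_cfg, iface="Wireguard-HotSpot"):
    """Routes into the tunnel whose destination no peer's allowed-address carries."""
    peers, _, routes = site_cfg
    return [str(dst) for dst, gw in routes
            if gw == iface and not any(dst.subnet_of(n) for nets in peers for n in nets)]


if __name__ == "__main__":
    o1, o2 = parse_site(OFFICE1_ORIG), parse_site(OFFICE2_ORIG)
    f1, f2 = parse_site(OFFICE1_FIXED), parse_site(OFFICE2_FIXED)
    print("original, router-to-router ping:", router_ping(o1, o2))
    print("original, LAN-to-LAN:", check_flow(o1, o2, "10.10.10.5", "20.20.20.5"))
    print("fixed, router-to-router ping:", router_ping(f1, f2))
```

With the first-attempt config a LAN host behind Office1 can reach a LAN host behind Office2, but a ping from either router to the other's tunnel address is refused at both ends; the fixed allowed-address lists pass in both directions.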

Thanks for your input.
SiteA is my main router at home. Yes I was working with security too long, so yes, I am paranoid a bit :wink:
It also has quite some rules, most of them disabled, as I used them only for playing.
SiteB IS defconf, only wireguard (with three fw rules added) added, so… :face_with_peeking_eye:
So siteA is my main, fixed; siteB is the SXT I use on vacation. Has a mobile card in it. So Site B is the client, siteA is the server.
Thanks.

Fair enough but that fails to explain why you have this rule on Router A.

add action=accept chain=forward dst-address=20.20.20.0/24 log=yes log-prefix=
Wireguard-HotSpot2 src-address=10.10.10.0/24

It says, allow people on Router A ( on the local subnet ) to reach the LAN on the Router B SXT.
That tells me there is an expectation that
a. router B is up all the time.
b. that users on router A expect to originate traffic and contact Router B.
siteB is the sxt I use on vacation. Has a mobile card in it.

I think you should be aware return traffic doesn't need a separate rule, only the originating traffic does. So I think that all you need is a firewall rule stating
add action=accept chain=forward in-interface=wireguard out-interface-list=LAN on your Router A.

This will permit all mobile and sxt Users to reach router A's LAN. Return traffic will be allowed automatically and no extra rule is required.
I haven't looked at Router B, but I have a sneaking suspicion that you have a rule allowing Router A users to access Router B LAN which would be the same issue, not expected, but I could be wrong, so attempting to clarify. ( the only rule I would expect is router B users to reach router A through wireguard etc…).

Comments/Changes:

  1. Recommend setting detect internet to NONE if you experience weird issues.
  2. Removed persistent keep alive for the peer to SXT (router B client device)
  3. Added firewall address to include all potential Admin LAN or wireguard IPs for access to config router in input chain.
  4. Cleaned up firewall rules.
    a. On wireguard, I kept the one rule of Known IPs coming in but this is known so no need to log especially. I added a separate rule for all others and logged them but generally not needed as only those with proper key setup would work anyway. In other words really only one rule is needed but if you like to record the times you connect from WIFI hotspots, hotels, cellular etc. then it seems reasonable. By the way, I much prefer to change the wireguard port to something non-standard like any other default port.
    b. Additionally I did the same thing with the forward chain rules, separated SXT from mobile incoming to your LAN as you seem to want to log this…
    c. Ensured only admin access to router, via firewall address list, and LAN access to DNS and NTP and all other traffic is dropped. Clean, simple!
    d. Same with forward chain, allowed WG to your LAN, basic LAN to WAN, basic port forwarding, everything else is dropped. Clean, simple!
    e. Because the wireguard interface is part of the LAN interface list, the LAN to WAN rule applies so you can use internet of Router A when coming in on wireguard.
    f. Removed RDP, access it SAFELY via wireguard!!
  5. Removed LAN from tool mac-server, it's not a secure method of accessing the config ( tool mac-server mac-winbox is secure )
  6. Removed ip service www=8080, danger!! not a secure method of accessing the config and doubly so since it's external access.
  7. Removed all Raw rules --:> not required.
  8. What is with RDP black lists anyway, are you hosting RDP??
  9. You can remove all the IPV6 rules, not used and fill up config for nothing, just keep drop rules for both chains.
  10. Removed your three queuing lines, as it appears you may have been 'playing with queues' at one time but it's incomplete.
  11. Duplicate source nat rule removed for WAN (first one, aka default one is fine).
  12. Removed the mess of hairpin nat rules you put in, and replaced with the single rule required.
  13. Cleaned up dst nat rules, only funny thing is all are limited by firewall address list except for the first TRACAR rule…???


    Site A - Didn't list some default settings/normal stuff but focussed on changes/problem areas.
/interface bridge
add admin-mac=DC:2C:6E:ageing-time=1d auto-mac=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name="2-switch 24G"
set [ find default-name=ether3 ] name=3-STB
set [ find default-name=ether4 ] name=4-nas
set [ find default-name=ether5 ] name=5-videonadzor
set [ find default-name=ether6 ] name="6-delovna L"
set [ find default-name=ether7 ] name="7-WiFi + switch 5G POE"
set [ find default-name=ether8 ] name="8-WiFi + switch 5G POE"
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.10.10.120-10.10.10.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=8h name=DHCP
/interface bridge port
add bridge=bridge comment=defconf interface="2-switch 24G"
add bridge=bridge comment=defconf interface=3-STB
add bridge=bridge comment=defconf interface=4-nas
add bridge=bridge comment=defconf interface=5-videonadzor
add bridge=bridge comment=defconf interface="6-delovna L"
add bridge=bridge comment=defconf interface="7-WiFi + switch 5G POE"
add bridge=bridge comment=defconf interface="8-WiFi + switch 5G POE"
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet  
set detect-interface-list=NONE internet-interface-list=NONE lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface=bridge list=LAN
add interface=1-WAN list=WAN
add interface=wireguard list=LAN
/interface wireguard peers
add allowed-address=10.6.0.10/32 comment="Uros Laptop" interface=wireguard \
    public-key="xxx"
add allowed-address=10.6.0.11/32 comment="Uros Telefon" interface=wireguard \
    public-key="xxx"
add allowed-address=10.255.255.2/32,20.20.20.0/24 comment="Mobile Router" \  { removed keep alive }
    interface=wireguard public-key="PublichFromSiteB"
/ip address
add address=10.10.10.1/24 interface=bridge network=10.10.10.0
add address=10.6.0.1/24 interface=wireguard network=10.6.0.0
add address=10.255.255.1/30 interface=wireguard network=10.255.255.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add interface=1-WAN script="/system script run GoDaddy_DDNS_Update_Script;\r\
    \n/system script run WAN_IP_change_Mail;"
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.3,10.10.10.1,9.9.9.9,1.1.1.1 \
    gateway=10.10.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
add address=10.10.10.1 comment=defconf name=router.lan
add address=10.10.10.52 name=srebrni ttl=3w
add address=10.10.10.4 name=nas
/ip firewall address-list
add address=10.6.0.0/24  list=Authorized (admin from mobile devices)
add address=20.20.20.X/32  list=Authorized (admin from SXT client laptop)
add address=20.20.20.X/32  list=Authorized (admin from SXT client  ipad/iphone)
add address=10.10.10.X/32  list=Authorized ( admin from local desktop )
add address=10.10.10.X/32  list=Authorized ( admin from local laptop )
add address=10.10.10.X/32  list=Authorized ( admin from local iphone )
add address=10.10.10.X/32  list=Authorized ( admin from local ipad )
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input dst-port=13231 protocol=udp comment="Known Source IP" src-address-list=SkupnaListaDovoljenih
add action=accept chain=input dst-port=13231 protocol=udp log=yes log-prefix="Wireguard Handshake" comment="Unknown Source IP"
add action=accept chain=input comment="Allow LAN DNS queries-UDP&NTP" \
     dst-port=53,123 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wg traffic SXT" in-interface=wireguard src-address=20.20.20.0/24 \
    out-interface-list=LAN log=yes log-prefix=SXT-Incoming
add action=accept chain=forward comment="allow wg traffic Mobile" in-interface=wireguard src-address=10.6.0.0/24 \
    out-interface-list=LAN log=yes log-prefix=MOBILE-Incoming
add action=accept chain=forward comment="wireguard relay"  in-interface=wireguard out-interface=wireguard
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin Nat Rule" src-address=10.10.10.0/24 dst-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat comment=\
    "DIRECT ALL DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER" dst-port=53 \
    protocol=udp to-addresses=10.10.10.1 to-ports=53
add action=dst-nat chain=dstnat comment="NAS dostop" dst-port=21,80,443,5000 \
    in-interface=1-WAN protocol=tcp src-address-list=SkupnaListaDovoljenih \
    to-addresses=10.10.10.4
add action=dst-nat chain=dstnat comment="TracCar Allow All" dst-port=5027 \
    in-interface=1-WAN log=yes log-prefix="TracCar Allow All 5027" protocol=\
    tcp to-addresses=10.10.10.8
add action=dst-nat chain=dstnat comment="TracCar Allow Private IP" dst-port=\
    8082 in-interface=1-WAN protocol=tcp src-address-list=\
    SkupnaListaDovoljenih to-addresses=10.10.10.8 to-ports=8082
add action=dst-nat chain=dstnat comment="8123 HomeAssistant Private IP" \
    dst-port=8123 in-interface=1-WAN log-prefix=\
    "8123 HomeAssistant Private IP" protocol=tcp src-address-list=\
    SkupnaListaDovoljenih to-addresses=10.10.10.5 to-ports=8123
add action=dst-nat chain=dstnat comment=\
    "37777 => Videonadzor dostop NAT SkupnaListaDovoljenih" dst-port=37777 \
    in-interface=1-WAN log=yes log-prefix=\
    "Videonadzor dostop NAT SkupnaListaDovoljenih" protocol=tcp \
    src-address-list=SkupnaListaDovoljenih to-addresses=10.10.10.10 to-ports=\
    37777
/ip route
add disabled=no dst-address=20.20.20.0/24 gateway=wireguard routing-table=\
    main suppress-hw-offload=no
/ipv6 firewall filter
add action=drop chain=input comment="drop everything else"
add action=drop chain=forward comment="drop everything else"
/ip service
set www disabled=yes
set www-ssl disabled=no
set winbox address=10.10.10.0/24,20.20.20.0/24,10.6.0.0/24
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=2.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
add address=si.pool.ntp.org
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The rule was done because it is described that way in the description I have provided in original post.
Normally siteB is not accessed from siteA, but I also have another location (also mobile card), where I would like to access the router on location C. So if both are configured the same way, it does not hurt. But all sites connect to siteA, not the other way around.
SiteC was not set up yet, as I have to come to it first
Will make the rule as you described and check.
Thanks for your help.

A clear set of requirements and traffic flows, including current and planned, helps put the design in the proper context.
Will look at Router B later…

Really great input. Will need some time to go through it.
Am currently busy as you can see in my attachment :zany_face:

Heheh, know the feeling!!

Router B…
(1) Changed allowed IPs to .255.0/24
(2) No need for input chain port for wg.
(3) keeping it consistent add wireguard to LAN interface list.
(4) Fixed extra IP route for 10.10.10.0/24 traffic.
(5) If you want to allow you as admin from RouterA or Mobile To config router… will make necessary changes.
(have to add to allowed IPs and routes etc.)
Note: I didn't include any rules for 10 LAN to reach 20 LAN or for mobile users 10.6 to reach 20 LAN as the SXT is temp and you are on site with SXT.
(6) Mac server set to NONE

/interface bridge
add admin-mac=48:A9:8A:8F:96:BC auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=yes band="" network-mode=lte
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
add apn=fast.t-mobile.com ip-type=ipv4 name=T-com
/ip pool
add name=dhcp ranges=20.20.20.100-20.20.20.200
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=12h name=Default
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=NONE internet-interface-list=NONE \
    lan-interface-list=LAN wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
add interface=wireguard list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=10.255.255.0/24,10.10.10.0/24,10.6.0.0/24 \
    endpoint-address="ExternalIPofSiteA" endpoint-port=13231 interface=wireguard \
    persistent-keepalive=30s public-key=\
    "KeyFromSiteA"
/ip address
add address=20.20.20.1/24 comment=defconf interface=bridge network=20.20.20.0
add address=10.255.255.2/24 interface=wireguard network=10.255.255.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=20.20.20.2 client-id=1:5c:62:8b:20:fc:1c mac-address=\
    5C:62:8B:20:FC:1C server=Default
/ip dhcp-server network
add address=20.20.20.0/24 comment=defconf dns-server=\
    20.20.20.1,9.9.9.9,1.1.1.1 gateway=20.20.20.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
add address=20.20.20.1 comment=defconf name=router.lan
/ip firewall address-list
add address=20.20.20.X/32  list=Authorized ( admin from local laptop )
add address=20.20.20.X/32  list=Authorized ( admin from local ipad/iphone )
add address=10.10.10.X/32  list=Authorized ( admin from Router A device )
add address=10.10.10.X/32  list=Authorized (admin from Router A device )
add address=10.6.0.0/24  list=Authorized  (admin from mobile)
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
     dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow outgoing wg traffic to Router A" in-interface-list=LAN src-address=20.20.20.0/24 \
    out-interface=wireguard log=yes log-prefix=SXT-Outgoing
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route
add disabled=no dst-address=10.10.10.0/24 gateway=wireguard routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.6.0.0/24 gateway=wireguard routing-table=\
    main suppress-hw-offload=no
/ip service
set www disabled=yes
set winbox address=10.10.10.0/24,20.20.20.0/24,10.6.0.0/24
/ppp secret
add name=vpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="Mobile HotSpot"
/system logging
add topics=watchdog
add topics=firewall
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN