@404
You pointed out in my proof of concept that on my CCR1009 the WG Allowed IPs were wrong … you must have edited that out after the fact, as I no longer see the orange highlight that you used to show which IPs were not required … You are correct … Yes, I did make a mistake … thank you for pointing it out.
Then don’t recommend it! I’m not sure if I should flatter you by suggesting that you’re so original, but you may actually be the only person in the world who came up with this (= address from remote subnet on local router, in order to get a route to the remote subnet). Which is different from the proper use of addresses (= unique connecting subnet on the WG interface), which you’re so much opposed to, even though it’s the default recommended way. The former is wrong, and since it’s all you, it’s in your power to stop it before it spreads.
…
…
Your dictionary must have a different definition of “worthwhile” than mine. Unless you include exploring dead ends as a worthy endeavour, to be able to say “not this way, folks!” In that case, good work. And now you can move on, put this in the archives next to the steam engine powered toothbrush and such, and focus on something actually positively useful.
…
Would there be any practical/theoretical impact if the IPs used in the WireGuard setup were within an existing subnet dedicated to an existing VLAN (due to a dedicated DHCP server)?
To be very honest, I don’t understand that sentence … (or put it differently, I can assume some things and see different meanings).
So it is not clear what you are asking here. At least not to me.
let me rephrase
Management VLAN:
…vlan-id=999
…name=“VLAN_MGMT”
…subnet=“10.10.9.0/24”
Management VLAN-DHCP:
…pool=10.10.9.1 - 10.10.9.200 (anything above 200 is for WireGuard)
…gateway=10.10.9.1
…DNS=10.10.9.1
/interface wireguard
add listen-port=13231 name=wireguard1
/ip address
add address=10.10.9.201/24 interface=wireguard1 ...
/interface wireguard peers
add allowed-address=10.10.9.210/32 interface=wireguard1 ...
You don’t want /24 on the WG interface, that won’t work well, it should be a smaller subnet covering only the addresses for WG clients. But otherwise it’s possible. Throw in proxy ARP on the VLAN interface and it will work. It’s the same config that was sometimes used with other kinds of VPN to make clients look local, in order to avoid setting firewall exceptions on other LAN devices.
copied MT doc thx
so only this: https://help.mikrotik.com/docs/display/ROS/ARP#ARP-ProxyARP
so
# VLAN_MGMT is a VLAN interface, so it is set under /interface vlan, not /interface ethernet;
# RouterOS selects the item with [find ...] rather than a "where" clause
/interface vlan set [find name=VLAN_MGMT] arp=proxy-arp
same here, want to avoid configuring the firewall
One more thing: don’t forget to reduce the range of the WireGuard interface if it is integrated in the VLAN, otherwise you mess up the routing
as said by
WRONG
/ip address
add address=10.10.9.240/24 interface=wireguard1 ...
# the /24 above duplicates the VLAN's own 10.10.9.0/24 connected route
/interface wireguard peers
add allowed-address=10.10.9.241/32 interface=wireguard1 ...
RIGHT
/ip address
add address=10.10.9.240/28 interface=wireguard1 ...
# /28 = 10.10.9.240-10.10.9.255 only; more specific than the VLAN's /24, so just these addresses route to wireguard1
/interface wireguard peers
add allowed-address=10.10.9.241/32 interface=wireguard1 ...
I don’t follow what you are doing here, but it sounds outside the norms of what most require.
Why avoid a cleaner, straightforward setup using firewall rules??
I don’t understand the use case, are you addressing USERS’ needs or being cheeky and cute as admin with no real purpose???
If there is value I would like to add it to the user article.
is that answered by
My two experiences with VPN.
L2TP VPN, where one assigns a FAUX IP address that is at the LAN level on the router, but one needs firewall rules to allow traffic to and fro.
WireGuard VPN, where one assigns a straightforward IP address and can add the wg interface to the LAN interface list directly, but still needs to apply firewall rules (if using drop all traffic).
In either case both are clean, clear and well handled by using firewall rules.
Why avoid clean and clear and go down the path of proxy ARP?
I have no idea what that is, and what level one is dealing with L2, L3, what are the security concerns… how does this actually work…
Imagine you have a nice small home network with one 192.168.88.0/24 subnet and a few Windows computers. There are some shared folders on them and everyone happily accesses files on other computers this way. Then you need to travel away for a while, and you still want to have access to all those computers, as if you were at home. So you set up your first VPN, add another subnet for clients, allow access through the firewall, connect … and nothing.
Your first problem is that you don’t see other computers as you did previously and you can’t access them by name. You’ll learn that it’s caused by them being in another L2 segment, so no local name resolution works. So you’ll either add some static hostnames to the router’s DNS, or you’ll access them by numeric IP address. And the result will be … still nothing.
You’ll soon discover that it’s because the firewall on those devices allows access to shared folders only from the local subnet. It can be changed, but you’d have to do it on all those computers at home. Come on! Isn’t there some easier way? Can’t the VPN client get a 192.168.88.X address and pretend that it’s in the same subnet? And the answer is that it can.
But not just like that, because other computers won’t know that it actually isn’t there. That’s the point, of course. But the trouble is that they will use ARP to ask for the MAC address belonging to the VPN client’s 192.168.88.X. And since it isn’t really there, it won’t answer. And that’s what proxy ARP is for: the router will answer on behalf of the VPN client and return its own MAC address. So other devices will send packets for the VPN client’s address to the router, and the router knows that the VPN client’s address is elsewhere and will correctly forward them.
And in case you think that it’s cool and why doesn’t everyone use it, it’s not that great. It doesn’t solve everything, e.g. it won’t help with local name resolution, that still won’t work. And distinct subnets are a cleaner solution, because everything has its place, you don’t have a subnet on one interface and addresses from that subnet elsewhere. But it doesn’t mean that proxy ARP is bad. It’s just a tool with pros and cons, sometimes it’s a good choice and sometimes it isn’t.
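The following is an added example, not configuration from any of the posts above: it puts the pieces discussed in this thread (WireGuard address inside the VLAN subnet, a /28 instead of a /24 on the tunnel interface, proxy ARP on the VLAN interface) into one RouterOS configuration, with the checks a practitioner would run afterwards. It assumes a router where VLAN_MGMT already exists with 10.10.9.1/24, the LAN DHCP pool stops at 10.10.9.200, an interface list named LAN is used by the firewall, and the peer public keys are placeholders.

```routeros
# Added example, not from the original posts.
# Assumptions: VLAN_MGMT already carries 10.10.9.1/24, DHCP hands out at most
# 10.10.9.200, an interface list "LAN" exists, and the public keys are placeholders.

/interface wireguard
add listen-port=13231 name=wireguard1

# The tunnel interface gets a sub-range of the VLAN subnet, NOT the whole /24.
# 10.10.9.240/28 covers 10.10.9.240-10.10.9.255; its connected route is more
# specific than 10.10.9.0/24, so only those 16 addresses are routed to
# wireguard1 and everything else stays on VLAN_MGMT.
/ip address
add address=10.10.9.240/28 interface=wireguard1

# One /32 per road-warrior client inside that /28. RouterOS does not create
# routes from allowed-address; the /28 connected route above carries the traffic.
/interface wireguard peers
add interface=wireguard1 allowed-address=10.10.9.241/32 \
    public-key="<client-1-public-key>" comment="laptop"
add interface=wireguard1 allowed-address=10.10.9.242/32 \
    public-key="<client-2-public-key>" comment="phone"

# Proxy ARP on the VLAN interface (it is a VLAN, so /interface vlan, not
# /interface ethernet). LAN hosts that ARP for 10.10.9.241 get the router's
# own MAC, and the router forwards the frames over the tunnel.
/interface vlan
set [find name=VLAN_MGMT] arp=proxy-arp

# Treat the tunnel as part of the LAN for the existing forward rules, and let
# the handshake in on the input chain.
/interface list member
add interface=wireguard1 list=LAN
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshake" place-before=0

# Checks: the /28 must be a connected route via wireguard1, and each peer
# should show a recent last-handshake once the client connects.
/ip route print where dst-address=10.10.9.240/28
/interface wireguard peers print
```

On the client side this assumes an address of 10.10.9.241/32, AllowedIPs 10.10.9.0/24 and the router's public endpoint on UDP 13231, so the whole LAN range is sent into the tunnel. From a LAN Windows host, `arp -a` should then list 10.10.9.241 with the same MAC as 10.10.9.1; if it does not, the proxy-arp setting is on the wrong interface or the route check above failed. Two caveats follow from the thread itself: the VPN clients now pass host firewalls that trust "the local subnet", so the router's forward chain is the only place left to restrict them, and proxy ARP is not limited to the WireGuard addresses, since the router will also answer on VLAN_MGMT for other destinations it routes out another interface, which is one more reason to keep the tunnel range a tight /28.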
Thanks Sob, great explanation.
So that would also apply to a user coming in on wireguard to access shared resources on PCs… niche case but still works.
One EoIP tunnel between the two routers, and the LAN is on the same L2 domain…
Two DHCP servers, one per side, each with its own half of the IP pool, and obviously each DHCP server responds only locally.
No need for proxy ARP, routing or firewall (also inside the LAN devices).
Simply works.
Proxy ARP FTW! I use it whenever I can, but only because I’m lazy!