WireGuard no ping

Hello everyone, I am new to the WireGuard protocol and I have a problem. I set up a WireGuard VPN (need site to site), but there is no ping between the WG-1 and WG-2 addresses, although the handshake with the peers is successful. I have 3 static IPs.
P.S. There is no ad for ISP.
R2.rsc (4.66 KB)
R1.rsc (12.2 KB)

Bit confusing: why do both configs have endpoint addresses for the other side, and why do both have persistent keepalive set?
Which device has access to a public IP address?

Hello, I set up the endpoint address only in the peer of R1 (the endpoint address, obviously, of R2). I have two ISPs on R1 and the connection goes through the ISP "localnet"; I would like to prefer the second ISP, but the first will be fine too. Both ISPs on R1 have a static address and R2 has a static address.

Can’t check the config right now, but to add to anav’s post:

If you have public IPs on both ends you don’t need persistent keepalive.

If you turn off persistent keepalive the tunnel will be on demand.
So it will be established every time traffic wants to go through it (and it can be established from both ends, aka a “real” site-to-site).

Hello, without persistent keepalive there is no connection at all.

Okay, I think I understand.

  1. a. R1 is the client peer router for the handshake. R1 attempts to contact R2 to establish a WireGuard tunnel.
     b. R2 is the server peer router for the handshake. R2 listens on the endpoint port for contact from R1.

  2. Both ISPs on R1 have static, public IPs, and the R2 ISP is also a static public IP.

  3. What is not clear looking at R1: did you say you wanted ISP1 or ISP2 to be the primary WAN for local internet traffic (and the other only used for failover),
     OR
     did you want them to be used equally by LAN users in a sort of load-balancing effort?

These questions will help determine what the better setup for WireGuard on R1 is.

  1. What is the purpose of WireGuard?
     a. to be able to securely reach subnets at R2 by R1 users
     b. to be able to securely reach subnets at R1 by R2 users
     c. to be able to configure R2 while the admin is at R1
     d. to be able to configure R1 while the admin is at R2
     e. as ADMIN, to be able to configure both routers remotely from any location (via laptop, smartphone etc.)?
     f. as ADMIN, to be able to reach subnets on both routers remotely from any location (via laptop, smartphone etc.)?
     g. to allow users to reach subnets on either or both routers remotely from any location (via laptop, smartphone etc.)?

1. Yes
2. Yes
3. I have two ISPs on R1 (home router); I set up PBR: one VLAN goes through one ISP, the second VLAN through the other ISP. I’d prefer to use the 1 Gbit ISP (Vodafone), but on the other side (R2) there is a 100 Mbit ISP, so it makes not much difference.
4. I want a site-to-site VPN like R1 (Home) → R2 (Job), because every time I need to connect to the RDP server I have to run a VPN on my local PC and all my traffic goes through the R2 L2TP server. TBH I am interested in a road-warrior setup too and want to try to set up OSPF, just for self-learning (never used WireGuard and OSPF on MikroTik before). Thanks for your answer!

Okay, I highly recommend you use the HOME router’s ISP1 for the WireGuard connection; it has better capacity to host.
I will set up R1 such that ISP1 (Vodafone 1 gig) is the priority, but the other LAN uses WAN2 instead. All happy.

  1. WireGuard only gets an address, not DHCP pools etc.
  2. There are only three VLANs and thus three subnets, three pools, etc.
  3. The bridge should have no DHCP; replace the bridge subnet with a VLAN if you need another.
  4. Not sure what you’re doing with PPP; I have removed it as not being a safe protocol to use.
  5. The DHCP client for ether1 (1 gig Vodafone) should not set a default route or distance here.
  6. Only need two srcnat rules, or one if you use interface-list=WAN. Srcnat should not normally be used to try and route traffic.
  7. Are you planning on any port forwarding on router1, and if so, to a server or servers on which LAN subnet?
  1. Idk how to even use DHCP for WireGuard; I only set an IP for the WG interface in the address list.
  2. Wdym? I have 3 VLANs and one bridge on R1, with ether3 as trunk to the CRS326.
  3. The DHCP server works for the VLAN interfaces; there is no DHCP server for the bridge (it’s turned off).
  4. I have previously run an L2TP server to R2 site-to-site.
  5. But I have 3 routing tables: one for the 100 Mbit subnet, another one for the different subnet, and obviously the main routing table.
  6. These srcnat rules are for NAT loopback to access the NVR.
  7. The NVR, for example, but am I supposed to port forward the RDP server? For what? I want to connect to the server with VPN (even now I have L2TP on R2 to do this, but want to try WireGuard).

R1

# model = C53UiG+5HPaxD2HPaxD
# serial number = XXXX
/interface bridge
add arp=proxy-arp name=Bridge_LAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=ISP_1gbt
set [ find default-name=ether2 ] comment=ISP_2_100mb
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Ukraine .mode=ap .ssid=\
    xxxx disabled=no security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2412 .width=\
    20mhz configuration.country=Ukraine .mode=ap .ssid=xxxx .tx-power=10 \
    disabled=no security.authentication-types=wpa2-psk
add configuration.mode=ap .ssid=Xxxx disabled=no mac-address=\
    F6:1E:57:6E:C5:7A master-interface=wifi1 name=wifi3 \
    security.authentication-types=wpa2-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=Bridge_LAN name=LAN_LOCALNET vlan-id=10
add interface=Bridge_LAN name=LAN_VODAFONE vlan-id=20
add interface=Bridge_LAN name=MGMT vlan-id=99
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5260 name="channel 2.4 ghz slave ap" \
    width=20/40/80/160mhz
/ip pool
add name=dhcp_pool2 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool4 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool2 interface=LAN_LOCALNET lease-time=1w30m name=\
    dhcp1
add address-pool=dhcp_pool3 interface=LAN_VODAFONE lease-time=1w30m name=\
    dhcp2
add address-pool=dhcp_pool4 interface=MGMT lease-time=1w30m name=dhcp3
/routing table
add disabled=no fib name=ISP1_1G
add disabled=no fib name=ISP2_100MB
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=yes instance=\
    zt1 name=zerotier1 network=xxxx
/interface bridge port
add bridge=Bridge_LAN ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether3 comment="trunk to 326"
add bridge=Bridge_LAN ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether4 pvid=10
add bridge=Bridge_LAN ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether5 pvid=99 comment="Mgmt PC"
add bridge=Bridge_LAN ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wifi1 pvid=10
add bridge=Bridge_LAN ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wifi2 pvid=10
add bridge=Bridge_LAN ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=wifi3 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=Bridge_LAN comment=Vlan_localnet tagged=ether3,Bridge_LAN  untagged=wifi1,wifi2 vlan-ids=10
add bridge=Bridge_LAN comment=Vlan_vodafone tagged=ether3,Bridge_LAN untagged=wifi3  vlan-ids=20
add bridge=Bridge_LAN comment=Vlan_MGMT tagged=ether3,Bridge_LAN untagged=ether5 vlan-ids=99
/interface l2tp-server server
set authentication=mschap2 default-profile=mc_profile enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=MGMT list=LAN
add interface=LAN_LOCALNET list=LAN
add interface=LAN_VODAFONE list=LAN
add interface=wireguard1 list=LAN
add interface=MGMT list=TRUSTED
add interface=wireguard1 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:BB:D9:3F:93:89 name=ovpn-server1
/interface wifi access-list
add action=accept allow-signal-out-of-range=always disabled=no signal-range=\
    -75..-30
add action=reject disabled=no signal-range=-120
/interface wireguard peers
add allowed-address=172.16.1.2/32,192.168.88.0/24  interface=wireguard1 name=workRouter  public-key="---"
/ip address
add address=92.249.126.xx/24 interface=ether2 network=92.249.126.xx
add address=192.168.99.1/24 interface=MGMT network=192.168.99.0
add address=192.168.0.1/24 interface=LAN_LOCALNET network=192.168.0.0
add address=192.168.20.1/24 interface=LAN_VODAFONE network=192.168.20.0
add address=172.16.1.1/24 interface=wireguard1 network=172.16.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add default-route=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.20.61 client-id=1:90:e2:ba:b6:5d:11 mac-address=\
    90:E2:BA:B6:5D:11 server=dhcp2
add address=192.168.20.62 client-id=1:da:5d:8c:c7:78:6e mac-address=\
    DA:5D:8C:C7:78:6E server=dhcp2
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.20.1,8.8.8.8 gateway=\
    192.168.0.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1,8.8.8.8 gateway=\
    192.168.20.1 netmask=24
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=8.8.8.8,8.8.4.4
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip firewall address-list
add address=192.168.99.0/24  list=Authorized
add address=172.16.1.3 list=Authorized comment="admin remote laptop"
add address=172.16.1.4 list=Authorized comment="admin remote smartphone/ipad"
add address=192.168.88.X  list=Authorized comment="admin while at work router - wired"
add address=192.168.88.Y  list=Authorized comment="admin while at work router - wifi"
# +++++++++++
add address=93.127.122.XX  list=MyWANS comment=wan1
add address=92.249.126.XX list=MyWANS comment=wan2
# ++++++
add address=192.168.20.61  list=MyServers comment=MC
add address=x.x.x.x  list=MyServers comment=NVR
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid 
add action=accept chain=input  protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="allow l2Tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="WireGuard traffic" dst-port=13231  protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input comment="user to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user to services" in-interface-list=LAN dst-port=53 protocol=tcp
# insert this rule here, but last of all input rules and only once everything is working
add action=drop chain=input comment="drop all else"
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=no-mark
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to LAN"  in-interface-list=TRUSTED out-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# mangle for traffic to the router itself, aka VPN
add action=mark-connection chain=input connection-mark=no-mark  \
    in-interface=ether1 new-connection-mark=incoming-to-ISP1 passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark  \
    in-interface=ether2 new-connection-mark=incoming-to-ISP2  passthrough=yes
add action=mark-routing chain=output connection-mark=incoming-to-ISP1 \
    new-routing-mark=ISP1_1G  passthrough=no
add action=mark-routing chain=output connection-mark=incoming-to-ISP2 \
    new-routing-mark=ISP2_100MB passthrough=no
# traffic to servers
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=servers-via-ISP1 \
    in-interface=ether1 dst-address-list=MyServers passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark new-connection-mark=servers-via-ISP2 \
    in-interface=ether2 dst-address-list=MyServers passthrough=yes
add action=mark-routing chain=prerouting connection-mark=servers-via-ISP1 \
   new-routing-mark=ISP1_1G passthrough=no
add action=mark-routing chain=prerouting connection-mark=servers-via-ISP2 \
    new-routing-mark=ISP2_100MB passthrough=no
# ensure local server traffic is returned to the local user
add action=accept chain=prerouting connection-mark=no-mark src-address-list=MyServers out-interface-list=LAN 
/ip firewall nat
add action=masquerade chain=srcnat comment="hairpin vodafone"  src-address=192.168.20.0/24  dst-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="hairpin other"  src-address=192.168.0.0/24  dst-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="vodafone nat" out-interface=ether1
add action=masquerade chain=srcnat comment="localnet nat" out-interface=ether2 
add action=dst-nat chain=dstnat comment="MC Server" dst-address-list=MyWANS dst-port=\
    1488 protocol=tcp to-addresses=192.168.20.61 
add action=dst-nat chain=dstnat comment="NVR --> couldnt find NVR info ???"  
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping  dst-address=0.0.0.0/0 gateway=93.127.120.XX routing-table=main 
add check-gateway=ping  dst-address=0.0.0.0/0 gateway=92.249.126.1 routing-table=main
add  dst-address=0.0.0.0/0 gateway=93.127.120.XX routing-table=ISP1_1G
add  dst-address=0.0.0.0/0 gateway=92.249.126.1 routing-table=ISP2_100MB
# +++++++++++++++++
add dst-address=192.168.88.0/24  gateway=wireguard1 routing-table=main comment="for traffic to/fro work router subnet"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=192.168.0.0/24
set winbox address=192.168.88.0/24,192.168.99.0/24,172.16.1.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/routing rule
add min-prefix=0 action=lookup-only-in-table   table=main
add src-address=192.168.20.0/24  action=lookup  table=ISP1_1G
add src-address=192.168.0.0/24  action=lookup  table=ISP2_100MB
/system clock
set time-zone-name=Europe/Kyiv
/system identity
set name=Home
/system logging
add disabled=yes prefix=WG topics=wireguard
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/user group
add name=ha policy="read,test,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!pol\
    icy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"

Working on R2; in the meantime, review each line and prepare a list of questions!

R2

# model = C53UiG+5HPaxD2HPaxD
# serial number = SomeSerial
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mac-address=6C:3B:6B:29:10:26
/interface wireguard
add listen-port=13431 mtu=1420 name=wireguardWork
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1 wps=disable
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Ukraine .mode=ap .ssid=\
    Ssid disabled=no security=sec1
set [ find default-name=wifi2 ] configuration.country=Ukraine .mode=ap .ssid=\
    Ssid disabled=no security=sec1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=l2tp ranges=192.168.89.10-192.168.89.100
/ip dhcp-server
add address-pool=dhcp conflict-detection=no interface=bridge1 lease-time=\
    1w30m name=dhcp1
/queue tree
add max-limit=20M name=queue1 packet-mark=RDP_Packet parent=global priority=1 disabled=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=profile1 enabled=yes max-sessions=15 use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguardWork list=LAN
/interface ovpn-server server
add mac-address=FE:36:20:25:8A:B8 name=ovpn-server1
/interface wireguard peers
add allowed-address=172.16.1.0/24,192.168.20.0/24,192.168.0.0/24  endpoint-address=93.127.120.XX  endpoint-port=13231 interface=wireguardWork \
    name=homerouter persistent-keepalive=30s public-key="--++--"
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=188.190.231.xxx/24 interface=ether1 network=188.190.xxx.0
add address=172.16.1.2/24 interface=wireguardWork network=172.16.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.99.0/24  list=Authorized
add address=172.16.1.3 list=Authorized comment="admin remote laptop"
add address=172.16.1.4 list=Authorized comment="admin remote smartphone/ipad"
add address=192.168.88.X  list=Authorized comment="admin while at work router - wired"
add address=192.168.88.Y  list=Authorized comment="admin while at work router - wifi"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid 
add action=accept chain=input  protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="allow l2Tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="user to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="user to services" in-interface-list=LAN dst-port=53 protocol=tcp
# insert this rule here, but last of all input rules and only once everything is working
add action=drop chain=input comment="drop all else"
# +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related 
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin to LAN" src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat 
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add dst-address=0.0.0.0/0 gateway=188.190.231.x   routing-table=main   comment="local WAN"
# ++++++++++++
add dst-address=192.168.20.0/24 gateway=wireguardWork  routing-table=main
add dst-address=192.168.0.0/24 gateway=wireguardWork  routing-table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.99.0/24,172.16.1.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ppp secret
add name=buh1 profile=profile1
add name=buh2 profile=profile1
add name=buh3 profile=profile1
add name=serhii profile=profile1
add name=serhii1 profile=profile1
add name=danyrusdem profile=profile1
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name="R1"
/system logging
add disabled=yes prefix=WG topics=wireguard
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
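The two exports above can be cross-checked mechanically for the mismatches that produce "handshake succeeds, ping fails": a tunnel address bound to an interface name that does not exist, and a peer allowed-address that does not cover the other side's tunnel IP. The following is an added example, not anav's or the OP's configuration: a small Python parser for RouterOS /export text plus a consistency check. The R1/R2 excerpts inside it are constructed to mirror the thread (R2 keeps the slip of binding its tunnel address to "wireguard1"), and the check assumes the tunnel interface name starts with "wireguard", as both exports here do.

```python
import ipaddress
import shlex


def parse_export(text):
    """Parse RouterOS /export text into {section: [{key: value}, ...]}."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # command continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # new section, e.g. "/ip address"
            current = line
            sections.setdefault(current, [])
            continue
        pairs = (tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
        sections[current].append(dict(pairs))
    return sections


def check_site_to_site(export_a, export_b):
    """Report the mismatches behind "handshake OK, no ping": a tunnel address on an
    interface that does not exist, or a peer allowed-address that misses the other
    side's tunnel IP (assumes wireguard* naming). Empty list = sides are consistent."""
    sides = {"A": parse_export(export_a), "B": parse_export(export_b)}
    findings = []
    for me, other in (("A", "B"), ("B", "A")):
        wg_names = {e.get("name") for e in sides[me].get("/interface wireguard", [])}
        # Every prefix the other side's peers accept from, and route into, the tunnel.
        allowed = [ipaddress.ip_network(c, strict=False)
                   for p in sides[other].get("/interface wireguard peers", [])
                   for c in p.get("allowed-address", "").split(",") if c]
        for entry in sides[me].get("/ip address", []):
            iface = entry.get("interface", "")
            if iface.lower().startswith("wireguard"):
                ip = ipaddress.ip_address(entry["address"].split("/")[0])
                if iface not in wg_names:
                    findings.append(f"{me}: {ip} bound to '{iface}', which is not a WireGuard "
                                    f"interface on this router (defined: {sorted(wg_names)})")
                if not any(ip in net for net in allowed):
                    findings.append(f"{other}: no peer allowed-address covers {me}'s tunnel IP {ip}")
    return findings


# Constructed excerpts modelled on the thread's R1 and R2 (not the real exports).
R1 = """/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=172.16.1.2/32,192.168.88.0/24 interface=wireguard1 name=workRouter
/ip address
add address=172.16.1.1/24 interface=wireguard1 network=172.16.1.0
"""
R2 = """/interface wireguard
add listen-port=13431 mtu=1420 name=wireguardWork
/interface wireguard peers
add allowed-address=172.16.1.0/24,192.168.20.0/24,192.168.0.0/24 interface=\\
    wireguardWork name=homerouter persistent-keepalive=30s
/ip address
add address=172.16.1.2/24 interface=wireguard1 network=172.16.1.0
"""
```

Calling check_site_to_site(R1, R2) returns one finding for R2's tunnel address; binding it to wireguardWork instead makes the list empty.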

Oh, this is a tough one. If I understand correctly: we make an address list with the LANs, we disable the “add default route” option on the DHCP client because the router uses the main routing table for the VPN, after that we use mangle to mark the route for both ISPs and segregate these connections in terms of the VPN, and after that we make an authorized address list for management on both routers. Do I correctly understand the algorithm and logic of R1? On R2, we just connect to R1 and announce routes?
P.S. Thanks for this big config; I am only MTCNA in MikroTik, so mangle and VPNs are complicated for me at the moment.