WireGuard routing issue

I have tried for a couple of days now to figure out the correct setting for this. Looked at lots of guides and videos (everything I have seen seems to be v6, not v7, guides) about WireGuard setups but can't seem to get this last step to work.

I have a server set up from vultr.com with a public IP running Ubuntu with WireGuard installed. It's configured to masquerade all traffic from the public IP down the WireGuard tunnel and back out the public IP. This works using a Windows client or phone to provide some kind of service, using iperf3 to test as server and client connections.
XX.XX.XX.82 is the public IP on the server
10.66.66.1 is the WG IP on the server
10.66.66.2 is the WG IP on the HAP AC2
192.168.1.1 is the ISP router with CG-NAT
HAP AC2 is the default configuration with just the WireGuard setup added to it.

I have no problem getting WireGuard connected on the HAP AC2. The only issue with it is I cannot get it to properly send response packets back into the WireGuard tunnel while its default route is the WAN interface.

Have "disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main" for the default route.
If I add any other routing table and add dst-address=0.0.0.0/0 gateway=wg routing-table=wg_table, it blocks all traffic out. If routing-table is set to main, all traffic goes out the wg tunnel and response packets then get through just fine of course, but I don't want all of it going down the VPN. I just need one device (camera DVR system) behind the HAP AC2 to be accessible on the local LAN and via the VPN IP.

I tried using step 3 of https://forum.mikrotik.com/viewtopic.php?t=182340 and similar from other guides, but as soon as I try adding the "dst-address=0.0.0.0/0 gwy=wg-interface-name table=use-WG" it loses all other connections.

/routing table add fib name=use-WG
/routing rule add src-address=IP address action=lookup-only-in-table table=use-WG
/ip route add dst-address=0.0.0.0/0 gateway=wg-interface-name routing-table=use-WG

I have a few mangle and NAT rules to try and force it with/without using the routing table (trying to mark VPN connections so return packets go down the VPN tunnel). The first data stream of iperf3 works, then the rest is lost.

I don’t get how to use the NAT rules and the route List/routing table. What am I missing?
Thank You.

Here is my current config.

# 2023-07-07 11:56:06 by RouterOS 7.10.1
# software id = DGII-IL3C
#
# model = RBD52G-5HacD2HnD
# serial number = ********
/interface bridge
add admin-mac=****** auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-955E7D wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-955E7E \
    wireless-protocol=802.11
/interface wireguard
add listen-port=52498 mtu=1420 name=wg
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=wg_table
add disabled=no name=list
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.66.66.0/24,0.0.0.0/0,::/0 endpoint-address=\
    XX.XX.XX.82 endpoint-port=52498 interface=wg persistent-keepalive=25s \
    public-key=""
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.2/24 interface=wg network=10.66.66.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=yes src-address=10.66.66.2
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-packet chain=prerouting in-interface=wg new-packet-mark=vpn_p \
    passthrough=yes
add action=mark-connection chain=prerouting in-interface=wg \
    new-connection-mark=vpn_con passthrough=yes
add action=log chain=prerouting connection-mark=vpn_con disabled=yes log=yes \
    log-prefix=tt
add action=route chain=prerouting connection-mark=vpn_con disabled=yes \
    in-interface=bridge passthrough=yes route-dst=10.66.66.1
add action=fasttrack-connection chain=prerouting disabled=yes in-interface=\
    bridge src-address-list=vpn_add_list
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=wg \
    routing-mark=wg_table to-addresses=192.168.88.254
add action=return chain=srcnat disabled=yes routing-mark=wg_table \
    to-addresses=0.0.0.0/0
add action=masquerade chain=srcnat disabled=yes packet-mark=vpn_p
add action=masquerade chain=srcnat disabled=yes src-address-list=vpn_add_list
add action=masquerade chain=srcnat out-interface=wg
add action=dst-nat chain=dstnat dst-port=5201 protocol=tcp to-addresses=\
    192.168.88.254 to-ports=5201
/ip route
add disabled=no distance=1 dst-address=XX.XX.XX.82/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wg pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1 pref-src=\
    "" routing-table=wg_table scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.66.66.0/24 gateway=10.66.66.1 routing-table=\
    main suppress-hw-offload=no
add disabled=yes distance=2 dst-address=0.0.0.0/0 gateway=10.66.66.1 \
    pref-src="" routing-table=wg_table scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.66.66.1 \
    pref-src="" routing-table=wg_table scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wg pref-src="" \
    routing-table=wg_table scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wg pref-src="" \
    routing-table=wg_table scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wg pref-src="" \
    routing-table=wg_table scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=wg pref-src="" \
    routing-table=list scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=yes routing-mark=wg_table src-address=0.0.0.0/0 \
    table=wg_table
add action=lookup disabled=yes dst-address=10.66.66.1/32 interface=wg \
    routing-mark=wg_table table=wg_table
add action=lookup disabled=yes dst-address=0.0.0.0/0 min-prefix=0 \
    src-address=192.168.88.254/32 table=wg_table
add action=lookup-only-in-table disabled=yes min-prefix=0 src-address=\
    192.168.88.253/32 table=wg_table
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your description is all over the map but the config doesn't look too bad!

To help clarify, confirm:
Hapac is not the server device, it's simply a client on the WireGuard network served up by the Ubuntu in the cloud.
You wish the one subnet on the hapac to go out the WireGuard for internet??

(1) /interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=\
    XX.XX.XX.82 endpoint-port=52498 interface=wg persistent-keepalive=25s \
    public-key=""

It would appear you want to be able to access both the internet and, let's say, a subnet on another device also connected to the Ubuntu, or a subnet on the Ubuntu:
allowed-address=10.66.66.0/24,subnetOtherdevice …

(2) You can get rid of this default setting…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(3) This rule you can get rid of as it serves no real purpose:
add action=accept chain=input disabled=yes src-address=10.66.66.2

You may want instead to state one like
add action=accept chain=input in-interface=wg src-address-list=authorized
where the address list is your admin IPs on various devices (aka the road-warrior WG address on iPhone/laptop, or the LAN IP from any other router device that also connects to the Ubuntu).

(4) Prefer the more secure rules
add action=accept chain=input comment="accept all LAN traffic" in-interface-list=LAN
add action=drop chain=input comment="drop all else"

(5) NO NEED for mangle rules (which would have interfered with the fasttrack rules).

(6) Also prefer clearer firewall rules as to what I want to allow, and by default block all else, rather than allowing everything and blocking only the things I can think of or know about…

Thus remove this
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

And replace with
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wg traffic" src-address=192.168.88.0/24 out-interface=wg
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(7) For source NAT just keep these rules, get rid of the rest…

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg

(8) A tad confused by your destination NAT rule.
First, it appears you have a server on your subnet.

a. What is the purpose of the server?
b. Who does it serve? Clearly people cannot reach the server via your normal WAN IP (non-public IP, port forwarding from the ISP not possible).
c. Do people in the same subnet, on the router, need to reach the server, and if so how do they do it? (by LAN IP? by other?)

(9) A basic single routing rule is probably required:
add src-address=192.168.88.0/24 action=lookup table=wg_table

(10) IP routes are a messy mix of things not needed…

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main { assuming 192.168.1.1 is the gateway of the WANIP provided by the upstream router }
add dst-address=0.0.0.0/0 gateway=wg routing-table=wg_table

Yes, the HAP AC is the only WireGuard client and the cloud Ubuntu is the server.
No, I don't want WireGuard being used for internet use. The WireGuard connection is to view the security cameras that are plugged into the HAP AC LAN port.

Purpose is camera DVR.
phone app ↔ cloud server (static public IP) ← wireguard → (starlink) routeros ↔ camera system.
phone app ↔ local lan/wifi <—> camera system.

The previous ISP had a static public IP with a hairpin NAT allowing the external IP to work with the phone app on the local LAN and from other internet locations. The LAN IP can also be used to connect when on site.
The new ISP is Starlink, which is why I needed to set up this WireGuard tunnel to get into the cameras from remote locations.




Yeah, I was trying to figure out why routes and tables were not working and just disabled things instead of removing them.


I think I got all the changes done.

New config:

# 2023-07-07 23:20:31 by RouterOS 7.10.1
# software id = DGII-IL3C
#
# model = RBD52G-5HacD2HnD
# serial number = HE908MRWZDW
/interface bridge
add admin-mac=48:A9:8A:95:5E:79 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-955E7D wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-955E7E \
    wireless-protocol=802.11
/interface wireguard
add listen-port=52498 mtu=1420 name=wg
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=wg_table
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=10.66.66.0/24,0.0.0.0/0,::/0 endpoint-address=\
    104.238.165.82 endpoint-port=52498 interface=wg persistent-keepalive=25s \
    public-key="By6te5VToRt0+p5qc4p6RQDMBXbvJakvBf4r8/UToHc="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.66.66.2/24 interface=wg network=10.66.66.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="accept all LAN traffic" \
    in-interface-list=LAN
add action=drop chain=input comment="default drop"
add action=accept chain=forward comment="allow internet" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wg traffic" out-interface=wg \
    src-address=192.168.88.0/24
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="default drop"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg
add action=dst-nat chain=dstnat src-address=!192.168.88.0/24 to-addresses=192.168.88.254
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=wg routing-table=wg_table \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=wg_table
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Now any devices on the subnet 192.168.88.0/24 appear to be using the WireGuard IP XX.XX.XX.82 for internet.
I had to add src-address=!192.168.88.0/24 to "add action=dst-nat chain=dstnat to-addresses=192.168.88.254" or it would stop LAN to WAN traffic.

This is usable with this setup by changing it to only affect the camera system's IP 192.168.88.254/32. At least it's just one device and only some data.

Is it possible to have it only use the WireGuard gateway for traffic that originated over WireGuard?
phone app ↔ cloud server (static public IP) ← wireguard → (starlink) routeros ↔ camera system.

Thanks so much for your assistance.

Okay, my bad.
So the hapac is a client so that you can reach devices behind the hapac, and not for hapac users to access the internet.
That is a significantly different requirement!

With that in mind......
You do not need any port forwarding.
You are basically entering the router at the LAN type level when you hit the hapac.

Let's state the requirement as:
roadwarrior (laptop, iPhone etc.) needs to reach LAN servers or devices remotely.
The hapac needs to establish a tunnel to a server as its public IP is not accessible.

Points for config adjustments.
a. allowed addresses need only be the WireGuard subnet, as the incoming traffic is from roadwarrior IPs on that subnet. No originating outgoing traffic IPs to worry about (so 0.0.0.0/0 is not required).
b. firewall rules will be done separately as you have messed them up LOL
c. since you are not going to a third-party provider, we can remove the source NAT rule for WireGuard.
d. no port forwarding is required.
e. only the manual route for the WAN is required.
f. the routing rule and route for WireGuard are not required.
g. the table is not required.

# 2023-07-07 23:20:31 by RouterOS 7.10.1
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=48:A9:8A:95:5E:79 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-955E7D wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-955E7E \
    wireless-protocol=802.11
/interface wireguard
add listen-port=52498 mtu=1420 name=wg
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface wireguard peers
add allowed-address=10.66.66.0/24 endpoint-address=\
    104.238.165.82 endpoint-port=52498 interface=wg persistent-keepalive=25s \
    public-key="B="

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0

add address=10.66.66.2/24 interface=wg network=10.66.66.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main \
    suppress-hw-offload=no

Errors in FW rules…
orange → remove
purple → in wrong order or location
green → needs slight adjustment

WARNING: DO NOT REMOVE the ORANGE RULE UNTIL you have moved the associated PURPLE RULE right below it, and then move the DROP rule AFTER this as the last input chain rule.
If you put the drop rule before the allow-LAN rule on the input chain, you will lock yourself out of the router and will have to reset it.

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="accept all LAN traffic" \
    in-interface-list=LAN

add action=drop chain=input comment="default drop"
add action=accept chain=forward comment="allow internet" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wg traffic" out-interface=wg \
    src-address=192.168.88.0/24

add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="default drop"

++++++++++++++++++++++++++++++++++++
Adjusted notes:
Since we only need to be concerned about incoming to the hapac over wireguard, the forward chain rule allows incoming on wireguard with dst of the subnet!!

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept all LAN traffic" \
    in-interface-list=LAN
add action=drop chain=input comment="default drop"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="allow wg traffic" in-interface=wg \
    dst-address=192.168.88.0/24
# { disable or remove }
add action=accept disabled=yes chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="default drop"
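To make points e through g above, and the earlier question about using the WireGuard gateway only for tunnel-originated traffic, concrete: the following Python model (added here, not code from the thread or from RouterOS) replays the RouterOS routing decision with the routes and rules from the exports posted in this thread, showing how a `lookup` rule plus a default route in wg_table pulls all LAN internet traffic into the tunnel, how `lookup-only-in-table` against an empty table drops everything, and why replies to a WireGuard peer need no rule at all. The road-warrior address 10.66.66.5 and the use of 8.8.8.8 as a stand-in for "the internet" are assumptions.

```python
"""Toy model of the RouterOS policy-routing decision discussed in this
thread: routing rules pick a table by source address, then a
longest-prefix match runs in that table. Example code added here, not the
hAP ac2's configuration or RouterOS itself."""
import ipaddress

# Routes as (table, destination prefix, gateway), taken from the exports
# posted above. The two /24 entries in main are the connected routes that
# RouterOS derives from the /ip address entries on bridge and wg. The table
# named "list" existed in the first export but held no enabled route.
ROUTES = [
    ("main", "0.0.0.0/0", "192.168.1.1"),
    ("main", "192.168.88.0/24", "bridge"),
    ("main", "10.66.66.0/24", "wg"),
    ("wg_table", "0.0.0.0/0", "wg"),
]

# Routing rules as (src prefix, action, table), evaluated in order.
LAN_LOOKUP = [("192.168.88.0/24", "lookup", "wg_table")]
LAN_LOOKUP_EMPTY = [("192.168.88.0/24", "lookup", "list")]
LAN_ONLY_EMPTY = [("192.168.88.0/24", "lookup-only-in-table", "list")]
NO_RULES = []


def lookup_table(table, dst, routes=ROUTES):
    """Longest-prefix match for dst inside one table; None when no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for tbl, prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if tbl == table and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gateway)
    return best[1] if best else None


def resolve(src, dst, rules, routes=ROUTES):
    """Return the gateway (or interface) chosen for a src->dst packet.

    'lookup' falls back to main when the selected table has no match;
    'lookup-only-in-table' does not, so an empty table black-holes
    the traffic the rule matched."""
    addr = ipaddress.ip_address(src)
    for src_prefix, action, table in rules:
        if addr in ipaddress.ip_network(src_prefix):
            gateway = lookup_table(table, dst, routes)
            if gateway is not None or action == "lookup-only-in-table":
                return gateway
            break  # plain lookup with no match: continue in main
    return lookup_table("main", dst, routes)


def demo():
    """Cases from the thread. 10.66.66.5 is an assumed road-warrior
    address on the WireGuard subnet; 8.8.8.8 stands for 'the internet'."""
    cam = "192.168.88.254"  # the camera DVR
    return {
        # second export: rule + default route in wg_table send every LAN
        # device's internet traffic down the tunnel
        "rule_internet": resolve(cam, "8.8.8.8", LAN_LOOKUP),
        # first attempt: lookup-only in a table with no route = nothing out
        "only_in_empty_internet": resolve(cam, "8.8.8.8", LAN_ONLY_EMPTY),
        # plain lookup in an empty table just falls through to main
        "lookup_empty_internet": resolve(cam, "8.8.8.8", LAN_LOOKUP_EMPTY),
        # final config: no rule, no extra table
        "no_rule_internet": resolve(cam, "8.8.8.8", NO_RULES),
        # reply from the camera to a WireGuard peer needs no rule at all:
        # the connected route on wg already wins by prefix length
        "no_rule_reply_to_wg": resolve(cam, "10.66.66.5", NO_RULES),
    }


if __name__ == "__main__":
    for case, gateway in demo().items():
        print(f"{case:>24}: {gateway}")
```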