Wireguard S2S multiple WAN routing

Hello everyone,
I’ve been trying to get WireGuard S2S working for many days, but it’s not working as I’d like.
I’m using 3 MikroTik devices in a test environment: R1 (Wireguard Server), R2 (Wireguard Client), and R3 (Router).

The 3 MikroTik devices are connected as follows:
R1 ether1 → R3 ether1
R1 ether2 → R3 ether2
R2 ether1 → R3 ether3
R2 ether2 → R3 ether4

On router R1, I created 2 WireGuard servers, and I want server 1 to operate only on ether1 and server 2 only on ether2. Similarly, on router R2, I created 2 WireGuard clients. I want client 1 to go out through ether1 of R2 and connect to ether1 of R1’s server, and client 2 to go out through ether2 of R2 and connect to ether2 of R1’s server.
Unfortunately, it’s not working very well. Sometimes only one tunnel works, and other times both work but they both use the same ether interface. I believe I made a mistake marking the traffic in the mangle rules, as WireGuard is not behaving exactly as I want.

These are the configurations of the three routers:

#R1
/interface bridge
add name=bridge1
add name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment="WAN 1"
set [ find default-name=ether2 ] comment="WAN 2"
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1 private-key=""
add listen-port=13232 mtu=1420 name=WG2 private-key=""
/routing table
add disabled=no fib name=ISP1_table
add disabled=no fib name=ISP2_table
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge2 interface=ether4
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=WG1 name=peer1 persistent-keepalive=25s preshared-key="" private-key="" public-key=\
    "" responder=yes
add allowed-address=0.0.0.0/0 interface=WG2 name=peer2 persistent-keepalive=25s preshared-key="" private-key="" public-key=\
    "" responder=yes
/ip address
add address=10.1.0.2/30 interface=ether1 network=10.1.0.0
add address=10.1.1.2/30 interface=ether2 network=10.1.1.0
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.10.1/24 interface=bridge2 network=192.168.10.0
add address=10.100.100.1/24 interface=WG1 network=10.100.100.0
add address=10.200.200.1/24 interface=WG2 network=10.200.200.0
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark dst-port=13233 new-connection-mark=ISP1 protocol=udp
add action=mark-connection chain=output connection-mark=no-mark dst-port=13234 new-connection-mark=ISP2 protocol=udp
add action=mark-connection chain=prerouting connection-state=new in-interface=ether1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2 new-connection-mark=ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1_table
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2_table
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add comment=WAN1 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=WAN2 disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WAN1 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.1.0.1 routing-table=ISP1_table scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment=WAN2 disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=ISP2_table scope=30 suppress-hw-offload=no target-scope=10
/system identity
set name=R1



#R2
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="WAN 1"
set [ find default-name=ether2 ] comment="WAN 2"
/interface wireguard
add listen-port=13233 mtu=1420 name=WG1 private-key=""
add listen-port=13234 mtu=1420 name=WG2 private-key=""
/routing table
add disabled=no fib name=ISP1_table
add disabled=no fib name=ISP2_table
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=10.1.0.2 endpoint-port=13231 interface=WG1 name=peer1 persistent-keepalive=25s preshared-key="" public-key=""
add allowed-address=0.0.0.0/0 endpoint-address=10.1.1.2 endpoint-port=13232 interface=WG2 name=peer2 persistent-keepalive=25s preshared-key="" public-key=""
/ip address
add address=10.2.0.2/30 interface=ether1 network=10.2.0.0
add address=10.2.1.2/30 interface=ether2 network=10.2.1.0
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
add address=10.100.100.2/24 interface=WG1 network=10.100.100.0
add address=10.200.200.2/24 interface=WG2 network=10.200.200.0
/ip firewall mangle
add action=mark-connection chain=output dst-port=13231 new-connection-mark=ISP1 protocol=udp
add action=mark-connection chain=output dst-port=13232 new-connection-mark=ISP2 protocol=udp
add action=mark-connection chain=prerouting connection-state=new in-interface=ether1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2 new-connection-mark=ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1_table
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2_table
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.2.1.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.2.0.1 routing-table=ISP1_table scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.2.1.1 routing-table=ISP2_table scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.1.0/24 gateway=10.100.100.1 routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.10.0/24 gateway=10.200.200.1 routing-table=main suppress-hw-offload=no
/system identity
set name=R2



#R3
/ip settings
set rp-filter=strict tcp-syncookies=yes
/ip address
add address=10.1.0.1/30 interface=ether1 network=10.1.0.0
add address=10.1.1.1/30 interface=ether2 network=10.1.1.0
add address=10.2.0.1/30 interface=ether3 network=10.2.0.0
add address=10.2.1.1/30 interface=ether4 network=10.2.1.0
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/system identity
set name=R3
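
As an added example (my own Python, not code from the post or from MikroTik), the checker below parses the R1 and R2 exports above and follows each tunnel through the rule chain the post relies on: output dst-port, connection-mark, routing-mark, routing table, gateway, and finally the WAN whose subnet contains that gateway. It then checks that the prerouting rule on that WAN assigns the same connection-mark, so a handshake received there is answered out of the same interface. It assumes that tunnels are paired by WireGuard interface name on both routers (WG1 with WG1, WG2 with WG2), as they are in these configs, and the export strings are trimmed to the sections it reads. It models only the marking logic on paper; it is not a RouterOS emulator and says nothing about what the device actually does with locally generated WireGuard packets.

```python
"""Trace a MikroTik multi-WAN WireGuard setup through its mangle and route rules.
Added example (not from the post or MikroTik): output dst-port -> connection-mark
-> routing-mark -> routing table -> gateway -> WAN, plus an inbound-mark symmetry check."""
import ipaddress
import shlex
from collections import defaultdict

# Excerpts of the R1 and R2 exports in the post, trimmed to the sections read here.
R1_EXPORT = """
/interface wireguard
add listen-port=13231 mtu=1420 name=WG1 private-key=""
add listen-port=13232 mtu=1420 name=WG2 private-key=""
/ip address
add address=10.1.0.2/30 interface=ether1 network=10.1.0.0
add address=10.1.1.2/30 interface=ether2 network=10.1.1.0
/ip firewall mangle
add action=mark-connection chain=output connection-mark=no-mark dst-port=13233 new-connection-mark=ISP1 protocol=udp
add action=mark-connection chain=output connection-mark=no-mark dst-port=13234 new-connection-mark=ISP2 protocol=udp
add action=mark-connection chain=prerouting connection-state=new in-interface=ether1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2 new-connection-mark=ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1_table
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2_table
/ip route
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=10.1.0.1 routing-table=ISP1_table
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=ISP2_table
"""
R2_EXPORT = """
/interface wireguard
add listen-port=13233 mtu=1420 name=WG1 private-key=""
add listen-port=13234 mtu=1420 name=WG2 private-key=""
/ip address
add address=10.2.0.2/30 interface=ether1 network=10.2.0.0
add address=10.2.1.2/30 interface=ether2 network=10.2.1.0
/ip firewall mangle
add action=mark-connection chain=output dst-port=13231 new-connection-mark=ISP1 protocol=udp
add action=mark-connection chain=output dst-port=13232 new-connection-mark=ISP2 protocol=udp
add action=mark-connection chain=prerouting connection-state=new in-interface=ether1 new-connection-mark=ISP1
add action=mark-connection chain=prerouting connection-state=new in-interface=ether2 new-connection-mark=ISP2
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=ISP1_table
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=ISP2_table
/ip route
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=10.2.0.1 routing-table=ISP1_table
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=10.2.1.1 routing-table=ISP2_table
"""

def parse_export(text):
    """Parse export text into {section path: [attribute dict per add/set line]}."""
    sections, current, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # export wraps long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)          # shlex keeps quoted values such as "WAN 1" intact
        if tokens and tokens[0] in ("add", "set"):
            sections[current].append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return sections

def trace_tunnel(cfg, remote_port):
    """Return (connection-mark, egress WAN) for locally generated packets to remote_port;
    either element is None when that link of the chain is missing."""
    mangle = cfg["/ip firewall mangle"]
    conn_mark = next((r["new-connection-mark"] for r in mangle
                      if r.get("chain") == "output" and r.get("dst-port") == str(remote_port)), None)
    if conn_mark is None:
        return None, None
    routing_mark = next((r["new-routing-mark"] for r in mangle
                         if r.get("action") == "mark-routing" and r.get("connection-mark") == conn_mark), None)
    gateway = next((r["gateway"] for r in cfg["/ip route"] if routing_mark
                    and r.get("routing-table") == routing_mark and r.get("dst-address") == "0.0.0.0/0"), None)
    for addr in cfg["/ip address"]:         # the WAN whose subnet contains the gateway carries the tunnel
        if gateway and ipaddress.ip_address(gateway) in ipaddress.ip_interface(addr["address"]).network:
            return conn_mark, addr["interface"]
    return conn_mark, None

def ingress_mark(cfg, interface):
    """Connection-mark that prerouting assigns to new flows arriving on interface."""
    return next((r["new-connection-mark"] for r in cfg["/ip firewall mangle"]
                 if r.get("chain") == "prerouting" and r.get("in-interface") == interface), None)

def audit(local, remote):
    """Pair each local WireGuard interface with the remote one of the same name (assumption:
    matching names, as in the post) and report its WAN and whether inbound marking agrees."""
    remote_ports = {w["name"]: w["listen-port"] for w in remote["/interface wireguard"]}
    report = {}
    for wg in local["/interface wireguard"]:
        conn_mark, egress = trace_tunnel(local, remote_ports[wg["name"]])
        report[wg["name"]] = {"egress": egress,
                              "symmetric": egress is not None and ingress_mark(local, egress) == conn_mark}
    return report

if __name__ == "__main__":
    r1, r2 = parse_export(R1_EXPORT), parse_export(R2_EXPORT)
    for name, cfg, peer in (("R1", r1, r2), ("R2", r2, r1)):
        print(name, audit(cfg, peer))
```

For these two exports every tunnel traces to the intended WAN (WG1 to ether1, WG2 to ether2 on both routers) and the prerouting mark on that WAN agrees, so the marks are at least coherent on paper; an empty egress or an asymmetric entry would point at a port or mark mismatch between the two sides. When the trace is clean, the next thing to look at is live behaviour on the device rather than the rules, for example the connection marks in `/ip firewall connection print` and the interface the UDP handshake actually leaves on in `/tool sniffer`.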

Please provide a diagram of your network, as your explanation was not clear.
Does each device have its own internet connection, for example?
Do any have a public IP address on an upstream device that gets a public IP address that can forward ports to the MT?

Not sure why you use two bridges.
Your R1 Server peer setup is all wrong.
How many WANs do you have on R1, and what is the purpose of them vis-a-vis the wireguard connections (seeing as you have two interfaces for some unknown reason)?

What is the purpose of access to R3?

  • access LAN resources?
  • use internet of R3?
  • able to config R3?

On R2 (client)
Is the intent to access internet of R1?
What about accessing config of R1 or R3 ??
What about accessing LAN entities on R1 or R3 ???

Same question for R3 (router).
What is the purpose of the wireguard tunnel setup?

  • to use internet of R1?
  • to access LAN resources on R1?
  • To access config of R1?

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overall, why do you have two wireguard interfaces on each device?

This is the diagram of my network.

This network is just a test environment:
R1 simulates the main office router
R2 simulates a remote office router
R3 simulates the internet

At the moment two bridges are not necessary.
The most important thing is to make Wireguard work.
The goal of this test is to create two VPN tunnels using two separate internet connections, ensuring redundancy.
If I manage to get the two VPN tunnels working, I would like to connect the LAN networks of the two sites and use OSPF for dynamic routing.
However, for now, none of these routers is actually connected to the internet.
I would like to use two WireGuard interfaces to establish two VPN tunnels over two separate ‘internet connections’ and to balance the load between them.

Okay enjoy,
When you provide a network diagram and a finished end-state plan, I'm more than willing to help.
Not interested in hypotheticals…