Wireguard Server with Multi WAN

Hello everyone, I have a complicated scenario that I am having trouble configuring.
Screenshot 2024-07-27 000243.png
As you can see, I have multiple WANs; I have to run the WG client on one of them and the WG server on another.
I have to connect as a WG client from outside my LAN through my second WAN, which hosts the WG server.
This is my configuration. I’m not an advanced user, so if any part of it has a problem please mention it.
My main problem is with the firewall and routes.

# by RouterOS 7.16beta7
# model = C52iG-5HaxD2HaxD
# NOTE(review): this export has no /ip firewall filter section. Unless the
# paste was trimmed, nothing restricts the input or forward chains: every
# router service (DNS on 53, WireGuard on 13231/37773, management ports) is
# reachable from pppoe-out2, ether1 and both tunnels, and any connected host
# or peer can be forwarded wherever the routes allow.

/interface bridge
add name=LAN

/interface wireguard
# wireguard-inet: client tunnel to the upstream VPN provider.
# wireguard-server: tunnel that remote users dial into on UDP 37773.
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=37773 mtu=1420 name=wireguard-server

/interface macvlan
add interface=ether2 mac-address=3E:63:A2:A4:99:49 mode=private name=macvlan2

/interface pppoe-client
add dial-on-demand=yes disabled=no interface=macvlan2 name=pppoe-out2 user=*******

/ip pool
add name=dhcp_pool0 ranges=192.168.50.2-192.168.50.254

/routing table
# IRWAN: its only route (see /ip route) is a default via pppoe-out2.
add disabled=no fib name=IRWAN

/interface bridge port
add bridge=LAN interface=wifi2
add bridge=LAN interface=wifi1
add bridge=LAN interface=ether5
add bridge=LAN interface=ether4

/ipv6 settings
set disable-ipv6=yes

/interface wireguard peers
# Upstream peer: allowed-address=0.0.0.0/0 lets any destination be sent into
# the tunnel; which destinations actually go there is decided by the /1 routes
# in /ip route, not here.
add allowed-address=0.0.0.0/0 endpoint-address="VPN Endpoint" endpoint-port=\
    51820 interface=wireguard-inet name=Client persistent-keepalive=25s \
    public-key="*****"
# Remote-user peer. allowed-address=192.168.60.2/24 accepts packets under this
# key from ANY source in 192.168.60.0/24, not only .2; for one client a /32 is
# the usual scope, and a later peer with an overlapping range would presumably
# take those addresses over. client-dns=8.8.8.8 goes into the generated client
# config, so remote users do not resolve through this router.
add allowed-address=192.168.60.2/24 client-address=192.168.60.2/24 \
    client-dns=8.8.8.8 client-endpoint="My Public IP" client-listen-port=37773 \
    interface=wireguard-server is-responder=yes name=Server public-key=\
    "********"

/ip address
add address=192.168.50.1/24 interface=LAN network=192.168.50.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
add address=192.168.60.1/24 interface=wireguard-server network=192.168.60.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip cloud advanced
# NOTE(review): presumably meant to publish the pppoe-out2 address in DDNS;
# the "Mik Cloud" mangle + NAT rules below already force cloud traffic out
# pppoe-out2, so the cloud would see that address anyway — confirm this is
# still needed.
set use-local-address=yes
/ip dhcp-client
# ether1 (the LTE side, going by the thread) gets an address but no default
# route; the only thing routed through it is the host route to the VPN
# endpoint at the end of /ip route — TODO confirm 192.168.1.1 is its gateway.
add add-default-route=no interface=ether1 use-peer-dns=no
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1

/ip dhcp-server network
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1

/ip dns
# allow-remote-requests=yes makes the router resolve for anyone who can reach
# it; with no input filter (see top) that includes the public pppoe-out2 side,
# i.e. an open resolver. Forwarding goes to 10.2.0.1 through wireguard-inet.
set allow-remote-requests=yes servers=10.2.0.1

/ip firewall address-list
add address=217.219.208.0/20 list=IranAddList
add address=217.219.224.0/19 list=IranAddList
# LOCAL-IP is the three RFC 1918 aggregates, far wider than the two subnets
# this router actually has (192.168.50.0/24 and 192.168.60.0/24).
add address=192.168.0.0/16 comment=LOCAL-IP list=LOCAL-IP
add address=172.16.0.0/12 comment=LOCAL-IP list=LOCAL-IP
add address=10.0.0.0/8 comment=LOCAL-IP list=LOCAL-IP
# FQDN entry: the router resolves it through /ip dns, i.e. via 10.2.0.1 inside
# the tunnel.
add address=cloud2.mikrotik.com comment="Mikrotik Cloud" list="Mik Cloud"


/ip firewall mangle
# Rules run top to bottom; passthrough=yes means a later rule may overwrite the
# mark a rule just set.
add action=mark-routing chain=output dst-address-list="Mik Cloud" log=yes new-routing-mark=IRWAN passthrough=no
add action=mark-routing chain=prerouting dst-address-list=IranAddList new-routing-mark=IRWAN passthrough=yes src-address-list=LOCAL-IP
add action=mark-routing chain=output dst-address-list=IranAddList new-routing-mark=IRWAN passthrough=yes src-address-list=LOCAL-IP
add action=mark-routing chain=output dst-address-list=!IranAddList new-routing-mark=main passthrough=yes src-address-list=LOCAL-IP
# BUG: this matches every packet that arrives on wireguard-server, including
# the IranAddList-bound ones the prerouting rule above already marked IRWAN
# (that rule has passthrough=yes, so evaluation continued), and re-marks them
# main. Remote users therefore never reach IranAddList via PPPoE. Add
# dst-address-list=!IranAddList here, or give the prerouting IranAddList rule
# passthrough=no.
add action=mark-routing chain=prerouting in-interface=wireguard-server new-routing-mark=main passthrough=yes


/ip firewall nat
add action=masquerade chain=srcnat dst-address-list="Mik Cloud" out-interface=pppoe-out2 routing-mark=IRWAN
add action=masquerade chain=srcnat dst-address-list=IranAddList out-interface=pppoe-out2
# Covers both the bridge and the wireguard-server subnet (inside 192.168.0.0/16).
add action=masquerade chain=srcnat out-interface=wireguard-inet src-address-list=LOCAL-IP


/ip route
# IRWAN: everything via pppoe-out2.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 \
    routing-table=IRWAN scope=30 suppress-hw-offload=no target-scope=10
# main: the two /1 routes are more specific than any default, so unmarked
# traffic always enters the upstream tunnel. No 0.0.0.0/0 appears in main in
# this export, so with the tunnel down there is no fallback (consistent with
# the stated requirement that nothing leaves the LTE side in the clear).
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Host route for the tunnel endpoint itself, so the outer WireGuard packets
# are not sent into the tunnel they carry. "*VPN Endpoint*" is a placeholder
# in the paste; the real value must be the endpoint's IP.
add disabled=no dst-address=*VPN Endpoint* gateway=192.168.1.1 \
    routing-table=main suppress-hw-offload=no

/routing rule
# IRWAN-marked packets are looked up only in IRWAN; if pppoe-out2 is down they
# are dropped rather than falling back to main (and thus into the tunnel).
add action=lookup-only-in-table disabled=no routing-mark=IRWAN table=IRWAN

Will look at this tomorrow.
The first thing is to establish which users need to go out proton VPN.
Is it a whole subnet, an SSID on a wifi LAN, a vlan, a few users ???/

The server aspect is much easier to deal with.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

With that in mind, can you separate Non-proton users from other users, by that I mean, can
you put them on their own physical port from the router or behind a managed switch, or create another wifi LAN with SSID that they use for wireguard access???
The purpose would be to avoid mangling if possible.

(especially when nothing you have done makes any sense in terms of mangling)

thank you so much for your response
first, there is an “IranAddList” address list and there are two 0.0.0.0/0 routes (Proton, PPPOE)

if the dest address of all of my Local-IPs even the WG Server users is “IranAddList” it has to go through IRWAN Table and be routed to PPPOE
and everything else that their dest address isn’t in “IranAddList” has to go through the main Table and be routed to Proton
as you see in my configuration file I’m doing this with mangle and mark routing them

and there is a mangle and address list “Mik Cloud” that I’m using for routing cloud traffic through PPPOE

I can’t go with the physical-port approach because my router is going to be an RB5009; it has 8 Ethernet ports, and I have multiple switches on which I sometimes want different DHCP servers on different ports. This is my ideal scenario — is that going to be a problem?

If you think any part of my setup has a problem please mention it I tried multiple setups like two table VPN and IRWAN but it still doesn’t work

Okay a bit clearer…
I understand there are two public IPs that, if they are the intended destination of local users, have to go out via the IRWAN table over PPPOE.
However not sure what you mean by wireguard users as well??

For example you have local proton users, that it would appear need to use the LTE IP DHCP client to reach Proton,
That is accomplished by establishing the connection to PROTON via the LTE interface, not up to users but to you as admin in the configuration.
Therefore these users cannot go out another WAN for those destinations.

Next you have road warriors coming to your router via the Server function of the router ( different wireguard interface ).
Are you saying that their allowed IPs ( set on their remote devices ) is set to 0.0.0.0/0
and that they should have the following occur.
a. if destination address is local, then they should be able to reach the single local subnet
b. if the destination address is one of those two specific addresses, they should be sent out via the IRWAN table to PPPOE
c. if the destination address is any other address, they should go out the Proton VPN for internet.

++++++++++++++++++++++++++++++++++++++++++

The other issue needing clarity is your business of local IPs in addresses.
Please remove as they do not appear relevant.
The only relevant subnet on the router is 192.168.50.1/24 and the two wireguard interfaces as well.

Thus why do you define these at all???
add address=192.168.0.0/16 comment=LOCAL-IP list=LOCAL-IP
add address=172.16.0.0/12 comment=LOCAL-IP list=LOCAL-IP
add address=10.0.0.0/8 comment=LOCAL-IP list=LOCAL-IP

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Finally, you have to be clear, which users on the single subnet of the bridge require access to Proton VPN for internet.
We know ALL users need to go out IRWAN (pppoe) for the two specific destinations.
Which users should ONLY use IRWAN (pppoe) for traffic?
Which users should ONLY use the Proton VPN, unless going to those two destinations?

Hint: Can you put any group of identified users into their own port? subnet? vlan? ssid/wlan ??
If not: And its not the whole existing subnet, then you may have to create a firewall address list of the ones that need identifying..

However not sure what you mean by wireguard users as well??

I mean when I connect to my WG Server I want to explore LAN services like my NAS NVR … and also I want to explore the internet using my Fiber and proton WG client just like my LAN user maybe I was wrong about Road Warrior term

I don’t have exactly local proton users all of my LAN user’s traffic gonna NAT and routed to the WG Proton Interface or PPPOE interface based on its destination in the “IranAddList” address list or not
Screenshot 2024-07-27 213130.png
this is the routing scenario I want to achieve

a. if destination address is local, then they should be able to reach the single local subnet
b. if the destination address is one of those two specific addresses, they should be sent out via the IRWAN table to PPPOE
c. if the destination address is any other address, they should go out the Proton VPN for internet.

I need all these 3 scenario to happen

The other issue needing clarity is your business of local IPs in addresses.
Please remove as they do not appear relevant.
The only relevant subnet on the router is 192.168.50.1/24 and the two wireguard interfaces as well.

I think there is a misunderstanding

# These are my firewall address list
# NOTE(review): these three RFC 1918 aggregates are far wider than the two
# subnets the router actually has (192.168.50.0/24 and 192.168.60.0/24); any
# rule matching src-address-list=LOCAL-IP matches on the aggregate, not on
# what the router owns.
add address=192.168.0.0/16 comment=LOCAL-IP list=LOCAL-IP
add address=172.16.0.0/12 comment=LOCAL-IP list=LOCAL-IP
add address=10.0.0.0/8 comment=LOCAL-IP list=LOCAL-IP
# These are my IP addresses
# The only subnets actually present: bridge, upstream tunnel (/30), WG server.
add address=192.168.50.1/24 interface=LAN network=192.168.50.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
add address=192.168.60.1/24 interface=wireguard-server network=192.168.60.0

if there is a problem with my address list please mention it

If not: And its not the whole existing subnet, then you may have to create a firewall address list of the ones that need identifying..

yes I created LOCAL-IP address list to achieve this
in this way I think could mangle both WG Server and my Local subnets

There is NO purpose to your local address list. Its is a list of NOTHING on your router. ???
The only local subnet you have on your router is 192.168.50.0/24


Okay I fully understand the requirements of your wireguard warriors coming on the server wireguard interface.

What you have not made clear is IF any local users, on subnet 192.168.50.0/24 should go out proton??
They all should go?
Only some of them should go?
If so which ones.

OR

is it like the wg RWs.
All local users that are going to the two identified WANIPs, should go out PPPOE
and all other destinations should go out proton???

ok I will change the address list to 192.168.50.0/24 for my LOCAL-IP

for local users is just like WG users
Screenshot 2024-07-28 120201.png
I need this scenario to happen

That makes more sense. The only thing the diagram is missing is Road Warriors coming in on Server Wireguard for internet and having the same flow direction outbound.

Question1: If Proton is not available for any reason, do you want wireguard users and local users access to PPPOE until Proton is back up??

Question2: Did proton give you a specific DNS server address to use??

Question 3. Why use macvlan? In this case, with a single pppoe client, just use ether2 in the pppoe-client definition and remove macvlan.
Question 4. WHY did you set this to yes? Removed for troubleshooting and because its purpose is unknown.
/ip cloud advanced
set use-local-address=yes

  1. DO NOT USE LAN for bridge name, as its nomenclature already used on RoS and is extremely confusing.

    \

by RouterOS 7.16beta7

model = C52iG-5HaxD2HaxD

# NOTE(review): forum rendering has replaced straight quotes with “ ”, dropped
# the backslash line continuations and the leading '#' on the two header lines
# above; retype quotes as ASCII before pasting. Text in { } is advice to the
# reader, not a command.
/interface bridge
add name=bridge

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=37773 mtu=1420 name=wireguard-server

/interface list
add name=WAN
add name=LAN

/interface list members
# Both tunnels are classified: the upstream tunnel is a WAN, the server tunnel
# is treated as LAN so the filter rules below apply to remote users as well.
add interface=pppoe-out2 list=WAN
add interface=wireguard-inet list=WAN
add interface=bridge list=LAN
add interface=wireguard-server list=LAN

/interface pppoe-client
# NOTE(review): the parameter is spelled add-default-route elsewhere on this
# page (dhcp-client in the first export); default-route= as written is likely
# not accepted. With the default route on PPPoE, main == PPPoE in this layout.
add dial-on-demand=yes disabled=no interface=ether2 name=pppoe-out2 user=******* use-client-dns=yes default-route=yes

/ip pool
add name=dhcp_pool0 ranges=192.168.50.2-192.168.50.254

/routing table
# use-PROTON: the only table whose default points into the upstream tunnel.
add fib name=use-PROTON

/interface bridge port
add bridge=bridge interface=wifi2
add bridge=bridge interface=wifi1
add bridge=bridge interface=ether5
add bridge=bridge interface=ether4
/ipv6 settings
set disable-ipv6=yes
/ipv6 firewall
# Belt and braces: IPv6 is disabled above, and dropped here in case it is not.
add chain=input action=drop
add chain=forward action=drop

/interface wireguard peers
# Upstream peer; the three lines below are one command split by the forum.
add allowed-address=0.0.0.0/0 endpoint-address=“VPN Endpoint” endpoint-port=
51820 interface=wireguard-inet name=Client persistent-keepalive=25s
public-key=“"
# Admin laptop peer. allowed-address=192.168.60.2/24 accepts packets under this
# key from any 192.168.60.x source; a /32 is the usual scope for one client.
add allowed-address=192.168.60.2/24 interface=wireguard-server public-key=
"
" comment=“admin laptop”

/ip address
add address=192.168.50.1/24 interface=bridge network=192.168.50.0
# The next three lines are one command mangled by the forum; the original
# export reads address=10.2.0.2/30.
add address=10.2.0.2
/24
* interface=wireguard-inet network=10.2.0.0
add address=192.168.60.1/24 interface=wireguard-server network=192.168.60.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

/ip dhcp-client
# NOTE(review): not a command by itself (no add/set and no item to act on);
# the intent appears to be disabling the ether1 DHCP client from the first
# export. No host route to the VPN endpoint is defined anywhere below, so the
# tunnel's outer packets follow the PPPoE default route — confirm that is the
# intended uplink.
disabled=yes

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge name=dhcp1

/ip dhcp-server network
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1

/ip dns
# The router does not resolve for clients; LAN queries to 192.168.50.1:53 are
# dst-nat'ed to 10.2.0.1 instead (see /ip firewall nat), so DNS only works
# while the tunnel is up — presumably the intent (no DNS via PPPoE).
set allow-remote-requests=no

/ip firewall address-list
add address=217.219.208.0/20 list=IranAddList
add address=217.219.224.0/19 list=IranAddList
add address=cloud2.mikrotik.com comment=“Mikrotik Cloud” list=“Mik Cloud”
++++++++++++++++
# Individual admin hosts only (X/Y are placeholders); this list gates the
# "admin access" input rule below.
add address=192.168.50.X list=Authorized comment=“admin PC”
add address=192.168.50.Y list=Authorized comment=“admin laptop”
add address=192.168.60.Y list=Authorized comment=“remote admin”

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=“defcon: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback”
dst-address=127.0.0.1
# Handshake accept sits BEFORE the final drop — keep that order. The comment
# value contains a space and needs quotes to parse.
add action=accept chain=input comment=Wireguard handshake dst-port=37773 protocol=udp
# Management reachable only from LAN-list interfaces AND Authorized hosts;
# wireguard-server is in the LAN list, so the remote admin gets in over the
# tunnel.
add action=accept chain=input comment=“admin access” in-interface-list=LAN src-address-list=Authorized
add action=drop chain=input comment=“drop all else”
++++++++++++++
# Fasttracked packets skip the mangle chains; see the later note on adding
# connection-mark=no-mark here once connection marking is introduced.
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
# Remote users may initiate toward the bridge subnet. Nothing accepts
# bridge-initiated connections toward 192.168.60.0/24; only replies pass.
add action=accept chain=forward in-interface=wireguard-server dst-address=192.168.50.0/24
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat { disable or remove if not required }
add action=drop chain=forward comment=“Drop all else”
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Matches port 53 from any LAN-list interface to ANY destination, including
# the router's own 192.168.50.1, so every LAN resolver ends up at 10.2.0.1.
# The exports on this page spell the parameter to-addresses.
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=udp to-address=10.2.0.1
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=tcp to-address=10.2.0.1
/ip route { assuming you have default route selected on pppoe, there is no need to create a manual router for pppoe)
# The exports on this page spell the parameter routing-table=.
add dst-address=0.0.0.0/0 gateway=wireguard-inet table=use-PROTON

/routing rule
# Rules are evaluated in order; the first match wins. The first rule names no
# table and has no src/dst match, so as written it is incomplete — per its
# comment the intent is to keep local<->local traffic in main.
add action=lookup-only-in-table min-prefix=0 comment=” allows wg server to lan traffic etc."
add action=lookup-only-in-table src-address=192.168.50.0/24 dst-address=217.219.208.0/20 table=main
add action=lookup-only-in-table src-address=192.168.50.0/24 dst-address=217.219.224.0/19 table=main
add action=lookup-only-in-table src-address=192.168.60.0/24 dst-address=217.219.208.0/20 table=main
add action=lookup-only-in-table src-address=192.168.60.0/24 dst-address=217.219.224.0/19 table=main
# Typo: lookup-only-in table -> lookup-only-in-table. lookup-only-in-table
# means no fallback to main when the tunnel route is gone, i.e. fail closed.
add action=lookup-only-in table src-address=192.168.50.0/24 table=use-PROTON
add action=lookup-only-in table src-address=192.168.60.0/24 table=use-PROTON

thank you so much

If Proton is not available for any reason, do you want wireguard users and local users access to PPPOE until Proton is back up??

No, it only works with the LTE interface, and I don’t want anything to go through the LTE interface without the VPN.

Did proton give you a specific DNS server address to use??

yes “10.2.0.1” but I add this too

Why use macvlan? In this case single pppple client just use ether2 in the pppoe client definition and remove macvlan.

it may sound crazy but I’m gonna use 4 PPPOE at the end I think if I understand how to handle 1 I could do the rest

I have a few questions about your config
1- I don’t understand how you separate traffic for IranAddList (did you forget to mangle it?)
2- you don’t think it’s better to use the main table for VPN and create an “IRWAN” Table my IranAddList list has 2000 CIDR
3- In the routing rule, what are address1 and address2? Are they gateways (pppoe-out2 and wireguard-inet)?
4- I don’t need ping but I don’t have ping of pppoe from WAN (I have static IP)
Besides all of that, the config doesn’t work: I have internet, but the WireGuard server still has problems — when it’s connected, my pings to 8.8.8.8 and to the LAN time out. I tried a couple of things like mangling or using gateways as the routing-rule address.

if you want to debug this kind of situation what kind of tools you would use?
is there some kind of tool so I could track traffic in the router itself not Traceroute I mean before traffic gets out or ingress traffic
I know about Logging but it gets so confusing

All good, macvlan is great for the case of multi ppooe so you are on the right track there!!

[quote=Anymore6630 post_id=1088336 time=1722263642 user_id=215357]
I have a few questions about your config
1- I don’t understand how you separate traffic for IranAddList (did you forget to mangle it?)
2- you don’t think it’s better to use the main table for VPN and create an “IRWAN” Table my IranAddList list has 2000 CIDR
3- In the routing rule, what are address1 and address2? Are they gateways (pppoe-out2 and wireguard-inet)?
4- I don’t need ping but I don’t have ping of pppoe from WAN (I have static IP)
Besides all of that, the config doesn’t work: I have internet, but the WireGuard server still has problems — when it’s connected, my pings to 8.8.8.8 and to the LAN time out. I tried a couple of things like mangling or using gateways as the routing-rule address.

if you want to debug this kind of situation what kind of tools you would use?
is there some kind of tool so I could track traffic in the router itself not Traceroute I mean before traffic gets out or ingress traffic
I know about Logging but it gets so confusing
[/quote]

  1. All traffic, based on standard rules and routes etc., will go out the PPPOE connection for internet, including LAN and WIREGUARD users.

Through routing rules we state, ( and order is critical)
if the traffic is local to local send it through main table ( use existing routes automatically created for local subnets ( bridge and wireguard )
If the traffic from the LAN is going to the first special address use table main ( go out pppoe )
If the traffic from the LAN is going to the second special address use table main ( go out pppoe )
If the traffic from the wireguard warriors is going to the first special address, use table main (go out pppoe)
If the traffic from the wireguard warriors is going to the second special address, use table main (go out pppoe)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The above rules were required to ensure traffic we next forced into the wireguard tunnel was executed first.

Its clear that without the next rule, all traffic would have gone out PPOE anyway and we would have not needed any routing rules.
However since we do force ALL traffic from LAN and WG to the PROTON tunnel the previous rules were necessary!

The remaining traffic (not matched by the above rules) from the LAN ( and thus going to any other public IP ) use table PROTON
The remaining traffic (not matched by the above rules) from the wireguard warriors,( and thus going to any other public IP ) use table PROTON

  1. Not sure what you are saying? Are you saying the IRANaddlist has 2000 entries…???
    Well, all I can say is if you have hidden facts, that's on you… I only work with the provided facts in determining the optimal config.
    If so, then yes mangling would be better but I will provide that part of the config depending on your answers…

  2. I fixed the config above to show the addresses properly..

  3. Dont understand your ping. Are you saying you are unable to ping the router from an external address like using your cell phone (turn wifi off and use cellular signal to test).

I’m so sorry i didn’t mean to confuse you I think it was obvious from its name IranADDList= Iran Address List = whole Iran country CIDRs I didn’t add all of the list to the config code above cuz its too long and made it messy
one thing you missing was cloud routing I need cloud dest addresses to go through pppoe
I know how to write mangle but I think yours is better than mine
so is this config gonna change the routing rule part?
is that possible for the main table to go through the proton? cuz you know I’m in Iran internet is so shit that sometimes ROS has trouble updating itself
and for the ping, that’s right I can’t get a ping of my PPPOE IP Address you know it’s not necessary to
tell me what to change I will try to get a ping after that maybe after that it’ll getting right both ping and wireguard server(I have a ping of the IP address before set the full config )

“one thing you missing was cloud routing I need cloud dest addresses to go through pppoe” ???

Can you please explain this better please?
Do you have a modem or modem router that provides a public IP to your router ( and its dynamic or static )

What does the cloud have to do with your ppoe??

As I showed in my first diagram, my PPPOE gets a public static IP address and users connect to the WG server through this interface. I want MikroTik Cloud traffic to go through PPPOE so that my cloud address is the PPPOE IP address; the clients use the mynetname.net domain as the endpoint. Usually in my setup it gets the Proton IP address, so I use mangle to fix it.

Again, not very clear at all.
What I do know.
You have wireguard users coming into the router via the wireguard server you setup.
You have described that these users besides being able to access local LAN, need
a. to use PPPOE internet access for IranList
b. to use PROTON internet for all other external addresses.

This is clear and makes sense.
In fact it mirrors the same requirement as the LAN users in terms where they should go for internet traffic.

Is the above not correct, or are we talking about a different set of users…
Please explain differently as I am not getting it. ??

++++++++++++++++++++++++++++++++++++++++
Currently I am assuming that wireguard warriors reaching the wg server on the router are using either a free DynDNS URL available from many sites,
OR the ip cloud my netname to REACH the router, this is done by the wireguard software to reach out to the router for handshake.

What other users are hitting the router externally and for what purpose??

everything you say is right
Mikrotik Cloud DDNS has to get PPPOE IP address, not the proton IP address for DDNS
for Mikrotik Cloud, I only mean DDNS not Back to home service I’m not using that
let’s forget it it’s not important I could handle it myself

With a long list, forget routing rules and use mangling.

/ip firewall address list
# (menu path is /ip firewall address-list, as in the exports on this page)
add address=192.168.50.0/24 list=local
add address=192.168.60.0/24 list=local
/ip firewall mangle
# In mangle, accept ends processing of the chain for that packet, so the next
# three rules exempt local<->local and IranAddList-bound forwards from the
# connection mark below: those connections stay unmarked and follow main,
# which in this layout is the PPPoE default route.
add action=accept chain=forward src-address-list=local dst-address-list=local
add action=accept chain=forward src-address=192.168.50.0/24 dst-address-list=IranAddList
add action=accept chain=forward src-address=192.168.60.0/24 dst-address-list=IranAddList
# Everything else entering from the LAN list (bridge + wireguard-server) is
# tagged From-LAN once. The forum wrapped the command: new-connection-mark=
# belongs to this line. The exports spell the action mark-connection.
add action=mark-connections chain=forward connection-mark=no-mark in-interface-list=LAN
new-connection-mark=From-LAN passthrough=yes
# NOTE(review): From-LAN is assigned in forward, after the routing decision,
# so the first packet of a new connection is routed before the mark exists
# (presumably via main/PPPoE) and only later packets reach use-PROTON —
# confirm on the bench; marking the connection in prerouting would avoid the
# split.
add action=mark-routing chain=prerouting connection-mark=From-LAN
new-routing-mark=use-PROTON passthrough=no

In the forward chain modify the fasttrack rule:
# Spelled fasttrack-connection in the exports. connection-mark=no-mark keeps
# From-LAN connections out of fasttrack: fasttracked packets skip the mangle
# chains and so would not receive the routing mark.
add action=fasttrack chain=forward connection-state=established,related connection-mark=no-mark

I still have a problem I modified it a little bit but I think it may cuz some problem
could you help me fix it
one thing I modified I’m trying to send the main table to proton and use the IRWAN table for “IranAddList” destination addresses

Screenshot 2024-07-30 163732.png

# 2024-07-30 06:50:40 by RouterOS 7.16beta7
# model = C52iG-5HaxD2HaxD
# Layout in this export: main -> upstream tunnel (two /1 routes), IRWAN ->
# pppoe-out2. Mangle must therefore mark ONLY the traffic meant for PPPoE;
# see the BUG note in /ip firewall mangle.
/interface bridge
add name=bridge
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-inet
add listen-port=37773 mtu=1420 name=wireguard-server
/interface macvlan
add interface=ether2 mac-address=3E:63:A2:A4:99:49 mode=private name=macvlan2
/interface pppoe-client
add dial-on-demand=yes disabled=no interface=macvlan2 name=pppoe-out2 user="****"
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp_pool0 ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge name=dhcp1
/routing table
add disabled=no fib name=IRWAN
/interface bridge port
add bridge=bridge interface=wifi2
add bridge=bridge interface=wifi1
add bridge=bridge interface=ether5
add bridge=bridge interface=ether4
/ipv6 settings
set disable-ipv6=yes
/interface list member
# wireguard-server is in the LAN list: the "internet traffic" forward rule and
# the "admin access" input rule below apply to remote users too.
add interface=pppoe-out2 list=WAN
add interface=bridge list=LAN
add interface=wireguard-server list=LAN
add interface=wireguard-inet list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address="VPN Endpoint" endpoint-port=\
    51820 interface=wireguard-inet name=a persistent-keepalive=25s \
    public-key=""
# Remote-user peer. allowed-address=192.168.60.2/24 accepts packets under this
# key from any 192.168.60.x source; a /32 is the usual scope for one client.
# client-dns=8.8.8.8 is handed to the remote client, so its DNS is ordinary
# forwarded traffic and follows the routing marks like everything else.
add allowed-address=192.168.60.2/24 client-address=192.168.60.2/24 \
    client-dns=8.8.8.8 client-endpoint="my pppoe ip address" client-listen-port=37773 \
    interface=wireguard-server is-responder=yes name=s public-key=""
/ip address
add address=192.168.50.1/24 interface=bridge network=192.168.50.0
add address=10.2.0.2/30 interface=wireguard-inet network=10.2.0.0
add address=192.168.60.1/24 interface=wireguard-server network=192.168.60.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
# ether1 contributes no default route; only the host route to the VPN
# endpoint at the end of /ip route uses it.
add add-default-route=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
/ip dns
# Router-side resolver forwards to 10.2.0.1 through the tunnel (this is also
# how the cloud2.mikrotik.com address-list entry gets resolved). LAN port-53
# traffic is dst-nat'ed straight to 10.2.0.1 (see /ip firewall nat), so this
# resolver mostly serves the router itself; from the WAN side it is blocked
# by the input "drop all else" rule.
set allow-remote-requests=yes servers=10.2.0.1
/ip firewall address-list
# IranAddList is truncated in the paste; the thread says it is ~2000 entries.
add address=2.57.3.0/24 comment="Iran (Islamic Republic of)" list=IranAddList
add address=2.144.0.0/14 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=2.176.0.0/12 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.1.43.0/24 comment="Iran (Islamic Republic of)" list=IranAddList
add address=5.10.248.0/24 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.22.0.0/17 comment="Iran (Islamic Republic of)" list=IranAddList
add address=5.22.192.0/21 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.22.200.0/22 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.23.112.0/21 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.34.192.0/20 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.42.217.0/24 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.42.223.0/24 comment="Iran (Islamic Republic of)" list=\
    IranAddList
add address=5.52.0.0/16 comment="Iran (Islamic Republic of)" list=IranAddList
# No mangle/NAT rule references "Mik Cloud" in this export any more, so cloud
# traffic follows main (the tunnel) — at odds with the DDNS requirement
# stated in the thread.
add address=cloud2.mikrotik.com comment="Mikrotik Cloud" list="Mik Cloud"
add address=192.168.50.0/24 list=local
add address=192.168.60.0/24 list=local
# NOTE(review): Authorized is now both whole subnets, so the "admin access"
# input rule below effectively grants every LAN and remote-WG host access to
# all router services. The earlier suggestion listed individual admin hosts.
add address=192.168.50.0/24 list=Authorized
add address=192.168.60.0/24 list=Authorized
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="defcon: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback" \
    dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
# BUG (order): "drop all else" precedes the WireGuard handshake accept, so new
# UDP 37773 packets from the PPPoE side are dropped before that rule is ever
# reached. Move the handshake rule above this drop.
add action=drop chain=input comment="drop all else"
add action=accept chain=input comment="Wireguard handshake" dst-port=37773 \
    protocol=udp
# connection-mark=no-mark keeps From-LAN connections out of fasttrack, since
# fasttracked packets skip the mangle chains and would lose the routing mark.
add action=fasttrack-connection chain=forward connection-mark=no-mark \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
# Remote users may initiate toward the bridge subnet. Nothing accepts
# bridge-initiated connections toward 192.168.60.0/24; only replies pass.
add action=accept chain=forward dst-address=192.168.50.0/24 in-interface=\
    wireguard-server
add action=drop chain=forward comment="Drop all else"
/ip firewall mangle
# BUG: the logic below is inverted relative to the stated goal (IranAddList
# via IRWAN/PPPoE, everything else via main/Proton). In mangle, accept ends
# chain processing for that packet, so the three accept rules exempt
# local<->local and IranAddList-bound forwards from marking: those connections
# never get From-LAN, stay unmarked and follow main — the two /1 routes into
# the tunnel. Every other LAN/WG connection DOES get From-LAN, is marked IRWAN
# and leaves via pppoe-out2 in the clear. The accept rules were written for the
# earlier layout where main was PPPoE. Fix: remove the two IranAddList accept
# rules and add dst-address-list=IranAddList to the mark-connection rule, so
# only IranAddList-bound connections are marked.
add action=accept chain=forward dst-address-list=local src-address-list=local
add action=accept chain=forward dst-address-list=IranAddList src-address=\
    192.168.50.0/24
add action=accept chain=forward dst-address-list=IranAddList src-address=\
    192.168.60.0/24
# NOTE(review): the connection mark is assigned in forward, after the routing
# decision, so the first packet of each new connection is routed before the
# mark exists (presumably via main) and only later packets see this rule —
# confirm; marking the connection in prerouting would avoid the split.
add action=mark-routing chain=prerouting connection-mark=From-LAN \
    new-routing-mark=IRWAN passthrough=no
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface-list=LAN new-connection-mark=From-LAN passthrough=yes
/ip firewall nat
# Covers pppoe-out2 and wireguard-inet (both in the WAN list).
add action=masquerade chain=srcnat out-interface-list=WAN
# Port 53 from any LAN-list interface to ANY destination (including the
# router's own 192.168.50.1) is redirected to 10.2.0.1 through the tunnel;
# with the tunnel down, LAN DNS presumably fails rather than leaking.
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
    udp to-addresses=10.2.0.1
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
    tcp to-addresses=10.2.0.1
/ip route
# IRWAN: everything via pppoe-out2.
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=IRWAN \
    suppress-hw-offload=no
# main: the two /1 routes beat any default, so unmarked traffic always enters
# the tunnel; no 0.0.0.0/0 exists in main here, so there is no fallback.
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# "Proton endpoint" is a placeholder. 192.168.1.1 is presumably the gateway
# ether1 learns via DHCP (add-default-route=no above) — confirm; without this
# host route the tunnel's outer packets would follow the /1 routes into the
# tunnel itself.
add disabled=no dst-address="Proton endpoint" gateway=192.168.1.1 \
    routing-table=main suppress-hw-offload=no
/routing rule
# IRWAN-marked packets are looked up only in IRWAN; with pppoe-out2 down they
# are dropped rather than falling back to main.
add action=lookup-only-in-table disabled=no routing-mark=IRWAN table=IRWAN

Look where you put the wireguard handshake rule… it will never be seen!!
Not familiar with your route methodology so unable to comment.

From my limited knowledge, leaving PPPOE (your only real WAN connection) as primary ensures that router-to-ISP initial connectivity is available and also that one can make the initial connection to Proton through a working PPPOE connection. Hence why my idea was to leave PPPOE as primary, which covers the above and satisfies your requirement for all traffic to the Iran destination address list to use PPPOE. Then what is left to do is mangle all other traffic to PROTON.

I will seek to figure out if there is a way to do the reverse but dont think so.

no no, you’re right I will change the PPPOE to primary and test it but if you find any way please mention it