So Im trying to configure my settings 1 subnet for wifi, second for vpn, when I connect to second no network at all, but I can ping google or connect to VPN
Im gonna use 1 wifi for direct network and other wifi for VPN connection
Im using cloudflare dns over DOH
/interface bridge add admin-mac=DC:2C:6E:97:B8:B2 auto-mac=no comment=defconf name=bridge
/interface bridge add name=bridge-vpn
/interface lte set [ find default-name=lte1 ] allow-roaming=no band="" nr-band=""
/interface wireless set [ find default-name=wlan1 ] country=thailand disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-97B8B7 wireless-protocol=802.11
/interface wireless set [ find default-name=wlan2 ] country=thailand disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-97B8B8 wireless-protocol=802.11
/interface wireguard add listen-port=13231 mtu=1420 name=wg0
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=VPN-rm
/interface lte apn set [ find default=yes ] use-peer-dns=no
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip pool add name=dhcp-wg ranges=192.168.129.10-192.168.129.254
/ip dhcp-server add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/ip dhcp-server add address-pool=dhcp-wg comment=VPN interface=bridge-vpn lease-time=10m name=vpnconf
/interface bridge port add bridge=bridge comment=defconf interface=ether1
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge-vpn comment=defconf interface=wlan2
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=lte1 list=WAN
/interface list member add interface=bridge-vpn list=VPN-rm
/interface list member add interface=*C list=VPN-rm
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=138.199.60.2 endpoint-port=51820 interface=wg0 persistent-keepalive=25s public-key="sFHv/qzG7b6ds5pow+oAR3G5Wqp9eFbBD3BmEGBuUWU="
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=10.65.44.7 interface=wg0 network=10.65.44.7
/ip address add address=192.168.129.1/24 interface=bridge-vpn network=192.168.129.0
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dhcp-server network add address=192.168.129.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.129.1
/ip dns set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip dns static add address=104.16.248.249 name=cloudflare-dns.com
/ip dns static add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle add action=change-mss chain=postrouting new-mss=1380 out-interface=bridge-vpn passthrough=no protocol=tcp tcp-flags=syn
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall nat add action=redirect chain=dstnat dst-port=53 protocol=tcp
/ip firewall nat add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall nat add action=masquerade chain=srcnat out-interface=bridge-vpn
#error exporting "/ip/ssh" (timeout)
/routing rule add action=lookup-only-in-table dst-address=0.0.0.0/0 interface=bridge-vpn src-address=192.168.129.0/24 table=*1
/routing rule add action=lookup-only-in-table dst-address=192.168.129.0/24 interface=*C src-address=0.0.0.0/0 table=*1
/system clock set time-zone-name=Asia/Bangkok
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=time.google.com
/system ntp client servers add address=0.pool.ntp.org
So I did check all points and try to complete step by step, looks like all the settings is right, but when Im connected it shows no network and no ping 8.8.8.8
ping in mikrotik by interface wg0 to 8.8.8.8 is works
by firewall rule, did You mean mangle? Im also tried it
Get rid of the 2 mangle rules not useful. /ip firewall mangle add action=accept chain=forward in-interface=bridge-vpn out-interface=wg0
/ip firewall mangle add action=accept chain=forward in-interface=wg0 out-interface=bridge-vpn
This indicates a problem,
/interface list member add interface**=C* list=VPN-rm
You dont need that list anyway.
For the wireguard IP address on the router should be in the correct format
from: /ip address add address=10.65.44.7**???** interface=wg0 network=10.65.44**.7**
TO /ip address add address=10.65.44.7/24 interface=wg0 network=10.65.44.0
Get rid of this static DNS setting /ip dns static add address=192.168.88.1 comment=defconf name=router.lan
Last item… These two rules… the only one you need is allowing your traffic to enter the tunnel. Return traffic is allowed automatically. /ip firewall filter add action=accept chain=forward in-interface=bridge-vpn out-interface=wg0 /ip firewall filter add action=accept chain=forward in-interface=wg0 out-interface=bridge-vp [ get rid of this one]
Alright from now all is works
First wlan1 [2ghz] goes directly to network threw cloudflare DOH DoH server connection error and I did change google ntp to cloudflare
Second wlan2 [5ghz] goes threw mullvad VPN, I did hide SSID from view.
For other ppl just required to add Your own private key for mullvad or any other and name it as wg0
