Wireguard Site to site VPN problem

Hello everyone!

I have three routers (hAP ac2, hAP ax2 and hAP ax3) in different locations. All three locations have dynamic public IP addresses assigned by the ISP.

Currently the routers and their local networks are connected via IPsec VPN; fortunately rarely, but occasionally, the config needs to be modified because the dynamic public IP address has changed. Now all routers are running ROS7 and have the option to configure Wireguard. However, I need a Wireguard Road Warrior VPN for each router so I can access them remotely individually with a laptop. It would be nice if I could use MikroTik's IP Cloud DNS Name service and not have to regularly rewrite IP addresses in the config.

I created Wireguard Road Warrior VPNs for each router for testing purposes and they all work, I can reach the members of the network behind each router.

I created a Wireguard Site to site VPN between hAP ac2 and hAP ax2 for testing purposes and it works, I can reach the members of the networks behind them. This was a simple case because the router's config does not contain any special features such as VLANs. I created a Wireguard Site to site VPN between the hAP ac2 and hAP ax3 routers, but unfortunately it doesn't work. I can't figure out why, but there is a difference in the hAP ax3 config, in that it has VLANs. Interestingly, the hAP ax3 Wireguard Road Warrior VPN created for the aforementioned testing purpose works.

I've been browsing the forum for weeks, trying all the suggested solutions, but to no avail. I'm really stuck, I need help.

Can anyone help me? If so, please tell me what information is needed and I will send it to you.

Thank you for your help

Sure, but you need a coherent plan and that comes from a detailed accurate assessment of the user requirements.

Admin
Users at Router1
Users at Router2
Users at Router3

Admin

  • configure all three routers remotely (aka from laptop)
  • configure both other routers when at any one of the three routers.
  • reach all router subnets when remote (laptop)
  • reach both other router subnets when at any one of the three routers
  • potentially use WAN of a router when remote (on laptop)

Users at routers A, B, C
Reach other router LAN subnets
Anything else by Router users?

Any other remote users (non-admin) that need to be able to reach router LANs?

Also need all three configs
/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys, dhcp lease lists)

Of course.

I use an admin user on each router, but not with the name admin.

This is accurate, but I would add that there is a continuous server connection from one router subnet to the others.

There are no other users on the routers.

Currently, there are no other remote users (non-admin) who need to access the routers' LANs.

The central router would be ax3 and the ac2 and ax2 routers would connect to it. This is how the routers currently connect to each other with IPsec Site to site VPN. As a user, I currently connect to each router with L2TP/IPsec Road Warrior VPN and have access to the entire network and subnets.

I created a WG Road Warrior VPN for each router and it works, I can access the subnet of that router.

I have created a WG Site to site VPN between the ac2 and ax2 routers for testing, which will be terminated when the system boots up. It works and I can connect to either router (ac2 or ax2) and access the subnets of both routers. There is no VLAN configured on these routers.

I created a WG Site to site VPN between the ac2 and ax3 routers for testing, but it doesn't work, I can't reach the subnet of the other router. VLANs are configured on these routers.

This is the ac2 config

/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=hungary disabled=no installation=indoor mode=ap-bridge ssid=\
    BLUE_2Gi wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=hungary disabled=no frequency=auto installation=\
    indoor mode=ap-bridge ssid=BLUE_5Gi wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=wg3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip ipsec peer
add address=xx.xx.xx.xx/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=name1 pfs-group=\
    none
/ip pool
add name=dhcp_pool0 ranges=192.168.3.201-192.168.3.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/ppp profile
add bridge=bridge1 dns-server=192.168.3.254 local-address=192.168.3.254 name=\
    l2tp-bridge remote-address=dhcp_pool0 use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=\
    yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=wg3 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.7/32 interface=wg3 name=peer-rd1 public-key=\

add allowed-address=192.168.100.8/32 interface=wg3 name=peer-rd2 public-key=\

add allowed-address=192.168.1.0/24,192.168.100.3/24 endpoint-address=\
    aaaaaaaaaaaa.sn.mynetname.net endpoint-port=13231 interface=wg3 name=\
    peer-s2s1 public-key=
add allowed-address=192.168.2.0/24,192.168.100.1/24 endpoint-address=\
    bbbbbbbbbbbb.sn.mynetname.net endpoint-port=13231 interface=wg3 name=\
    peer-s2s2 public-key=
/ip address
add address=192.168.3.254/24 interface=bridge1 network=192.168.3.0
add address=192.168.100.2/24 interface=wg3 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.254
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=192.88.99.0/24 comment="Relay Anycast [RFC 3068]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
/ip firewall filter
add action=accept chain=input comment="Wireguard traffic enable" src-address=\
    192.168.100.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept router mgmt remote network" \
    in-interface=ether1 src-address=192.168.0.0/17
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp (1701)" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec NAT (4500)" dst-port=\
    4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec vpn (ipsec-esp)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all input from blacklist" \
    src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=2h chain=input comment=\
    "add IP address ssh request from WAN to blacklist" connection-state=new \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=5d chain=input comment="add port scanners to list" \
    connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
add action=accept chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.3.0/24
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
    dst-address=192.168.3.0/24 in-interface=all-ppp src-address=\
    192.168.3.0/24
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
    dst-address=192.168.3.0/24 out-interface=all-ppp src-address=\
    192.168.3.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" disabled=yes
/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS for IPSec" \
    dst-address=192.168.1.0/24 new-mss=1350 protocol=tcp src-address=\
    192.168.3.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.3.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=peer1 proposal=name1 src-address=\
    192.168.3.0/24 tunnel=yes
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=wg3 routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wg3 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www address=192.168.0.0/17
set winbox address=192.168.0.0/17
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=isipos profile=l2tp-bridge service=l2tp
add name=user2 profile=l2tp-bridge service=l2tp
add name=user3 profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=router
/system ntp client
set enabled=yes
/system ntp client servers
add address=82.2.46.19
add address=148.6.0.1

This is the ax2 config

/interface bridge
add name=bridge1 protocol-mode=none
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180-5885 \
    .width=20/40/80mhz configuration.country=Hungary .installation=indoor \
    .mode=ap .ssid=BLUE_5G disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .wps=disable
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz \
    configuration.country=Hungary .installation=indoor .mode=ap .ssid=BLUE_2G \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes .wps=disable
/interface wireguard
add listen-port=13231 mtu=1420 name=wg2
/interface list
add name=LAN
add name=WAN
/interface wifi channel
add band=2ghz-n disabled=no name=BLUE2GN width=20/40mhz
/interface wifi configuration
add channel=BLUE2GN country=Hungary disabled=no installation=indoor name=\
    BLUE_2GN ssid=BLUE_2GN
/interface wifi
add configuration=BLUE_2GN configuration.mode=ap .ssid=GuestWiFi \
    datapath.client-isolation=yes disabled=no mac-address= \
    master-interface=wifi2 name=wifi2-virtual2 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=Security_BLUE_2GN wps=\
    disable
/interface wifi
add configuration=BLUE_2GN configuration.installation=indoor .mode=ap .ssid=\
    BLUE_2GN mac-address= master-interface=wifi2 name=\
    wifi2-virtual1 security=Security_BLUE_2GN security.authentication-types=\
    wpa2-psk .ft=yes .ft-over-ds=yes .wps=disable
/ip ipsec peer
add address=xx.xx.xx.xx name=peer2
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256 nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=name1 pfs-group=\
    none
/ip pool
add name=dhcp-pool1 ranges=192.168.2.201-192.168.2.240
add name=dhcp-pool2 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp-pool1 interface=bridge1 name=dhcp-server1
add address-pool=dhcp-pool2 interface=wifi2-virtual2 name=dhcp-server2
/ppp profile
add bridge=bridge1 dns-server=192.168.2.254 local-address=192.168.2.254 name=\
    l2tp-bridge remote-address=dhcp-pool1 use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=wifi2-virtual1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=\
    yes use-ipsec=yes
/interface list member
add interface=ether2 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether3 list=LAN
add interface=ether1 list=WAN
add interface=wifi1 list=LAN
add disabled=yes interface=bridge1 list=LAN
add interface=wifi2 list=LAN
add interface=wifi2-virtual1 list=LAN
add interface=wg2 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.4/32 interface=wg2 name=peer-rd1 public-key=\
add allowed-address=192.168.3.0/24,192.168.100.2/24 endpoint-address=\
    aaaaaaaaaaaaa.sn.mynetname.net endpoint-port=13231 interface=wg2 name=\
    peer-s2s2 public-key=
/ip address
add address=192.168.2.254/24 interface=bridge1 network=192.168.2.0
add address=192.168.99.1/24 interface=wifi2-virtual2 network=192.168.99.0
add address=192.168.100.1/24 interface=wg2 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254,8.8.4.4,8.8.8.8 gateway=\
    192.168.2.254 netmask=24 ntp-server=84.2.46.19,148.6.0.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
add action=accept chain=input comment="Wireguard traffic enable" src-address=\
    192.168.100.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept router mgmt remote network" \
    in-interface=ether1 src-address=192.168.0.0/17
add action=accept chain=input comment="allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp (1701)" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec NAT (4500)" dst-port=\
    4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec vpn (ipsec-esp)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all input from blacklist" \
    src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=2h chain=input comment=\
    "add IP address ssh request from WAN to blacklist" connection-state=new \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2d chain=input comment="add port scanners to list" \
    connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=forward comment="Drop Guest WiFi" in-interface=\
    wifi2-virtual2 out-interface=bridge1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="forward l2tp/ipsec remote client" \
    dst-address=192.168.2.0/24 in-interface=all-ppp src-address=\
    192.168.2.0/24
add action=accept chain=forward comment="forward l2tp/ipsec remote client" \
    dst-address=192.168.2.0/24 out-interface=all-ppp src-address=\
    192.168.2.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab, Related, & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" disabled=yes
/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS for IPSec" \
    dst-address=192.168.1.0/24 new-mss=1350 protocol=tcp src-address=\
    192.168.2.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer2
/ip ipsec policy
add dst-address=192.168.1.0/24 peer=peer2 proposal=name1 src-address=\
    192.168.2.0/24 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www address=192.168.0.0/17
set winbox address=192.168.0.0/17
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=user1 profile=l2tp-bridge service=l2tp
add name=user2 profile=l2tp-bridge service=l2tp
add name=user profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system ntp client
set enabled=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I hope I didn't forget anything. I would be happy if you could help.

Thank you for your help

I'm attaching the ax3 config separately because it didn't fit within the message size limit.

This is the ax3 config

/interface bridge
add name=br vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface vlan
add interface=br name=GUEST vlan-id=20
add arp=proxy-arp interface=br name=MAIN vlan-id=10
add interface=br name=SRV vlan-id=30
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add name=WAN
add name=VLAN
add name=LAN
/interface wifi datapath
add bridge=br name=MAIN vlan-id=10
add bridge=br name=GUEST vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=Security_MAIN wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=Security_GUEST wps=disable
add authentication-types=wpa2-psk disabled=no name=Security_MAIN2G wps=\
    disable
/interface wifi configuration
add country=Hungary datapath=MAIN disabled=no name=MAIN2G security=\
    Security_MAIN2G ssid=MAIN2G_Network
add country=Hungary datapath=GUEST disabled=no name=GUEST security=\
    Security_GUEST security.wps=disable ssid=GUEST_Network
add country=Hungary datapath=MAIN disabled=no name=MAIN security=\
    Security_MAIN security.wps=disable ssid=MAIN_Network
/ip ipsec peer
add address=xx.xx.xx.xx/32 name=peer2
add address=xx.xx.xx.xx/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256 nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=name1 pfs-group=\
    none
/ip pool
add name=dhcp_pool0 ranges=192.168.1.201-192.168.1.240
add name=dhcp_pool2 ranges=10.0.20.201-10.0.20.240
add name=dhcp_pool3 ranges=192.168.5.201-192.168.5.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MAIN name=dhcp2
add address-pool=dhcp_pool3 interface=GUEST name=dhcp3
add address-pool=dhcp_pool2 interface=SRV name=dhcp4
/ppp profile
add bridge=br dns-server=192.168.1.254 local-address=192.168.1.254 name=\
    l2tp-bridge remote-address=dhcp_pool0 use-encryption=yes
/interface bridge port
add bridge=br frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=30
add bridge=br interface=ether4
add bridge=br interface=ether3
add bridge=br frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br tagged=br,ether3,ether4 vlan-ids=20
add bridge=br tagged=br,ether3,ether4 untagged=ether2 vlan-ids=10
add bridge=br tagged=br untagged=ether5 vlan-ids=30
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=\
    yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=MAIN list=VLAN
add interface=GUEST list=VLAN
add interface=SRV list=VLAN
add interface=pppoe-out1 list=WAN
add interface=wg1 list=VLAN
/interface wifi capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    slave-configurations=GUEST,MAIN2G supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=yes master-configuration=MAIN2G \
    supported-bands=2ghz-n
/interface wireguard peers
add allowed-address=192.168.100.5/32 interface=wg1 name=peer-rd2 public-key=\
add allowed-address=192.168.3.0/24,192.168.100.2/24 endpoint-address=\
    aaaaaaaaaaaa.sn.mynetname.net endpoint-port=13231 interface=wg1 name=\
    peer-s2s1 public-key=
/ip address
add address=192.168.1.254/24 interface=MAIN network=192.168.1.0
add address=192.168.5.254/24 interface=GUEST network=192.168.5.0
add address=10.0.20.254/24 interface=SRV network=10.0.20.0
add address=192.168.100.3/24 interface=wg1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.254 gateway=10.0.20.254 \
    ntp-server=84.2.46.19,148.6.0.1
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254 \
    ntp-server=84.2.46.19,148.6.0.1
add address=192.168.5.0/24 dns-server=192.168.5.254 gateway=192.168.5.254 \
    ntp-server=84.2.46.19,148.6.0.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
add action=accept chain=input comment="Wireguard traffic enable" src-address=\
    192.168.100.0/24
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow router mgmt remote network" \
    in-interface=pppoe-out1 src-address=192.168.0.0/17
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp (1701)" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec NAT (4500)" dst-port=\
    4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec vpn (ipsec-esp)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow MAIN" in-interface=MAIN
add action=accept chain=input comment="Allow VLAN" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=drop chain=input comment="drop all input from blacklist" \
    src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=2h chain=input comment=\
    "add IP address ssh request from WAN to blacklist" connection-state=new \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=5d chain=input comment="add port scanners to list" \
    connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
add action=drop chain=input comment="Drop all else" disabled=yes
add action=accept chain=forward comment="Wireguard to VLAN" in-interface=wg1 \
    out-interface-list=VLAN
add action=accept chain=forward comment="Wireguard to VLAN" \
    in-interface-list=VLAN out-interface=wg1
add action=accept chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.3.0/24
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
    dst-address=192.168.1.0/24 in-interface=all-ppp src-address=\
    192.168.1.0/24
add action=accept chain=forward comment="Forward l2tp/ipsec remote client" \
    dst-address=192.168.1.0/24 out-interface=all-ppp src-address=\
    192.168.1.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop VLAN inter-VLAN routing" \
    in-interface-list=VLAN out-interface-list=VLAN
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=yes
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" disabled=yes
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.3.0/24 new-mss=1350 \
    protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
add action=change-mss chain=forward dst-address=192.168.2.0/24 new-mss=1350 \
    protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
add action=change-mss chain=forward new-mss=1440 out-interface=pppoe-out1 \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1440
add action=mark-packet chain=prerouting connection-mark=VoIP-Conn disabled=\
    yes new-packet-mark=VoIP-Pkt passthrough=no
add action=mark-packet chain=forward connection-mark=rtp-connection disabled=\
    yes new-packet-mark=RTP
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer2
add peer=peer1
/ip ipsec policy
add dst-address=192.168.3.0/24 peer=peer1 proposal=name1 src-address=\
    192.168.1.0/24 tunnel=yes
add dst-address=192.168.2.0/24 peer=peer2 proposal=name1 src-address=\
    192.168.1.0/24 tunnel=yes
/ip route
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www address=192.168.0.0/17
set winbox address=192.168.0.0/17
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=user2 profile=l2tp-bridge service=l2tp
add name=user1 profile=l2tp-bridge service=l2tp
add name=user3 profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=cAP_Controller
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server mac-winbox
set allowed-interface-list=VLAN

I hope I didn't forget anything. I would be happy if you could help.

Thank you for your help

Thanks, all clear, two other routers without any users to speak of. However there is a server, on one of the 3 routers, that needs to be accessed by the two other routers.
When at the remote router sites you use your own admin local LANIP there.

Suggesting
a. that the home router ax3 with guests uses a better security approach.
b. ipsec/ppp/l2tp removed as it will no longer be in play (just to keep config clean)
c. you do not list wlans in either /interface bridge ports-vlans because wifi datapath/capsman does that for you????
d. the ax3 is the server for the handshake and thus none of its peers have endpoints identified.........

ASSUMPTION local lan on Remote Router2 is 192.168.2.0/24 with wg address 192.168.100.2/24
ASSUMPTION local lan on Remote Router3 is 192.168.3.0/24 with wg address 192.168.100.3/24
ASSUMPTION AX3 local router has LAN 192.168.1.0/24 (main) and wg address 192.168.100.1/24
Consistency :slight_smile:
laptop wg 192.168.100.5
smartphone wg 192.168.100.6

e. YOUR SRCNAT attempt is flawed or misunderstood..........
There is no need to sourcenat your subnet traffic as you control both ends of the tunnels with MT routers.
Typically source-natting is only required if the other end is not capable of dealing with more than one IP....

f. All mangling removed, it was not identified in your requirements above and thus didnt make any sense.
I LIKE SIMPLE CLEAN :slight_smile:

g. allowing access from a private IP range as per below is not good practice.
add action=accept chain=input comment="Allow router mgmt remote network" \
    in-interface=pppoe-out1 src-address=192.168.0.0/17

REMOVED!!

h. you had an allow rule for port forwarding but no corresponding dstnat rules for port forwarding so left it in but disabled.

i. Made the router the NTP server for your LANs, more efficient.

j. disabled www from services as its not a secure access method for a router and a recent vector of exploit CVE............. the more doors closed the more secure the router is.

k. limited winbox IPs to something more practical, also limited mac server to interface list trusted with fewer folks with access and finally through firewall rules limited to single IPs....... Layers of defense retaining some flexibility.

AX3 (Router 1, with MAIN local lan)

/interface bridge
add name=br vlan-filtering=yes  frame-types=admit-only-vlan-tagged
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface vlan
add interface=br name=GUEST vlan-id=20
add arp=proxy-arp interface=br name=MAIN vlan-id=10
add interface=br name=SRV vlan-id=30
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
/interface wifi datapath
add bridge=br name=MAIN vlan-id=10
add bridge=br name=GUEST vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=Security_MAIN wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=Security_GUEST wps=disable
add authentication-types=wpa2-psk disabled=no name=Security_MAIN2G wps=\
    disable
/interface wifi configuration
add country=Hungary datapath=MAIN disabled=no name=MAIN2G security=\
    Security_MAIN2G ssid=MAIN2G_Network
add country=Hungary datapath=GUEST disabled=no name=GUEST security=\
    Security_GUEST security.wps=disable ssid=GUEST_Network
add country=Hungary datapath=MAIN disabled=no name=MAIN security=\
    Security_MAIN security.wps=disable ssid=MAIN_Network
/ip pool
add name=dhcp_pool0 ranges=192.168.1.201-192.168.1.240
add name=dhcp_pool2 ranges=10.0.20.201-10.0.20.240
add name=dhcp_pool3 ranges=192.168.5.201-192.168.5.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=MAIN name=dhcp2
add address-pool=dhcp_pool3 interface=GUEST name=dhcp3
add address-pool=dhcp_pool2 interface=SRV name=dhcp4
/interface bridge port
add bridge=br frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=30
add bridge=br frame-types=admit-only-vlan-tagged interface=ether4
add bridge=br frame-types=admit-only-vlan-tagged interface=ether3
add bridge=br frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=br tagged=br,ether3,ether4 vlan-ids=20
add bridge=br tagged=br,ether3,ether4 untagged=ether2 vlan-ids=10
add bridge=br tagged=br untagged=ether5 vlan-ids=30
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=MAIN list=LAN
add interface=GUEST list=LAN
add interface=SRV list=LAN
add interface=wg1 list=LAN
add interface=wg1 list=TRUSTED
add interface=MAIN list=TRUSTED
/interface wifi capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    slave-configurations=GUEST,MAIN2G supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=yes master-configuration=MAIN2G \
    supported-bands=2ghz-n
/interface wireguard peers
add allowed-address=192.168.100.2/32,192.168.2.0/24 interface=wg1 name=\
    RRouter2 public-key=
add allowed-address=192.168.100.3/32,192.168.3.0/24 interface=wg1 name=\
    RRouter3 public-key=
add allowed-address=192.168.100.5/32 interface=wg1 name=laptop public-key=
add allowed-address=192.168.100.6/32 interface=wg1 name=smartphone public-key=
/ip address
add address=192.168.1.254/24 interface=MAIN network=192.168.1.0
add address=192.168.5.254/24 interface=GUEST network=192.168.5.0
add address=10.0.20.254/24 interface=SRV network=10.0.20.0
add address=192.168.100.1/24 interface=wg1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface=ether1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.254 gateway=10.0.20.254
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.5.0/24 dns-server=192.168.5.254 gateway=192.168.5.254
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.XX list=Authorized comment="admin wired local"
add address=192.168.1.YY list=Authorized comment="admin wifi local"
add address=192.168.100.5 list=Authorized comment="remote admin laptop"
add address=192.168.100.6 list=Authorized comment="remote admin smartphone"
add address=192.168.2.AA  list=Authorized comment="remote router2 admin lanIP"
add address=192.168.3.BB list=Authorized comment="remote router3 admin lanIP"
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { put this rule here but last of all rules}
+++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Authorized to LAN" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="LAN to Wireguard"  in-interface-list=LAN src-address=192.168.1.0/24 out-interface=wg1  
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="wireguard relay" in-interface=wg1  out-interface=wg1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=192.168.2.0/24 gateway=wg1 routing-table=main
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www disabled=yes { not secure access to router }
set winbox address=192.168.1.0/24,192.168.100.0/24,192.168.3.0/24,192.168.2.0/24
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=cAP_Controller
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server 
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

AX2 ( Remote Router2)

Notes: don't need to assign ports to the LAN interface list that are already identified on the bridge port listing.
Only one wireguard peer and that is to the AX3!!

/interface bridge
add name=bridge1 protocol-mode=none
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180-5885 \
    .width=20/40/80mhz configuration.country=Hungary .installation=indoor \
    .mode=ap .ssid=BLUE_5G disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .wps=disable
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz \
    configuration.country=Hungary .installation=indoor .mode=ap .ssid=BLUE_2G \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes .wps=disable
/interface wireguard
add listen-port=15556 mtu=1420 name=wg2
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface wifi channel
add band=2ghz-n disabled=no name=BLUE2GN width=20/40mhz
/interface wifi configuration
add channel=BLUE2GN country=Hungary disabled=no installation=indoor name=\
    BLUE_2GN ssid=BLUE_2GN
/interface wifi
add configuration=BLUE_2GN configuration.mode=ap .ssid=GuestWiFi \
    datapath.client-isolation=yes disabled=no mac-address= \
    master-interface=wifi2 name=wifi2-virtual2 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=Security_BLUE_2GN wps=\
    disable
/interface wifi
add configuration=BLUE_2GN configuration.installation=indoor .mode=ap .ssid=\
    BLUE_2GN mac-address= master-interface=wifi2 name=\
    wifi2-virtual1 security=Security_BLUE_2GN security.authentication-types=\
    wpa2-psk .ft=yes .ft-over-ds=yes .wps=disable
/ip pool
add name=dhcp-pool1 ranges=192.168.2.201-192.168.2.240
add name=dhcp-pool2 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp-pool1 interface=bridge1 name=dhcp-server1
add address-pool=dhcp-pool2 interface=wifi2-virtual2 name=dhcp-server2
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=wifi2-virtual1
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=wifi2-virtual2 list=LAN
add interface=wg2 list=LAN
add interface=bridge1 list=TRUSTED
add interface=wg2 list=TRUSTED
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.3.0/24,192.168.1.0/24 endpoint-address=\
    aaaaaaaaaaaaa.sn.mynetname.net endpoint-port=13231 interface=wg2 name="To AX3" \
   public-key=+---+  persistent-keep-alive=20sec
/ip address
add address=192.168.2.254/24 interface=bridge1 network=192.168.2.0
add address=192.168.99.1/24 interface=wifi2-virtual2 network=192.168.99.0
add address=192.168.100.2/24 interface=wg2 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254,8.8.4.4,8.8.8.8 gateway=\
    192.168.2.254
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=192.168.1.XX list=Authorized comment="remote router1 adminLANIP wired"
add address=192.168.1.YY list=Authorized comment="remote router1 adminLANIP  wifi"
add address=192.168.100.5 list=Authorized comment="remote admin laptop"
add address=192.168.100.6 list=Authorized comment="remote admin smartphone"
add address=192.168.2.AA  list=Authorized comment="admin wired local"
add address=192.168.3.BB list=Authorized comment="remote router3 admin lanIP"
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=TRUSTED src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { put this rule here but last of all rules}
+++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Authorized to LAN" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="LAN to Wireguard"  in-interface-list=LAN src-address=192.168.2.0/24 out-interface=wg2  { edit fixed }  
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add dst-address=192.168.1.0/24 gateway=wg2 routing-table=main
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www disabled=yes
set winbox address=192.168.1.0/24,192.168.100.0/24,192.168.3.0/24,192.168.2.0/24
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

AC2 ( RRouter3)

Notes: only 1 peer to ax3 required.

/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=hungary disabled=no installation=indoor mode=ap-bridge ssid=\
    BLUE_2Gi wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=hungary disabled=no frequency=auto installation=\
    indoor mode=ap-bridge ssid=BLUE_5Gi wps-mode=disabled
/interface wireguard
add listen-port=14567 mtu=1420 name=wg3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.3.201-192.168.3.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=wg3 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.0/24,192.168.1.0/24,192.168.2.0/24 endpoint-address=\
    aaaaaaaaaaaa.sn.mynetname.net endpoint-port=13231 interface=wg3 name="to-AX3" \
    persistent-keep-alive=30sec
/ip address
add address=192.168.3.254/24 interface=bridge1 network=192.168.3.0
add address=192.168.100.3/24 interface=wg3 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.254
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=192.168.1.XX list=Authorized comment="remote router1 adminLANIP wired"
add address=192.168.1.YY list=Authorized comment="remote router1 adminLANIP  wifi"
add address=192.168.100.5 list=Authorized comment="remote admin laptop"
add address=192.168.100.6 list=Authorized comment="remote admin smartphone"
add address=192.168.2.AA  list=Authorized comment="remote router2 admin lanIP"
add address=192.168.3.BB list=Authorized comment="admin wired local"
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53,123 protocol=udp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { put this rule here but last of all rules}
+++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Authorized to LAN" src-address-list=Authorized out-interface-list=LAN
add action=accept chain=forward comment="LAN to Wireguard"  in-interface-list=LAN src-address=192.168.3.0/24 out-interface=wg3   { edit fixed }
add action=accept chain=forward comment="RRouter1 LAN to local LAN"  in-interface=wg3 src-address=192.168.1.0/24 dst-address=192.168.3.0/24  { edit fixed }
add action=accept chain=forward comment="RRouter2LAN to local LAN"  in-interface=wg3 src-address=192.168.2.0/24 dst-address=192.168.3.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=wg3 routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wg3 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www disabled=yes   { edit fixed }
set winbox address=192.168.1.0/24,192.168.100.0/24,192.168.3.0/24,192.168.2.0/24
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=router
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Dear @anav , a huge amount of work in an incredibly short time! I wouldn't have thought...

Thank you very much for the suggestions, I will look through them, try to understand and try how they work. I hope I will understand everything and everything will work, but if there is a problem, I don't understand something, I will ask. I will report with the final result, but it will take me a little longer than you...

Thank you very much for your help.

No problems, ask any questions you need to, for understanding before applying....

@anav A few quick comments, because I haven't finished it yet, but I'm having trouble with some things, or don't understand them. If I do, there will probably be more... :slight_smile:

I think the configs don't match the original scenario. According to the configs, ax2 is the central router, to which the other routers are connected via WG Site to site VPN.

According to the original idea, the public router should be ax3, because that's where the server is and everything else.

The IPsec, L2TP, PPP entries have been deleted from the configs, but why were the entries referring to ssh-blacklist, bogonlist, etc. deleted?

You created an Authorized address list, I think you should enter fixed IP addresses here, but I don't understand the XX, YY, AA, BB markings in the IP addresses, because the laptop gets an IP address with or without a dock via DHCP (dock ethernet or laptop ethernet connector or wifi) and I don't use a desktop. How do you think I should set these up?

There is no TRUSTED interface list and associated entries in the ac2 config. Is this intentional?

The ac2 would only connect to ax3, but the responsible route to ax2 remained under the /ip route. Did this remain so by accident?

I think the /ip service www should also be disabled in the ac2 config due to the security risk you suggested. Is that correct?

Thank you for your help

Good questions!

  1. Yes, the AX3 is the CENTRAL router and the first config I presented. That is the only router with multiple wireguard allowed addresses, one for each client.

  2. Other lists --> Because, they are not needed at the moment. You will note we drop all traffic not explicitly allowed. Very solid defense, if you feel like you need more, then we can address it after we get everything else up and running smoothly.

  3. I did use fixed IP addresses for the Authorized list, which is common to all three devices. Since you didn't provide the necessary level of detail in the requirements (admin IPs on AX3 (R1), on AX2 (R2), or AC2 (R3)), I had to put placeholders XX/YY/AA/BB.

As long as you identify which IP address is pertinent for Admin IPs on each router and add those to the Authorized address list and the two wireguard IPs ( laptop and smartphone/ipad ) you are good to go.
Typically one connects both wired and wireless ( desktop, laptop, smartphone, ipad )

  4. Whenever you have more than one subnet on a router, aka the LAN describes two or more subnets, that tells me that there is usually one subnet that is not trusted and thus we need to break it out.
    The R3 (AC2) only has a single subnet, the bridge (ax3 has multiple VLANs, and ax2 has the guest wifi subnet 99.0).

  5. The reason why you still need routes is for the admin arriving at R2 or R3 after connecting to R1. We don't worry about the admin coming in on remote wireguard (from laptop etc.) as those routes already exist on each device, since wireguard is a subnet identified on each device (aka a local subnet the router knows about).

The admin will need to access R2 and R3 from 192.168.1.x and thus one needs this route on Routers 2,3 so those routers know where to send reply traffic (as 192.168.1.0 is not local).
The same logic applies to R1 and R3 for when the admin is on R2 and wants to reach subnets on R1 and R3.
The same logic applies to R1 and R2 for when the admin is on R3 and wants to reach subnets on R1 and R2
The above describes the admin needs, often this is duplicated in that user to server traffic is required and we have to make sure that return traffic paths are identified. You will note we allow admin traffic to LANs and to the router config by way of the authorized source address and its use in input chain and forward chain.

A general rule of thumb is that IP routes should match the additional subnets identified in allowed-addresses.

  6. Yes it should, good catch.
    +++++++++++++++++++++++++++++++++++++++++

I will review the configs to see if I had any errors. The one thing to note is I don't think you needed the two forward chain rules on AX2 R2 (router 3 users on LAN originate traffic to router 2 and router 1 users on LAN originate traffic to router 2). That's why I put the notes on there to remove those if not required.

On Router 3 (three minor fixes (typos) done).
Understand that both OTHER routers ( R1 & R2 ) local users need access to server on this router.

Router2. With that in mind I removed the extra incoming traffic rules to Router 2 (ax2). As besides the admin there are no lan users on R1 or R3 originating traffic to R2.

On Router1 . With that in mind I remove the extra incoming traffic rules to Router1 (ax3). As besides the admin there are no lan users on R2 or R3 originating traffic to R1.

Trying to simplify all the time.
So the only extra traffic rules needed are on R3, where we identify incoming traffic over wireguard for the servers on 192.168.3.0 from users on Router 1 and Router 2.
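
As an added check (my own example, not code from this thread or from MikroTik), the script below encodes the two design rules stated in the posts above: the AX3 hub listens and pins no endpoints while the spokes dial its cloud DNS name with keepalives, and the /ip route entries over the wg interface must match the extra subnets in allowed-address. The SITES table is hand-transcribed from the three posted configs (tunnel subnet 192.168.100.0/24); the key names, check_design() and broken_variant() are this example's own. The broken variant drops the hub's route to 192.168.2.0/24 (the posted original AX3 /ip route only had the 192.168.3.0/24 entry) and, as an added hub-side mistake not taken from the thread, puts the whole tunnel subnet into one hub peer's allowed-address, which makes peer selection ambiguous.

```python
"""Consistency checks for a hub-and-spoke WireGuard site-to-site design on RouterOS.

Added example for this thread, not code from the thread or from MikroTik. SITES is
hand-transcribed from the three posted configs (AX3 hub, AX2 and AC2 spokes); the key
names, check_design() and broken_variant() are this example's own. "tunnel_lans" lists
the LAN(s) a site exposes over the tunnel.
"""
import copy
from ipaddress import ip_interface, ip_network

SITES = {
    "AX3": {  # hub: listens on 13231, pins no endpoints, one peer per spoke or road warrior
        "role": "hub", "wg": "192.168.100.1/24", "tunnel_lans": ["192.168.1.0/24"],
        "peers": {
            "RRouter2":   {"allowed": ["192.168.100.2/32", "192.168.2.0/24"], "endpoint": None, "keepalive": None},
            "RRouter3":   {"allowed": ["192.168.100.3/32", "192.168.3.0/24"], "endpoint": None, "keepalive": None},
            "laptop":     {"allowed": ["192.168.100.5/32"], "endpoint": None, "keepalive": None},
            "smartphone": {"allowed": ["192.168.100.6/32"], "endpoint": None, "keepalive": None},
        },
        "routes": ["192.168.3.0/24", "192.168.2.0/24"],  # /ip route ... gateway=wg1
    },
    "AX2": {  # spoke behind a dynamic public IP: dials the hub's cloud DNS name
        "role": "spoke", "wg": "192.168.100.2/24", "tunnel_lans": ["192.168.2.0/24"],
        "peers": {"To AX3": {"allowed": ["192.168.100.0/24", "192.168.3.0/24", "192.168.1.0/24"],
                             "endpoint": "aaaaaaaaaaaaa.sn.mynetname.net:13231", "keepalive": 20}},
        "routes": ["192.168.3.0/24", "192.168.1.0/24"],
    },
    "AC2": {
        "role": "spoke", "wg": "192.168.100.3/24", "tunnel_lans": ["192.168.3.0/24"],
        "peers": {"to-AX3": {"allowed": ["192.168.100.0/24", "192.168.1.0/24", "192.168.2.0/24"],
                             "endpoint": "aaaaaaaaaaaa.sn.mynetname.net:13231", "keepalive": 30}},
        "routes": ["192.168.1.0/24", "192.168.2.0/24"],
    },
}


def _covered(net, allowed):
    """True if every address of `net` lies inside one of the `allowed` prefixes."""
    return any(net.subnet_of(a) for a in allowed)


def check_design(sites):
    """Return human-readable findings; an empty list means the design is consistent."""
    findings = []
    hubs = [n for n, s in sites.items() if s["role"] == "hub"]
    if len(hubs) != 1:
        return [f"expected exactly one hub, found {hubs}"]
    hub_name, hub = hubs[0], sites[hubs[0]]
    wg_subnet = ip_interface(hub["wg"]).network

    for name, site in sites.items():
        if ip_interface(site["wg"]).network != wg_subnet:
            findings.append(f"{name}: wg address {site['wg']} is outside the tunnel subnet {wg_subnet}")
        allowed = [ip_network(a) for p in site["peers"].values() for a in p["allowed"]]
        # Cryptokey routing: a destination maps to exactly one peer, so overlapping
        # allowed-addresses steal traffic from another peer instead of raising an error.
        for i, a in enumerate(allowed):
            for b in allowed[i + 1:]:
                if a.overlaps(b):
                    findings.append(f"{name}: allowed-address {a} overlaps {b} (ambiguous peer selection)")
        # Rule of thumb from the thread: routes over wg and the non-local subnets in
        # allowed-address must match one to one. A route with no matching allowed-address
        # is dropped by WireGuard; an allowed-address with no route is never sent into the
        # tunnel, which shows up as one-way reachability.
        routes = {ip_network(r) for r in site["routes"]}
        remote = {a for a in allowed if not a.subnet_of(wg_subnet)}
        for r in sorted(routes - remote):
            findings.append(f"{name}: route {r} via wg is not covered by any peer allowed-address")
        for a in sorted(remote - routes):
            findings.append(f"{name}: allowed-address {a} has no /ip route via wg")
        # Who dials whom: spokes sit behind dynamic public IPs, so they initiate and keep the
        # NAT mapping alive; the hub cannot know their addresses and pins no endpoint.
        for pname, peer in site["peers"].items():
            if site["role"] == "spoke" and not (peer["endpoint"] and peer["keepalive"]):
                findings.append(f"{name}: peer {pname} needs endpoint-address and persistent-keep-alive")
            if site["role"] == "hub" and peer["endpoint"]:
                findings.append(f"{name}: hub peer {pname} should not pin an endpoint (spoke IP is dynamic)")
        if site["role"] == "spoke" and len(site["peers"]) != 1:
            findings.append(f"{name}: a spoke carries exactly one peer, the hub")

    # Reachability: one hub peer must admit a spoke's wg host plus its tunnel LAN(s), and each
    # spoke must admit the hub LAN(s) and every other spoke's LAN(s) relayed through the hub.
    hub_allowed = [[ip_network(a) for a in p["allowed"]] for p in hub["peers"].values()]
    for sname, spoke in sites.items():
        if spoke["role"] != "spoke":
            continue
        need_on_hub = [ip_network(f"{ip_interface(spoke['wg']).ip}/32")]
        need_on_hub += [ip_network(l) for l in spoke["tunnel_lans"]]
        if not any(all(_covered(n, al) for n in need_on_hub) for al in hub_allowed):
            findings.append(f"{hub_name}: no single peer admits {need_on_hub} for spoke {sname}")
        spoke_allowed = [ip_network(a) for p in spoke["peers"].values() for a in p["allowed"]]
        for other, osite in sites.items():
            for lan in osite["tunnel_lans"]:
                if other != sname and not _covered(ip_network(lan), spoke_allowed):
                    findings.append(f"{sname}: allowed-address must include {lan} ({other}) to reach it via {hub_name}")
    return findings


def broken_variant():
    """SITES with a hub route to a spoke LAN left out and the whole tunnel subnet placed
    in one hub peer's allowed-address (constructed mistakes, for demonstration)."""
    s = copy.deepcopy(SITES)
    s["AX3"]["routes"].remove("192.168.2.0/24")
    s["AX3"]["peers"]["RRouter3"]["allowed"] = ["192.168.100.0/24", "192.168.3.0/24"]
    return s


if __name__ == "__main__":
    for label, design in (("posted design", SITES), ("broken variant", broken_variant())):
        print(f"{label}: {check_design(design) or 'OK'}")
```

The posted design comes back clean; the broken variant reports the three overlapping allowed-address pairs on AX3 and the missing /ip route for 192.168.2.0/24. Re-run it after every edit to a peer or route before touching the firewall, since a one-way ping is far more often a routing/allowed-address mismatch than a filter problem.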

@anav I'm trying to understand the changes you made. I'll try to break them down into three groups, 1. simplification, 2. security changes, 3. WG VPN setup. I have and will have more and more requests.

A. Now I'm asking, in the ax2 config, the wifi2-virtual1 interface and its bridge port are still listed under the /interface list member. The wifi2-virtual1 interface is not a VLAN, it's just a child of the wifi2 interface and the wifi2-virtual1 traffic is only separated from the LAN traffic by a firewall filter. Shouldn't this be removed from the /interface list member?

B. Since wifi2-virtual1 is not organized into a VLAN, isn't it unnecessary to create a TRUSTED interface list and firewall rules?

C. I don't want to restrict access to IP addresses for now, so I'd like to leave out the Authorized list and the related firewall rules for now. I think it's both unnecessary and excessive, but I might set it up later...

D. With the config I made earlier, ac2 and ax2 WG Site to site VPN worked, with the current settings you can only ping and connect in one direction. The situation is similar between ac2 and ax3, and ax2. You can't ping and connect from ax3 to ac2 and ax2. The WG Road Warrior connections work, the network of the router you're currently connected to can be pinged and accessed.

E. It seems to me that the WG VPN traffic on the ax3 router is not getting into the MAIN VLAN, or is not reaching the wg1 interface, even though the /ip route is set. I'm seeing the same problem with my AX2 router... The ac2 router WG VPN setup seems to be working fine.

Unfortunately, I had to reset the ipsec, l2tp, ppp connections, because the network needs to work...

Thank you for your help

A. You are mistaken, remember each WIFI instance should be considered an interface, just like a port. But just like ports, if they are on the bridge, they need not be listed, only the bridge ( assuming no vlans of course )
Secondly, you may have mis-identified the instance on the interface list, it is correctly identified as
wifi2-virtual2 ( not virtual1 )

You should note that this particular wifi instance (port) is NOT on the bridge and thus you have correctly given it an IP address, and pool and dhcp-server etc....
Therefore, it needs to be identified separately from the bridge on the LAN interface list. Thusly it gets DNS, and access to internet through associated filter rules.

B. ????? It's an interface that should not have any access other than to DNS and the internet. To separate it from the other subnet, we ensure by good security practices/layers that it's not permitted to do what other subnets can do. Sorry, I don't reduce security approaches for anyone.

C. See above, your choice, I will only provide secure approaches in configs. { rant on } Not interested in what you believe (security is not a religion), but more interested in the facts, and the facts are that routers are hacked all the time, not on purpose, but by vendor firmware screwups or design screwups (rare) to config errors by admins (very common), and further by mixing IOT equipment on trusted networks; devices that phone home may do other things, so we don't give them that opportunity, and lastly assuming all one's users will not click on "bad links/sites" or emails is just wishful thinking and naive. By ensuring a layered defense approach and shutting down what is not used, one reduces vectors for exploitation. { rant off } Common Sense!

D. Please provide more exact detail of what you mean you cannot ping from ax3 to ax2 or ac2.
Please provide more exact detail of what you mean you cannot connect to ax2 or ac2 from ax3.

From which IP address on ax3 to what Ip addresses, on ax2, ac2 for connecting.
From which device on ax3, to which IP addresses for pinging.

Finally, one would have to see the state of affairs since you have probably made changes, aka all three configs again, to determine why this is the case.

E. Again, sparse on details. It would appear you are saying you have incoming traffic on AX3 destined for the main LAN, 192.168.1.0/24, but from which source IP address on R2 ax2 and which source IP address on R3 ac2. In other words, need more info to investigate.

I may have a mistake in the configs or flaw in logic, but this is my thinking.

Let's recap on AX3.
MAIN vlan is all allowed entry into wg1, and any return traffic from ax2 or ac2 does not require additional firewall rules.

add action=accept chain=forward comment="LAN to Wireguard" in-interface-list=LAN src-address=192.168.1.0/24 out-interface=wg1

As far as I understand, there are no other USERS on LANS from ax2 or ac2 that require access to main lan on router1 (ax3). Yes, the admin does but that is already provided on this rule.

add action=accept chain=forward comment="Authorized to LAN" in-interface-list=TRUSTED src-address-list=Authorized out-interface-list=LAN

Where the following addresses are allowed to reach the LAN (and the router itself for configuration, for that matter, in the input chain):

/ip firewall address-list
add address=192.168.1.XX list=Authorized comment="admin wired local"
add address=192.168.1.YY list=Authorized comment="admin wifi local"
add address=192.168.100.5 list=Authorized comment="remote admin laptop"
add address=192.168.100.6 list=Authorized comment="remote admin smartphone"
add address=192.168.2.AA list=Authorized comment="remote router2 admin lanIP"
add address=192.168.3.BB list=Authorized comment="remote router3 admin lanIP"

Let's recap on ax2
My understanding here is similar to that of AX3, that no users need to visit AX2 for any reason.
The AX2 LAN is allowed to go out the wireguard tunnel as per:

add action=accept chain=forward comment="LAN to Wireguard" in-interface-list=LAN src-address=192.168.2.0/24 out-interface=wg2

Let's recap on ac2
My understanding here is that, unlike the other two routers, USERS do need to visit Router 3 ac2 (from both R1 and R2).
The ac2 LAN is allowed to go out the wireguard tunnel as per ( and in this case is simply for the admin to do so):

add action=accept chain=forward comment="LAN to Wireguard" in-interface-list=LAN src-address=192.168.3.0/24 out-interface=wg3

Furthermore, we detailed the following two rules to permit users to access the server on the LAN:

add action=accept chain=forward comment="RRouter1 LAN to local LAN" in-interface=wg3 src-address=192.168.1.0/24 dst-address=192.168.3.0/24
add action=accept chain=forward comment="RRouter2 LAN to local LAN" in-interface=wg3 src-address=192.168.2.0/24 dst-address=192.168.3.0/24

So, so far I see no issues for any traffic via wireguard??
As to ac2 above, I would consolidate the two rules into one rule after looking at it again.

/ip firewall address-list (on ac2)
add address=192.168.1.0/24 list=Users-4-Server
add address=192.168.2.0/24 list=Users-4-Server

add action=accept chain=forward comment="RR1 & RR2 to local Server"  in-interface=wg3 \
src-address-list=Users-4-Server dst-address=192.168.3.0/24

Review of wireguard settings

AX3 - Error in peer settings for the R3 peer: missing comma and extra space between the two addresses :frowning:

add allowed-address=192.168.100.3/32 192.168.3.0/24 interface=wg1 name=\
    RRouter3 public-key=

should be:

add allowed-address=192.168.100.3/32,192.168.3.0/24 interface=wg1 name=\
    RRouter3 public-key=

AX2 - FINE

AC2 - FINE

@anav Unfortunately there are other errors, but I have corrected them myself. :slight_smile: For example,

/tool mac-server set allowed-interface-list=NONE correctly

/tool mac-server set allowed-interface-list=none

because it only accepts lowercase letters, or for example, for ax2 and ac2

out-interface=wg1 correctly

outinterface=wg2 and out-intreface=wg3

The routers are running 24/7 on IPsec VPN for work traffic. This makes it very difficult to modify, test, and restore the configuration, as I have not yet managed to get the WG Site to site and Road Warrior VPNs working. If there is a problem, the routers are about an hour's drive from me...

I understand that you do not compromise on security, but unfortunately I do not see which of the things you suggested could cause the problem, so it would help a lot if we divided the task into two parts, 1. WG VPN solution and 2. increasing security.

I am open to all suggestions, so I am happy to accept your suggestions regarding security and I will incorporate them, but for now let's separate them so that we can find the cause of the problem more easily. I will continue to use ssh-blacklist and bogonlist filtering, because it helps a lot by putting the knockers on a blacklist, not just throwing them away. This way it reduces the load on the router (DDOS)...

Can you help with this?

Thank you for your help

The router is incapable of handling DDOS, so you're wasting energy there. :wink:
Yes, I am capable of typos, glad you found them, typically the router susses those out for you. I think I went back and fixed all of them in the 3 samples provided.
I typically use upper case to EMPHASIZE an entry, but quite correct, 'tis lower case.

As far as mac server. The entries should be generically speaking:

/tool mac-server
set allowed-interface-list=none   { reason as this is not a secure method for access so we deny it }
/tool mac-server mac-winbox
set allowed-interface-list=(WHATEVER THE TRUSTED INTERFACE LIST IS)

So in the case of ax3 and ax2

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

and for the ac2

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Yes, regardless of the rest, the wireguard should be working.
Lets focus on the wireguard, in order to do that please post 3 full configs again so I can review the wireguard bits as they currently stand.

@anav Unfortunately, I solved the problem by restoring the backup so that there was no "garbage" left in the config.

Therefore, I can't attach the config I tested now. However, I noticed afterwards that some devices connected to WiFi (MAIN_Network) were disconnected from WiFi when I changed the bridge frame-types=admit-all rule to the frame-types=admit-only-vlan-tagged rule. This is because I also use untagged traffic.

I'm looking for a solution, but until this is resolved, unfortunately it won't work.

For testing, I disabled IPsec Site to site VPN and left L2TP/IPsec Road Warrior VPN enabled. I connected to the routers one by one with L2TP/IPsec from my laptop and used the Linux terminal running on the laptop to ping, as well as the Firefox browser. The ping results showed that it worked in both directions between ax2 and ac2, but it did not work in both directions between ax3 and ax2 or ax3 and ac2. The Firefox connection test also showed the same result.

Then I disabled L2TP/IPsec Road Warrior VPN and connected to the routers one by one with WG Road Warrior VPNs from my laptop and used the Linux terminal running on the laptop to ping, as well as the Firefox browser. According to the ping result, it only worked in one direction between ax2 and ac2, and it did not work in both directions between ax3 and ax2 or ax3 and ac2. The Firefox connection test also showed the same thing.

Could you attach a clean, simple working config containing only the Wireguard VPN settings without anything extra, so that I can finally see a working WG VPN with my own config?

I am very grateful for your help.

The bridge's own setting of frame-types=admit-only-vlan-tagged has no ill effects on any untagged traffic on bridge ports or wifi ports attached to the bridge.
It is only for the purpose of ensuring no leakage occurs from users attached to the ports on the background vlan-id=1 that the bridge uses.

I have already provided a working wireguard solution. However, if you repost your latest config with what you have attempted, I can work with that. You do have a public IP address, correct?

It may be more useful for me to access your setup LIVE, using something like anydesk... We can leave the bridge settings at admit-all, as that works for you and is optional for most unless one wants to be real sticky on vlan security.
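The clean, WireGuard-only site-to-site configuration asked for above, as an added example that is not one of anav's configs and not part of the original posts. It assumes Router1 is the VLAN-filtered hAP ax3 whose MAIN network 192.168.1.0/24 lives on a vlan interface that is a member of the LAN interface list, Router3 is the hAP ac2 with 192.168.3.0/24 on its bridge, the tunnel network is 192.168.100.0/24 (Router1 = .1, Router3 = .3, admin laptop = .5, matching the address lists quoted earlier), UDP port 13231 on both ends, and placeholder public keys and IP Cloud DNS names. The ax2 is wired up the same way as Router3, with its own key, its own tunnel /32 and 192.168.2.0/24 in the allowed-address list.

```routeros
# Added example, not the thread's own config. Placeholders in <angle brackets>
# must be replaced; everything else is assumed as described in the lead-in.

# ============ Router1 (hAP ax3, VLAN-filtered bridge, LAN 192.168.1.0/24) ============
/interface wireguard
# private-key is generated on add; read the public key back with
# /interface wireguard print and paste it into the other routers' peers.
add name=wg1 listen-port=13231 mtu=1420 comment="site-to-site + road warrior"

/interface wireguard peers
# allowed-address is a comma-separated list with NO spaces. Cryptokey routing
# maps each prefix to exactly one peer on wg1, so a remote LAN /24 may appear
# in one peer only and road-warrior peers get a single /32 each.
add interface=wg1 name=RRouter3 public-key="<ROUTER3-PUBLIC-KEY>" \
    allowed-address=192.168.100.3/32,192.168.3.0/24 \
    endpoint-address=<router3-cloud-id>.sn.mynetname.net endpoint-port=13231 \
    persistent-keepalive=25s comment="site-to-site to ac2 via IP Cloud name"
add interface=wg1 name=AdminLaptop public-key="<LAPTOP-PUBLIC-KEY>" \
    allowed-address=192.168.100.5/32 comment="road warrior, no endpoint (dynamic)"

/ip address
add address=192.168.100.1/24 interface=wg1 comment="tunnel address"

/ip route
# The route chooses the tunnel; cryptokey routing then chooses the peer.
add dst-address=192.168.3.0/24 gateway=wg1 comment="ac2 LAN via WireGuard"

/ip firewall filter
# Place these above any final drop rule in the input and forward chains.
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshakes (peer IPs are dynamic, so no src filter)"
add chain=input action=accept in-interface=wg1 src-address=192.168.100.5/32 \
    comment="admin laptop may manage this router over the tunnel"
add chain=forward action=accept in-interface-list=LAN out-interface=wg1 \
    src-address=192.168.1.0/24 comment="MAIN vlan to WireGuard"
add chain=forward action=accept in-interface=wg1 out-interface-list=LAN \
    src-address=192.168.100.5/32 comment="admin laptop to MAIN vlan"
# On the ax3 the LAN list must contain the MAIN vlan interface (the one that
# carries 192.168.1.1/24), not the bare bridge, or out-interface-list=LAN
# never matches and the tunnel traffic stops at the forward chain.
# Do NOT add wg1 to the WAN list: the usual srcnat masquerade rule uses
# out-interface-list=WAN and would NAT the tunnel traffic.

# ============ Router3 (hAP ac2, plain bridge, LAN 192.168.3.0/24) ============
/interface wireguard
add name=wg3 listen-port=13231 mtu=1420 comment="site-to-site"

/interface wireguard peers
add interface=wg3 name=RRouter1 public-key="<ROUTER1-PUBLIC-KEY>" \
    allowed-address=192.168.100.1/32,192.168.1.0/24 \
    endpoint-address=<router1-cloud-id>.sn.mynetname.net endpoint-port=13231 \
    persistent-keepalive=25s comment="site-to-site to ax3 via IP Cloud name"

/ip address
add address=192.168.100.3/24 interface=wg3 comment="tunnel address"

/ip route
add dst-address=192.168.1.0/24 gateway=wg3 comment="ax3 LAN via WireGuard"

/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshakes"
add chain=forward action=accept in-interface-list=LAN out-interface=wg3 \
    src-address=192.168.3.0/24 comment="LAN to WireGuard"
add chain=forward action=accept in-interface=wg3 src-address=192.168.1.0/24 \
    dst-address=192.168.3.0/24 comment="Router1 LAN to the local server"
```

To check the tunnel, run `/interface wireguard peers print` on both routers: a populated `last-handshake` with rising rx/tx means keys, endpoints and port are right, and any remaining one-way ping is then a route or forward-chain problem on the side that cannot reply. With both sides on dynamic addresses, the IP Cloud names plus persistent-keepalive=25s let either router re-establish the tunnel after an ISP address change without editing the config. For the full three-router mesh each router carries two site peers, and every remote LAN /24 appears in exactly one peer's allowed-address list per wg interface.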