Wireguard Site to site VPN problem

At this point I would suggest live assistance, if you have AnyDesk and can contact me on Discord:

You are very helpful, but I don't use AnyDesk. Unfortunately, since they are constantly working on the server, it is not really possible to modify the config live.

The only way I can test it is to wait until dawn when no one is working and then I can try the suggestions, but I am already exhausted from all the night and early morning work.

Thank you very much for your help.

Well I could look at the server settings, and also look at the home setup, much can be gleaned... maybe tomorrow.

It seems that the Wireguard site to site VPN is working. I disabled the ipsec policy on each router so that it doesn't interfere and it seems to be working...

At least for now, I see that the IPsec VPN is not connected, but traffic is still flowing between the routers and networks.

If I log in to one of the routers with the L2TP/IPsec Road warrior VPN that exists for each router, I can also see the networks of the other routers, while the IPsec site to site VPN policy is disabled.

My only problem is that I created a separate Wireguard Road warrior VPN for each router, and when I connect to any router with them, I don't see the other networks, only the one I connected to...

This is partly understandable, because the Wireguard Road warrior does not get an IP address from the router's local network, but from Wireguard's, but how could I solve this so that I can connect to any router and reach the networks of all routers? It is not enough to set up just one route...

I lose track quickly of whose configuration is what in the zoo :-).

Suffice to say, if one of your routers is the host for the other two routers and for VPN road warriors, then all can be reached from a remote device/laptop. The first point-to-point connection is made between the remote laptop, with wireguard address let's say 10.20.30.4/32, and the Main Host Router (10.20.30.1/24). On the host router we ensure we have a relay rule in the forward chain that basically states:
accept in-interface=wireguard1 out-interface=wireguard1

Thus any traffic arriving at R1, but intended for admin access of R2 or R3 or subnets on R2 or R3, is permitted through the router.

Now it is important at routers 2,3 that the allowed IPs for the wireguard subnet are stated as either
including 10.20.30.0/24 (plus possible subnets) or set at 0.0.0.0/0. In this way any other assigned wireguard device is allowed to enter the router through the wireguard tunnel.

Thus for example, if I am sitting at the laptop in a hotel, or an iPhone for that matter, I can connect via wireguard first to the host router and then open up winbox (laptop) or the MT app (iPhone) and put in 10.20.30.2:winboxportR2 + username and password for R2, and I will gain access.

The same would hold true for reaching a server on R3, for example (assumes allowed IPs on the remote device are set to 0.0.0.0/0 or include the subnets on all three routers).

However, it seems you have gone down the route of having a wireguard connection for the remote warrior for each Router.

Can I assume then that you have changed the config? If so, nothing I say is relevant without first looking at the latest rendition.

I would expect to see then that Router 1 still has one wireguard interface that all share in common (including R2, R3 and the road warrior). I would expect to see Routers 2 and 3 with TWO wireguard interfaces, each having the common one that connects them to R1, and then an additional unique one that connects to the road warrior only. In this regard, the road warrior would require at least 3 different wireguard profiles (is that even possible in Windows) or 3 profiles on the iPhone wireguard app (easy peasy).

If that is the case then for me that begs the question: do you want to move to a mesh arrangement where each router hosts its own wireguard, and thus if one is down the other two can still converse, especially if it's the primary router (the original one hosting wireguard)?

In this case each router would have 3 wireguard interfaces, the one it hosts and the two it's a client on for the other routers. In addition, each router would have at least FOUR peer settings, three for the wireguard it's hosting (RX, RY, road warrior), and two as client going to RX and RY (with endpoint-address, endpoint port, persistent-keepalive).

One has to decide what one needs. :-)
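To show why the relay rule and the wider allowed IPs in the post above go together, here is an added example (not code from the thread or from MikroTik): a small Python model of WireGuard's cryptokey routing, where every decrypted packet is kept only if its source address falls inside the sending peer's allowed IPs, and every outbound packet is sent only to the peer whose allowed IPs cover its destination (longest prefix wins). It uses the post's addresses (hub 10.20.30.1, laptop 10.20.30.4) and assumes a spoke R2 at 10.20.30.2 with LAN 192.168.2.0/24, a server at 192.168.2.10, a second road warrior "phone" at 10.20.30.9 hosted by R2, and a simplified forward chain; all of those are constructed for the illustration.

```python
# Added example, not from the thread: model of WireGuard cryptokey routing
# (allowed-ips) to show why a spoke must list the whole WireGuard subnet in
# the hub peer's allowed-ips before a road warrior behind the hub can reach it.
from ipaddress import ip_address, ip_network


class WgInterface:
    """One WireGuard interface: a table of peer name -> allowed-ips prefixes."""

    def __init__(self, name):
        self.name = name
        self.allowed = {}

    def add_peer(self, peer, prefixes):
        self.allowed[peer] = [ip_network(p) for p in prefixes]

    def peer_for(self, addr):
        """Cryptokey routing: longest-prefix match across every peer's allowed-ips.
        Prefixes of different length may overlap; the most specific one wins."""
        addr = ip_address(addr)
        best_peer, best_len = None, -1
        for peer, nets in self.allowed.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best_peer, best_len = peer, net.prefixlen
        return best_peer

    def accept_inbound(self, from_peer, src):
        """A decrypted packet is kept only if its source maps back to the sending peer."""
        return self.peer_for(src) == from_peer

    def select_outbound(self, dst):
        """Outbound packets with no matching peer are dropped by the interface."""
        return self.peer_for(dst)


def forward_permitted(rules, in_if, out_if):
    """Minimal model of a firewall forward chain: first matching rule decides.
    A rule is (in-interface or None, out-interface or None, action)."""
    for rule_in, rule_out, action in rules:
        if rule_in in (None, in_if) and rule_out in (None, out_if):
            return action == "accept"
    return False


# Constructed hub forward chain: the relay rule from the post, then drop everything else.
HUB_RULES = [("wg1", "wg1", "accept"), (None, None, "drop")]


def trace(spoke_hub_allowed):
    """Follow one laptop -> R2-LAN packet and its reply; return what happens at each hop.
    spoke_hub_allowed is the allowed-ips list the spoke R2 gives its hub peer."""
    hub = WgInterface("wg1")                                   # R1, 10.20.30.1/24
    hub.add_peer("laptop", ["10.20.30.4/32"])                  # road warrior on the hub
    hub.add_peer("R2", ["10.20.30.2/32", "192.168.2.0/24"])    # assumed spoke LANs
    hub.add_peer("R3", ["10.20.30.3/32", "192.168.3.0/24"])

    spoke = WgInterface("wg2")                                 # R2, 10.20.30.2
    spoke.add_peer("R1", spoke_hub_allowed)
    spoke.add_peer("phone", ["10.20.30.9/32"])                 # R2's own road warrior

    laptop, server = "10.20.30.4", "192.168.2.10"              # constructed endpoints
    result = {}
    # 1. hub decrypts the laptop's packet and checks its source against the laptop peer
    result["hub_accepts_laptop"] = hub.accept_inbound("laptop", laptop)
    # 2. hub forward chain: packet came in on wg1 and leaves on wg1 (relay rule)
    result["hub_relays"] = forward_permitted(HUB_RULES, "wg1", "wg1")
    # 3. hub picks the peer whose allowed-ips cover the destination LAN
    result["hub_next_peer"] = hub.select_outbound(server)
    # 4. spoke decrypts from R1; source 10.20.30.4 must sit inside R1's allowed-ips
    result["spoke_accepts_laptop"] = spoke.accept_inbound("R1", laptop)
    # 5. reply from the server: spoke needs a peer whose allowed-ips cover 10.20.30.4
    result["spoke_reply_peer"] = spoke.select_outbound(laptop)
    # 6. the spoke's own road warrior must still win over the wider hub prefix
    result["spoke_phone_peer"] = spoke.peer_for("10.20.30.9")
    return result


if __name__ == "__main__":
    # narrow: hub peer lists only the hub's own /32 -> laptop traffic is dropped at R2
    print("narrow:", trace(["10.20.30.1/32", "192.168.1.0/24"]))
    # wide: hub peer lists the whole WireGuard subnet -> both directions work
    print("wide:  ", trace(["10.20.30.0/24", "192.168.1.0/24"]))
```

With the narrow list the hub happily relays the packet, but R2 discards it on arrival because 10.20.30.4 is not in the hub peer's allowed IPs, and the reply has no peer to go to at all; with 10.20.30.0/24 listed, both directions resolve to the R1 peer while R2's own road warrior at 10.20.30.9/32 still wins by longest prefix. This is the same check to make when reading a RouterOS export: for each spoke, the site-to-site peer's allowed-address must cover every road-warrior address the hub hands out.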

There is no primary router, all three are equal. Each one is connected to the other two, thus creating a site to site VPN. The site to site VPN is now working, each router can access the other two routers' networks from its own network.

Each router has, or will have, a road warrior VPN for remote connection to the laptop and smartphone. I can connect to the routers with the road warrior VPNs, but only their own network is accessible to the one I connect to. Unfortunately, in this case, the network of the other two routers is not accessible, the traffic does not go into the site to site VPN.

The goal would be that no matter which router I connect to with the road warrior VPN, the other two routers' own networks should still be accessible. This is necessary because it may be possible that it is not possible to connect to one from the outside, but the site to site VPN is still working and can be accessed by connecting to another router. I had a similar problem with the IPsec VPN.

You see, the config has been changed, I removed the VLANs and simplified the structure. I will try to download the config and send it.

Thank you for your help.

No problem, yes, I can help once I see what you have...

The current configuration of the ax3.

/interface bridge
add name=br protocol-mode=none
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=Security_MAIN wps=disable
add authentication-types=wpa2-psk disabled=no name=Security_MAIN2G wps=\
    disable
/interface wifi configuration
add country=Hungary disabled=no name=MAIN2G security=Security_MAIN2G ssid=\
    MAIN2G_Network
add country=Hungary disabled=no name=MAIN security=Security_MAIN \
    security.wps=disable ssid=MAIN_Network
/interface wifi
set [ find default-name=wifi1 ] configuration=MAIN configuration.country=\
    Hungary .mode=ap .ssid=MAIN_Network .station-roaming=no disabled=no \
    security=Security_MAIN security.ft=yes .ft-over-ds=yes .wps=disable
set [ find default-name=wifi2 ] configuration=MAIN configuration.country=\
    Hungary .mode=ap .ssid=MAIN_Network disabled=no security=Security_MAIN \
    security.ft=yes .ft-over-ds=yes
add configuration=MAIN2G configuration.mode=ap .ssid=MAIN2G_Network disabled=\
    no mac-address= master-interface=wifi2 name=\
    wifi2-virtual1 security.wps=disable
/ip ipsec peer
add address=XX:XX:XX:XX/32 name=peer2
add address=XX:XX:XX:XX/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256 nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name= pfs-group=\
    none
/ip pool
add name=dhcp_pool0 ranges=192.168.1.201-192.168.1.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=br name=dhcp1
/ppp profile
add bridge=br dns-server=192.168.1.254 local-address=192.168.1.254 name=\
    l2tp-bridge remote-address=dhcp_pool0 use-encryption=yes
/interface bridge port
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=wifi1
add bridge=br interface=wifi2
add bridge=br interface=wifi2-virtual1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=\
    yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether2 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether3 list=LAN
add interface=wifi1 list=LAN
add interface=wg1 list=LAN
add interface=wifi2 list=LAN
/interface wifi capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=MAIN \
    slave-configurations=MAIN2G supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.100.5/32 interface=wg1 name=peer-rd2 public-key=\
    ""
add allowed-address=192.168.3.0/24,192.168.100.3/32 endpoint-address=\
    .sn.mynetname.net endpoint-port=13231 interface=wg1 name=\
    peer-s2s3 persistent-keepalive=25s public-key=\
    ""
add allowed-address=192.168.2.0/24,192.168.100.2/32 endpoint-address=\
    .sn.mynetname.net endpoint-port=13231 interface=wg1 name=\
    peer-s2s2 persistent-keepalive=25s public-key=\
    ""
/ip address
add address=192.168.1.254/24 interface=br network=192.168.1.0
add address=192.168.100.1/24 interface=wg1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254,8.8.4.4,8.8.8.8 gateway=\
    192.168.1.254 netmask=24 ntp-server=84.2.46.19,148.6.0.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,193.110.57.4,193.110.56.8,208.67.222.222,208.67.220.220
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
add action=accept chain=input comment="Accept Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Accept Wireguard RW traffic" \
    src-address=192.168.100.0/24
add action=accept chain=input comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop Invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="Allow router mgmt remote network" \
    in-interface=pppoe-out1 src-address=192.168.0.0/17
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp (1701)" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec NAT (4500)" dst-port=\
    4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec vpn (ipsec-esp)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="drop all input from blacklist" \
    src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=2h chain=input comment=\
    "add IP address ssh request from WAN to blacklist" connection-state=new \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=5d chain=input comment="add port scanners to list" \
    connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=accept chain=forward comment="WG RW" in-interface=wg1 \
    out-interface=wg1
add action=accept chain=forward comment="LAN1 to LAN3" dst-address=\
    192.168.1.0/24 src-address=192.168.3.0/24
add action=accept chain=forward comment="LAN3 to LAN1" dst-address=\
    192.168.3.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="WG RW" dst-address=192.168.3.0/24 \
    in-interface=wg1
add action=accept chain=forward comment="WG RW" out-interface=wg1 \
    src-address=192.168.3.0/24
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab & Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=no
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" disabled=no
/ip firewall mangle
add action=change-mss chain=forward dst-address=192.168.3.0/24 new-mss=1350 \
    protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
add action=change-mss chain=forward dst-address=192.168.2.0/24 new-mss=1350 \
    protocol=tcp src-address=192.168.1.0/24 tcp-flags=syn tcp-mss=!0-1350
add action=change-mss chain=forward new-mss=1440 out-interface=pppoe-out1 \
    protocol=tcp tcp-flags=syn tcp-mss=!0-1440
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.1.0/24
add action=dst-nat chain=dstnat comment="Port forward openVPN port to srv01" \
    dst-address= dst-address-type=local dst-port=1196 protocol=\
    udp to-addresses=192.168.1.197 to-ports=1196
add action=dst-nat chain=dstnat comment="HTTPS port forward ns8" dst-address=\
     dst-port=443 protocol=tcp to-addresses=192.168.1.199 \
    to-ports=443
add action=dst-nat chain=dstnat comment="HTTP port forward srv01" \
    dst-address= dst-port=80 protocol=tcp to-addresses=\
    192.168.1.197 to-ports=80
add action=dst-nat chain=dstnat comment="SSH port forward srv01" dst-address=\
     dst-port=7222 protocol=tcp to-addresses=192.168.1.197 \
    to-ports=7222
add action=dst-nat chain=dstnat comment="Wireguard port" dst-address=\
     dst-port=51820 protocol=udp to-addresses=192.168.1.199 \
    to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer2
add peer=peer1
/ip ipsec policy
add disabled=yes dst-address=192.168.3.0/24 peer=peer1 proposal=diakont \
    src-address=192.168.1.0/24 tunnel=yes
add disabled=yes dst-address=192.168.2.0/24 peer=peer2 proposal=diakont \
    src-address=192.168.1.0/24 tunnel=yes
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=ether1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=pppoe-out1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.3.0/24 gateway=wg1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.2.0/24 gateway=wg1 routing-table=main \
    suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www address=192.168.0.0/17 disabled=yes
set winbox address=192.168.0.0/17
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=cAP_Controller
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The current configuration of the ax2.

/interface bridge
add name=bridge1 protocol-mode=none
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180-5885 \
    .width=20/40/80mhz configuration.country=Hungary .installation=indoor \
    .mode=ap .ssid=BLUE_5G disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .wps=disable
set [ find default-name=wifi2 ] channel.band=2ghz-ax .width=20/40mhz \
    configuration.country=Hungary .installation=indoor .mode=ap .ssid=BLUE_2G \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes .wps=disable
/interface wireguard
add listen-port=13231 mtu=1420 name=wg2
/interface list
add name=LAN
add name=WAN
/interface wifi channel
add band=2ghz-n disabled=no name=BLUE2GN width=20/40mhz
/interface wifi configuration
add channel=BLUE2GN country=Hungary disabled=no installation=indoor name=\
    BLUE_2GN ssid=BLUE_2GN
/interface wifi
add configuration=BLUE_2GN configuration.mode=ap .ssid=GuestWiFi \
    datapath.client-isolation=yes disabled=no mac-address= \
    master-interface=wifi2 name=wifi2-virtual2 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=Security_BLUE_2GN wps=\
    disable
/interface wifi
add configuration=BLUE_2GN configuration.installation=indoor .mode=ap .ssid=\
    BLUE_2GN mac-address= master-interface=wifi2 name=\
    wifi2-virtual1 security=Security_BLUE_2GN security.authentication-types=\
    wpa2-psk .ft=yes .ft-over-ds=yes .wps=disable
/ip ipsec peer
add address=XX.XX:XX:XX/32 name=peer2
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-interval=2m \
    dpd-maximum-failures=5 enc-algorithm=aes-256 nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=name pfs-group=\
    none
/ip pool
add name=dhcp-pool1 ranges=192.168.2.201-192.168.2.240
add name=dhcp-pool2 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp-pool1 interface=bridge1 name=dhcp-server1
# Interface not running
add address-pool=dhcp-pool2 interface=wifi2-virtual2 name=dhcp-server2
/ppp profile
add bridge=bridge1 dns-server=192.168.2.254 local-address=192.168.2.254 name=\
    l2tp-bridge remote-address=dhcp-pool1 use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=wifi2-virtual1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=\
    yes use-ipsec=yes
/interface list member
add interface=ether2 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether3 list=LAN
add interface=ether1 list=WAN
add interface=wifi1 list=LAN
add interface=wifi2 list=LAN
add interface=wg2 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.4/32 interface=wg2 name=peer-rd1 public-key=\
    ""
add allowed-address=192.168.3.0/24,192.168.100.3/32 endpoint-address=\
    .sn.mynetname.net endpoint-port=13231 interface=wg2 name=\
    peer-s2s3 persistent-keepalive=25s public-key=\
    ""
add allowed-address=192.168.1.0/24,192.168.100.1/32 endpoint-address=\
    .sn.mynetname.net endpoint-port=13231 interface=wg2 name=\
    peer-s2s1 persistent-keepalive=25s public-key=\
    ""
/ip address
add address=192.168.2.254/24 interface=bridge1 network=192.168.2.0
add address=192.168.99.1/24 interface=wifi2-virtual2 network=192.168.99.0
add address=192.168.100.2/24 interface=wg2 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.2.209 mac-address= server=dhcp-server1
add address=192.168.2.205 client-id= mac-address=\
     server=dhcp-server1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254,8.8.4.4,8.8.8.8 gateway=\
    192.168.2.254 netmask=24 ntp-server=84.2.46.19,148.6.0.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Wireguard traffic enable" src-address=\
    192.168.100.0/24
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="Accept router mgmt remote network" \
    in-interface=ether1 src-address=192.168.0.0/17
add action=accept chain=input comment="allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp (1701)" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec NAT (4500)" dst-port=\
    4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp/ipsec vpn (ipsec-esp)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="drop all input from blacklist" \
    src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=2h chain=input comment=\
    "add IP address ssh request from WAN to blacklist" connection-state=new \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2d chain=input comment="add port scanners to list" \
    connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=drop chain=forward comment="Drop Guest WiFi" in-interface=\
    wifi2-virtual2 out-interface=bridge1
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab, Related, & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=no
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" disabled=no
/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS for IPSec" \
    dst-address=192.168.1.0/24 new-mss=1350 protocol=tcp src-address=\
    192.168.2.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer2
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.3.0/24 gateway=wg2 routing-table=main \
    suppress-hw-offload=no
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www address=192.168.0.0/17 disabled=yes
set winbox address=192.168.0.0/17
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=84.2.46.19
add address=148.6.0.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The current configuration of the ac2.

/interface bridge
add name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=hungary disabled=no installation=indoor mode=ap-bridge ssid=\
    BLUE_2Gi wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country=hungary disabled=no frequency=auto installation=\
    indoor mode=ap-bridge ssid=BLUE_5Gi wps-mode=disabled
/interface wireguard
add listen-port=13231 mtu=1420 name=wg3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip ipsec peer
add address=XX.XX.XX.XX/32 name=peer1
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=name pfs-group=\
    none
/ip pool
add name=dhcp_pool0 ranges=192.168.3.201-192.168.3.240
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/ppp profile
add bridge=bridge1 dns-server=192.168.3.254 local-address=192.168.3.254 name=\
    l2tp-bridge remote-address=dhcp_pool0 use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=chap,mschap1,mschap2 default-profile=l2tp-bridge enabled=\
    yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
add interface=wg3 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.7/32 interface=wg3 name=peer-rd1 public-key=\
    ""
add allowed-address=192.168.100.8/32 interface=wg3 name=peer-rd2 public-key=\
    ""
add allowed-address=192.168.1.0/24,192.168.100.1/32 endpoint-address=\
    .sn.mynetname.net endpoint-port=13231 interface=wg3 name=\
    peer-s2s1 persistent-keepalive=25s public-key=\
    ""
add allowed-address=192.168.2.0/24,192.168.100.2/32 endpoint-address=\
    .sn.mynetname.net endpoint-port=13231 interface=wg3 name=\
    peer-s2s2 persistent-keepalive=25s public-key=\
    ""
/ip address
add address=192.168.3.254/24 interface=bridge1 network=192.168.3.0
add address=192.168.100.3/24 interface=wg3 network=192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.254
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip firewall address-list
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=192.88.99.0/24 comment="Relay Anycast [RFC 3068]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
/ip firewall filter
add action=accept chain=input comment="Accept Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=forward comment="Wireguard traffic enable" disabled=\
    yes in-interface=wg3
add action=accept chain=input comment="Accept Wireguard RW traffic" \
    src-address=192.168.100.0/24
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="local loopback" dst-address=127.0.0.1
add action=accept chain=input comment="Accept router mgmt remote network" \
    in-interface=ether1 src-address=192.168.0.0/17
add action=accept chain=input comment="Allow l2tp/ipsec IKE (500)" dst-port=\
    500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp (1701)" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec NAT (4500)" dst-port=\
    4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow l2tp/ipsec vpn (ipsec-esp)" \
    in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="drop all input from blacklist" \
    src-address-list=ssh-blacklist
add action=add-src-to-address-list address-list=ssh-blacklist \
    address-list-timeout=2h chain=input comment=\
    "add IP address ssh request from WAN to blacklist" connection-state=new \
    dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=5d chain=input comment="add port scanners to list" \
    connection-state=new protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=accept chain=forward comment="WG RW" in-interface=wg3 \
    out-interface=wg3
add action=accept chain=forward comment="LAN1 to LAN3" dst-address=\
    192.168.1.0/24 src-address=192.168.3.0/24
add action=accept chain=forward comment="LAN3 to LAN1" dst-address=\
    192.168.3.0/24 src-address=192.168.1.0/24
add action=accept chain=forward comment="WG RW" dst-address=192.168.1.0/24 \
    in-interface=wg3
add action=accept chain=forward comment="WG RW" out-interface=wg3 \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="Accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=no
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop everything else" disabled=no
/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS for IPSec" \
    dst-address=192.168.1.0/24 new-mss=1350 protocol=tcp src-address=\
    192.168.3.0/24 tcp-flags=syn tcp-mss=!0-1350
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
add action=masquerade chain=srcnat dst-address=192.168.3.0/24 src-address=\
    192.168.3.0/24
add action=dst-nat chain=dstnat comment="NS8 wireguard port forward" \
    dst-port=51820 protocol=udp to-addresses=192.168.10.99 to-ports=51820
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=peer1
/ip ipsec policy
add disabled=yes dst-address=192.168.1.0/24 peer=peer1 proposal=diakont \
    src-address=192.168.3.0/24 tunnel=yes
/ip route
add disabled=no dst-address=192.168.1.0/24 gateway=wg3 routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wg3 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh address=192.168.0.0/17
set telnet disabled=yes
set www address=192.168.0.0/17 disabled=yes
set winbox address=192.168.0.0/17
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn profile=l2tp-bridge service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=router
/system ntp client
set enabled=yes
/system ntp client servers
add address=82.2.46.19
add address=148.6.0.1
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Please explain your suggestions so that I can learn from them.

Thank you for your help.
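Before touching the rule order, it helps to audit the posted export mechanically. The following is an added example, not code from the thread or from MikroTik: it joins the backslash line continuations that a RouterOS export uses, splits each `add`/`set` command into its key=value attributes (quoted comments included), and lists input-chain accept rules that match on a source address but never pin the ingress interface. In the export above, "Accept Wireguard RW traffic" is such a rule: because the WAN drop comes last, a packet carrying a 192.168.100.0/24 source is accepted on any interface, so the mitigation is to add `in-interface=wg3` to it. The excerpt embedded below is a constructed subset of the posted config, shortened to the fields the audit needs.

```python
"""Audit a RouterOS '/export' fragment: join continuation lines, parse
commands, and flag input-chain accepts that are not bound to an interface.

Added example for the forum thread; not part of the poster's config or of
RouterOS itself. The SAMPLE_EXPORT below is a constructed excerpt of the
config posted above.
"""
import shlex

SAMPLE_EXPORT = r'''
/ip firewall address-list
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
/ip firewall filter
add action=accept chain=input comment="Accept Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Accept Wireguard RW traffic" \
    src-address=192.168.100.0/24
add action=accept chain=input comment="Allow Estab, Related & Untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="Accept router mgmt remote network" \
    in-interface=ether1 src-address=192.168.0.0/17
add action=drop chain=input comment="Drop all other input" in-interface-list=\
    WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
'''


def join_continuations(text):
    """Join a line ending in '\\' with the next line (its indentation dropped).

    RouterOS may break a line mid-word ("nee\\" + "d"), so the pieces are
    concatenated without inserting a space.
    """
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.lstrip()
        else:
            lines.append(raw)
    return [line for line in lines if line.strip()]


def parse_export(text):
    """Return a list of (section, verb, {attribute: value}) tuples."""
    section, commands = None, []
    for line in join_continuations(text):
        if line.startswith("/"):            # section header such as /ip firewall filter
            section = line.strip()
            continue
        tokens = shlex.split(line)          # respects the quoted comment="..."
        verb, attrs = tokens[0], {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            attrs[key] = value
        commands.append((section, verb, attrs))
    return commands


def audit_input_chain(commands):
    """Comments of input-chain accepts keyed on src-address without an
    in-interface or in-interface-list constraint.

    Such a rule is evaluated for packets arriving on every interface, so it
    does not limit the accept to the tunnel the address range belongs to.
    """
    findings = []
    for section, verb, a in commands:
        if section != "/ip firewall filter" or verb != "add":
            continue
        if a.get("chain") != "input" or a.get("action") != "accept":
            continue
        if "src-address" not in a:
            continue
        if "in-interface" in a or "in-interface-list" in a:
            continue
        findings.append(a.get("comment", "<no comment>"))
    return findings


if __name__ == "__main__":
    for comment in audit_input_chain(parse_export(SAMPLE_EXPORT)):
        print("input accept not bound to an interface:", comment)
```

The parser is generic enough to run over a full export; only `audit_input_chain` encodes the one check, and further checks (for example, forward-chain accepts with neither in- nor out-interface) follow the same pattern.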

I don't understand, if all three should be able to originate a connection to the other router, then each router should have three wireguard interfaces. Your routers only have one each and all on the same IP structure/wireguard interface, this is incorrect. The reason to set it up the way I am proposing is so that, if one router has lost internet, the other two will still be able to talk to each other. What you have done is a halfway measure, but it's not working the way it is supposed to, and the issues being experienced point to that.

As expected your remote laptop client type devices will get/are very confused.

As I discussed previously, if you want redundancy of any single router failure, each router as host will need TWO router peers as client and a dedicated remote admin laptop peer client
R1 will have R2,R3 client peers, +R1 remote peer ( all on interface wg1 ) and 1 input chain rule for port
R2 will have R1,R3 client peers, +R2 remote peer ( all on interface wg2 ) and 1 input chain rule for port
R3 will have R1,R2 client peers, +R3 remote peer ( all on interface wg3 ) and 1 input chain rule for port

The requirements articulated will necessitate:
a. any sourcenatting required
b. any extra routes required
c. any extra firewall rules required.

Personally I would use a firewall address list of
a. every local admin IP address ( wired and wifi on trusted subnets ) from all three routers
b. every admin remote device wireguard IP address
These go on every router so that the admin can access any router from any device.
This list is what goes in on input chain of each router.
All other users aka LAN interface get only access to dns etc.

+++++++++++++++++++++++++++++++++++++++++++++++++++

In your case I believe, that only the subnet on AX3 and AX3 need access to a subnet on AC2

+++++++++++++++++++++++++++++++++++++++++++++++++++

Now the goal other than the above, is that from any of the Road Warrior wireguard connections you want to be able to reach
a. any other router for config purposes, besides local
b. any other routers subnet, besides local

I always think my way through it.

I am coming into R1 from vpn-RW1.
Input chain rule allows me to access R1 config.
I have an accept forward chain relay
in-interface=wg1 out-interface=wg1
This allows me to go in on WG1, and go out to any of the peer client routers on WG1.
Thus the key is
a. the R2 or R3 peer settings include the subnet.
b. there is a route to the non-local subnet gateway=WG1 routing-table=main.

DONE. Now when that WG1 vpn client hits R2, or R3, it's from a source IP already existing on those routers so no return routing is required. But one needs to ensure that WG to LAN traffic is permitted.

++++++++++++++++++++
Thus using the HOST road warrior's connection one can go out on that host's WG interface to reach the other two routers.

To make this tenable...........
We have to decide that traffic between routers has to be carefully managed otherwise, the router will easily get confused on which route for traffic to take.
The easy way to handle this is to sourcenat traffic going out the non-native (non-host) wireguard interface.

Hence R1 in its client mode for handshake looks like:
add action=masquerade chain=srcnat out-interface=wg2
add action=masquerade chain=srcnat out-interface=wg3

Hence R2 in its client mode for handshake looks like:
add action=masquerade chain=srcnat out-interface=wg1
add action=masquerade chain=srcnat out-interface=wg3

Hence R3 in its client mode for handshake looks like:
add action=masquerade chain=srcnat out-interface=wg1
add action=masquerade chain=srcnat out-interface=wg2

This ensures any traffic leaving the non-HOST wg interface, or non-native wg, has the wireguard address of the router, and return traffic will not be conflicted with other traffic.

Therefore we keep ROUTED traffic ( aka any subnet traffic NOT sourcenatted) for only the hosted wireguard interface, thus avoiding conflicts.

Anything can be adjusted if the requirements are articulated clearly enough (in sufficient detail).
My offering was generic and can be modified.

What are the nagios? Do you mean users? and why are they attempting to reach R2 the AX2??
Also you stated that the only server was on AC2 Router 3, that users needed to access and the rest of the requirement was the admin reaching everything.

So its working fine for the requirements provided :stuck_out_tongue_winking_eye:

@anav thank you, it seems to work, but there is a small problem.

If I enable the /ip firewall nat add action=masquerade chain=srcnat out-interface=wg1 rule, then the nagios behind the ax3 router cannot query the switch and server parameters behind the ax2 router with SNMP. The reason for this is clearly the masquerade rule, because it performs address translation and does not connect with the source IP address.

This rule is needed so that the Wireguard road warrior client can access all router subnets through the router, but it causes problems with the operation of the Wireguard site to site VPN.

I don't know why my reply showed up above your post LOL........
But let's see,
R1 - wireguard1 interface allows one to originate traffic with source IP, to any of the peers.
so nagios to Ax3 over wireguard retains source address of 192.168.1.XX and it has destination of
192.168.2.YY

The Ax2 with allowed addresses of 0.0.0.0/0 on wg1 interface accepts the incoming traffic, which goes to destination 192.168.2.yy.
The traffic will hit R2 and the response will be allowed back due to IP routes on R2
dst=192.168.1.0/24 gateway=wg1 table=main

WIREGUARD1 should not be sourcenatted on Wireguard1, but should be on wg2 and wg3.
I thought that's what I had recommended???

I have confirmed that return traffic (not originated by R2) will not be sourcenatted on the return,
so R1 and the originator will see the correct destination packet and source packets on return traffic.
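The disagreement over which interface to masquerade comes down to a route lookup followed by a srcnat decision, and both are easy to model. The block below is an added example, not the thread's config or any router's output: it assumes three routers (R1 = AX3 hosting wg1, R2 = AX2 hosting wg2, R3 = AC2 hosting wg3), assumed WireGuard subnets 10.20.10.0/24, 10.20.20.0/24 and 10.20.30.0/24, LANs 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, and the two policies stated above: masquerade only on a router's non-native WireGuard interfaces, and a forward chain that permits LAN to WG traffic plus the in=out relay on the hosted interface. It then traces the Nagios SNMP query under the recommended rule set and under the mistaken masquerade on wg1, so the difference in the source address R2 sees is explicit.

```python
"""Route-and-srcnat model of the three-router WireGuard design in the thread.

Added example, not code from the thread. All addressing is assumed:
  R1 (AX3) hosts wg1 = 10.20.10.0/24, LAN 192.168.1.0/24
  R2 (AX2) hosts wg2 = 10.20.20.0/24, LAN 192.168.2.0/24
  R3 (AC2) hosts wg3 = 10.20.30.0/24, LAN 192.168.3.0/24
Each router is .1 on the interface it hosts and a client (.2/.3) on the
other two hosts' subnets. The link between two routers uses the
lower-numbered router's hosted interface (R1-R2 and R1-R3 over wg1,
R2-R3 over wg2).
"""
import copy
import ipaddress

HOSTED = {"R1": "wg1", "R2": "wg2", "R3": "wg3"}

ROUTERS = {
    "R1": {
        "addr": {"wg1": "10.20.10.1", "wg2": "10.20.20.2", "wg3": "10.20.30.2", "lan": "192.168.1.1"},
        "routes": {"192.168.1.0/24": "lan", "192.168.2.0/24": "wg1", "192.168.3.0/24": "wg1",
                   "10.20.10.0/24": "wg1", "10.20.20.0/24": "wg2", "10.20.30.0/24": "wg3"},
        "masquerade": {"wg2", "wg3"},      # recommended: non-native interfaces only
    },
    "R2": {
        "addr": {"wg1": "10.20.10.2", "wg2": "10.20.20.1", "wg3": "10.20.30.3", "lan": "192.168.2.1"},
        "routes": {"192.168.2.0/24": "lan", "192.168.1.0/24": "wg1", "192.168.3.0/24": "wg2",
                   "10.20.10.0/24": "wg1", "10.20.20.0/24": "wg2", "10.20.30.0/24": "wg3"},
        "masquerade": {"wg1", "wg3"},
    },
    "R3": {
        "addr": {"wg1": "10.20.10.3", "wg2": "10.20.20.3", "wg3": "10.20.30.1", "lan": "192.168.3.1"},
        "routes": {"192.168.3.0/24": "lan", "192.168.1.0/24": "wg1", "192.168.2.0/24": "wg2",
                   "10.20.10.0/24": "wg1", "10.20.20.0/24": "wg2", "10.20.30.0/24": "wg3"},
        "masquerade": {"wg1", "wg2"},
    },
}


def lookup_route(router_cfg, dst):
    """Longest-prefix match over the router's static routes; None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in router_cfg["routes"].items():
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def forward_allowed(router, in_iface, out_iface):
    """Forward-chain policy from the thread: LAN<->WG is permitted, and the
    hosted interface relays between its own peers (in=out=hosted)."""
    if "lan" in (in_iface, out_iface):
        return True
    return in_iface == out_iface == HOSTED[router]


def forward(router, src, dst, in_iface, routers=ROUTERS):
    """Forward one packet through `router`; report egress and the source
    address the next hop will see after any masquerade."""
    cfg = routers[router]
    out_iface = lookup_route(cfg, dst)
    if out_iface is None:
        return {"allowed": False, "out": None, "src": src, "reason": "no route"}
    if not forward_allowed(router, in_iface, out_iface):
        return {"allowed": False, "out": out_iface, "src": src, "reason": "forward chain drop"}
    new_src = cfg["addr"][out_iface] if out_iface in cfg["masquerade"] else src
    return {"allowed": True, "out": out_iface, "src": new_src, "reason": "ok"}


def with_masquerade(routers, router, iface):
    """Copy of the topology with one extra masquerade rule (the rule that
    broke SNMP in the thread when applied to R1's wg1)."""
    variant = copy.deepcopy(routers)
    variant[router]["masquerade"].add(iface)
    return variant


if __name__ == "__main__":
    nagios, snmp_target = "192.168.1.10", "192.168.2.20"   # constructed hosts
    print("recommended:", forward("R1", nagios, snmp_target, "lan"))
    print("masq on wg1:", forward("R1", nagios, snmp_target, "lan",
                                  with_masquerade(ROUTERS, "R1", "wg1")))
    print("road warrior:", forward("R1", "10.20.10.4", "192.168.3.20", "wg1"))
```

Under the recommended policy the SNMP query leaves R1 on its hosted wg1 with the Nagios address intact, so an SNMP agent that filters by source still answers; with the extra rule the same packet arrives from 10.20.10.1. The road-warrior case rides the in=out=wg1 relay and keeps its 10.20.10.4 source, which R2 and R3 can route back over their wg1 client interface. R2's own traffic toward R1's LAN leaves on R2's non-native wg1 and is masqueraded to 10.20.10.2, which is the behaviour the post above intends; a road warrior on R2's wg2 heading for R1's LAN is dropped by this forward policy, which shows the scope of the single relay rule.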

I think I messed something up. I misunderstood something or I don't understand what you suggested. Because, as you can see in the config, I only have one wireguard interface on each router and this serves the site to site and road warrior VPNs.

I guess I didn't understand correctly, but I created a masquerade rule in each router for a wireguard interface there.

I would leave it like this as I have no intention of creating multiple interfaces on a router if not necessary. What do you suggest to solve the problem?

Thank you for your help.

Well you cannot have it both ways.
Either
a. you have a single wireguard interface AX3 R1 as host and the other two routers connect to it as clients.
Then we can have a setup that works for the admin reaching all routers and subnets reaching subnets.
BUT R2 and R3 will not be able to talk if R1 is not available.

b. three full wireguard interfaces, where each router has a wireguard interface as host, for remote clients and the other two routers, such that it does not matter if R1 is not available: R2 will be able to talk to R3.
Mesh type approach with all its complications.

c. Variation on a, that may be acceptable to you.
In the case that R1 is down, create
Second interface on R2, wireguard2, host solely for the purpose of connecting the admin to R2 remotely
Second interface on R3, wireguard3, host solely for the purpose of connecting the admin to R3 remotely.

Therefore there is no inter router traffic, but admin can reach R2, R3, regardless of status of R1.

d. Variation on plan C. Where
R2 gets a second interface (wg1 as client), wireguard2 as host for admin, but NOW also serves to host client R3.

This means R3 also gets three interfaces (wg1 as client the primary one) and (wg2 as client to R2) and wireguard3 ( host only for remote clients, in case R2 is also down).

In this plan we establish connectivity between R2 and R3, but we have to be careful of not overlapping subnets in routes which would confuse the R2 or R3 router.

Once we have your choice for the plan, then we need to know the truth, about user requirements, all the subnet traffic back and forth.... to modify the config

If I understand you correctly, use a separate interface for site to site and road warrior connections, and then you can select site to site and road warrior traffic separately with firewall rules.

Is that what you mean?

Doesn't this put a lot of load on ac2?

No not exactly but will respond here when I have time, to get you in the right frame of mind.