You are golden!
Two MT routers can be used to provide a single WireGuard VPN tunnel providing as much subnet connectivity as you desire.
Through the use of allowed IP settings at both ends, one delineates what can enter and exit tunnels at the local device;
add to that more granularity via firewall rules for allowing traffic to enter or exit tunnels.
Further, as admin, you can use the same tunnel to remotely access both routers for either config purposes or to access LAN subnets.
Typically, with multiple subnets at play, VLANs are a commonly used vehicle.
MikroTik has different ways of identifying users/devices:
a. IP address
b. subnet
c. vlan
d. firewall address list ( typically list of users, that may or may not include subnets )
e. interface list ( groups of subnets with common need/purpose )
The term LAN is specifically used on MT to describe one or more subnets or vlans etc… from an interface perspective.
So when talking about one subnet we don't really reference it as the LAN unless the device only has ONE subnet…
In terms of failover,
There are many options…
If the WireGuard is connected to the primary WAN, the WireGuard protocol will switch to the secondary WAN within a minute…
If you want more instantaneous conversion, that can be done with some work on the config.
If the WireGuard is connected to the secondary WAN, that takes more work.
Overall, failover is not an issue, aka very doable.
MikroTik also uses the concept of bridge, where the bridge is given DHCP and all the ports are attached to the bridge ( single subnet LAN scenario ); however, once you go beyond one subnet, as in your case, most people would state you can:
a. use the bridge to describe one subnet which is applied to, let's say, ports 2-4 ( ether1 for WAN ) and take port 5 off the bridge and assign it the subnet directly.
b. create two vlans, assign them to the bridge and then using bridge settings assign the vlans to the ports as required ( max flexibility).
c. some with less experience attempt to do two bridges and this is certainly viable but for specific cases…
+++++++++++++++++++
As an aside, I came to MT from being a Zyxel reseller and have never looked back; it's more work to learn, but very rewarding. Suggest getting a small hEX to play with first while learning, as experimenting on others is no fun!
It’s a very complete guide and a really good start-up for me.
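The allowed-IP behaviour described in the post above, modelled as an added Python example (not part of the thread and not RouterOS code): a destination is sent only to the peer whose allowed IPs contain it, and a decrypted packet is accepted only if its source is within the sending peer's allowed IPs. All addresses, subnets and peer names are constructed for illustration.

```python
import ipaddress

class Peer:
    """One WireGuard peer entry as configured on the local router."""
    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed = [ipaddress.ip_network(n) for n in allowed_ips]

    def match_len(self, addr):
        """Longest allowed-IP prefix containing addr, or -1 if none does."""
        ip = ipaddress.ip_address(addr)
        return max((n.prefixlen for n in self.allowed if ip in n), default=-1)

def egress_peer(peers, dst):
    """Outbound: choose the peer whose allowed IPs best match dst."""
    best = max(peers, key=lambda p: p.match_len(dst), default=None)
    if best is None or best.match_len(dst) < 0:
        return None  # no peer lists this destination, nothing enters the tunnel
    return best.name

def ingress_ok(peer, src):
    """Inbound: the decrypted packet's source must be in the sender's allowed IPs."""
    return peer.match_len(src) >= 0

# Constructed view from router A (all values are assumptions for illustration):
# tunnel 10.10.10.0/24, site B LAN 192.168.30.0/24, admin laptop as a third peer.
SITE_B = Peer("site-b", ["10.10.10.2/32", "192.168.30.0/24"])
ADMIN = Peer("admin-laptop", ["10.10.10.3/32"])
ROUTER_A_PEERS = [SITE_B, ADMIN]

if __name__ == "__main__":
    for dst in ("192.168.30.25", "10.10.10.3", "192.168.40.7"):
        print("to", dst, "->", egress_peer(ROUTER_A_PEERS, dst))
    for src in ("192.168.30.25", "192.168.40.7"):
        print("from site-b, inner source", src, "accepted:", ingress_ok(SITE_B, src))
```

Here 192.168.40.7 stands for a second subnet at site B that was not added to that peer's allowed IPs on router A: it is neither sent into the tunnel nor accepted from it until the prefix is listed. Firewall rules then narrow what the listed prefixes may actually reach.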
I’ll practice with GNS3 and a couple of RB4011iGS+RM.
I’m pretty sure I’ll be “ready” in a couple of days of practicing (and gaming) with the emulator/routers.
When you have made some progress and need some assistance, post both configs
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
Finally, I really recommend, as a first step, take one port OFF the bridge and give it its own IP address
such as 192.168.55.1/30 and ensure it's part of the LAN interface list to start.
After that, just plug in your laptop to etherX and change IPv4 settings on the laptop to 192.168.55.2; you will be in and have a safe place to configure the router.
It's ornery when using bridges and VLANs for the uninitiated.