Wireguard VPN behind NAT router

I’ve got a basic hAP lite router running inside my local network, on 192.168.1.28/24. I’ve got 13231 UDP traffic forwarded from my gateway router to that 192.168.1.28 address. I’d like to have the Wireguard server running on that router route traffic from that laptop to the internet when it’s connected. My Windows laptop running Wireguard can connect to the Wireguard server from outside the network but can only talk to the Wireguard server - ping both ways (192.168.100.1-2) and DNS lookups work. Trying to talk to anything else doesn’t.
When setting the router up as the gateway router (as an experiment, I can’t do that permanently) everything works just fine. I’ve tried adding a src-nat masquerade rule, changing firewall rules, and even just resetting the router and reconfiguring, to no avail. I’m sure I’m missing something very basic here, can anyone tell me what it is?

Other notes:
Ether2 is the port used to connect the hAP lite to the network.
I can see the laptop talking to the router by torching the wireguard interface, and the firewall counters incrementing for the relevant firewall filter rules. The NAT counters stay at 0.
Pings to/from the MT and the laptop work on the wireguard link, as do DNS lookups by the laptop, and Winbox.

Config on router:

# 2024-08-05 12:59:30 by RouterOS 7.15.3
# software id = asdasdasdasdasd
#
# model = RB941-2nD
# serial number = asdasdasdasdasd
/interface bridge add admin-mac=2C:C8:1B:85:54:38 auto-mac=no comment=defconf name=bridge
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-asdasdasdasdasd wireless-protocol=802.11
/interface wireguard add listen-port=13231 mtu=1420 name=wireguard1
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=pwr-line1
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface wireguard peers add allowed-address=0.0.0.0/0 client-keepalive=25s interface=wireguard1 name=peer1 persistent-keepalive=25s public-key="asdasdasdasdasd"
/ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip address add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client add comment=defconf interface=bridge
/ip dhcp-server add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="Allow Wireguard Traffic" src-address=192.168.100.0/24
/ip firewall filter add action=accept chain=forward comment="Allow Wireguard Traffic" out-interface-list=WAN src-address=192.168.100.0/24
/ip firewall filter add action=accept chain=forward in-interface=wireguard1 out-interface=bridge
/ip firewall filter add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input comment="Allow Winbox" dst-port=8291 in-interface-list=WAN protocol=tcp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat out-interface=bridge src-address-list=192.168.100.0/24
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=Africa/Johannesburg
/system note set show-at-login=no
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Wireguard setup on laptop:

[Interface]
PrivateKey = asdasdasdasdasd
Address = 192.168.100.2/24
DNS = 192.168.100.1

[Peer]
PublicKey = asdasdasdasdasd
AllowedIPs = 0.0.0.0/0
Endpoint = asdasdasdasdasd.sn.mynetname.net:13231
1. Add to List
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=wireguard1 list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN

2. Peers settings wrong. Corrected:
/interface wireguard peers add allowed-address=192.168.100.2/32 interface=wireguard1 name=peer1 public-key="-=------------"

3. Order of rules, and keep chains together... Remove this UNSAFE rule. Only access Winbox from inside the LAN or after VPN into the router, never direct!!
/ip firewall filter add action=accept chain=input comment="Allow Winbox" dst-port=8291 in-interface-list=WAN protocol=tcp

/ip firewall address-list { using static DHCP leases where applicable }
add address=192.168.88.X list=Authorized comment="admin desktop"
add address=192.168.88.Y list=Authorized comment="admin laptop"
add address=192.168.100.2 list=Authorized comment="remote admin"

input chain
{ default rules to keep }
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

{ admin rules }
/ip firewall filter add action=accept chain=input comment="wireguard handshake" dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow Admin Access" src-address-list=Authorized
/ip firewall filter add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
/ip firewall filter add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
/ip firewall filter add action=drop chain=input comment="drop all else"
{ add this rule last }

forward chain
{ default rules to keep }
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

{ admin rules }
/ip firewall filter add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="wg to local subnet" in-interface=wireguard1 dst-address=192.168.88.0/24
/ip firewall filter add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
{ disable or remove if not required }
/ip firewall filter add action=drop chain=forward comment="drop all else"

4. Simply sourcenat (only need one rule)
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

5. Modify
/tool mac-server set allowed-interface-list=NONE
/tool mac-server mac-winbox set allowed-interface-list=LAN

6. If not using IPv6, copy the current firewall rules and address lists to a file for future use,
disable IPv6 services and keep only two firewall rules:
add chain=input action=drop
add chain=forward action=drop

Thanks, but that’s still not working. I can connect to the Wireguard server, and ping and access DNS on the Wireguard gateway, but pings to the local gateway on the WG server side and the internet in general seem to be being dropped. For clarity, here’s a rough drawing of what I’m working with:

Edit: Image isn’t showing, try https://imgur.com/5lum7kc
When connected on the laptop, I can ping 192.168.100.1, and 192.168.1.31. Pings to 192.168.1.1 fail, as well as any outside IPs (like 8.8.8.8 ).

Latest Export:

/interface bridge
add admin-mac=FF:FF:1B:85:FF:FF auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-dfgdfg4 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=192.168.100.2/32 client-keepalive=25s interface=wireguard1 name=peer1 persistent-keepalive=25s public-key="jhsdgfkjsdhbfksdbfjlsd"
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=bridge
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.100.2 comment="Remote Laptop" list=Authorised
/ip firewall filter
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow Wireguard" src-address-list=Authorised
add action=accept chain=input comment="Users to DNS" dst-port=53 protocol=tcp
add action=accept chain=input comment="Users to DNS" dst-port=53 protocol=udp
add action=accept chain=input comment="Allow Wireguard Traffic" src-address=192.168.100.0/24
add action=accept chain=forward comment="Allow Wireguard Traffic" out-interface-list=WAN src-address=192.168.100.0/24
add action=accept chain=forward in-interface=wireguard1 out-interface=bridge
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow Winbox" disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=bridge src-address-list=192.168.100.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Africa/Johannesburg
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Allowing Winbox from the outside was purely for testing purposes, not part of any planned rollout :)

I can’t work out how, but I am sure this is linked to NAT somehow. On a whim, I backed up the listed config and then removed Ether4 from Bridge, adding it to the LAN Interface List and setting up 192.168.240.1/24 on it, and setting up the DHCP server to run on that interface handing out addresses (and 192.168.240.1 as Gateway and DNS Server) in that range. Plugging the laptop directly into that port gave me an appropriate 192.168.240 address, and I could ping and do DNS queries on 192.168.240.1 and 192.168.1.31 - but nowhere else.
In other words, treating that router like a standard network router and bypassing Wireguard completely presents the same problem.
Experience has taught me that the solution is probably simpler than I think, but I can’t see it.

1. You state, on the first post, that ether2 is your "WAN PORT" connected to the upstream router.
Thus you need to remove ether2 from the bridge, if that is the case. I suspect you meant ether1??? In which case disregard.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1

BUT the crux of your problems stems from mixing up bridge and WAN…

2. Allowed IPs: remove the persistent-keepalive, that is only used at the client peer side...
/interface wireguard peers
add allowed-address=192.168.100.2/32 client-keepalive=25s interface=wireguard1 name=peer1 persistent-keepalive=25s public-key="jhsdgfkjsdhbfksdbfjlsd"

3. This is plain WRONG.
/ip dhcp-client
add comment=defconf interface=bridge

Should be
/ip dhcp-client
add comment=defconf interface=ether1

4. Why is this disabled???
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf

5. For NAT only need
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

6. PUT YOUR RULES WITH CHAINS TOGETHER...

/ip firewall address-list
add address=192.168.100.2 list=Authorised comment="Remote Laptop"
add address=192.168.88.X list=Authorised comment="admin when on local subnet via static dhcp lease"
add address=192.168.88.Y list=Authorised comment="admin when on local subnet wifi via static dhcp lease"
add address=192.168.1.YY list=Authorised comment="admin when on main router subnet"
/ip firewall filter
{ input chain }
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow Wireguard handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="Allow admin access" src-address-list=Authorised
add action=accept chain=input comment="Users to DNS" dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="Users to DNS" dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="drop all else"

{ forward chain }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to LAN" dst-address=192.168.88.0/24 in-interface=wireguard1
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all else"

REMEMBER
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN

If you simply wanted the MT device not to be a router but an AP/switch, all is still doable.
In other words, if you don't need the 88 subnet, there is another option to consider.
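Both replies above tighten peer1's allowed-address from 0.0.0.0/0 to 192.168.100.2/32 without spelling out what that list does. In WireGuard it is the cryptokey routing table: on receive, a decrypted packet is accepted only if its inner source address falls inside that peer's list, and on transmit a packet handed to the interface goes to the peer whose list covers the destination (longest prefix). The model below is an added example, not code from this thread or from RouterOS; the probe addresses are constructed for it. It shows why the /32 matters for the Authorised address-list scheme: the input rule that trusts 192.168.88.X can be reached by a tunnel packet carrying that spoofed source when the peer is allowed 0.0.0.0/0, while with the /32 WireGuard discards the packet before the firewall sees it. (RouterOS does not create routes from allowed-address; destinations still need entries in /ip route, and the transmit-side lookup only runs once a route has sent the packet to wireguard1.)

```python
"""WireGuard cryptokey routing on the server side.

Added example; not code from the thread or from RouterOS. A peer's allowed
addresses do two jobs: on receive, a decrypted packet is accepted only if its
inner source address is inside the list; on transmit, a packet handed to the
interface goes to the peer whose list covers the destination (longest prefix).
Compares the peer entry as first posted (allowed-address=0.0.0.0/0) with the
corrected /32. Probe addresses are constructed for the example.
"""
import ipaddress


class WgInterface:
    def __init__(self, peers):
        # peers: {peer name: [cidr, ...]}, i.e. each peer's allowed-address list
        self.peers = {
            name: [ipaddress.ip_network(c) for c in nets] for name, nets in peers.items()
        }

    def accept_inbound(self, peer, inner_src):
        """Receive side: drop unless the inner source is within this peer's allowed addresses."""
        src = ipaddress.ip_address(inner_src)
        return any(src in net for net in self.peers[peer])

    def peer_for(self, dst):
        """Transmit side: peer with the longest allowed prefix covering dst, or None (discarded)."""
        d = ipaddress.ip_address(dst)
        best = None
        for name, nets in self.peers.items():
            for net in nets:
                if d in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (name, net)
        return best[0] if best else None


# Constructed inner source addresses a hostile or misconfigured laptop could put on tunnel packets.
PROBES = {
    "laptop tunnel address": "192.168.100.2",
    "spoofed hAP lite LAN host": "192.168.88.20",
    "spoofed main router LAN host": "192.168.1.50",
    "spoofed WireGuard gateway": "192.168.100.1",
}

AS_POSTED = ["0.0.0.0/0"]          # peer1 entry in the first export
CORRECTED = ["192.168.100.2/32"]   # the fix given in the replies


def audit(allowed):
    """Which probes would get past WireGuard and reach the firewall chains with this allowed list."""
    wg = WgInterface({"peer1": allowed})
    return {label: wg.accept_inbound("peer1", src) for label, src in PROBES.items()}


if __name__ == "__main__":
    for label, allowed in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label)
        for probe, accepted in audit(allowed).items():
            print(f"  {probe:30} {'accepted' if accepted else 'dropped by WireGuard'}")
    # With 0.0.0.0/0, any packet routed into wireguard1 is encrypted to peer1, even one for 8.8.8.8.
    print("0.0.0.0/0 peer for 8.8.8.8:", WgInterface({"peer1": AS_POSTED}).peer_for("8.8.8.8"))
    print("/32 peer for 8.8.8.8:", WgInterface({"peer1": CORRECTED}).peer_for("8.8.8.8"))
```

Run it as a script to see the two tables side by side; the transmit-side lines at the end show the second effect of 0.0.0.0/0: any traffic that a route ever sends into wireguard1 would be tunnelled to the laptop, whereas with the /32 only packets for 192.168.100.2 have a peer and anything else is discarded.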

…And I found it - I needed to tell my Gateway Router (192.168.1.1) to route 192.168.100.0/24 traffic to 192.168.1.31 - the MT running the Wireguard server.

Maybe not a NAT issue exactly, but a routing issue instead. Renaming topic in the hopes it’ll help others.

Thanks Anav - I replied before I saw your reply. The scenario for this MT is just to be a WG server, on the local network, allowing my remote laptop to connect to it, access that local network, and the internet through that same network (as though it were just plugged into the local network). My thinking was that some form of straight bridging would do the trick, but I got bogged down trying to grok the WG implementation. If you’ve got a way to handle it without complex extra routing I am all for it :)

As an aside what has 192.168.1.31 got to do with it, on the first post the IP address of the Mikrotik was 192.168.1.28 ???


Well, why would the gateway router care or even see 192.168.100?
That is wireguard traffic.
In your requirements you didn't explicitly state you wanted to reach the main router subnet, and I thought you simply wanted to go out the internet.

So adding in the need to reach main router subnet devices is easily handled (if known).
There are two approaches:
a. As you noted, if one can, on the main router create a static route for the unknown subnet to the IP address of the MT router
b. sourcenat the wireguard traffic out the router,
which is already in place with the rules I provided.

So if you had implemented the rules, it would have worked!
The difference between a and b is that a. also covers the case of originating traffic to wireguard users, whereas b. only handles return traffic (which you need).
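The poster's finding and the a/b summary above describe one mechanism: the echo request leaves the hAP lite with source 192.168.100.2, and nothing upstream of it has a route back to that prefix, so replies from 192.168.1.1 or the internet follow the gateway's default route and never return. The hop-by-hop model below is an added example, not the poster's configuration or MikroTik code. It uses the four devices from the thread (laptop, hAP lite "mt", gateway, a host at 8.8.8.8), assumes 203.0.113.5 as the gateway's public address, reproduces the symptom reported above (replies from 192.168.100.1 and 192.168.1.31, none from 192.168.1.1 or 8.8.8.8) and then shows both fixes restoring the return path. One check worth making before trying fix (b) on RouterOS: the first export's rule `add action=masquerade chain=srcnat out-interface=bridge src-address-list=192.168.100.0/24` uses src-address-list, which takes the name of an address list rather than a prefix, so it matched nothing, consistent with the NAT counters staying at 0; the matcher for a prefix is src-address=192.168.100.0/24.

```python
"""Hop-by-hop model of the return-path problem in this thread.

Added example; not the poster's configuration or MikroTik code. Nodes: the
laptop (192.168.100.2 over WireGuard), the hAP lite "mt" (192.168.100.1 on
wireguard1, 192.168.1.31 on the bridge), the gateway router (192.168.1.1,
public side 203.0.113.5, an assumed documentation address) and a host at
8.8.8.8. Routing is longest-prefix; masquerade is a per-node connection table.
Scenarios: as posted, fix (a) static route on the gateway, fix (b) masquerade
on the hAP lite towards the gateway.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    addrs: set                                   # addresses this node answers for
    routes: list                                 # (cidr, next-hop node name); longest prefix wins
    nat_for: set = field(default_factory=set)    # next hops towards which sources are masqueraded
    nat_addr: str = ""                           # address used when masquerading
    conns: dict = field(default_factory=dict)    # (nat_addr, dst) -> original src

    def next_hop(self, dst):
        d = ipaddress.ip_address(dst)
        best = None
        for cidr, hop in self.routes:
            net = ipaddress.ip_network(cidr)
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


def deliver(net, src, dst, at, max_hops=8):
    """Forward one packet from node `at`; return (src, dst, owner) on delivery, None if dropped."""
    for _ in range(max_hops):
        node = net[at]
        if dst == node.nat_addr and (dst, src) in node.conns:
            dst = node.conns[(dst, src)]          # reverse-NAT a reply to a masqueraded flow
        if dst in node.addrs:
            return src, dst, at
        hop = node.next_hop(dst)
        if hop is None or hop not in net:
            return None                           # no route: dropped at this node
        if hop in node.nat_for:
            node.conns[(node.nat_addr, dst)] = src
            src = node.nat_addr                   # masquerade on the way out
        at = hop
    return None


def ping(net, src, dst, start):
    """Echo request from `start`, echo reply back; True only if the reply reaches the sender."""
    req = deliver(net, src, dst, start)
    if req is None:
        return False
    rep = deliver(net, req[1], req[0], req[2])    # reply swaps the addresses as the responder saw them
    return rep is not None and rep[2] == start and rep[1] == src


def build(static_route=False, mt_masquerade=False):
    laptop = Node("laptop", {"192.168.100.2"}, [("0.0.0.0/0", "mt")])
    mt = Node("mt", {"192.168.100.1", "192.168.1.31"},
              [("192.168.100.0/24", "laptop"), ("192.168.1.0/24", "gateway"), ("0.0.0.0/0", "gateway")],
              nat_for={"gateway"} if mt_masquerade else set(), nat_addr="192.168.1.31")
    gw_routes = [("192.168.1.0/24", "mt"), ("0.0.0.0/0", "internet")]
    if static_route:
        gw_routes.append(("192.168.100.0/24", "mt"))   # the route the poster added on 192.168.1.1
    gateway = Node("gateway", {"192.168.1.1", "203.0.113.5"}, gw_routes,
                   nat_for={"internet"}, nat_addr="203.0.113.5")
    internet = Node("internet", {"8.8.8.8"}, [("203.0.113.0/24", "gateway")])  # no route to RFC 1918
    return {n.name: n for n in (laptop, mt, gateway, internet)}


SCENARIOS = {
    "as posted": {},
    "fix a: static route on gateway": {"static_route": True},
    "fix b: masquerade on hAP lite": {"mt_masquerade": True},
}
TARGETS = ("192.168.100.1", "192.168.1.31", "192.168.1.1", "8.8.8.8")


def run_scenarios():
    # a fresh network per ping so NAT state from one probe cannot leak into the next
    return {
        label: {dst: ping(build(**kw), "192.168.100.2", dst, "laptop") for dst in TARGETS}
        for label, kw in SCENARIOS.items()
    }


if __name__ == "__main__":
    for label, results in run_scenarios().items():
        print(label)
        for dst, ok in results.items():
            print(f"  ping {dst:15} {'reply' if ok else 'no reply'}")
```

The two fixes differ in what the LAN sees: with (a) the laptop keeps its 192.168.100.2 identity on the LAN and hosts there can initiate connections to it, so the gateway's own firewall and logs deal with that prefix; with (b) every tunnel user appears as 192.168.1.31, which is simpler to route but means LAN-side logs cannot tell one remote user from another.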