WireGuard VPN -Webserver Access

Eduardo25 · October 25, 2022, 5:05am

How can I achieve this? forwarding and Ip routes?
I want my WG client can access the web server, but it seems won’t work after experimenting with the firewall rules

My current Config:

# oct/25/2022 12:37:47 by RouterOS 7.6
/interface bridge
add admin-mac=08:55:31:40:3D:0C auto-mac=no comment="defconf Converge" name=\
    88bridge
add comment="defconf New Lan" name=172bridge
add comment=":defconf PLDT" name=178bridge
add comment="defconf Server Network" name=sapnetwork_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ConvergeBiz
set [ find default-name=ether2 ] arp=disabled
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
    ether2 keepalive-timeout=30 name=PLDTEnterprise user=IMAX
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=WIFI name=WIFI
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add add-arp=yes interface=88bridge lease-time=52w1d name=defconfHOME
add add-arp=yes interface=178bridge lease-time=52w1d name=defconENT
add add-arp=yes interface=sapnetwork_bridge lease-time=52w1d name=defonserver
/ip firewall layer7-protocol
add name=block_facebook regexp="^..+\\.(facebook.com|facebook.net|fbcdn.com|fb\
    sbx.com|fbcdn.net|fb.com|tfbnw.net|video.fcgy1-1.fna.fbcdn.net).*\$"
add name=block_youtube regexp="^..+\\.(ytstatic.l.google.com|youtube-ui.l.goog\
    le.com|youtubei.googleapis.com|youtube.googleapis.com|youtube.com|www.yout\
    ube.com|m.youtube.|.m.youtube.|ytimg.com|s.ytimg.com|ytimg.l.google.com|yo\
    utube.l.google.com|i.google.com|googlevideo.com|youtu.be|youtube-nocookie.\
    com).*\$"
add name=block_twitter regexp="^.+(twitter.com).*\$"
add name=block_shopee regexp="^.+(shopee.ph).*\$"
add name=block_tiktok regexp="^.+(tiktok.com).*\$"
add name=block_lazada regexp="^.+(lazada.com.ph).*\$"
add name=block_netflix regexp="^.+(netflix.com).*\$"
/ip pool
add name=newlan ranges=172.16.0.20-172.16.1.254
/ip dhcp-server
add add-arp=yes address-pool=newlan disabled=yes interface=172bridge \
    lease-time=52w1d name=defconNewlan
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=yes name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=88_Subnet
add fib name=178_Subnet
add fib name=172_Subnet
add fib name=LAN1_TO_WAN1
add fib name=LAN2_TO_WAN2
add disabled=no fib name=use-WG
add disabled=no fib name=wg-iterf
/interface bridge port
add bridge=88bridge comment=defconf88 ingress-filtering=no interface=ether4
add bridge=sapnetwork_bridge comment="defconf Server Network" \
    ingress-filtering=no interface=ether10
add bridge=88bridge ingress-filtering=no interface=ether5
add bridge=178bridge comment=defconf178 ingress-filtering=no interface=ether6
add bridge=178bridge ingress-filtering=no interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=88bridge list=LAN
add comment=defconf interface=ether1-ConvergeBiz list=WAN
add interface=ether2 list=WAN
add interface=178bridge list=LAN
add interface=PLDTEnterprise list=WAN
add interface=172bridge list=LAN
add interface=sapnetwork_bridge list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.100.2/32,192.168.178.122/32 interface=wireguard1 \
    public-key="4t2wBqUKys2Bpn9ozMqzQ88yRIrSdmoa8zGS02JVgUs="
add allowed-address=192.168.100.3/32,192.168.178.122/32 interface=wireguard1 \
    public-key="6mS9oB0ngtPQgg+QwLcu1EXlHWdP4VTzAhbipNazxWA="
/ip address
add address=192.168.88.1/24 comment=defconf interface=88bridge network=\
    192.168.88.0
add address=192.168.178.1/24 interface=178bridge network=192.168.178.0
add address=192.168.0.1/24 comment=defconf interface=sapnetwork_bridge \
    network=192.168.0.0
add address=172.16.0.1/23 interface=172bridge network=172.16.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no comment=defconf interface=ether1-ConvergeBiz \
    use-peer-dns=no
/ip dhcp-server network
add address=172.16.0.0/23 dns-server=172.16.0.1 gateway=172.16.0.1
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.1 \
    netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.178.0/24 dns-server=192.168.178.1 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" in-interface=\
    wireguard1 src-address=192.168.100.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    log-prefix=accepted_wg_con protocol=udp
add action=accept chain=forward in-interface=wireguard1 out-interface-list=\
    LAN
add action=accept chain=forward in-interface=wireguard1 out-interface=\
    PLDTEnterprise
add action=reject chain=forward comment="blck facebook" disabled=yes \
    layer7-protocol=block_facebook log-prefix=Block protocol=tcp reject-with=\
    tcp-reset src-address-list=!fb_aclist
add action=accept chain=forward comment="ALLOW PORT FORWARDING WEBSERVER" \
    connection-nat-state=dstnat disabled=yes dst-address=192.168.178.122 \
    dst-port=9991 in-interface=PLDTEnterprise protocol=tcp
add action=drop chain=virus comment="VIRUS FILTER STARTS HERE Blaster Worm" \
    dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 \
    protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
    tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 \
    protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 \
    protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
    virus
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=NotLAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=\
    "defconf:FastTrack accept established,related Priority Sites" \
    connection-mark=priority-conn connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=88bridge log-prefix=!public_from_LAN \
    out-interface=!88bridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=178bridge log-prefix=!public_from_LAN \
    out-interface=!178bridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=sapnetwork_bridge log-prefix=\
    !public_from_LAN out-interface=!sapnetwork_bridge
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    protocol=tcp tcp-flags=syn,ack
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "browsing-con for Priority websites " connection-bytes=0-1000000 \
    dst-address-list=Priority dst-port=80,443 new-connection-mark=\
    priority-conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="Priority TCP Pckt" \
    connection-mark=priority-conn new-packet-mark=priority_pckt passthrough=\
    no
add action=mark-connection chain=prerouting comment="ZOOM TCP" \
    dst-address-list=zoom_ip dst-port=80,443,8801,8802,5091 \
    new-connection-mark=tcp_zoom passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="ZoomTCP Pckt" \
    connection-mark=tcp_zoom new-packet-mark=zoom_pckt passthrough=no
add action=mark-connection chain=prerouting comment="ZOOM UDP" \
    dst-address-list=zoom_ip dst-port=3478,3479,8801-8810,20000-64000 \
    new-connection-mark=udp_zoom passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="ZoomUDP Pckt" \
    connection-mark=udp_zoom new-packet-mark=zoom_pckt passthrough=no
/ip firewall nat
add action=accept chain=srcnat comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="defconf: All masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
    LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4 log-prefix=badipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=\
    192.168.178.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting comment="Defconf: dropping ddos attacker" \
    dst-address-list=ddos-target src-address-list=ddos-attackers
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip route
add comment=CONVERGE disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.254 pref-src="" routing-table=88_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="PLDT ENTERPRISE" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=PLDTEnterprise pref-src="" routing-table=178_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="REROUTE 88" disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=PLDTEnterprise pref-src="" routing-table=88_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="NEW LAN NETWORK" disabled=yes dst-address=0.0.0.0/0 gateway=\
    PLDTEnterprise routing-table=172_Subnet
add comment="REROUTE 178" disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=192.168.1.254 pref-src="" routing-table=178_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=USE-WG disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PLDTEnterprise pref-src="" routing-table=use-WG scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="IP ROUTES FOR DEVICE" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=PLDTEnterprise pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=89
set ssh disabled=yes
set www-ssl disabled=no port=449
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set active-flow-timeout=5m interfaces=88bridge
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table comment=88_Subnet disabled=no src-address=\
    192.168.88.0/24 table=88_Subnet
add action=lookup-only-in-table comment=178_Subnet disabled=no src-address=\
    192.168.178.0/24 table=178_Subnet
add action=lookup-only-in-table disabled=no src-address=172.16.0.0/23 table=\
    172_Subnet
add action=lookup-only-in-table disabled=no src-address=192.168.100.2/32 \
    table=use-WG
add action=lookup-only-in-table disabled=no src-address=192.168.100.3/32 \
    table=use-WG
add action=lookup-only-in-table disabled=no src-address=192.168.100.0/24 \
    table=wg-iterf
/system clock
set time-zone-name=Asia/Manila
/system clock manual
set dst-delta=+08:00 dst-end="jan/01/2029 00:00:00" dst-start=\
    "jan/01/2022 00:00:00" time-zone=+08:00
/system identity
set name=Graphic
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add name=Reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/10/2022 start-time=08:00:00
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.88.0/24 interface=88bridge store-on-disk=no
add allow-address=192.168.178.0/24 interface=178bridge store-on-disk=no
add interface=PLDTEnterprise store-on-disk=no
add interface=ether1-ConvergeBiz store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks
Ill really appreciate your help

anav · October 25, 2022, 8:54pm

Not showing client settings is not helpful!

Client
Assuming it has an interface address of 192.168.100.2/32
For Peer allowed IPs on the smartphone it should have
192.168.100.0/24,192.168.88.0/24

Router
Peer settings for smart phone are weird… What is the second address???
You do not understand the fundamental purpose of wireguard peer settings, they are designed to
a. identify remote addresses that local users will want to access ( authorize remote destination addresses for outbound local traffic entering the tunnel) OR
b. identify remote addresses that will be accessing local subnets. ( authorize source addresses for inbound remote traffic exiting the tunnel)
175. xxx is a local subnet identified on the local router in peer addresses WRONG!!

/interface wireguard peers
add allowed-address=192.168.100.2/32,192.168.178.122/32 interface=wireguard1
public-key=“4t2wBqUKys2Bpn9ozMqzQ88yRIrSdmoa8zGS02JVgUs=”

same goes for a second peer, in other words another client not shown on your diagram.

anav · October 25, 2022, 9:47pm

(1) Im assuming this rule is made so that you can access the router for config purposes remotely?
/ip firewall filter
add action=accept chain=input comment=“allow WireGuard traffic” in-interface=
wireguard1 src-address=192.168.100.0/24

(2) This rule tells me you are not accurate at the Client settings itself..
If you want to be able to go out the internet from the smartphone and specifically the PLZ wan interface… then this rule is good.
add action=accept chain=forward in-interface=wireguard1 out-interface=
PLDTEnterprise

BUt then at the client settings, on the smartphone the Allowed IPs should be 0.0.0.0/0
which includes all IPs, so has to be used for internet and also includes any wireguard Ip addresses or local subnets as well!!

(3) This rule is wrong in many ways, just glad its disabled.
add action=accept chain=forward comment=“ALLOW PORT FORWARDING WEBSERVER”
connection-nat-state=dstnat disabled=yes dst-address=192.168.178.122
dst-port=9991 in-interface=PLDTEnterprise protocol=tcp

(4) Your firewall rules are a youtube inspired bloated mess in chaotic order, which I would remove entirely and just use defaults and drop rules at the end of the chains…

(5) Dont understand your wg-iterf route rule entry, there is no corresponding route???