So maybe this is a Wireguard issue, I have no idea.
Scenario is that I have the Mikrotik sitting behind a cable router which does NAT for me, so everything on the Mikrotik is straight routing and no NAT.
I have the WAN interface set with 10.1.10.2/24 and the gateway is 10.1.10.1 and is, of course, in the "main" table by default.
I set up a Wireguard interface which has an IP of 100.64.101.6/30 and the other end is 100.64.101.5/30 for routing purposes as the provider routes a public /29 to me. Everything for the Wireguard interface is in the "main" table on initial setup and the Wireguard interface is up.
So I then add a new vrf and routing-table called "vrf_fr2", create a vlan on one of my internal ports, ether2, and put this vlan in a list which is then assigned to the vrf_fr2. I cannot get any traffic in or out of the /29 and have tried with and without a static route of 0.0.0.0 assigned to the vrf_fr2 table with a gateway of the 100.64.101.5 which is the provider side of the Wireguard tunnel.
I have also tried putting the Wireguard interface itself in the same vrf and table with no luck.
I have this same setup working in version 6, although with a ppp/l2tp tunnel, and it worked perfectly.
Here is what the relevant portion of my config looks like right now:
/interface wireguard
add listen-port=41195 mtu=1420 name=wg01 private-key="*******"
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=22.214.171.124 endpoint-port=41195 interface=wg01 persistent-keepalive=1m public-key="******"
/interface vlan
add interface=ether2 name=LAN1 vlan-id=100
add interface=ether2 name=VLAN_1002 vlan-id=1002
/interface list member
add interface=LAN1 list=LAN
add interface=ether1 list=WAN
add interface=VLAN_1002 list=Wireguard2
add list=all name=main
add list=Wireguard2 name=vrf_fr2
/ip route
add disabled=no distance=1 dst-address=0.0.0.0 gateway=10.1.10.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0 gateway=100.64.101.5 pref-src="" routing-table=vrf_fr2 scope=30 suppress-hw-offload=no target-scope=10 <----- This has been set up in multiple ways trying GW as interface name and provider side IP
Flags: D - dynamic; X - disabled, I - invalid; U - used
0 D name="main" fib
1 D name="vrf_fr2" fib
Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, m - modem, y - copy; H - hw-offloaded; + - ecmp
0 As dst-address=0.0.0.0 routing-table=main pref-src="" gateway=10.1.10.1 immediate-gw=10.1.10.1%ether1 distance=1 scope=30 target-scope=10 suppress-hw-offload=no
DAc dst-address=10.1.10.0/24 routing-table=main gateway=ether1 immediate-gw=ether1 distance=0 scope=10 suppress-hw-offload=no local-address=10.1.10.2%ether1
DAc dst-address=126.96.36.199/29 routing-table=main gateway=VLAN_1002 immediate-gw=VLAN_1002 distance=0 scope=10 suppress-hw-offload=no local-address=188.8.131.52%VLAN_1002
DAc dst-address=100.64.101.4/30 routing-table=main gateway=wg01 immediate-gw=wg01 distance=0 scope=10 suppress-hw-offload=no local-address=100.64.101.6%wg01
DAc dst-address=192.168.1.0/24 routing-table=main gateway=LAN1 immediate-gw=LAN1 distance=0 scope=10 suppress-hw-offload=no local-address=192.168.1.2%LAN1
1 As dst-address=0.0.0.0 routing-table=vrf_fr2 pref-src=0.0.0.0 gateway=100.64.101.5 immediate-gw=100.64.101.5%wg01 distance=1 scope=30 target-scope=10 suppress-hw-offload=no
What I don't understand is that in version 6 in the webfig using the additional vrf, I see two default routes. One for the main and one for the vrf. In version 7 beta3, I am only seeing the default route of the main table.