Here is the masked router config:
# jun/01/2023 09:42:27 by RouterOS 7.9.1
# software id = TYAU-C7QY
#
# model = RB750Gr3
# serial number = xxxxxxxxxxxx
#
# Overview (from this export): two LAN bridges (br88 on eth2/eth5, br07 on
# eth4), eth1 as the WAN uplink (DHCP + DHCPv6-PD client), a PPPoE server on
# eth3, an L2TP/IPsec server, and two WireGuard interfaces: wg-xxxxxx-xx-xx-xxx
# (has an endpoint and allowed-address 0.0.0.0/0, so it appears to be an
# outbound tunnel used for policy-routed traffic) and wg-rfa (road-warrior
# peers in 10.7.0.0/24). Keys, secrets, passwords and public addresses are
# masked placeholders. Lines starting with "NOTE(review)" are reviewer
# remarks, not part of the original export.
/interface bridge
add admin-mac=18:FD:74:xx:xx:xx auto-mac=no name="br07"
add admin-mac=18:FD:74:xx:xx:xx auto-mac=no name="br88"
/interface ethernet
# NOTE(review): proxy-arp on the WAN port makes the router answer ARP for
# addresses it has routes to; presumably needed for the public address handed
# out by the pppoexx profile below — confirm it is still required.
set [ find default-name=ether1 ] arp=proxy-arp name="eth1"
set [ find default-name=ether2 ] name="eth2"
set [ find default-name=ether3 ] name="eth3"
set [ find default-name=ether4 ] name="eth4"
set [ find default-name=ether5 ] name="eth5"
/interface pppoe-server
add name=pppoe-auxx service=pppoexx user=auxxudmp
/interface wireguard
# Two listeners: 13231 (outbound tunnel side) and 13232 (wg-rfa). Only 13232 is
# opened in the input chain ("allow Wireguard"); 13231 presumably never needs
# inbound handshakes because this side initiates (endpoint + keepalive set).
add listen-port=13231 mtu=1420 name=wg-xxxxxx-xx-xx-xxx private-key=\
"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add listen-port=13232 mtu=1420 name=wg-rfa private-key=\
"yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy="
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
# NOTE(review): this default profile/proposal is what the L2TP server below
# (use-ipsec=required) negotiates. modp1024, 3des, sha1 and pfs-group=none are
# weak by current standards; if the L2TP clients support it, prefer modp2048+
# with aes-256-cbc/sha256 only and enable PFS.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=pool88 ranges=192.168.88.10-192.168.88.254
add name=pool07 ranges=192.168.7.10-192.168.7.254
# pool00 is a single (masked) address, reused as remote-address of the pppoexx
# profile.
add name=pool00 ranges=129.129.129.129
/ip dhcp-server
add address-pool=pool88 interface="br88" name=dhcp88
add address-pool=pool07 interface="br07" name=dhcp07
/ipv6 dhcp-server
add address-pool="ABB IPv6" interface="br07" name=dhcpv6-07
add address-pool="ABB IPv6" interface="br88" name=dhcpv6-88
/port
set 0 name=serial0
/ppp profile
# pppoexx: used by the PPPoE server on eth3; hands out public DNS resolvers and
# a prefix from the delegated "ABB IPv6" pool.
add dhcpv6-pd-pool="ABB IPv6" dns-server=1.1.1.1,8.8.8.8 \
local-address=10.0.33.4 name=pppoexx remote-address=129.129.129.129 \
remote-ipv6-prefix-pool="ABB IPv6" use-ipv6=default
# l2tp-rfa: L2TP clients are bridged onto br07 and get addresses from pool07,
# i.e. they land in the 192.168.7.0/24 LAN.
add bridge="br07" dhcpv6-pd-pool="ABB IPv6" local-address=10.0.7.7 \
name=l2tp-rfa remote-address=pool07 remote-ipv6-prefix-pool="ABB IPv6"
/routing table
# Table selected by the mangle mark-routing rule further down.
add disabled=no fib name=vpn-us-ca
/interface bridge port
add bridge="br88" interface="eth2"
add bridge="br07" fast-leave=yes interface="eth4"
add bridge="br88" interface="eth5"
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set default-profile=l2tp-rfa enabled=yes ipsec-secret=\
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz use-ipsec=required
/interface list member
# NOTE(review): pppoe-auxx and wg-rfa are LAN members, so PPPoE and WireGuard
# road-warrior clients pass the input chain's final "!LAN" drop and the forward
# chain has no inter-LAN restriction; management services are then bounded only
# by the /ip service address= filters below.
add interface="br88" list=LAN
add interface="eth3" list=LAN
add interface="br07" list=LAN
add interface="eth1" list=WAN
add interface=pppoe-auxx list=LAN
add interface=wg-rfa list=LAN
/interface pppoe-server server
# NOTE(review): authentication=pap sends the PPP password in clear over the
# eth3 link; confirm the client cannot do chap/mschap2 before leaving it so.
add authentication=pap default-profile=pppoexx disabled=no interface=\
"eth3" one-session-per-host=yes service-name=pppoexx
/interface wireguard peers
# Outbound tunnel peer: accepts any destination through the tunnel
# (allowed-address=0.0.0.0/0); which traffic actually uses it is decided by
# the vpn-us-ca policy routes.
add allowed-address=0.0.0.0/0 endpoint-address=146.145.133.143 endpoint-port=\
51820 interface=wg-xxxxxx-xx-xx-xxx persistent-keepalive=25s public-key=\
"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq="
add allowed-address=10.7.0.2/32,2222:2222:2222:22::2/128 comment=aaaaa \
interface=wg-rfa public-key=\
"rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr="
add allowed-address=10.7.0.3/32,2222:2222:2222:22::3/128 comment="iPhone" \
interface=wg-rfa public-key=\
"ssssssssssssssssssssssssssssssssssssssssssss="
# NOTE(review): this peer's IPv6 allowed-address uses prefix
# 2222:2222:2222:77:: while the other two peers (and the /64 route below) use
# 2222:2222:2222:22::. If the client is actually configured in the :22:: /64,
# its IPv6 packets would not match allowed-address and be discarded by
# WireGuard — worth checking as a difference from the working peers.
add allowed-address=10.7.0.4/32,2222:2222:2222:77::4/128 comment=\
"(Lucy)" interface=wg-rfa public-key=\
"tttttttttttttttttttttttttttttttttttttttttttt="
/ip address
add address=192.168.88.1/24 comment=Mikrotik interface="br88" \
network=192.168.88.0
# NOTE(review): the next command appears mangled in this paste (unterminated
# "br07 and no network= keyword); by analogy with the br88 entry it should read
# interface="br07" network=192.168.7.0.
add address=192.168.7.1/24 comment=RFA interface="br07=\
192.168.7.0
add address=10.2.0.2/30 interface=wg-xxxxxx-xx-xx-xxx network=10.2.0.0
add address=10.7.0.1/24 interface=wg-rfa network=10.7.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface="eth1"
/ip dhcp-server network
add address=192.168.7.0/24 comment=RFA dns-server=192.168.7.1 gateway=\
192.168.7.1
add address=192.168.88.0/24 comment=Mikrotik dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
# NOTE(review): DHCP points LAN clients at the router for DNS, but
# allow-remote-requests=yes is not in this export (a non-verbose export omits
# defaults) — confirm it is enabled or was trimmed when masking.
set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Static block list consumed by the first input rule.
add address=104.49.59.2 list=Banned
add address=64.62.197.234 list=Banned
add address=94.102.61.29 list=Banned
add address=184.105.139.107 list=Banned
add address=146.88.240.4 list=Banned
/ip firewall filter
# input chain: banned drop -> WireGuard 13232 -> established/related ->
# invalid drop -> L2TP/IPsec -> ICMP -> loopback -> drop everything not from
# LAN-list interfaces.
add action=drop chain=input comment="Drop banned hosts" src-address-list=\
Banned
add action=accept chain=input comment="allow Wireguard" dst-port=13232 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
in-interface="eth1" protocol=ipsec-esp
# NOTE(review): the ESP rule above uses in-interface="eth1" but the UDP rule
# below uses "eth1 - WAN ABB", a name that does not exist in this export. If
# that is not a masking/rename artefact, the rule matches nothing and IKE/L2TP
# from WAN falls through to the "!LAN" drop.
add action=accept chain=input comment="allow L2TP VPN (500,1701,4500/udp)" \
dst-port=500,1701,4500 in-interface="eth1 - WAN ABB" protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# forward chain: fasttrack is limited to routing-mark=main, so connections
# marked vpn-us-ca keep going through the full path (mangle/NAT). The only
# final drop is for new, non-DSTNATed connections from WAN; traffic between
# LAN-list interfaces (br07, br88, wg-rfa, pppoe-auxx) is not filtered.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes routing-mark=main
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# NOTE(review): the SiriusXM address list is not defined anywhere in this
# export (masked, trimmed, or populated dynamically?).
add action=mark-routing chain=prerouting dst-address-list=SiriusXM \
new-routing-mark=vpn-us-ca passthrough=no
# NOTE(review): out-interface here is "wg-xxxxxxx-xx-xx-xxx" (seven x) while the
# interface is defined as "wg-xxxxxx-xx-xx-xxx" (six x). If that is a real
# mismatch rather than masking, the MSS clamp never applies to tunnel traffic.
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=\
wg-xxxxxxx-xx-xx-xxx protocol=tcp tcp-flags=syn
/ip firewall nat
# Default masquerade to WAN, excluding one (masked) source address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=!222.222.222.222
# Masquerade policy-routed traffic into the outbound tunnel. src-address-list=""
# looks blanked for masking; as written the rule is not restricted by source.
add action=masquerade chain=srcnat out-interface=wg-xxxxxx-xx-xx-xxx \
routing-mark=vpn-us-ca src-address-list=""
/ip route
# NOTE(review): these routes reference routing-table=vpn-xx-xx, but the only
# table defined above is vpn-us-ca (also the name used by the mangle mark).
# If the names really differ, the 0/1 + 128/1 tunnel routes sit in a table no
# traffic is marked for.
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
routing-table=vpn-xx-xx scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
"" routing-table=vpn-xx-xx scope=30 suppress-hw-offload=no
# Host route for the tunnel endpoint via a (masked) gateway, placed in the
# vpn table rather than main — confirm this is the intended table.
add disabled=no dst-address=146.145.133.143/32 gateway=203.203.203.203 \
routing-table=vpn-xx-xx suppress-hw-offload=no
/ipv6 route
# NOTE(review): this /64 is the prefix used by the wg-rfa peers' IPv6
# allowed-address entries (…:22::2, …:22::3). With no IPv6 address on wg-rfa in
# this export, IPv6 replies toward those peers would follow this route to
# pppoe-auxx instead of the tunnel — confirm intent.
add disabled=no distance=1 dst-address=2222:2222:2222:22::/64 gateway=\
pppoe-auxx routing-table=main scope=30 target-scope=10
/ip service
# Management surface: telnet/ftp/www/api/api-ssl off; ssh (non-default port),
# www-ssl (TLS 1.2 only) and winbox limited to two LAN ranges. Note that
# 192.168.33.0/24 is not configured on any interface in this export and that
# 192.168.7.0/24 and 10.7.0.0/24 are not in the allowed ranges.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24,192.168.33.0/24 port=2233
set www-ssl address=192.168.88.0/24,192.168.33.0/24 \
certificate=hex.xxxx.pem disabled=no tls-version=only-1.2
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.33.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=::7 from-pool="ABB IPv6" interface="br07" no-dad=yes
add address=::8 from-pool="ABB IPv6" interface="br88"
/ipv6 dhcp-client
add add-default-route=yes interface="eth1" pool-name="ABB IPv6" \
request=address,prefix use-interface-duid=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# IPv6 input/forward chains are the RouterOS defaults: no custom WireGuard or
# L2TP additions here, so the IPv6 side relies on the "!LAN" drops and the
# bad_ipv6 lists.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 firewall nat
# NOTE(review): srcnat "accept" for two link-local sources with no other srcnat
# rules in this export; looks like a leftover — confirm it is still needed.
add action=accept chain=srcnat src-address=fe80::8/128
add action=accept chain=srcnat src-address=fe80::aaaa:bbbb:dddd:eeee/128
/ipv6 nd
set [ find default=yes ] other-configuration=yes
/ppp secret
# Per-secret remote-address overrides the pppoexx profile's pool00 address
# (both masked). Passwords are masked.
add local-address=10.0.33.4 name=xxxxxxxx password=xxxxxxxxxxxxx \
profile=pppoexx remote-address=222.222.22.222 service=pppoe
add name=rfa password=xxxxxxxxxxxxxxxxx profile=l2tp-rfa \
service=l2tp
/system clock
set time-zone-name=Australia/Sydney
/system leds
add interface="eth1" leds=user-led type=interface-activity
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.au.pool.ntp.org
add address=1.au.pool.ntp.org
add address=2.au.pool.ntp.org
add address=3.au.pool.ntp.org
add address=pool.ntp.org
# Layer-2 management paths (MAC server, MAC winbox, MAC ping, bandwidth test)
# are all disabled — good hardening for a WAN-facing box.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=pppoe-auxx
The client (peer) config follows. The problematic peer is the one with address 10.7.0.4/32; the other two, 10.7.0.2/32 and 10.7.0.3/32, work fine.