l2sverige
just joined
Topic Author
Posts: 16
Joined: Tue Oct 26, 2021 8:40 am

Wireguard simple firewall rule

Tue Feb 20, 2024 3:21 pm

I made a simple WG connection to my router.
Everything works and I can ping every device on my lan.
Now I want to connect more peers to the WG, but I just want the WG for that peer to be able to talk to 3 IP addresses, for example 10.0.0.10-10.0.0.12, on my LAN.

Can you post some examples here please :)
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 4:59 pm

Firewall forward chain of the receiving router is a good spot to put such rules.
Assuming your rules look like this....

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not using port forwarding }

******* This is where you put additional allow rules *********
add action=drop chain=forward comment="drop all else"

It's up to you to figure out all the users coming over WireGuard and what they should have access to, and thus the actual forward chain rules!
The nice thing about the set of rules above is the last rule. Any traffic you don't allow will be dropped!!

Good luck!
 
Larsa
Forum Guru
Posts: 1068
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 5:23 pm

@l2sverige - as suggestion create a new WireGuard interface, for example "WG-restricted", and place all connections (peers) that need to be restricted to 10.0.0.10-10.0.0.12 on that interface. Don't add "WG-restricted" to the LAN interface list, instead use: "/ip/firewall/filter add chain=forward action=accept in-interface=WG-restricted dst-address=10.0.0.10-10.0.0.12".
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 5:51 pm

LARSA, you complicate life LOL.
You doth go too far.......
Simply solved by adding the appropriate firewall rules.............
No need to create ANOTHER INTERFACE

However, I can play your silly game and UPSELL you on a better approach
Simply create another IP address associated with the interface.
Ensure the peer device is provided an IP address from the second address group.

/ip address
add address=192.168.33.1/24 interface=wireguard1 network=192.168.33.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0


Keep the single existing input chain rule for the listening port.
ROUTER PEERS
allowed-IPs=192.168.33.2/32 interface=wireguard1 public key=xyxyxyxyx
allowed-IPs=192.168.33.3/32 interface=wireguard1 public key=78787878
allowed-IPs=192.168.66.2/32 interface=wireguard1 public key=yiyiyiyiyi comment="restricted peer"

Now guess what................ kick in the teeth ( in your case two teeth ), one still has to add the appropriate firewall rules.......any normal human realizes the irony!!
SAY WHAT, I have to add funky stuff and still muck about with firewall rules on top???

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not using port forwarding }

add action=accept chain=forward comment="wireguard out traffic" in-interface-list=LAN (or whatever subnet or address-list) out-interface=wireguard1
add action=accept chain=forward comment="restricted wireguard traffic in" in-interface=wireguard1 src-address=192.168.66.2/32 dst-address-list=LimitedDevices
add action=accept chain=forward comment="unlimited wireguard traffic in" in-interface=wireguard1 src-address=192.168.33.0/24 out-interface-list=LAN
add action=drop chain=forward comment="drop all else"

where the firewall address-list is:
add address=10.0.0.10-10.0.0.12 list=LimitedDevices
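As an added illustration (not code from the thread or from MikroTik), here is a small Python model of the forward chain posted above, tried in the same order with the same LimitedDevices list, so the policy can be checked against sample packets before it goes on the router. The interface names, the address "203.0.113.5" and the LAN host addresses are assumptions.

```python
import ipaddress

# Constructed model of the forward chain from the post above: rules are tried in
# order and the first accept/drop match decides, ending in "drop all else".
# The fasttrack rule is omitted because it does not change the verdict.
ADDRESS_LISTS = {  # /ip firewall address-list add address=10.0.0.10-10.0.0.12 list=LimitedDevices
    "LimitedDevices": [("10.0.0.10", "10.0.0.12")],
}

def in_list(ip, name):
    ip = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ADDRESS_LISTS[name])

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

# (action, matcher) pairs; "LAN"/"WAN" stand for the interface lists of the same name.
FORWARD_CHAIN = [
    ("accept", lambda p: p["state"] in ("established", "related", "untracked")),
    ("drop",   lambda p: p["state"] == "invalid"),
    ("accept", lambda p: p["in"] == "LAN" and p["out"] == "WAN"),            # internet access
    ("accept", lambda p: p["in"] == "LAN" and p["out"] == "wireguard1"),     # wireguard out
    ("accept", lambda p: p["in"] == "wireguard1" and p["src"] == "192.168.66.2"
                         and in_list(p["dst"], "LimitedDevices")),           # restricted peer
    ("accept", lambda p: p["in"] == "wireguard1" and p["out"] == "LAN"
                         and in_net(p["src"], "192.168.33.0/24")),           # unlimited peers
    ("drop",   lambda p: True),                                              # drop all else
]

def forward_verdict(src, dst, in_if, out_if, state="new"):
    """Return 'accept' or 'drop' for one packet, RouterOS first-match style."""
    pkt = {"src": src, "dst": dst, "in": in_if, "out": out_if, "state": state}
    for action, match in FORWARD_CHAIN:
        if match(pkt):
            return action
    return "drop"  # unreachable given the final rule, kept as a safe default

def policy_report():
    """Verdicts for the cases the thread cares about (and one it does not mention)."""
    return {
        "restricted peer -> 10.0.0.11":  forward_verdict("192.168.66.2", "10.0.0.11", "wireguard1", "LAN"),
        "restricted peer -> 10.0.0.20":  forward_verdict("192.168.66.2", "10.0.0.20", "wireguard1", "LAN"),
        "unlimited peer -> 10.0.0.20":   forward_verdict("192.168.33.2", "10.0.0.20", "wireguard1", "LAN"),
        "unlimited peer -> internet":    forward_verdict("192.168.33.2", "203.0.113.5", "wireguard1", "WAN"),
        "reply 10.0.0.11 -> restricted": forward_verdict("10.0.0.11", "192.168.66.2", "LAN", "wireguard1",
                                                         state="established"),
    }
```

One thing the model makes visible: with the rules exactly as posted, no peer can reach the internet through the router, because nothing accepts in-interface=wireguard1 towards the WAN list; that is the safe default, and should only be changed by an explicit rule if it is intended.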
 
Larsa
Forum Guru
Posts: 1068
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 6:04 pm

Haha! Well, I think my solution is WAY better since it's just a single firewall rule which restricts any source to the destination. Remember KISS ;-D ;-D
 
l2sverige
just joined
Topic Author
Posts: 16
Joined: Tue Oct 26, 2021 8:40 am

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 6:12 pm

@Larsa

I made your config, but it didn't work as expected, doh.... The filter rules with the addresses I want to have a connection with get no counts in the firewall rule....hmm...
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 6:19 pm

hahaha, obviously we need to have few beers together to discuss!!!
I promise to have an open mind and be patient as it may take awhile for you to see the better way........
 
Larsa
Forum Guru
Posts: 1068
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 6:28 pm

@l2sverige, check for any traffic on the wg interface using Winbox Tools -> Packet Sniffer. If not, there might be a mismatch in the wg peer configuration, either with the keys or the allowed addresses.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard simple firewall rule

Tue Feb 20, 2024 6:30 pm

Check for any traffic on the wg interface using Winbox Tools -> Packet Sniffer. If not, there might be a mismatch in the wg peer configuration, either with the keys or the allowed addresses.
........how could that be?? Oh right, you have introduced another private-pair key coupling into the mix............. yup KISS !! ( my a%$ )

Don't take on the fiery llama with rhetoric, I can only be swayed by logic and facts ( and free beer if in Germany, chocolate if in Belgium or Switzerland, coffee and wine in Italy, tortilla and wine in Spain).
