Reading your first post.
You want anyone using ether5 to go out via the Proton WireGuard tunnel for internet.
1. WireGuard does not get an IP pool. It is simply an interface with a subnet (it carries traffic from other WireGuard addresses, typically incoming or outgoing, and also, router to router, it carries subnets).
In this case you want the subnet on ether5 to go out through WireGuard to the Proton server.
2. I don't subscribe to multiple bridges, so I will try to keep it to one bridge (I will ignore all SSTP in this config).
3. You cannot have a pool and subnet for the bridge and then also put the ports on the bridge with their own subnets. That is probably invalid and certainly very confusing.
Either go with subnets for each port with NO bridge, or use VLANs associated with the bridge.
4. What is the bridge NAT for? You don't need it.
5. Detect Internet should be set to NONE; it causes issues otherwise.
6. For the DHCP-server network DNS setting on port 5, use the DNS server supplied to you by Proton; if none is provided, use 10.2.0.1.
(If you added the netmask manually, remove it; it is not required.)
7. If not using IPv6, disable it and remove all IPv6 address lists and firewall rules except these two:
# The only two IPv6 firewall rules to keep: drop everything to and through the router.
add chain=input action=drop
add chain=forward action=drop
8. Remove the static default IP DNS setting.
9. Leaving the input chain as is for now (except for removing the useless Proton rule); the forward chain is modified.
10. It would appear from your config that there is no traffic from one LAN port to another?
Just in case there is, I use ether2 as your trusted port and, as an example, give it access to the other LAN subnets in the forward rules.
11. Mangling is not required for moving ether5 out to Proton, but I will add a mangle rule to help with the MTU issues that often arise with 3rd-party providers.
Routing rules will be used to move ether5 traffic to Proton.
12. Added a NAT rule to ensure port 5 users are directed to Proton for DNS.
13. An IP route for WireGuard does not need to be inserted manually, as one is created when the IP address is added. However, we will add one in case the Proton-supplied DNS address, if there is one, is outside the subnet given.
ONE bridge, with VLANs
........
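# ONE bridge + VLANs: each LAN port is an access port on its own VLAN, the router
# owns one /24 per VLAN, and only VLAN 50 (ether5) is steered into the Proton
# WireGuard tunnel through the WG routing table.
# Lines starting with '#' are comments; a trailing '\' continues a command.
/interface bridge
# A single bridge only. The per-port bridges (2-bridge .. 5-bridge) were dropped:
# in a one-bridge design the DHCP servers below bind to the VLAN interfaces.
add admin-mac=48:A9:8A:AC:43:F2 auto-mac=no comment=defconf name=bridge vlan-filtering=no
# Set vlan-filtering=yes as the LAST step, after the bridge port and bridge vlan
# entries below exist; turning it on earlier cuts your own access to the router.
/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-LAN
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-LAN
set [ find default-name=ether5 ] name=5-LAN
/interface vlan
# Layer-3 interface per VLAN; IP addresses, DHCP servers and interface lists attach here.
add interface=bridge name=vlanPORT2 vlan-id=20
add interface=bridge name=vlanPORT3 vlan-id=30
add interface=bridge name=vlanPORT4 vlan-id=40
add interface=bridge name=vlanPORT5 vlan-id=50
/interface wireguard
# Created disabled; enable it once the peer below has the real endpoint and public key.
add disabled=yes listen-port=13231 mtu=1420 name=proton-DE-009
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=2-pool ranges=192.168.92.10-192.168.92.254
add name=3-pool ranges=192.168.93.10-192.168.93.254
add name=4-pool ranges=192.168.94.10-192.168.94.254
add name=5-pool ranges=192.168.95.10-192.168.95.254
/ip dhcp-server
# Bind each DHCP server to the VLAN interface that carries the matching /24
# (the original bound them to per-port bridges that hold no IP address).
add address-pool=2-pool interface=vlanPORT2 name=2-dhcp
add address-pool=3-pool interface=vlanPORT3 name=3-dhcp
add address-pool=4-pool interface=vlanPORT4 name=4-dhcp
add address-pool=5-pool interface=vlanPORT5 name=5-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
# Separate FIB used only for the ether5 subnet (see /ip route and /routing rules).
add disabled=no fib name=WG
/interface bridge port
# Access ports: untagged frames get the pvid, tagged frames are rejected.
# frame-types is spelled as RouterOS expects (the original had a typo that fails to import).
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=2-LAN pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=3-LAN pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=4-LAN pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=5-LAN pvid=50
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
# The bridge itself is the tagged member so the vlanPORTx interfaces can reach each VLAN.
add bridge=bridge tagged=bridge untagged=2-LAN vlan-id=20
add bridge=bridge tagged=bridge untagged=3-LAN vlan-id=30
add bridge=bridge tagged=bridge untagged=4-LAN vlan-id=40
add bridge=bridge tagged=bridge untagged=5-LAN vlan-id=50
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=1-WAN list=WAN
# The tunnel is treated as WAN so masquerade and the "internet traffic" forward rule cover it.
add interface=proton-DE-009 list=WAN
add interface=vlanPORT2 list=LAN
add interface=vlanPORT3 list=LAN
add interface=vlanPORT4 list=LAN
add interface=vlanPORT5 list=LAN
# Assumes ether2 (VLAN 20) is your home port with trusted users; TRUSTED gets
# neighbor discovery and mac-winbox access below.
add interface=vlanPORT2 list=TRUSTED
/interface wireguard peers
# endpoint-address and public-key are placeholders: copy them from the Proton config file.
add allowed-address=0.0.0.0/0 comment="proton DE 009" endpoint-address=\
    ppp.ppp.ppp.ppp endpoint-port=51280 interface=proton-DE-009 name=\
    proton-DE-009 persistent-keepalive=25s public-key="xxxx"
/ip address
add address=192.168.92.1/24 interface=vlanPORT2 network=192.168.92.0
add address=192.168.93.1/24 interface=vlanPORT3 network=192.168.93.0
add address=192.168.94.1/24 interface=vlanPORT4 network=192.168.94.0
add address=192.168.95.1/24 interface=vlanPORT5 network=192.168.95.0
# Tunnel address from the Proton config. The connected route this creates goes
# into the main table, not into WG.
add address=10.2.0.2/24 interface=proton-DE-009 network=10.2.0.0
/ip dhcp-client
add interface=1-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.92.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.92.1
add address=192.168.93.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.93.1
add address=192.168.94.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.94.1
# Port 5 clients are handed the Proton resolver so their DNS travels inside the
# tunnel; use the DNS address Proton supplies if it differs from 10.2.0.1.
add address=192.168.95.0/24 dns-server=10.2.0.1 gateway=192.168.95.1
/ip dns
# The router resolves for LAN clients; the input chain below limits who may ask it.
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not arriving on a LAN interface is dropped (WAN and tunnel included;
# the router initiates the WireGuard session, so no inbound listen-port rule is needed).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# LAN -> WAN covers both the real WAN and the tunnel (both are in list WAN).
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# Source subnet corrected to the VLAN 20 subnet (the original 192.168.192.0/24 is not used anywhere).
add action=accept chain=forward comment="trusted to LAN" in-interface=vlanPORT2 out-interface-list=LAN src-address=192.168.92.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# Clamp TCP MSS on the tunnel (mtu=1420) to avoid MTU/fragmentation black holes.
add action=change-mss chain=forward new-mss=1380 out-interface=proton-DE-009 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Force all DNS from port 5 clients to the Proton resolver. dst-nat rewrites the
# destination with to-addresses; the original used dst-address, which is only a
# match condition and would have left hard-coded client resolvers untouched.
# Replace 10.2.0.1 with the Proton-supplied DNS address if one is given.
add action=dst-nat chain=dstnat comment="port5 DNS to proton" dst-port=53 protocol=udp src-address=192.168.95.0/24 to-addresses=10.2.0.1
add action=dst-nat chain=dstnat comment="port5 DNS to proton" dst-port=53 protocol=tcp src-address=192.168.95.0/24 to-addresses=10.2.0.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspo
/ip route
# Table WG needs its own default route: the connected 10.2.0.0/24 route lives in
# main, and lookup-only-in-table WG below never falls back to main.
add dst-address=0.0.0.0/0 gateway=proton-DE-009 routing-table=WG
# Only if Proton supplies a DNS address outside 10.2.0.0/24 (placeholder, replace or drop).
add dst-address=proton-supplied-dns-address gateway=proton-DE-009 routing-table=main
/routing rules
# NOTE(review): intent is to keep LAN-to-LAN traffic on main for every subnet;
# this relies on min-prefix=0 not matching the /0 default route — confirm on your ROS version.
add action=lookup-only-in-table min-prefix=0 table=main
# Only the ether5 subnet is steered into the tunnel. The original matched
# 192.168.195.0/24 (a typo), so port 5 traffic would have gone out the plain WAN.
add action=lookup-only-in-table src-address=192.168.95.0/24 table=WG
/ip service
# winbox and www-ssl remain enabled; consider restricting them with address= to the trusted subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system identity
set name=xxxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED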
........
For S&G: the same, with no VLANs and no bridge
........
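# No bridge, no VLANs: each LAN port is its own routed /24, and only ether5 is
# steered into the Proton WireGuard tunnel through the WG routing table.
# Lines starting with '#' are comments; a trailing '\' continues a command.
/interface ethernet
set [ find default-name=ether1 ] name=1-WAN
set [ find default-name=ether2 ] name=2-LAN
set [ find default-name=ether3 ] name=3-LAN
set [ find default-name=ether4 ] name=4-LAN
set [ find default-name=ether5 ] name=5-LAN
/interface wireguard
# Created disabled; enable it once the peer below has the real endpoint and public key.
add disabled=yes listen-port=13231 mtu=1420 name=proton-DE-009
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=2-pool ranges=192.168.92.10-192.168.92.254
add name=3-pool ranges=192.168.93.10-192.168.93.254
add name=4-pool ranges=192.168.94.10-192.168.94.254
add name=5-pool ranges=192.168.95.10-192.168.95.254
/ip dhcp-server
# Bind each DHCP server to the ethernet port that carries the matching /24
# (the original referenced 2-bridge .. 5-bridge, which do not exist in this variant).
add address-pool=2-pool interface=2-LAN name=2-dhcp
add address-pool=3-pool interface=3-LAN name=3-dhcp
add address-pool=4-pool interface=4-LAN name=4-dhcp
add address-pool=5-pool interface=5-LAN name=5-dhcp
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing table
# Separate FIB used only for the ether5 subnet (see /ip route and /routing rules).
add disabled=no fib name=WG
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface detect-internet
set detect-interface-list=NONE
/interface list member
add interface=1-WAN list=WAN
# The tunnel is treated as WAN so masquerade and the "internet traffic" forward rule cover it.
add interface=proton-DE-009 list=WAN
add interface=2-LAN list=LAN
add interface=3-LAN list=LAN
add interface=4-LAN list=LAN
add interface=5-LAN list=LAN
# Assumes ether2 is your home port with trusted users; TRUSTED gets neighbor
# discovery and mac-winbox access below.
add interface=2-LAN list=TRUSTED
/interface wireguard peers
# endpoint-address and public-key are placeholders: copy them from the Proton config file.
add allowed-address=0.0.0.0/0 comment="proton DE 009" endpoint-address=\
    ppp.ppp.ppp.ppp endpoint-port=51280 interface=proton-DE-009 name=\
    proton-DE-009 persistent-keepalive=25s public-key="xxxx"
/ip address
add address=192.168.92.1/24 interface=2-LAN network=192.168.92.0
add address=192.168.93.1/24 interface=3-LAN network=192.168.93.0
add address=192.168.94.1/24 interface=4-LAN network=192.168.94.0
add address=192.168.95.1/24 interface=5-LAN network=192.168.95.0
# Tunnel address from the Proton config. The connected route this creates goes
# into the main table, not into WG.
add address=10.2.0.2/24 interface=proton-DE-009 network=10.2.0.0
/ip dhcp-client
add interface=1-WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.92.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.92.1
add address=192.168.93.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.93.1
add address=192.168.94.0/24 dns-server=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4 \
    gateway=192.168.94.1
# Port 5 clients are handed the Proton resolver so their DNS travels inside the
# tunnel; use the DNS address Proton supplies if it differs from 10.2.0.1.
add address=192.168.95.0/24 dns-server=10.2.0.1 gateway=192.168.95.1
/ip dns
# The router resolves for LAN clients; the input chain below limits who may ask it.
set allow-remote-requests=yes servers=\
    1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not arriving on a LAN interface is dropped (WAN and tunnel included;
# the router initiates the WireGuard session, so no inbound listen-port rule is needed).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# LAN -> WAN covers both the real WAN and the tunnel (both are in list WAN).
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# Source subnet corrected to the ether2 subnet (the original 192.168.192.0/24 is not used anywhere).
add action=accept chain=forward comment="trusted to LAN" in-interface=2-LAN out-interface-list=LAN src-address=192.168.92.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
# Clamp TCP MSS on the tunnel (mtu=1420) to avoid MTU/fragmentation black holes.
add action=change-mss chain=forward new-mss=1380 out-interface=proton-DE-009 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Force all DNS from port 5 clients to the Proton resolver. dst-nat rewrites the
# destination with to-addresses; the original used dst-address, which is only a
# match condition and would have left hard-coded client resolvers untouched.
# Replace 10.2.0.1 with the Proton-supplied DNS address if one is given.
add action=dst-nat chain=dstnat comment="port5 DNS to proton" dst-port=53 protocol=udp src-address=192.168.95.0/24 to-addresses=10.2.0.1
add action=dst-nat chain=dstnat comment="port5 DNS to proton" dst-port=53 protocol=tcp src-address=192.168.95.0/24 to-addresses=10.2.0.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspo
/ip route
# Table WG needs its own default route: the connected 10.2.0.0/24 route lives in
# main, and lookup-only-in-table WG below never falls back to main.
add dst-address=0.0.0.0/0 gateway=proton-DE-009 routing-table=WG
# Only if Proton supplies a DNS address outside 10.2.0.0/24 (placeholder, replace or drop).
add dst-address=proton-supplied-dns-address gateway=proton-DE-009 routing-table=main
/routing rules
# NOTE(review): intent is to keep LAN-to-LAN traffic on main for every subnet;
# this relies on min-prefix=0 not matching the /0 default route — confirm on your ROS version.
add action=lookup-only-in-table min-prefix=0 table=main
# Only the ether5 subnet is steered into the tunnel. The original matched
# 192.168.195.0/24 (a typo), so port 5 traffic would have gone out the plain WAN.
add action=lookup-only-in-table src-address=192.168.95.0/24 table=WG
/ip service
# winbox and www-ssl remain enabled; consider restricting them with address= to the trusted subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/system identity
set name=xxxxxxx
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED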