Not clear — it sounds like only one subnet is going through WireGuard?
Do you have control over the other end??
We need the config!!
One subnet is going over WireGuard, 192.168.99.0/24, and it's the main one I am using for my home network.
I do have control over the other end; it's an RB4011.
Config:
# 2024-10-28 17:42:50 by RouterOS 7.16.1
# software id = Redacted
#
# model = RB5009UG+S+
# serial number = (SerNum)
#
# Review notes (added): values in parentheses are redactions from the paste.
# This is a plain /export, so anything still at its default (e.g. the www/ssh/
# winbox services, the OVPN server on/off state) does not appear here.
/interface bridge
# br-EOIP and br-OVPN are disabled. "bridge" (defconf) carries 192.168.98.0/24;
# br_PBR carries 192.168.99.0/24, the subnet that is policy-routed into wg1.
add disabled=yes name=br-EOIP
add disabled=yes name=br-OVPN
add name=br-VPN
add name=br_PBR port-cost-mode=short
add admin-mac=(MacAddress) auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface ethernet
# ether1 is WAN1, ether8 WAN2 (both in the WAN interface list below);
# ether3/ether4 land on br_PBR, ether5/ether6 on br-VPN (see bridge ports).
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-WG-LAN
set [ find default-name=ether4 ] name=ether4-VOIP
set [ find default-name=ether5 ] name="ether5-IPTV STB"
set [ find default-name=ether6 ] name=ether6-IPTV2
set [ find default-name=ether8 ] comment=WAN2
/interface l2tp-client
# Client-side L2TP with IPsec; the IPsec secret is not shown in this export.
add connect-to=(VPN IP) disabled=no name=l2tp-out1 use-ipsec=\
yes user=l2tp
/interface eoip
# Disabled EoIP (GRE) tunnel to 192.168.50.1 — the far side of the wg1 /24.
add disabled=yes mac-address=(MacAddress) name=eoip-tunnel1 \
remote-address=192.168.50.1 tunnel-id=1
/interface wireguard
# wg1 is the live tunnel (listen-port 13231, MTU 1412 — the MSS clamp in
# mangle is derived from it). "Name" is a second, disabled WireGuard interface.
add disabled=yes listen-port=13232 mtu=1420 name=Name
add listen-port=13231 mtu=1412 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-DOMA-1f2e3a6c rrm=yes \
wnm=yes
/interface wifi configuration
# Mixed WPA2-PSK/WPA3-PSK with 802.11r fast transition; the passphrase is not
# part of the export.
add country="North Macedonia" disabled=no mode=ap name=cfg1 \
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp \
.ft=yes .ft-over-ds=yes ssid=DOMA steering=steering1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# 192.168.98.x serves the defconf LAN ("bridge"); 192.168.99.x serves br_PBR.
add name=dhcp ranges=192.168.98.10-192.168.98.254
add name=dhcp_pool2 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=br_PBR lease-time=10m name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
# *FFFFFFFE looks like the built-in default-encryption profile; it is being
# bound to br-VPN here — confirm that is intended, since br-VPN also carries
# the IPTV ports.
add bridge=br-OVPN change-tcp-mss=yes name=OVPN use-ipv6=default
set *FFFFFFFE bridge=br-VPN use-encryption=default use-ipv6=default
/interface ovpn-client
# Disabled OVPN client (aes256-cbc, layer-2 mode, bridged via the OVPN profile).
add certificate=cert_export_client.crt_0 cipher=aes256-cbc connect-to=\
(VpnIP) disabled=yes mac-address=(MacAddress) mode=\
ethernet name=ovpn-out1 profile=OVPN user=ovpnclient
/queue simple
# Per-host cap for the ASUS router (192.168.99.155); the same host is exempted
# from the WireGuard policy routing by a routing rule further down.
add max-limit=3M/30M name="Asus Router" target=192.168.99.155/32
/queue type
add kind=fq-codel name=fq_qodel-default
add cake-autorate-ingress=yes kind=cake name=cake
/queue tree
# The whole tree is disabled, and the packet marks it references (VOIP, DNS,
# ACK, ...) are produced by mangle rules that are also disabled. The DOWN/UP
# parents hang off br_PBR; the cake queues on wg1 are disabled as well.
add bucket-size=0.01 disabled=yes max-limit=90M name=DOWN parent=br_PBR \
queue=default
add disabled=yes name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 \
queue=default
add disabled=yes name="2. MAXTV" packet-mark=MaxTV parent=br-VPN priority=2 \
queue=default
add disabled=yes name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=\
default
add disabled=yes name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=\
default
add disabled=yes name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=\
default
add disabled=yes name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 \
queue=default
add disabled=yes name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 \
queue=default
add disabled=yes name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN \
priority=6 queue=default
add disabled=yes name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 \
queue=default
add disabled=yes name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 disabled=yes max-limit=15M name=UP parent=br_PBR queue=\
default
add disabled=yes name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=\
default
add disabled=yes name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=\
default
add disabled=yes name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=\
default
add disabled=yes name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=\
default
add disabled=yes name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=\
default
add disabled=yes name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=\
default
add disabled=yes name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=\
6 queue=default
add disabled=yes name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=\
default
add disabled=yes name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
add disabled=yes max-limit=15M name=cake-queue-upload parent=wg1 queue=cake
add disabled=yes name=cake-queue-download parent=wg1 queue=cake
/routing bgp template
# The BGP template and the OSPF instance are enabled although no BGP
# connection or OSPF interface appears in this export — presumably leftovers.
# Disabling routing protocols that are not in use shrinks the router's
# exposed surface.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
# "wg" is the policy-routing table that 192.168.99.0/24 traffic is sent to.
add disabled=no fib name=wg
/zerotier
# disabled=yes appears twice on this line (harmless duplicate in the paste).
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
disabled=yes disabled=yes name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=yes instance=\
zt1 name=zerotier1 network=(NetworkID)
/interface bridge port
# ether3/ether4 are on br_PBR (the WireGuard-routed LAN), ether5/ether6 (IPTV)
# on br-VPN, ether1-WAN is a disabled port of "bridge". eoip-tunnel1 is listed
# as a port of two bridges (br-OVPN, disabled, and br-EOIP) — worth cleaning
# up even though both bridges are disabled.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-LAN \
internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=\
ether3-WG-LAN internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether4-VOIP \
internal-path-cost=10 path-cost=10
add bridge=br-VPN comment=defconf ingress-filtering=no interface=\
"ether5-IPTV STB" internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1-WAN \
internal-path-cost=10 path-cost=10
add bridge=br-OVPN disabled=yes interface=eoip-tunnel1
add bridge=br-VPN interface=ether6-IPTV2
add bridge=br-EOIP interface=eoip-tunnel1
/ip firewall connection tracking
set udp-timeout=1m
/ip neighbor discovery-settings
# Neighbor discovery on "all" includes ether1-WAN and ether8, so the router
# announces itself (MNDP/LLDP/CDP) toward both ISPs; defconf limits this to LAN.
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
# wg1 is a member of LAN. The input-chain rule "drop all not coming from LAN"
# therefore does not apply to traffic arriving through the tunnel, and since
# peer8 allows 0.0.0.0/0 the far end can send any source address at the
# router's services. br-VPN is in neither list (see the forward-chain notes).
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wg1 list=LAN
add comment=defconf interface=br_PBR list=LAN
add comment=defconf interface=ether8 list=WAN
/interface ovpn-server server
# md5 is accepted as an OVPN auth digest. Whether the server is enabled is not
# visible in this export; if it is, drop md5.
set auth=sha1,md5
/interface wifi capsman
# CAPs are accepted without certificate verification (require-peer-certificate=no);
# fine on a trusted wired LAN, not if CAP traffic can cross an untrusted segment.
set enabled=yes package-path=/ require-peer-certificate=no upgrade-policy=\
none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1
/interface wireguard peers
# peer8 (active): allowed-address 0.0.0.0/0 already covers everything, so the
# extra /24s are redundant. "AllowedAddresses" looks like a redaction token
# left inside the quoted list — confirm it is not literal in the running
# config. endpoint-port 13231 matches wg1's own listen-port.
add allowed-address="0.0.0.0/0,192.168.50.0/24,192.168.88.0/24,AllowedAddresses" endpoint-address=\
(VpnIP) endpoint-port=13231 interface=wg1 name=peer8 \
persistent-keepalive=25s public-key=\
"PublicKey"
# peer12 (disabled, on the disabled "Name" interface): the placeholder labels
# look swapped (private-key="PublicKey", public-key="PrivateKey") — presumably
# just the redaction. persistent-keepalive=1s is unusually aggressive.
add allowed-address=192.168.60.0/24 disabled=yes endpoint-address=\
(RedactedIP) endpoint-port=13232 interface=Name name=peer12 \
persistent-keepalive=1s private-key=\
"PublicKey" public-key=\
"PrivateKey"
/ip address
# 192.168.50.2/24 is this end of wg1; the far end (192.168.50.1) is also the
# DNS forwarder and the EoIP remote. 10.0.0.2/24 on ether1-WAN is disabled —
# both WAN ports get their addresses from DHCP (see dhcp-client).
add address=192.168.98.1/24 comment=defconf interface=bridge network=\
192.168.98.0
add address=10.0.0.2/24 disabled=yes interface=ether1-WAN network=10.0.0.0
add address=192.168.50.2/24 interface=wg1 network=192.168.50.0
add address=192.168.99.1/24 interface=br_PBR network=192.168.99.0
add address=192.168.60.2/24 interface=Name network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# add-default-route=no on both WANs: the default routes are the recursive
# static routes in /ip route instead. br-VPN also takes a DHCP address (the
# ISP-side IPTV segment).
add add-default-route=no interface=ether1-WAN use-peer-dns=no
add add-default-route=no interface=br-VPN
add add-default-route=no interface=ether8 use-peer-dns=no
/ip dhcp-server lease
# Static leases on the br_PBR LAN. The ASUS router (.155) and the hosts with
# "bypass WG" routing rules (.183, .190, .91, .35, .23) are pinned here.
add address=192.168.99.7 client-id=(Mac) comment=\
"Grandstream HT801" mac-address=(Mac) server=dhcp2
add address=192.168.99.183 client-id=(Mac) comment=\
"Alienware PC" mac-address=(Mac) server=dhcp2
add address=192.168.99.151 client-id=(Mac) mac-address=\
(Mac) server=dhcp2
add address=192.168.99.155 client-id=(Mac) comment=\
"ASUS Router" mac-address=(Mac) server=dhcp2
add address=192.168.99.190 client-id=(Mac) comment=\
"AVM Fritz Powerline 1260" mac-address=(Mac) server=dhcp2
add address=192.168.99.91 client-id=(Mac) comment=PS5 \
mac-address=(Mac) server=dhcp2
add address=192.168.99.21 client-id=1(Mac) comment=\
MAXTV-Android-Box mac-address=(Mac) server=dhcp2
add address=192.168.99.14 client-id=(Mac) comment=SONY-TV-77 \
mac-address=(Mac) server=dhcp2
add address=192.168.99.169 mac-address=(Mac) server=dhcp2
add address=192.168.99.35 comment="Motorola Nettvplus" mac-address=\
(Mac) server=dhcp2
add address=192.168.99.23 client-id=(Mac) mac-address=\
(Mac) server=dhcp2
/ip dhcp-server network
# Both LANs are handed the router as their only DNS server.
add address=192.168.98.0/24 comment=defconf dns-server=192.168.98.1 gateway=\
192.168.98.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
# All DNS is forwarded to 192.168.50.1 across wg1, so name resolution for
# both LANs — including the non-tunneled 192.168.98.0/24 — depends on the
# tunnel being up; consider a fallback server. allow-remote-requests=yes
# exposes the resolver to everything the input chain accepts: the LAN list
# (which includes wg1) and the Trusted address-list from WAN.
set allow-remote-requests=yes servers=192.168.50.1
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan type=A
add address=192.168.50.1 name=mk.wg type=A
/ip firewall address-list
# "Trusted" is accepted on input from any interface by the filter rules; it
# holds the two tunnel /24s and the peer's public IP. "local" is not
# referenced by any rule in this export.
add address=192.168.98.0/24 list=local
add address=192.168.50.0/24 list=Trusted
add address=(VpnIP) list=Trusted
add address=192.168.60.0/24 list=Trusted
/ip firewall filter
# Rule order matters; each note refers to the rule(s) directly below it.
# fasttrack is disabled — expected, since it would bypass the mangle MSS
# clamp and the policy routing.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=drop chain=output comment="TEST WAN1 Failover to WAN2" disabled=\
yes dst-address=8.8.8.8
add action=accept chain=forward connection-state=established,related
# Winbox from WAN is limited to the Trusted list — but the rule after it
# accepts *everything* on input from Trusted, on any interface and port, which
# subsumes this one. If only Winbox should be reachable from the peer's public
# IP, remove that second rule or restrict it to the services actually needed.
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
tcp src-address-list=Trusted
add action=accept chain=input src-address-list=Trusted
# zerotier1 is disabled. If it is ever enabled, these two rules accept all
# traffic from it on forward and input with no further filtering.
# zerotier1 not ready
# zerotier1 not ready
add action=accept chain=forward in-interface=zerotier1
# zerotier1 not ready
# zerotier1 not ready
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The comments say IGMP but the match is protocol=udp: this accepts all UDP
# from br-VPN to the router, and all UDP forwarded from br-VPN into the LANs.
# br-VPN is the DHCP-addressed ISP-side IPTV segment. IGMP itself would be
# protocol=igmp; if UDP is meant for the multicast streams, narrow it
# (e.g. dst-address=224.0.0.0/4) — confirm the intent.
add action=accept chain=input comment="Accept IGMP" in-interface=br-VPN \
protocol=udp
add action=accept chain=forward comment="Forward IGMP" in-interface=br-VPN \
protocol=udp
# GRE is accepted on input from every interface, WAN included, while the only
# GRE user in this export (eoip-tunnel1 to 192.168.50.1) is disabled.
# Restrict to src-address=192.168.50.1 / in-interface=wg1, or disable it.
add action=accept chain=input comment="Accept GRE" protocol=gre
# ESP/AH from WAN are accepted with no source restriction, and the IKE /
# NAT-T rules match protocol=tcp — IKE and NAT-T use UDP 500/4500, so the two
# port rules match nothing useful. This router is an L2TP/IPsec *client*
# (l2tp-out1); unless it also terminates IPsec, all four rules can go.
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input dst-port=500 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=\
tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# LAN = bridge, br_PBR and wg1, so input from the tunnel is fully accepted by
# this rule. br-VPN is not in LAN and is dropped here except for the ICMP/UDP
# accepts above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# br-VPN is in neither WAN nor LAN. This last rule only covers
# in-interface-list=WAN and the chain's implicit default is accept, so new
# connections from br-VPN into the LANs are forwarded. Add br-VPN to the WAN
# list (or a matching drop) unless that is intended.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# Only "WG Required Rule 1/2" is enabled: it clamps TCP MSS to 1372 on
# traffic leaving via wg1, consistent with wg1's MTU of 1412 (1412 - 40).
# Everything else — the routing-mark for br-VPN, the alternative MSS clamps,
# and the MaxTV/DNS/VOIP/QUIC/UDP/ICMP/ACK/HTTP/OTHER marks that feed the
# disabled queue tree — is disabled.
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=\
wg1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-routing chain=prerouting disabled=yes in-interface=br-VPN \
log=yes new-routing-mark=wg passthrough=yes
add action=change-mss chain=forward comment="WG Required Rule (First One)" \
disabled=yes new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=\
syn
# The one active mangle rule.
add action=change-mss chain=forward comment="WG Required Rule 1/2" new-mss=\
1372 out-interface=wg1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=\
1373-65535
add action=change-mss chain=forward comment="WG Required Rule 2/2" disabled=\
yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Change MSS on L2TP bridge" \
disabled=yes new-mss=clamp-to-pmtu out-interface=br-VPN passthrough=yes \
protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=mark-connection chain=prerouting comment=MaxTV disabled=yes \
in-interface=br-VPN new-connection-mark=MaxTV passthrough=yes
add action=mark-packet chain=prerouting connection-mark=MaxTV disabled=yes \
new-packet-mark=MaxTV passthrough=no
add action=mark-connection chain=prerouting comment=DNS connection-state=new \
disabled=yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS disabled=yes \
new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new disabled=\
yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS disabled=yes \
new-packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment=VOIP disabled=yes \
new-connection-mark=VOIP passthrough=yes port=5060-5062,8560,10000-10050 \
protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP disabled=yes \
new-packet-mark=VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new \
disabled=yes new-connection-mark=QUIC passthrough=yes port=80,443 \
protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC disabled=yes \
new-packet-mark=QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new \
disabled=yes new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP disabled=yes \
new-packet-mark=UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new \
disabled=yes new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP disabled=yes \
new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new disabled=\
yes new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP disabled=yes \
new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK disabled=yes \
new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp \
tcp-flags=ack
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=ACK \
packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
no-mark connection-state=new disabled=yes new-connection-mark=HTTP \
passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
connection-mark=HTTP connection-rate=2M-100M disabled=yes \
new-connection-mark=HTTP_BIG passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG disabled=yes \
new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP disabled=yes \
new-packet-mark=HTTP passthrough=no
# Labelled OTHER but marks connections as POP3 (ports 995/465/587) and then
# packets as OTHER — naming mismatch only, both rules are disabled.
add action=mark-connection chain=prerouting comment=OTHER connection-state=\
new disabled=yes new-connection-mark=POP3 passthrough=yes port=\
995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 disabled=yes \
new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER disabled=yes \
new-packet-mark=OTHER passthrough=no
/ip firewall nat
# masquerade on wg1 is DISABLED: 192.168.99.0/24 sources enter the tunnel
# unchanged, so the RB4011 at the far end must (a) have 192.168.99.0/24 in
# its peer's allowed-address and (b) route that subnet back over its tunnel,
# otherwise replies never return. Temporarily enabling the wg1 masquerade is
# a quick way to tell a return-routing problem from a tunnel problem.
# The lo and br_PBR masquerades are disabled leftovers.
add action=masquerade chain=srcnat disabled=yes out-interface=lo
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=br_PBR
add action=masquerade chain=srcnat disabled=yes out-interface=wg1
/ip firewall raw
# Disabled test rule (192.168.120.0/24 does not exist on this router).
add action=drop chain=output disabled=yes dst-address=8.8.4.4 src-address=\
192.168.120.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# 192.168.88.0/24 — presumably the LAN behind the RB4011 — is reached via wg1
# from the main table.
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wg1 \
routing-table=main scope=10 suppress-hw-offload=no
# Table "wg" holds only a default route via wg1. Anything the routing rules
# send here that an earlier rule did not catch (e.g. 192.168.99.x ->
# 192.168.98.x) therefore goes into the tunnel as well.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" \
routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
# Recursive failover: host routes to 192.5.5.241 / 8.8.4.4 via 192.168.1.1 and
# 192.168.188.1 (presumably the DHCP-learned WAN1/WAN2 gateways — neither is
# configured on this router), then default routes that resolve through those
# hosts with check-gateway=ping, distance 3 (WAN1) and 4 (WAN2).
add disabled=no distance=1 dst-address=192.5.5.241/32 gateway=192.168.1.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.188.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=31
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
192.5.5.241 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
no target-scope=32
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=32
/ip service
# telnet/ftp/api/api-ssl are off; www, ssh and winbox keep their defaults and
# so are not listed. They are reachable from the LAN list (which includes
# wg1) and from the Trusted address-list on WAN — consider setting address=
# on the remaining services.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
# Default share points at /pub; whether SMB itself is enabled is not in the export.
set [ find default=yes ] directory=/pub
/ip upnp
# UPnP is enabled but no /ip upnp interfaces entry is exported, so which
# interfaces count as internal/external is not visible. UPnP lets any LAN host
# open inbound WAN ports; disable it unless something (PS5, VoIP) needs it.
set enabled=yes
/mpls ldp
# LDP is enabled with lsr-id 192.168.12.2 — an address not configured on this
# router — and bound to the IPTV port and loopback. Together with BFD on all
# interfaces and the enabled OSPF/BGP bits above this looks like leftover
# experimentation; disable what is not in use.
add disabled=no lsr-id=192.168.12.2 transport-addresses=192.168.12.2
/mpls ldp interface
add disabled=no interface="ether5-IPTV STB"
add disabled=no interface=lo
/ppp profile
# bridge=*E looks like an unresolved object reference (the bridge it pointed
# at is gone) — stale profile.
add bridge=*E name=SITE-TO-SITE-L2VPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
# Both proxy interfaces are disabled (upstream would be wg1).
add alternative-subnets="(RedactedIPs)" disabled=yes \
interface=wg1 upstream=yes
add disabled=yes interface="ether5-IPTV STB"
/routing rule
# Rules are evaluated top-down. The enabled ones: .155 -> main (bypass);
# 192.168.99.0/24 -> 192.168.99.0/24 -> main (local traffic); then ALL of
# 192.168.99.0/24 -> lookup-only-in-table wg. Because that third rule is
# lookup-only and matches the whole subnet, the per-host bypass rules placed
# *after* it (.190, .91, .35, .23) can never take effect even when enabled
# while the wg default route is active — move them above it, as the .183 and
# .155 rules already are. Traffic from the 99 LAN to 192.168.98.0/24 also
# ends up in table wg (default route via wg1); add a dst-address=
# 192.168.98.0/24 table=main rule if the two LANs are meant to talk.
add action=lookup-only-in-table disabled=yes src-address=192.168.99.101/32 \
table=main
add action=lookup comment="Alienware PC VPN Routing (Enable to bypass WG)" \
disabled=yes src-address=192.168.99.183/32 table=main
add action=lookup comment="ASUS Router" disabled=no src-address=\
192.168.99.155/32 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.99.0/24 \
src-address=192.168.99.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.99.0/24 \
table=wg
add action=lookup comment=\
"AVM Fritz Powerline 1260 - Enable to bypass WG VPN" disabled=yes \
src-address=192.168.99.190/32 table=main
add action=lookup comment="PS5 (Enable to bypass MK WG)" disabled=yes \
src-address=192.168.99.91/32 table=main
add action=lookup comment="NettvPlus Motorola (Enable to bypass MK WG)" \
disabled=yes src-address=192.168.99.35/32 table=main
add action=lookup comment="Macbook Pro" disabled=yes src-address=\
192.168.99.23/32 table=main
/system clock
set time-zone-autodetect=no time-zone-name=Redacted
/system identity
set name=RB5009
/system note
set show-at-login=no
/system script
# Both scripts only run /tool fetch toward the Telegram API (bot token
# redacted in the paste; the "\t" in the URL is presumably a redaction
# artifact), yet they run with dont-require-permissions=yes and a policy that
# includes password, policy, sensitive and romon. Trim the policy to what
# fetch actually needs (verify the minimal set on 7.16) so a mistaken or
# tampered script cannot change credentials.
add dont-require-permissions=yes name=UP owner=(Name) policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
tool fetch url=\"https://api.telegram.org/bot\text=WAN1 is UP\""
add dont-require-permissions=yes name=DOWN owner=(Name) policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
delay 20s;\r\
\n/tool fetch url=\"https://api.telegram.org/text=WAN1 is DOWN\""
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
# MAC-telnet / MAC-Winbox are allowed on the LAN list, which includes wg1, so
# they are reachable from the far side of the tunnel too.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/system/script/run DOWN;" host=192.5.5.241 \
http-codes="" interval=1m packet-count=10 packet-interval=1s start-delay=\
3s startup-delay=2m test-script="" thr-avg=200ms timeout=3s type=icmp \
up-s