BrianWxm
just joined
Topic Author
Posts: 8
Joined: Fri Mar 07, 2025 4:34 pm

Wireguard Client to remote Ubuntu Wireguard

Mon Mar 24, 2025 2:47 pm

Hi
I'm using my hEX S router to access the internet via PPPoE, and I also want it to connect to a remote site running Ubuntu Server with WireGuard.
The WireGuard client works: from the RouterOS terminal I can ping the remote hosts over WireGuard (e.g. 10.128.1.1).
However, from my PC (192.168.1.202) I can access the internet as expected but cannot reach the remote systems (10.128.1.1) over WireGuard.
Is anyone able to offer advice please?
Thanks
Here is my current config

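# 2025-03-24 11:16:13 by RouterOS 7.18.2
# software id = LHJH-UTR9
#
# model = RB760iGS
/interface bridge
add admin-mac=F4:1E:57:AB:9A:AA auto-mac=no ingress-filtering=no name=bridge \
port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=sfp1 ] advertise="10M-baseT-half,10M-baseT-full,100M-b\
aseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full"
/interface wireguard
add listen-port=1719 mtu=1420 name=WG_Interface
/interface vlan
add interface=bridge name=Guest_080 vlan-id=80
add interface=bridge name=IoT_020 vlan-id=20
add interface=bridge name=VOIP_050 vlan-id=50
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether5 name=zen use-peer-dns=\
yes user=zen*****@zen
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.1.50-192.168.1.69
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool4 ranges=10.1.80.2-10.1.80.254
add name=dhcp_pool5 ranges=172.16.0.2-172.16.0.14
/ip dhcp-server
add address-pool=dhcp_pool2 interface=bridge lease-time=10m name=dhcp2
add address-pool=dhcp_pool3 interface=IoT_020 lease-time=10m name=dhcp3
add address-pool=dhcp_pool4 interface=Guest_080 lease-time=10m name=dhcp4
add address-pool=dhcp_pool5 interface=VOIP_050 lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add name=Draytek use-compression=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2 internal-path-cost=10 \
path-cost=10
add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 \
path-cost=10
add bridge=bridge ingress-filtering=no interface=ether4 internal-path-cost=10 \
path-cost=10
add bridge=bridge ingress-filtering=no interface=sfp1 internal-path-cost=10 \
path-cost=10
add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 \
path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=20
add bridge=bridge tagged=ether1,bridge vlan-ids=50
add bridge=bridge tagged=ether1,bridge vlan-ids=80
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=zen list=WAN
# NOTE(review): with WG_Interface in LAN, the input-chain rule "drop all not
# coming from LAN" below lets the remote peer reach the router's own services
# (DNS with allow-remote-requests=yes, mac-server/winbox, etc.), and the forward
# chain has no rule for new connections arriving on WG_Interface. Only keep this
# membership if the remote site is fully trusted; otherwise leave it out of LAN
# and add explicit accept rules for the tunnel.
add interface=WG_Interface list=LAN
/interface ovpn-server server
# NOTE(review): auth=sha1,md5 — this instance does not show enabled=yes in this
# export; confirm it is disabled, and remove md5 before ever enabling it.
add auth=sha1,md5 mac-address=FE:5C:B1:FF:90:7F name=ovpn-server1
/interface wireguard peers
# allowed-address=0.0.0.0/0 accepts any source address arriving from this peer
# and allows any destination to be sent to it; what is actually sent into the
# tunnel is limited by the static route for 10.128.1.0/24 under /ip route.
add allowed-address=0.0.0.0/0 endpoint-address=ZZ.ZZ.ZZ.ZZ endpoint-port=\
51820 interface=WG_Interface name=peer4 persistent-keepalive=30s \
public-key="ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.20.1/24 interface=IoT_020 network=192.168.20.0
add address=10.1.80.1/24 interface=Guest_080 network=10.1.80.0
add address=172.16.0.1/28 interface=VOIP_050 network=172.16.0.0
add address=10.8.0.4/24 interface=WG_Interface network=10.8.0.0
/ip dhcp-server network
add address=10.1.80.0/24 gateway=10.1.80.1
add address=172.16.0.0/28 gateway=172.16.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
# leftover default-config entry: no interface in this export carries 192.168.88.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
# leftover default-config entry (see the 192.168.88.0/24 note above)
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# Local-Networks feeds the "Drop VLAN Routing" rule; every local subnet must be
# listed here or that isolation rule silently misses it.
add address=10.1.80.0/24 list=Local-Networks
# FIX: was 176.16.0.0/28 (typo). The VOIP_050 subnet is 172.16.0.0/28, so the
# inter-VLAN drop rule was not being applied to VOIP traffic at all.
add address=172.16.0.0/28 list=Local-Networks
add address=192.168.1.0/24 list=Local-Networks
add address=192.168.20.0/24 list=Local-Networks
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# everything not in the LAN list (WAN only, as configured) is dropped here;
# WG_Interface is in LAN and therefore passes this rule
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# only WAN-originated new connections are dropped; new connections arriving on
# WG_Interface are not matched by this rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop VLAN Routing" dst-address-list=\
Local-Networks src-address-list=Local-Networks
# no final drop rule: anything not matched above (including LAN -> WG_Interface
# and WG_Interface -> any local subnet) is accepted by the default policy
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Wireguard disabled=yes \
src-address=10.8.0.0/24
/ip ipsec profile
# NOTE(review): default profile still offers modp1024 and 3des. Nothing in this
# export defines an IPsec peer or policy, but tighten these before adding one.
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m \
dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128,3des
/ip route
# only the remote 10.128.1.0/24 is sent into the tunnel; the default route stays on zen
add disabled=no distance=1 dst-address=10.128.1.0/24 gateway=WG_Interface \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/London
/system logging
add topics=ipsec
add topics=pptp
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN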
Last edited by BrianWxm on Wed Mar 26, 2025 2:54 pm, edited 1 time in total.
 
erlinden
Forum Guru
Forum Guru
Posts: 3015
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Wireguard Client to remote Ubuntu Wireguard

Mon Mar 24, 2025 3:16 pm

My best guess would be adding a firewall filter rule on the forward chain allowing traffic from 192.168.1.0/24 to 10.128.1.0/24.

As you are working with VLANs, I would suggest that you add a VLAN for HOME (or whatever you like to call it) and set the IP address on this VLAN interface (instead of on the bridge). As described here: viewtopic.php?t=143620
 
BrianWxm
just joined
Topic Author
Posts: 8
Joined: Fri Mar 07, 2025 4:34 pm

Re: Wireguard Client to remote Ubuntu Wireguard

Mon Mar 24, 2025 10:12 pm

Thanks.
I've added a forward rule and enabled logging for it. I can see a ping request being sent from a local PC to the remote WireGuard server, without success.
forward: in:bridge out:WG_Interface, connection-state:new src-mac 20:7b:d2:95:b4:d0, proto ICMP (type 8, code 0), 192.168.1.61->10.128.1.83, len 60

The Routing Table is as follows:
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAv 0.0.0.0/0 zen 1
DAc 10.1.80.0/24 Guest_080 0
DAc 10.8.0.0/24 WG_Interface 0
0 As 10.128.1.0/24 WG_Interface 1
DAc 192.168.1.0/24 bridge 0
DAc 192.168.20.0/24 IoT_020 0
DAc 172.16.0.0/28 VOIP_050 0
DAc 51.148.77.128/32 zen 0
[admin@MikroTik] /ip/route>

I'm going round in circles trying to figure out what I'm missing.
Thanks
 
anav
Forum Guru
Posts: 23405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Client to remote Ubuntu Wireguard

Wed Mar 26, 2025 6:13 pm

viewtopic.php?t=143620
The bridge should not normally do DHCP in a VLAN setup: simply create another VLAN and amend any associated config lines.

It is not clear yet which subnet or user(s) are supposed to go out via WireGuard.
I do see an attempt to source-NAT WireGuard traffic, but the rule is flawed in two respects:
a. it tries to use the rule for routing (not its purpose) by putting in a source address;
b. the source address is wrong, and should have been one of the subnets that needs to be source-NATed.

However, the rule is best in the form shown below.
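/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Match on the tunnel interface rather than a source address. Without
# out-interface this rule would also masquerade routed inter-VLAN traffic,
# hiding the real source host from the destination and from its logs.
add action=masquerade chain=srcnat comment=Wireguard out-interface=WG_Interface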


In this way, at the UBUNTU all traffic coming through the tunnel will be seen as coming from 10.8.0.4
Which makes life simpler all the way round.

This old rule should be removed
/ip dns static
# leftover default-config entry: the posted export assigns 192.168.88.1 to no interface
add address=192.168.88.1 comment=defconf name=router.lan type=A


Modify the unclear forward-chain firewall rules from:
# only drops new connections that arrive from the WAN list; everything else
# not matched earlier in the chain is still accepted by the default policy
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# isolation between subnets listed in Local-Networks (and only those)
add action=drop chain=forward comment="Drop VLAN Routing" dst-address-list=\
Local-Networks src-address-list=Local-Networks


TO:
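add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
# SOURCE??????? is a placeholder for the source match (which hosts/subnet may
# enter the tunnel); it is filled in as src-address-list=outWG further down the thread
add action=accept chain=forward comment="wg outgoing traffic" SOURCE??????? out-interface=WG_Interface
# disable or remove the next rule if no port forwarding (dst-nat) is required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# final drop: anything not explicitly accepted above (including new connections
# arriving on WG_Interface) is now rejected
add action=drop chain=forward comment="drop all else"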

If you need any intervlan traffic create an accept rule above the last rule.

Now I am assuming the route you have is for the subnet on the Ubuntu side; that seems fine, and coupled with the peer settings,
both internet and subnet access should be possible at least from the MT side of the house. The rest is up to the Ubuntu settings, which is your issue to deal with.

MISSING:
The main problem I have with the config, is that you do not tell the router, WHO should go into the tunnel. Therefore the firewall rule created is not complete.
Further, it WILL be necessary to detail routing information so that the router knows which users/subnet need to be captured/forced into the WG tunnel.

One has to be careful in that once we push a certain subnet or IP address into the tunnel, it will use that tunnel for internet as well, unless the WG tunnel is down.
So it's up to you to identify the number of users that will be using the tunnel, etc.
If you have WiFi it is easy to do with SSID and VLAN separation; for wired, it is probably best done with static DHCP leases.
 
BrianWxm
just joined
Topic Author
Posts: 8
Joined: Fri Mar 07, 2025 4:34 pm

Re: Wireguard Client to remote Ubuntu Wireguard

Wed Mar 26, 2025 10:23 pm

Thanks. I'll give it a go.
I'll look at creating a VLAN for the 192.168.1.0 network.

The intention is for only the 192.168.1.0 network to have access to the WireGuard link. The other VLANs will only be allowed internet access through the zen PPPoE connection.

The 192.168.1.0 network will primarily be wired, with occasional access via WiFi from my phone as required. There are only 2 PCs on the 192.168.1.0 network that need access to the WireGuard network. Both of these can be set up with static IP addresses.

Thanks
 
anav
Forum Guru
Posts: 23405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Client to remote Ubuntu Wireguard  [SOLVED]

Wed Mar 26, 2025 10:47 pm

Alright, so to be clear: it's not the entire subnet but only two IP addresses. This should work for you:

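/routing table
# separate FIB so only the selected hosts get the tunnel as their default route
add fib name=useWG


/ip route
add dst-address=0.0.0.0/0 gateway=WG_Interface routing-table=useWG


/routing rules
# permits any local traffic for the two users before being forced out the tunnel
# (fixed: the action is lookup-only-in-table; "lookup-only-in-bridge" is not a valid action)
add min-prefix=0 action=lookup-only-in-table table=main
# X and Y are placeholders for the two hosts; action=lookup (not
# lookup-only-in-table) lets them fall back to the main table if useWG has no usable route
add src-address=192.168.1.X action=lookup table=useWG
add src-address=192.168.1.Y action=lookup table=useWG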


A nuance to keep in mind: because we use action=lookup for the two users, if the WireGuard connection were lost, the router would be able to fall back to the main table and look for an available route, i.e. out the local WAN — theoretically, anyway. If you did not want that option, use action=lookup-only-in-table instead.

Now, if you did want that flexibility: the router normally has no idea whether the WireGuard tunnel is up or down, so for the above fallback to take effect we have to enter another route, if required.
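/ip route
# (fixed garbled "dst-address=add address=") host route to the far end of the
# tunnel; check-gateway=ping is intended to flag the route, and with it the
# tunnel, as unreachable when the peer stops answering
add check-gateway=ping dst-address=10.8.0.1/32 gateway=WG_Interface routing-table=main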



Further to complete the post I made above with firewall rules
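/ip firewall address-list
# X and Y are placeholders for the two hosts allowed into the tunnel
add address=192.168.1.X list=outWG
add address=192.168.1.Y list=outWG


/ip firewall filter
# ........ preceding rules of the chain (established/related accept, drop invalid, fasttrack) unchanged
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg outgoing traffic" src-address-list=outWG out-interface=WG_Interface
# disable or remove the next rule if no port forwarding (dst-nat) is required
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
# with this final drop, new connections arriving on WG_Interface are no longer
# accepted by default; add an explicit accept above it if the remote side must
# initiate connections to local hosts
add action=drop chain=forward comment="drop all else"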
 
BrianWxm
just joined
Topic Author
Posts: 8
Joined: Fri Mar 07, 2025 4:34 pm

Re: Wireguard Client to remote Ubuntu Wireguard

Fri Mar 28, 2025 6:59 pm

Finally got it working!
Thanks for the help and pointing me in the right direction.