Hi to all.
I'm a beginner and I'm asking for your help.
I have two LTE Mikrotik routers connected through Wireguard VPN.
At router R1, there is a PC connected to eth1 192.168.80.254 and another network to eth5. - 192.168.0.0/24 (192.168.0.15) to be more precise.
it looks like this :
# apr/22/2022 12:34:50 by RouterOS 7.2.1
# software id = AY67-J7WD
#
# model = D53G-5HacD2HnD
/interface bridge
add admin-mac=2C:C8:1B:B9:89:EF auto-mac=no comment=defconf name=bridge
add name=wien-netz
/interface lte
set [ find ] allow-roaming=no band="" name=lte1 nr-band=""
DISABLED
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 band=2ghz-b/g/n channel-width=\
20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-B989F4 wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=6 band=5ghz-a/n/ac \
channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-B989F5 \
wireless-protocol=802.11
/interface wireguard
add listen-port=51194 mtu=1420 name=WG-WIEN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=wien-netz interface=ether5
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
forward=no max-neighbor-entries=8192
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=default use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set keepalive-timeout=disabled
/interface wireguard peers
add allowed-address=172.16.5.0/24,192.168.85.0/24,192.168.80.0/24 comment=\
"Router Hollabrunn" interface=WG-WIEN public-key="xxxxxxxxx"
add allowed-address=172.16.5.10/32 comment="PC ARBEIT" interface=WG-WIEN \
public-key="xxxxxxxx"
add allowed-address=172.16.5.15/32 comment=Laptop interface=WG-WIEN \
public-key="xxxxxxxxxxxxxx"
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=192.168.80.0
add address=172.16.5.1/24 interface=WG-WIEN network=172.16.5.0
/ip cloud
set update-time=no
/ip dhcp-client
add add-default-route=no interface=wien-netz use-peer-dns=no
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.1,8.8.8.8 gateway=192.168.80.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.80.1 comment=defconf name=router.lan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet
add address=192.168.80.2-192.168.80.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=PPTP dst-port=1450 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=Wireguard dst-port=51194 protocol=udp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=accept chain=forward comment="Acces WIEN NETZ" in-interface=bridge out-interface=wien-netz
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state= established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat connection-state=new in-interface=lte1 log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=lte1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=wien-netz new-routing-mark=main passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Wireguard src-address=192.168.85.0/24
add action=masquerade chain=srcnat comment="Router WIEN" src-address=192.168.80.0/24
add action=masquerade chain=srcnat comment="WIREGUARD IPS" src-address=172.16.5.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route add disabled=no dst-address=192.168.85.0/24 gateway=WG-WIEN routing-table=main suppress-hw-offload=no
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
DAm 0.0.0.0/0 lte1 2
DAc 172.16.5.0/24 WG-WIEN 0
DAc 178.113.22.90/32 lte1 0
DAc 192.168.0.0/24 wien-netz 0
DAc 192.168.80.0/24 bridge 0
0 As 192.168.85.0/24 WG-WIEN 1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ipv6 nd
set [ find default=yes ] disabled=yes
/system logging
add topics=wireguard
add disabled=yes topics=route
add disabled=yes topics=debug
/system ntp client
set enabled=yes
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
add interval=5m name=xxx on-event=" /system script run xxx" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=feb/23/2022 start-time=19:26:16
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
add dont-require-permissions=no name=xxx owner=xxx policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global ddnsuser \"xxxxxxx\"\r\
\n:global ddnspass \"xxxxx\"\r\
\n:global theinterface \"lte1\"\r\
\n:global ddnshost \"xxxxxxxxx\"\r\
\n:global ipddns [:resolve \$ddnshost];\r\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinter\
face ] address ]\r\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
\n:log info (\"dynu: No ip address on \$theinterface .\")\r\
\n} else={\r\
\n:for i from=( [:len \$ipfresh] - 1) to=0 do={\r\
\n:if ( [:pick \$ipfresh \$i] = \"/\") do={\r\
\n:set ipfresh [:pick \$ipfresh 0 \$i];\r\
\n}\r\
\n}\r\
\n:if (\$ipddns != \$ipfresh) do={\r\
\n:log info (\"dynu: IP-dynu = \$ipddns\")\r\
\n:log info (\"dynu: IP-Fresh = \$ipfresh\")\r\
\n:log info \"dynu: Update IP needed, Sending UPDATE...!\"\r\
\n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$ipfresh\"\r\
\n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddnsuse\
r password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\r\
\n:delay 1\r\
\n:global str [/file find name=\"Dynu.\$ddnshost\"];\r\
\n/file remove \$str\r\
\n:global ipddns \$ipfresh\r\
\n:log info \"dynu: IP updated to \$ipfresh!\"\r\
\n} else={\r\
\n:log info \"dynu: dont need changes\";\r\
\n}\r\
\n}"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no