Mon Sep 26, 2022 9:56 am
During prerouting, the out-interface is not known yet. So your action=notrack rule in /ip firewall raw only matches on packets that came in via the WireGuard interface; packets in the opposite direction of the same actual connection are still handled by the connection tracking module. To prevent these as well from being connection-tracked, you have to use other rules in chain prerouting in raw that match on src-address(-list), dst-address(-list), protocols, ports, depending on how you select traffic for Wireguard; you cannot use connection-mark, of course, but you cannot even use packet-mark or routing-mark, because these are assigned after the packet passes through raw. And matching against an address-list is about as "heavy" as matching against a connection list.
You haven't provided enough information, but it seems you want your Mikrotik to act as a Wireguard "server" providing the "client" access to internet; if so, adding a rule chain=prerouting in-interface=WAN dst-address=10.10.10.2 action=notrack to /ip firewall raw would allow any packet coming via WAN towards the address of the Wireguard "client" to get untracked, and as such be accepted in filter by the "accept untracked" rule. However, if my guess is right, it won't work anyway - you cannot disable connection tracking for this traffic, because you need to NAT the traffic, and NAT depends on connection tracking.
If the Mikrotik acts as a Wireguard "client" providing encrypted connection to the Internet for its LAN hosts via some remote "server", the allowed-address on the /interface wireguard peer row must be 0.0.0.0/0, not just the individual internal address of the "server". And it still won't work without a NAT, because in this scenario, you have to NAT the traffic from the LAN clients to 10.0.0.1.
So all in all - you can use notrack for a Wireguard tunnel, but only where no NAT is required, so typically for a site-to-site one.
Independently of all the above, the last two rules in your list above are useless because they are shadowed by the third one, which accepts any untracked packet, regardless of the in-interface and out-interface(-list). The connection-state match condition matches on any of the listed connection states (which are mutually exclusive, as each packet has exactly one connection-state).
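A worked configuration for the one case the post says notrack does fit, a site-to-site tunnel with no NAT. This is an added example, not configuration from the original post or from MikroTik; the interface name wg-s2s, the subnets 192.168.88.0/24 (local LAN) and 192.168.99.0/24 (remote LAN), the tunnel addresses 10.0.0.1/10.0.0.2, the port 13231, and the peer key/endpoint placeholders are all assumed values.

```routeros
# Added example (not from the post). Assumed names and addresses:
#   wg-s2s               WireGuard interface on this router
#   192.168.88.0/24      local LAN behind this router
#   192.168.99.0/24      remote LAN behind the peer
#   10.0.0.1 / 10.0.0.2  tunnel inner addresses (this side / peer)

/interface wireguard
add name=wg-s2s listen-port=13231 comment="site-to-site tunnel"
/ip address
add address=10.0.0.1/24 interface=wg-s2s
/interface wireguard peers
add interface=wg-s2s public-key="<PEER-PUBLIC-KEY-PLACEHOLDER>" \
    endpoint-address=<PEER-WAN-IP-PLACEHOLDER> endpoint-port=13231 \
    allowed-address=10.0.0.2/32,192.168.99.0/24
/ip route
add dst-address=192.168.99.0/24 gateway=wg-s2s

# Raw is evaluated in prerouting, where only the in-interface is known.
# Direction 1: decrypted packets arriving from the tunnel.
/ip firewall raw
add chain=prerouting in-interface=wg-s2s action=notrack \
    comment="remote LAN -> local LAN: untracked"
# Direction 2: packets from the local LAN heading into the tunnel.
# Their in-interface is the LAN bridge, so select them by addresses instead
# (packet-mark/routing-mark are not yet assigned at this point).
add chain=prerouting src-address=192.168.88.0/24 dst-address=192.168.99.0/24 \
    action=notrack comment="local LAN -> remote LAN: untracked"

# Filter: untracked packets carry none of the states new/established/related/
# invalid, so the usual "accept established,related" and "drop invalid" rules
# never see them; accept them explicitly, before any drop rule in forward.
/ip firewall filter
add chain=forward connection-state=untracked action=accept \
    comment="accept untracked site-to-site traffic"
# Any later forward rule that combines connection-state=untracked with
# in-interface=wg-s2s or out-interface=wg-s2s is shadowed by the rule above.

# No srcnat/masquerade rule is added for this traffic: NAT depends on
# connection tracking and cannot act on untracked packets.
```

Both raw rules are needed because each one only ever sees one direction of the traffic; with only the in-interface=wg-s2s rule, LAN-originated packets would still be tracked and the two halves of one flow would be handled inconsistently. If the remote side has an existing masquerade rule on its own WireGuard interface, this layout will not carry traffic, exactly as the post describes.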