There is a main office and a branch office, connected by an IPsec site-to-site tunnel. From the main office LAN I can access branch office devices without any problems, but I also need to reach branch office devices from random remote locations (road warriors). So I configured a WireGuard VPN server on the main office router; now I can ping those devices from WireGuard clients, and I can also ping google.com, but I can't access the devices or the internet from a web browser. I have no clear idea what I have misconfigured... Something with the firewall?
Main Office config
# mar/10/2023 08:53:39 by RouterOS 7.8
# software id = XXXX-XXXX
#
# model = RB3011UiAS
# serial number = XXXXXXXXXXXX
# Main office router: terminates the IPsec site-to-site tunnel to the branch
# (10.10.10.0/24 <-> 10.10.11.0/24) and hosts the WireGuard road-warrior
# endpoint (10.10.100.0/24).
/interface bridge
add name=bridge1
/interface wireguard
# WireGuard listener on UDP 13231; the matching input accept is in /ip firewall filter.
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=195.XX.XXX.108/32 name=Branch Office
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ipv6 settings
set disable-ipv6=yes
/interface wireguard peers
# One /32 per road-warrior device; a peer can only source traffic from its
# allowed-address, so clients cannot spoof another client's address.
add allowed-address=10.10.100.2/32 comment="Samsung" interface=\
wireguard1 public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
add allowed-address=10.10.100.3/32 comment="Lenovo" interface=\
wireguard1 public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=62.XX.XXX.8/28 interface=ether1 network=62.XX.XXX.0
add address=10.10.10.1/24 interface=ether2 network=10.10.10.0
add address=10.10.100.1/24 interface=wireguard1 network=10.10.100.0
/ip dns
# allow-remote-requests=yes makes the router a resolver for LAN and WireGuard
# clients; the two drop rules on ether1 below keep it from being an open
# resolver toward the internet.
set allow-remote-requests=yes servers=91.198.156.20,194.8.2.2,8.8.8.8
/ip firewall filter
# WireGuard handshakes must be accepted from any source (road warriors).
add action=accept chain=input dst-port=13231 protocol=udp
# WireGuard clients may talk to the router itself (DNS, management).
add action=accept chain=input src-address=10.10.100.0/24
# Drop DNS queries arriving on the WAN interface (see /ip dns above).
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
# NOTE(review): there is no final drop in the input chain; exposure of
# services is currently limited only by /ip service (most are disabled,
# winbox is address-restricted). An explicit drop after the accepts would
# make that intent robust against future service changes.
/ip firewall nat
# Exempts LAN->branch traffic from masquerade so it still matches the IPsec
# policy (src 10.10.10.0/24, dst 10.10.11.0/24) below.
# NOTE(review): the exemption covers only 10.10.10.0/24. WireGuard clients
# (10.10.100.0/24) heading for 10.10.11.0/24 hit the masquerade rules below
# instead and would presumably not match the IPsec policy at all - confirm;
# the branch-side policy likewise lists only 10.10.10.0/24.
add action=accept chain=srcnat dst-address=10.10.11.0/24 src-address=\
10.10.10.0/24
add action=masquerade chain=srcnat out-interface=ether1
# Masquerades WireGuard traffic on every outgoing interface (no
# out-interface restriction), so branch/LAN hosts see it as the router.
add action=masquerade chain=srcnat src-address=10.10.100.0/24
# NOTE(review): this rule has no dst-address, protocol or port, so EVERY
# packet from the WireGuard subnet gets its destination rewritten to
# 10.10.10.1 - the router's own LAN address. The router answers ICMP itself
# (input accept for 10.10.100.0/24 above), which is presumably why ping
# appears to work, while TCP sessions to branch devices or the internet
# never leave the router (and www is disabled in /ip service). This looks
# like the misconfiguration behind the browser failures; if a redirect is
# really wanted, narrow it with dst-address/protocol/dst-port.
add action=dst-nat chain=dstnat log=yes src-address=10.10.100.0/24 \
to-addresses=10.10.10.1
/ip ipsec identity
add peer=Branch Office
/ip ipsec policy
# Only LAN<->branch LAN is encrypted; the WireGuard subnet is not covered.
add dst-address=10.10.11.0/24 peer=Branch Office src-address=10.10.10.0/24 tunnel=\
yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=62.XX.XXX.1 routing-table=main \
suppress-hw-offload=no
/ip service
# Management surface: everything disabled except winbox, which is limited to
# the listed management addresses and moved off the default port.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="62.XX.XXX.6/32,62.XX.XXX.7/32,62.XX.XXX.1\
0/32,62.XX.XXX.13/32" port=8292
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="Main Office"
Branch Office config
# mar/10/2023 09:48:15 by RouterOS 6.48.6
# software id = XXXX-XXXX
#
# model = 2011UiAS-2HnD
# serial number = XXXXXXXXXXXX
# Branch office router: IPsec site-to-site peer of the main office
# (10.10.11.0/24 <-> 10.10.10.0/24). Runs RouterOS 6.x while the main
# office runs 7.x.
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
add address=62.XX.XXX.8/32 name=Main Office
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=195.13.199.108/29 interface=ether1 network=195.13.199.104
add address=10.10.11.1/24 interface=ether2 network=10.10.11.0
/ip dns
# Same resolver setup as the main office; WAN-side DNS is dropped below.
set allow-remote-requests=yes servers=91.198.156.20,194.8.2.2,8.8.8.8
/ip firewall filter
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
# NOTE(review): no other input rules; as on the main office router, service
# exposure relies solely on /ip service below.
/ip firewall nat
# Exempts branch LAN->main LAN traffic from masquerade so it matches the
# IPsec policy below.
# NOTE(review): only 10.10.10.0/24 is exempted and listed in the policy.
# Traffic to/from the main office WireGuard subnet (10.10.100.0/24) is not
# covered here, so road-warrior access to this LAN through the tunnel would
# presumably need a matching policy and srcnat exemption on both sides - confirm.
add action=accept chain=srcnat dst-address=10.10.10.0/24 src-address=\
10.10.11.0/24
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=Main Office
/ip ipsec policy
add dst-address=10.10.10.0/24 peer=Main Office src-address=10.10.11.0/24 \
tunnel=yes
/ip route
# Default route (no dst-address given); 195.13.199.105 is the upstream gateway.
add distance=1 gateway=195.13.199.105
/ip service
# Management surface mirrors the main office: only winbox, address-restricted,
# on a non-default port.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="62.XX.XXX.6/32,62.XX.XXX.7/32,62.XX.XXX.1\
0/32,62.XX.XXX.13/32" port=8292
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="Branch Office"
WireGuard client config