So far don't see why.......
(1) Set this to
NONE as mac-server by itself is not a secure access method!
/tool mac-server
set allowed-interface-list=listBridge
(2) I am not a bond expert so the bridge ports look fine, was just wondering if the non-slave port needs to be the one on the bridge and not the bond, but it's only a theory with .05% of having validity.
(3) I prefer to include all possibilities or leave blank........... I typically use firewall rules to narrow down to finite IPs, so your approach is fundamentally good, but you are removing your wireguard connection from being able to configure the router by not including it ??
set winbox address=10.160.100.0/24
Otherwise this rule is useless..........
add action=accept chain=input comment="Allow Everything in Wireguard" \
in-interface=wireguard1
(4) As an exercise disable funky doh cloudflare stuff to see how that may or may not affect speed tests!
(5) Do local users access the plex server and if so is it strictly directly by LAN IP address??
(6) Redundant rule............. Can you see why the first rule is NOT required.
add action=drop chain=input comment="Block external DNS requests" dst-port=53 \
in-interface=WAN_Port log=yes log-prefix="External DNS Request" protocol=udp
add action=drop chain=input comment="block everything else"
(7) Improve your Input chain.
/interface list member
add interface=local list=listBridge
add interface=wireguard1 list=listBridge
add interface=Vodafone list=WAN
add interface=WAN_Port list=WAN
/ip firewall address-list
add address=admin-desktop_IP list=Authorized
add address=admin-laptop_IP list=Authorized
add address=admin-ipad/iphone_IP list=Authorized
add address=remote-admin_IP list=Authorized comment="wireguard remote"
/ip firewall filter
add action=accept chain=input comment="accept established, related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="wg handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=listBridge src-address-list=Authorized
add action=accept chain=input comment="user services" in-interface=local dst-port=53,123 protocol=udp
add action=accept chain=input comment="user services" in-interface=local dst-port=53 protocol=tcp
add action=drop chain=input comment="block everything else"
(8)
Your main issue --> PHUCKING TOO FANCY fastrack rule.............
remove this sheite frankenstein!!
add action=fasttrack-connection chain=forward comment="Fasttrack not IPSEC" \
connection-mark=!ipsec connection-state=established,related dst-limit=\
1,5,dst-address/1m40s hw-offload=yes limit=1,5:packet psd=21,3s,3,1 time=\
0s-1d,sun,mon,tue,wed,thu,fri,sat
WITH
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=\
established,related,untracked
add action=accept chain=forward in-interface-list=listBridge out-interface=Vodafone
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all Else"
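As an added example (not from the post and not MikroTik code), a small Python first-match evaluator for the input chain proposed in (7): it walks the rules in order the way RouterOS does, which makes it easy to see why the WAN port-53 drop in (6) is redundant and how a mistyped address-list name would lock the remote admin out. The sample IPs and the winbox port in the test are constructed assumptions.

```python
# Constructed first-match model of the proposed input chain; not MikroTik code.
INTERFACE_LISTS = {"listBridge": {"local", "wireguard1"}, "WAN": {"Vodafone", "WAN_Port"}}
ADDRESS_LISTS = {"Authorized": {"192.168.1.10", "10.160.100.2"}}  # constructed sample IPs

# Each dict mirrors one "add action=... chain=input ..." line, in the same order.
INPUT_CHAIN = [
    {"action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "accept", "protocol": "icmp"},
    {"action": "accept", "protocol": "udp", "dst-port": {13231}},                 # wg handshake
    {"action": "accept", "in-interface-list": "listBridge", "src-address-list": "Authorized"},
    {"action": "accept", "in-interface": "local", "protocol": "udp", "dst-port": {53, 123}},
    {"action": "accept", "in-interface": "local", "protocol": "tcp", "dst-port": {53}},
    {"action": "drop"},                                                            # block everything else
]

def packet(in_interface, src_address, protocol, dst_port=None, state="new"):
    """Constructed packet summary carrying only the fields the rules above inspect."""
    return {"in-interface": in_interface, "src-address": src_address,
            "protocol": protocol, "dst-port": dst_port, "connection-state": state}

def matches(rule, pkt):
    """True when every matcher on the rule agrees with the packet ('action' is not a matcher)."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key in ("connection-state", "dst-port"):
            if pkt[key] not in want:
                return False
        elif key == "in-interface-list":
            if pkt["in-interface"] not in INTERFACE_LISTS[want]:
                return False
        elif key == "src-address-list":
            # RouterOS list names are case-sensitive: "authorized" is not "Authorized"
            if pkt["src-address"] not in ADDRESS_LISTS.get(want, set()):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(chain, pkt):
    """First match wins, as in RouterOS; returns (rule index, action)."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return index, rule["action"]
    return None, "accept"  # no rule matched: RouterOS lets the packet through
```

Running `evaluate(INPUT_CHAIN, packet("WAN_Port", "203.0.113.5", "udp", 53))` lands on the final drop, which is exactly why the separate port-53 drop adds nothing.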