Thank you for your replies!
Here's my configuration (exported with sensitive values hidden); I've only masked the public IP and public key of my VPS server:
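# jan/18/2022 17:49:50 by RouterOS 7.1.1
# software id = ZSTJ-AJBS
#
# model = RBD53G-5HacD2HnD
# serial number = C8CA0CD5C253
# NOTE(review): /ip cloud ddns-enabled=yes (below) publishes a DNS name that is
# derived from this serial number, so leaving the serial in a public paste
# partly undoes hiding the public IP. Strip it before posting the export.
#
# Reviewed export. Changes against the original:
#   - wireless security profile: WPA (TKIP) removed, WPA2-PSK only
#   - "LTE Disable"/"LTE Enable" scheduler jobs: policy cut to read,write
#   - routing rule src-address written as the network 192.168.88.0/24
/interface bridge
add admin-mac=48:8F:5A:11:29:A5 auto-mac=no comment=defconf name=bridge
/interface ethernet
# ether1-ether3 are pinned to 10Mbps (ether3 additionally half-duplex).
# Presumably deliberate, but it caps every wired client on those ports -
# TODO confirm this is intended and not a leftover from testing.
set [ find default-name=ether1 ] speed=10Mbps
set [ find default-name=ether2 ] speed=10Mbps
set [ find default-name=ether3 ] full-duplex=no speed=10Mbps
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
    country=italy disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MikroTik-2.4G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eeeC country=italy disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-5G \
    wireless-protocol=802.11
/interface wireguard
# mtu=1420 leaves room for the WireGuard+UDP+IP overhead on top of the
# 1500-byte lte1 link. Raising wg0 to 1500 makes every full-size packet
# fragment (or get dropped where fragments are blocked); keep it at 1420 or
# lower, not equal to the underlying link MTU.
add listen-port=51820 mtu=1420 name=wg0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=myinternet.wind default-route-distance=1 ip-type=ipv4 name=WindTre \
    use-network-apn=no use-peer-dns=no
/interface lte
set [ find ] allow-roaming=no apn-profiles=WindTre band=1,3 name=lte1 \
    network-mode=lte
/interface wireless security-profiles
# Hardening: the original also allowed wpa-psk (WPA1/TKIP), which is broken
# and only needed for very old clients. WPA2-PSK only. The pre-shared key is
# not visible in this export (hidden as sensitive, or not set) - confirm a
# strong wpa2-pre-shared-key is actually configured on this profile.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/queue simple
add name="All Bandwith" priority=1/1 target="192.168.88.10/32,192.168.88.11/32\
    ,192.168.88.12/32,192.168.88.17/32,192.168.88.18/32,192.168.88.23/32"
add max-limit=128k/17M name=TV target=\
    192.168.88.19/32,192.168.88.20/32,192.168.88.21/32,192.168.88.22/32
add max-limit=1M/10M name=Phones target=\
    192.168.88.13/32,192.168.88.14/32,192.168.88.15/32,192.168.88.16/32
/routing table
# Separate FIB holding only the tunnel default route (see /ip route below).
add disabled=no fib name=wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
# wg0 is classified as WAN on purpose: the defconf input/forward rules then
# treat the tunnel as untrusted, so the VPS side cannot reach the router's
# services or the LAN through the tunnel unless explicitly DST-NATed.
add interface=wg0 list=WAN
/interface wireguard peers
# allowed-address=0.0.0.0/0 = full-tunnel client: any destination is sent to
# the VPS and any source is accepted from it. Isolation of the LAN from the
# VPS therefore relies entirely on wg0 being in the WAN list above.
add allowed-address=0.0.0.0/0 endpoint-address=<VPS PUBLIC IP> endpoint-port=\
    51820 interface=wg0 persistent-keepalive=20s public-key=\
    "<VPS SERVER PUBLIC KEY>"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.6.0.2/24 interface=wg0 network=10.6.0.0
/ip cloud
# Publishes the router's current public address under a MikroTik-run DDNS
# name derived from the serial number. Disable if not needed.
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.88.20 client-id=1:74:a7:ea:7e:8b:9f mac-address=\
    74:A7:EA:7E:8B:9F server=defconf
add address=192.168.88.10 client-id=1:30:9c:23:84:63:ba mac-address=\
    30:9C:23:84:63:BA server=defconf
add address=192.168.88.15 client-id=1:58:20:59:16:f:ab mac-address=\
    58:20:59:16:0F:AB server=defconf
add address=192.168.88.22 mac-address=38:A6:CE:CB:7F:7C server=defconf
add address=192.168.88.21 mac-address=D0:58:FC:03:50:92 server=defconf
add address=192.168.88.13 client-id=1:7e:60:bb:7a:b0:42 mac-address=\
    7E:60:BB:7A:B0:42 server=defconf
add address=192.168.88.19 client-id=1:54:bd:79:12:a6:6a mac-address=\
    54:BD:79:12:A6:6A server=defconf
add address=192.168.88.14 client-id=1:a4:4b:d5:c8:c6:d8 mac-address=\
    A4:4B:D5:C8:C6:D8 server=defconf
add address=192.168.88.17 client-id=1:0:e4:21:15:ce:ae mac-address=\
    00:E4:21:15:CE:AE server=defconf
add address=192.168.88.11 client-id=1:d0:50:99:99:66:5a mac-address=\
    D0:50:99:99:66:5A server=defconf
add address=192.168.88.12 client-id=1:e4:be:ed:20:cd:aa mac-address=\
    E4:BE:ED:20:CD:AA server=defconf
add address=192.168.88.18 client-id=1:80:60:b7:b1:24:b mac-address=\
    80:60:B7:B1:24:0B server=defconf
add address=192.168.88.16 client-id=1:e0:cc:f8:82:1c:36 mac-address=\
    E0:CC:F8:82:1C:36 server=defconf
add address=192.168.88.23 client-id=1:0:24:d6:f6:aa:4 mac-address=\
    00:24:D6:F6:AA:04 server=defconf
/ip dhcp-server network
# Clients are handed 1.1.1.1/1.0.0.1 directly, so their DNS queries are
# ordinary LAN->Internet traffic and follow the wg routing rule (tunnel),
# not the router's own resolver.
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes exposes the router's resolver on every interface;
# the "drop all not coming from LAN" input rule below keeps it LAN-only
# (wg0 is WAN), so it is not an open resolver. NOTE(review): lookups the
# router itself makes presumably follow the main table (lte1), not the
# tunnel, since the routing rule only matches 192.168.88.0/24 sources.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Covers both lte1 and wg0 (both in WAN).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerades on every WAN member, so LAN traffic inside the tunnel leaves
# as 10.6.0.2 and anything that does go out lte1 leaves as the LTE address.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
# Only route in table "wg": everything via the tunnel.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg0 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
# Policy routing for the LAN: LAN-sourced traffic is looked up ONLY in table
# "wg" (no fallback to main/lte1), which doubles as a kill switch - if the
# tunnel route is unusable the traffic is dropped rather than leaking out
# over LTE. Written as the network address (was 192.168.88.1/24).
add action=lookup-only-in-table disabled=no src-address=192.168.88.0/24 \
    table=wg
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system scheduler
# Nightly LTE bounce (disable 03:59:55, enable 04:00:00) - presumably to
# force a fresh carrier session; TODO confirm. Least privilege: these jobs
# only run "interface disable/enable", which needs read,write - the original
# granted every policy (ftp,reboot,password,sensitive,romon,...), which a
# compromised or edited scheduler entry would inherit.
add interval=1d name="LTE Disable" on-event="interface disable lte1" policy=\
    read,write start-date=dec/20/2021 start-time=03:59:55
add interval=1d name="LTE Enable" on-event="interface enable lte1" policy=\
    read,write start-date=dec/20/2021 start-time=04:00:00
/system script
# defconf: toggles all LEDs on/off from the mode button.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n   /system leds settings set all-leds-off=immediate \r\
    \n } else={\r\
    \n   /system leds settings set all-leds-off=never \r\
    \n }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
# Inbound SMS is accepted on the LTE modem. NOTE(review): RouterOS can run
# commands received by SMS when a secret/allowed-number is configured; the
# secret would be hidden in this export, so verify no SMS command execution
# is enabled unless you rely on it.
set port=lte1 receive-enabled=yes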
Network diagram (hope it's clear enough):
192.168.88.0/24 (default subnet, all devices connected to the router) ----> Chateau LTE12 (Router, WAN is the lte1 interface) ---> Wireguard Tunnel ---> VPS Server
Regarding the Wireguard Tunnel:
- (Client) Router's IP: 10.6.0.2/24
- (Server) Server's IP: 10.6.0.1/24
- Tunnel subnet: 10.6.0.0/24
I just tried changing the MTU on my router: the default for WireGuard is 1420 while for lte1 it is 1500. I set both to 1500, but it doesn't look like there's much of a difference so far. (Caveat: WireGuard adds its own encapsulation overhead on top of the IP/UDP headers, so the wg0 MTU has to stay below the lte1 MTU — with both at 1500, every full-size packet gets fragmented; 1420 is the sensible value for a 1500-byte uplink.) But I'll definitely take a proper look at your config own3r, thanks for sharing it!