So there is a second wireguard device behind the first router?
My question is why are you wireguarding from one connected router to another?
Why have another router with NAT is the first question.
Do you need WireGuard on that second router?
Everything is going to be routed by the first router anyway.
We just have 2 offices, one office with a public dynamic IP which I want to use as the VPN gateway for all company workers (who need access to the local Synology share disk in office A, 192.168.102.199; the second disk is in office B with address 192.168.0.99). Right now, when I have set up WireGuard between the 2 sites (one behind NAT), I'm able to access the networks of the opposite office: 0.0/24 from office A and 102.0/24 from office B.
Next, user peers, wow. 77 of them??
Are they all road warriors each with their own public key to put on the main router?
Yes, I want to use WireGuard as the office VPN. Last time I was using OpenVPN and everything worked well, but now that there is WireGuard I consider it the better solution. Yes, everyone has their own config, own private/public key and preshared key.
2. Your config seems overly complex. I would use all VLANs and one bridge, and one pool per subnet, but that's my preference.
This is just some old config that stayed on the router; you can ignore it, I will do some cleaning afterwards.
3. Why two pools for the same LAN??
/ip pool
add name=pool-guest ranges=10.10.0.2-10.10.0.100
add name=pool-lan2 ranges=192.168.102.200-192.168.102.220
add name=pool-vpn1 ranges=10.1.0.10-10.1.0.50
add name=pool-vpn2 ranges=192.168.103.2/31
add name=pool-ovpn ranges=10.122.1.2-10.122.1.100
add name=pool-lan next-pool=pool-lan2 ranges=192.168.102.30-192.168.102.196
This I will fix too.
4. This is wrong. For bridges, interfaces can be ether ports or WLANs. A VLAN is what is going through the interface, either tagged or untagged, etc.
You do have vlan1 (name, vlan-id=10) going on top of ether2, which is already hosted by bridge-lan. As I stated, overly complex and confusing, clearly demonstrated in that you made a hash of it.
This is just for the guest network.
/interface vlan
add interface=ether2 name=vlan1 vlan-id=10
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridgeguest interface=vlan1
Thus, what you seem to really want is this:
add interface=bridgeguest name=vlan1 vlan-id=10
add bridge=bridgeguest interface=ether2 pvid=10 (the pvid=10 ONLY if this is an access port, aka going to a dumb device; otherwise don't include the pvid)
Personally, once I introduce VLANs I don't mix apples and oranges, and the bridge does no work for DHCP or anything else.
So I would have one bridge, not two:
BR1
add interface=BR1 name=vlan1 vlan-id=10
add interface=BR1 name=MainVlan vlan-id=20
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=20
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20
add bridge=BR1 interface=ether6 pvid=20
add bridge=BR1 interface=ether7 pvid=20
add bridge=BR1 interface=ether8 pvid=20
If any port is a trunk port, remove the pvid, etc. But I digress, and that is not your style.
5. What you are missing is the matching /interface bridge vlan settings, probably something like:
add bridge=bridgeguest tagged=bridgeguest untagged=ether2 vlan-ids=10
6. For the main router, the allowed IPs should be set at /32, not /24, for all the peers. The different case would be a peer router, where besides the peer's IP address/32 you also add any subnets that you may wish to access, or peer subnets that may wish to access the main router.
7. Your firewall rules are not clear and not complete, and uselessly complex in some bits, but I am tired of this config and won't comment further.
8. Source NAT rules and destination NAT rules, same thing, what a dog's breakfast... no further comments.
This is stuff which I got from the previous guy; now I'm cleaning everything up.
And now I wanted to make things simpler, to focus on WireGuard as the VPN solution, but I got random timeouts or disconnections when I connect a second client, enable, disable, so this is strange for me.
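As an added example, not config from either poster, here is one RouterOS layout that ties points 4, 5 and 6 together: a single bridge with VLAN filtering, the matching /interface bridge vlan table, and a WireGuard interface on the office A router whose road-warrior peers get a /32 allowed-address and whose office B router peer gets its /32 plus the 192.168.0.0/24 LAN behind it. The interface names (BR1, vlan10-guest, vlan20-main, wg-office), the listen port, the VLAN ids and every key value are placeholders I chose; only the two office subnets and the 10.1.0.x tunnel range come from the thread.

```routeros
# Added example, not the thread's own config. All names, keys and ports are placeholders.
/interface bridge
add name=BR1 comment="vlan-filtering is switched on at the end, after the vlan table exists"

# L3 VLAN interfaces live on the bridge itself, not on a member port
/interface vlan
add interface=BR1 name=vlan10-guest vlan-id=10
add interface=BR1 name=vlan20-main vlan-id=20

# Access ports carry one untagged VLAN via pvid; a trunk port would omit pvid
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10 comment="guest access port"
add bridge=BR1 interface=ether3 pvid=20 comment="main LAN access port"
add bridge=BR1 interface=ether4 pvid=20
add bridge=BR1 interface=ether5 pvid=20

# Point 5: the bridge vlan table. BR1 is tagged so the vlan10/vlan20 interfaces above can
# terminate each VLAN on the router; the access ports are untagged members.
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2 vlan-ids=10
add bridge=BR1 tagged=BR1 untagged=ether3,ether4,ether5 vlan-ids=20

/interface bridge set BR1 vlan-filtering=yes

# Point 6: WireGuard on the office A (main) router. 10.1.0.0/24 reuses the pool-vpn1 range.
/interface wireguard
add name=wg-office listen-port=13231 private-key="<office-A-private-key-placeholder>"
/ip address
add address=10.1.0.1/24 interface=wg-office

# The handshake port must be accepted in the input chain ahead of any drop rule
/ip firewall filter
add chain=input protocol=udp dst-port=13231 action=accept comment="wireguard handshakes"

/interface wireguard peers
# Road warriors: allowed-address is exactly the peer's own tunnel address, /32.
add interface=wg-office public-key="<worker1-public-key-placeholder>" \
    preshared-key="<worker1-psk-placeholder>" allowed-address=10.1.0.10/32 comment=worker1
add interface=wg-office public-key="<worker2-public-key-placeholder>" \
    preshared-key="<worker2-psk-placeholder>" allowed-address=10.1.0.11/32 comment=worker2
# Site-to-site peer (office B router behind NAT): its /32 plus the LAN it fronts.
# No endpoint-address is set here because office B initiates from behind NAT.
add interface=wg-office public-key="<office-B-public-key-placeholder>" \
    preshared-key="<office-B-psk-placeholder>" \
    allowed-address=10.1.0.2/32,192.168.0.0/24 comment=office-B-router

# Route office B's LAN through the tunnel so workers reach 192.168.0.99 via office A
/ip route
add dst-address=192.168.0.0/24 gateway=wg-office
```

The reason the /32 matters is WireGuard's cryptokey routing: on the main router each destination address can belong to exactly one peer, so two road-warrior peers that both claim a /24 end up competing for the same range and the router sends return traffic to whichever peer most recently took it over. Each worker's client config then lists the two office LANs (192.168.102.0/24 and 192.168.0.0/24) in its own AllowedIPs, while the server side stays at /32 per worker.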