NOT CLEAR WHY IT ISN'T WORKING, but I do have some cleanup that might make the difference.
(1) Input chain rules......... all good here, but I would make a few minor changes (order of rules, etc.).
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.2.0/24
add action=accept chain=input comment="Allow ALL LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
This rule seems a bit wide though? Why not be accurate: 192.168.2.2
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.2.0/24
(2) Forward chain rules...... Mostly good. You need to change one of the default rules, the one for dropping dst-nat, and replace it with three rules........
and two for WireGuard!
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 out-interface-list=WAN
add action=accept chain=forward in-interface=wireguard1 dst-address=192.168.1.0/24 src-address=192.168.2.2
add action=accept chain=forward comment="allow dst-nat" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
(3) Assuming you need this rule because traffic is also going out to the internet from your client laptop?
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.2.0/24
(4) This should be set to NONE, as plain MAC is not secure.......
/tool mac-server
set allowed-interface-list=LAN
(5) What is not clear is your IP routes section.
However, the IP address you have for your WireGuard interface should create the necessary routing information, as the client IP is within this network
and the router creates the following route dynamically:
<DAC> dst-address=192.168.2.0/24 gwy=wireguard1 table=main
This ensures return internet traffic and return traffic from the subnets go back out through the tunnel to the remote computer client.
If the traffic were going back to a client router and on to a subnet, then one would have to create the subnet return route manually.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I am assuming that in your Windows WireGuard client's peer settings for the router, the allowed IPs is set to 0.0.0.0/0, which covers everything, so nothing wrong there........
Often a Windows firewall can get in the way.
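Added illustration, not part of the post above and not RouterOS code: a small first-match simulation of the input chain quoted in point (1), evaluated top to bottom the way the firewall does. It shows two things the reply touches on, namely why rule order matters (an "invalid" packet to the WireGuard port is accepted before "drop invalid" gets a look, unless that rule is moved up to where the RouterOS default configuration places it) and what the suggested narrowing from 192.168.2.0/24 to 192.168.2.2 changes. The Packet and Rule classes, the in_interface_list field (standing in for interface-list membership) and all sample packets are constructed assumptions; only the matchers the quoted rules use are implemented.

```python
"""First-match simulation of the quoted RouterOS input chain (constructed model)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Attributes a rule can match on (constructed sample input, not a real packet)."""
    chain: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    src_address: str = "0.0.0.0"
    dst_address: str = "0.0.0.0"
    in_interface: str = ""
    # Assumed field: the interface list the in-interface belongs to (LAN/WAN).
    in_interface_list: str = ""
    connection_state: str = "new"


@dataclass
class Rule:
    chain: str
    action: str
    comment: str = ""
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    src_address: Optional[str] = None       # CIDR or single host
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None
    connection_state: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        """Every matcher set on the rule must agree; unset matchers are wildcards."""
        if self.chain != pkt.chain:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_address is not None and ip_address(pkt.src_address) not in ip_network(self.src_address, strict=False):
            return False
        if self.dst_address is not None and ip_address(pkt.dst_address) not in ip_network(self.dst_address, strict=False):
            return False
        if self.in_interface is not None and self.in_interface != pkt.in_interface:
            return False
        if self.in_interface_list is not None and self.in_interface_list != pkt.in_interface_list:
            return False
        if self.connection_state is not None and pkt.connection_state not in self.connection_state:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """The first matching rule decides. A packet matching nothing in a built-in
    chain is accepted by RouterOS, which is why the chain ends in 'drop all else'."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched (implicit default)"


def input_chain(wireguard_src: str = "192.168.2.0/24") -> List[Rule]:
    """The input chain from the post, in the order shown there. The WireGuard
    source address is a parameter so the /24 and the single-peer variant compare."""
    st = frozenset
    return [
        Rule("input", "accept", "defconf: accept established,related,untracked",
             connection_state=st({"established", "related", "untracked"})),
        Rule("input", "accept", "allow WireGuard", protocol="udp", dst_port=13231),
        Rule("input", "accept", "allow IPsec NAT", protocol="udp", dst_port=4500),
        Rule("input", "accept", "allow IKE", protocol="udp", dst_port=500),
        Rule("input", "accept", "allow l2tp", protocol="udp", dst_port=1701),
        Rule("input", "drop", "defconf: drop invalid", connection_state=st({"invalid"})),
        Rule("input", "accept", "defconf: accept ICMP", protocol="icmp"),
        Rule("input", "accept", "defconf: accept to local loopback (for CAPsMAN)", dst_address="127.0.0.1"),
        Rule("input", "accept", "allow WireGuard traffic", src_address=wireguard_src),
        Rule("input", "accept", "Allow ALL LAN", in_interface_list="LAN"),
        Rule("input", "drop", "drop all else"),
    ]


def drop_invalid_first(rules: List[Rule]) -> List[Rule]:
    """Move 'drop invalid' directly after the established/related accept,
    which is where the RouterOS default configuration places it."""
    invalid = [r for r in rules if r.comment == "defconf: drop invalid"]
    rest = [r for r in rules if r.comment != "defconf: drop invalid"]
    return rest[:1] + invalid + rest[1:]


if __name__ == "__main__":
    # Constructed samples: a WireGuard handshake from the internet, an SSH probe
    # from the internet, and a tunnel packet from a peer address other than .2
    wan_wg = Packet("input", "udp", 13231, "203.0.113.5", in_interface_list="WAN")
    wan_ssh = Packet("input", "tcp", 22, "203.0.113.5", in_interface_list="WAN")
    other_peer = Packet("input", "tcp", 8291, "192.168.2.7", in_interface="wireguard1")
    for label, rules in (("/24 as posted", input_chain()), ("single host", input_chain("192.168.2.2"))):
        print(label, [evaluate(rules, p) for p in (wan_wg, wan_ssh, other_peer)])
```

The narrowing only changes the verdict for tunnel sources other than 192.168.2.2; the WireGuard handshake itself is still accepted by the earlier udp/13231 rule, so nothing about the tunnel setup depends on the wider rule.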