Yeah anytime user requirements are explained using config speak, one gets a mess.
I have no clue what you are saying.
What is easy to understand:
X needs to initiate the connection because it has a private IP (and one cannot port forward from any existing edge router to Router X).
Y has a public IP and can be the receiver of vpn connections.
Traffic flow is mostly from Y to X.
Describe the traffic flow properly
Single user at Router Y (admin - you?) needs to access a LAN device through the LAN IP of the device at Router X.
There are multiple such devices?
So to be clear, users on Router Y need access to the LAN subnet of Router X, and NOT the internet access of Router X??
Can we confirm that please!
(Terminology of web interfaces leads me to believe that the users from Y need to access the internet to access the IoT device.) I really don't care if the IoT device talks to the internet or not, or is web facing or not; you want to connect to it on the LAN, right?
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Easily accomplished by a simple wireguard tunnel. I don't see any requirement for special source NAT or /30 networks etc.
Why not provide yourself direct access to the subnet on X and, while you're at it, secure config access to Router X as well?
I will break it down first with wireguard settings and then with appropriate rest of router settings.
WIREGUARD SETTINGS
Router Y (receiver)
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2,192.168.1.0/24 interface=wireguard-home public-key="---"
/ip address
add address=192.168.50.1/24 interface=wireguard-home
/ip firewall filter { input chain }
add chain=input action=accept dst-port=15551 protocol=udp in-interface-list=WAN \
comment="allow initial connection"
...
Router X (initiator)
/interface wireguard
add listen-port=15551 mtu=1420 name=wireguard-client comment="listen-port not used, this side initiates"
/interface wireguard peers
add allowed-address=192.168.50.0/24,192.168.88.0/24 endpoint-address=mynetnameRouterY endpoint-port=15551 interface=wireguard-client public-key="..." \
persistent-keepalive=35s
/ip address
add address=192.168.50.2/24 interface=wireguard-client
...
ROUTER SETTINGS
Router Y
/ip firewall filter { forward chain }
add action=accept chain=forward src-address=192.168.88.0/24 dst-address=192.168.1.0/24 out-interface=wireguard-home \
comment="allow local subnet to enter tunnel"
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard-home routing-table=main \
comment="provide route into tunnel"
...
Router X
/ip firewall filter
{ input chain }
add action=accept chain=input in-interface=wireguard-client src-address=192.168.88.X ***** \
comment="Admin access"
{ forward chain }
add action=accept chain=forward in-interface=wireguard-client src-address=192.168.88.0/24 dst-address=192.168.1.0/24 \
comment="allow subnet access"
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard-client routing-table=main \
comment="provide route back through tunnel"
...
***** If you have multiple admin IPs, create a firewall address list called Admin, for example (desktop, laptop, ipad, etc.):
/ip firewall address-list
add address=192.168.88.x list=Admin comment="desktop"
add address=192.168.88.y list=Admin comment="laptop"
add address=192.168.88.z list=Admin comment="ipad"
/ip firewall filter
add action=accept chain=input in-interface=wireguard-client src-address-list=Admin
++++++++++++++++++++
Now let's go one step further. Let's say you have also added your smartphone or laptop as wireguard clients that can connect to Router Y when away from home,
let's say for the purposes of being able to configure Router Y remotely. Then we simply add the clients, and we can also set it up so that you can access Router X to configure it as well.
wireguard ip address=192.168.50.3/32 smartphone
wireguard ip address=192.168.50.4/32 laptop
Router Y Additions:
....
/interface wireguard peers
add allowed-address=192.168.50.2,192.168.1.0/24 interface=wireguard-home public-key="---" comment="router x"
add allowed-address=192.168.50.3 interface=wireguard-home public-key="vvvvv" comment="smartphone"
add allowed-address=192.168.50.4 interface=wireguard-home public-key="ddd" comment="laptop"
/ip firewall filter
{ input chain }
add action=accept chain=input in-interface=wireguard-home src-address-list=REMOTE
/ip firewall address-list
add address=192.168.50.3 list=REMOTE
add address=192.168.50.4 list=REMOTE
/ip firewall filter
{ forward chain }
add action=accept chain=forward in-interface=wireguard-home src-address=192.168.50.0/24 \
comment="allow remote users to exit the tunnel at router Y"
add action=accept chain=forward src-address=192.168.50.0/24 out-interface=wireguard-home \
comment="allow remote users to enter the tunnel at router Y"
...
Note: The two forward chain rules may appear confusing, but since these are peer to peer links, the remote users first have to go from their remote location to the router via wireguard. They are then no longer in the tunnel but sitting parallel to the LAN. We then have to give them permission to re-enter the tunnel to get to their destination (Router X).
Router X Additions:
...
/ip firewall filter { input chain }
add action=accept chain=input in-interface=wireguard-client src-address-list=Admin
/ip firewall address-list
add address=192.168.88.x list=Admin comment="desktop on router Y lan"
add address=192.168.88.y list=Admin comment="laptop on router Y lan"
add address=192.168.88.z list=Admin comment="ipad on router Y lan"
add address=192.168.50.3 list=Admin comment="remote smartphone"
add address=192.168.50.4 list=Admin comment="remote laptop"
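The allowed-address lists above do two jobs at once: on the sending side they pick the peer (cryptokey routing), and on the receiving side they act as a source filter that silently drops anything not listed. The following Python model is an added example, not part of the post or of RouterOS; the peer names and the LAN hosts .10 and .20 are constructed, while the allowed-address values are the ones from the config above.

```python
# Added example: models WireGuard cryptokey routing for the post's two-router layout.
# Peer names and the LAN hosts .10 / .20 are constructed; allowed-address lists are the post's.
from ipaddress import ip_address, ip_network

# Router Y, interface wireguard-home: allowed-address per peer.
ROUTER_Y = {
    "router-x":   ["192.168.50.2/32", "192.168.1.0/24"],
    "smartphone": ["192.168.50.3/32"],
    "laptop":     ["192.168.50.4/32"],
}
# Router X, interface wireguard-client: Router Y is the only peer.
ROUTER_X = {"router-y": ["192.168.50.0/24", "192.168.88.0/24"]}


def select_peer(peers, dst):
    """Outbound side: the peer whose allowed-address covers dst (longest prefix) gets the packet.
    None means WireGuard has nowhere to send it, whatever /ip route says."""
    best = None
    for name, nets in peers.items():
        for net in map(ip_network, nets):
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accept_inbound(peers, from_peer, src):
    """Inbound side: a packet decrypted from from_peer is kept only if src lies in its allowed-address."""
    return any(ip_address(src) in ip_network(n) for n in peers[from_peer])


def round_trip(y_peers, x_peers, src, dst):
    """Trace src (Y's LAN or a remote client) -> dst on X's LAN, then the reply.
    Returns (peer chosen at Y, peer chosen at X) or None at the first silent drop."""
    out_peer = select_peer(y_peers, dst)
    if out_peer != "router-x" or not accept_inbound(x_peers, "router-y", src):
        return None
    back_peer = select_peer(x_peers, src)
    if back_peer != "router-y" or not accept_inbound(y_peers, "router-x", dst):
        return None
    return out_peer, back_peer


if __name__ == "__main__":
    print(round_trip(ROUTER_Y, ROUTER_X, "192.168.88.10", "192.168.1.20"))  # desktop on Y's LAN
    print(round_trip(ROUTER_Y, ROUTER_X, "192.168.50.3", "192.168.1.20"))   # remote smartphone via Y
    # Leave 192.168.88.0/24 out of Router X's peer and Y's LAN is dropped on arrival at X,
    # while remote clients on 192.168.50.x still work, which is easy to misdiagnose as a firewall issue.
    x_no_lan = {"router-y": ["192.168.50.0/24"]}
    print(round_trip(ROUTER_Y, x_no_lan, "192.168.88.10", "192.168.1.20"))  # None
    print(round_trip(ROUTER_Y, x_no_lan, "192.168.50.3", "192.168.1.20"))   # still works
```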