I have a 5-port MikroTik router (ROS v7.6) where port 1 has WAN, ports 2..4 have various LAN (default 192.168.88.*) devices and port 5 has a connection to an alternate internet connection.
Port 5 is disconnected from the bridge and has a DHCP client running. It receives the CGNAT address I'd like to use and "set default route" is disabled (this is enabled on the DHCP client on port 1).
WireGuard is configured to run on WAN port 12345, peers are configured and connect OK. Peers get 10.1.0.X/32 addresses and run with "AllowedIPs = 0.0.0.0/0".
What should I do to most easily allow the WireGuard clients connecting from the existing WAN with WireGuard (10.1.0.X people) to forward all traffic out through the dynamic CGNAT address on port 5, with additional NAT masquerade, while keeping all other existing rules and config unchanged (masquerade of all other bridge traffic via the default route from the DHCP client on port 1)?