No guest wifi for now.
Here's the hEX (everything is a work in progress, so go easy on me please).
I can cut out some sections so it's shorter and easier to read if that would help.
# jan/30/2023 16:43:02 by RouterOS 7.6
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = HxxxxQ
# Interface definitions: the LAN bridge, one WireGuard interface, a test VLAN
# and the interface lists that the firewall rules refer to.
/interface bridge
add admin-mac=xxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
# No private-key value appears on this line, presumably because the export was
# taken without show-sensitive; keep it that way for anything posted publicly.
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface vlan
# NOTE(review): ether2 is also a bridge port (see /interface bridge port), so
# this VLAN sits on a bridge slave interface - confirm that is intended.
add interface=ether2 name=TEST-VLAN-10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
# NOTE(review): the next line is a bare "add" with no name; it looks like an
# editing artefact in the posted text.
add
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool and server for the bridge, followed by serial-port, PPP and routing
# protocol settings.
/ip pool
# Dynamic leases come from .100-.200; other sections of this export also pin
# hosts and a port-forward target inside this same range.
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=4w2d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
# The only OSPF area shown is disabled.
add disabled=yes instance=default-v2 name=backbone-v2
# Bridge membership, discovery, IPv6, VPN-server settings and interface-list
# membership. The list membership decides what the firewall treats as LAN, WAN
# and MANAGE.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
# NOTE(review): "all" includes ether1, which is in list WAN below, so the
# router announces itself to the upstream network as well. Restricting this to
# an internal list such as LAN avoids advertising the device there.
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# 212-Wireguard is a member of both LAN and MANAGE, so every firewall rule that
# matches in-interface-list=LAN also applies to traffic from WireGuard peers.
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
# NOTE(review): no enabled=yes is shown, so the OpenVPN server is presumably
# off. If it is ever enabled, drop md5 and sha1 from auth first.
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
# WireGuard peers on 212-Wireguard. allowed-address lists the source addresses
# accepted from each peer: the two "JRS" devices get a single /32, while each
# site peer also gets its remote LAN subnet(s). Public keys and endpoint host
# names are redacted in the post.
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxx"
add allowed-address=10.10.100.2/32,192.168.88.0/24 comment="371 SITE B" \
endpoint-address=xxxxxx.dyndns.org endpoint-port=52820 interface=\
212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxxxx"
# This peer is disabled; the matching route (comment=255) is disabled as well.
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment="255 Site D" \
disabled=yes endpoint-address=xxxxxxx.dyndns.org endpoint-port=54820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxx="
add allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 comment=\
"355 Site C" endpoint-address=xxxxxx.dyndns.org endpoint-port=53820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxxx"
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
interface=212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxx="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment="629 SITE E" \
endpoint-address=xxxxxx.dyndns.org endpoint-port=51812 interface=\
212-Wireguard persistent-keepalive=40s public-key=\
"xxxxxxxo="
# Router addresses, cloud DDNS, WAN DHCP client, static leases and DNS.
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
add address=172.16.0.1/24 interface=TEST-VLAN-10 network=172.16.0.0
# NOTE(review): a second subnet on the bridge. 192.168.1.0/24 is also the
# remote LAN of the disabled "255 Site D" peer - confirm this is not a leftover.
add address=192.168.1.111/24 interface=bridge network=192.168.1.0
/ip cloud
# Cloud DDNS is enabled here in addition to the DynDNS script under
# /system script.
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.100 mac-address=xxxxx8 server=defconf
add address=192.168.2.102 mac-address=xxxxx4 server=defconf
add address=192.168.2.101 mac-address=xxxxxxF server=defconf
add address=192.168.2.103 mac-address=xxxxxx4B server=defconf
/ip dhcp-server network
# Clients are handed 10.0.0.2 as their resolver; /ip route sends 10.0.0.0/24
# via 192.168.2.4.
add address=192.168.2.0/24 comment=defconf dns-server=10.0.0.2 gateway=\
192.168.2.2 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from any source
# the input chain lets through, so the firewall's final input drop is what
# keeps this from being an open resolver on the WAN side.
set allow-remote-requests=yes cache-max-ttl=6w cache-size=65536KiB servers=\
10.0.0.2
# Address lists used by the filter, mangle and NAT rules.
/ip firewall address-list
add address=xxxxx.dyndns.org list=dynamic-WANIP
# NOTE(review): "admin" covers the whole of 192.168.0.0/16, not only the local
# 192.168.2.0/24. See the input rule matching src-address-list=admin below.
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin
# Filter rules. chain=input is traffic addressed to the router itself,
# chain=forward is traffic routed through it. Each chain ends in a plain drop,
# so anything not accepted earlier is discarded.
/ip firewall filter
add action=accept chain=input disabled=yes log=yes src-address=192.168.1.1
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Loopback allow" dst-address=127.0.0.1
# WireGuard port, matching listen-port=51820 on 212-Wireguard; open to any
# source address.
add action=accept chain=input comment="Allow incoming WG connections" \
dst-port=51820 protocol=udp
# List LAN contains bridge and 212-Wireguard, so every WireGuard peer gets the
# same access to the router's own services as a wired LAN host.
add action=accept chain=input in-interface-list=LAN
# NOTE(review): the comment says BLOCK but the action is accept. The rule also
# sits after the LAN accept above, which already matches traffic arriving on
# 212-Wireguard, so it looks unreachable as written. Blocking DHCP from the
# tunnel would need action=drop and a position before the LAN rule - confirm
# the intent.
add action=accept chain=input comment="BLOCK DHCP VIA WG" in-interface=\
212-Wireguard log=yes port=67-68 protocol=udp
# NOTE(review): no in-interface match. LAN traffic is already accepted above,
# so in practice this rule only matters for packets arriving on non-LAN
# interfaces (ether1/WAN, TEST-VLAN-10) whose source is in 192.168.0.0/16 or
# 10.10.100.0/24. If the network upstream of ether1 uses private addressing,
# its hosts can reach the router's management services through this rule. No
# /ip service section appears in the export, so those services are presumably
# at their defaults. Consider adding an in-interface-list match or narrowing
# the admin list.
add action=accept chain=input src-address-list=admin
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
# NOTE(review): no interface or source match, so forwarding to 10.0.0.0/24 is
# accepted from any interface, WAN included - confirm that is intended.
add action=accept chain=forward dst-address=10.0.0.0/24
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# Accepts whatever the dst-nat rules under /ip firewall nat have translated.
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
192.168.2.0/24 in-interface=212-Wireguard
# NOTE(review): the comment says "local subnet", but the rule matches only on
# out-interface, so anything routed towards the tunnel is accepted regardless
# of where it came from. Adding src-address=192.168.2.0/24 or an
# in-interface-list match would make the rule do what the comment says.
add action=accept chain=forward comment=\
"Allow local subnet traffic to WG peers" out-interface=212-Wireguard
add action=drop chain=forward
# Hairpin NAT support plus the one inbound port forward.
/ip firewall mangle
# Marks connections from the local subnet to the router's own public name
# (address list dynamic-WANIP) so the srcnat rule below can masquerade them.
add action=mark-connection chain=prerouting comment=\
"Mark connection for hairpin" dst-address-list=dynamic-WANIP \
new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
"Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
out-interface-list=WAN
# Inbound forward of TCP 8123 to 192.168.2.176. There is no source restriction,
# so the service is reachable from any Internet address and its own
# authentication is the only control in front of it.
# NOTE(review): 192.168.2.176 lies inside the DHCP pool range
# (192.168.2.100-192.168.2.200) and has no static entry under
# /ip dhcp-server lease in this export, so the address could be handed to a
# different host later. A static lease would pin the forward target.
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
protocol=tcp to-addresses=192.168.2.176
# Static routes. The remote site LANs are reached through 212-Wireguard; the
# route comments (371, 355, 255, 629) are the handles the route-status scripts
# use to look each route up. 10.0.0.0/24 is reached through the LAN host
# 192.168.2.4.
/ip route
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
212-Wireguard pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment=255 disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=\
212-Wireguard pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=192.168.2.4 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
212-Wireguard pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# Time zone, device name and NTP. The NTP servers are given as fixed IP
# addresses rather than host names.
/system clock
set time-zone-name=America/New_York
/system identity
set name="212 Hex"
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
# Scheduled jobs; each one runs a script by name via on-event.
# NOTE(review): every entry carries the full policy list (including reboot,
# password, sniff, sensitive and romon). Trimming each job to the policies its
# script actually needs limits what a modified script could do.
/system scheduler
# NOTE(review): on-event is "dyndns" while the script under /system script is
# named "DynDNS" - confirm the job resolves to the intended script.
add interval=1d name=Daily on-event=dyndns policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=oct/18/2022 start-time=02:00:00
# Disabled; no script with this name appears in the export.
add disabled=yes interval=10m name=Route355255371 on-event=\
"355 255 371 route status" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=nov/24/2022 start-time=04:42:54
add interval=4d name=export-download on-event=export-download policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/14/2022 start-time=04:47:33
add interval=30m name="355 255 371 629 Route Status" on-event=\
"355 255 371 629 Route Status" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/23/2023 start-time=16:22:48
/system script
# DynDNS: looks up the current public IP, compares it with the value kept in
# the global previousIP and, when it differs (or dyndnsForce is true), sends an
# update to members.dyndns.org and logs the reply.
# Security notes:
# - The account name and client key are stored in the script source and are
#   placed in the userinfo part of the update URL. The posted key is only
#   partly masked (its last characters are visible).
# - The IP lookup uses mode=http, so the reply is unauthenticated; whatever
#   text sits between ": " and "</body>" is used as the new address without
#   any validation.
# - NOTE(review): the https fetch does not set check-certificate, so the server
#   certificate is presumably not verified - confirm on this RouterOS version.
# - The script carries the full policy list although it only fetches, reads
#   files and logs.
add dont-require-permissions=no name=DynDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
\_Set needed variables\r\
\n\t:local username \"xxxxx\"\r\
\n\t:local clientkey \"xxx8bc3\"\r\
\n\t:local hostname \"xxxxxx.dyndns.org\"\r\
\n\r\
\n\t:global dyndnsForce\r\
\n\t:global previousIP\r\
\n\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n\t/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" ds\
t-path=\"/dyndns.checkip.html\"\r\
\n\t:delay 1\r\
\n\t:local result [/file get dyndns.checkip.html contents]\r\
\n\r\
\n# parse the current IP result\r\
\n\t:local resultLen [:len \$result]\r\
\n\t:local startLoc [:find \$result \": \" -1]\r\
\n\t:set startLoc (\$startLoc + 2)\r\
\n\t:local endLoc [:find \$result \"</body>\" -1]\r\
\n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
\n\r\
\n# Remove the # on next line to force an update every single time - usefu\
l for debugging,\r\
\n# but you could end up getting blacklisted by DynDNS!\r\
\n\r\
\n#:set dyndnsForce true\r\
\n\r\
\n# Determine if dyndns update is needed\r\
\n# more dyndns updater request details https://help.dyn.com/remote-access\
-api/perform-update/\r\
\n\t:log info \"UpdateDynDNS: previousIP = \$previousIP\"\r\
\n\t:if (\$dyndnsForce = true) do={ :log warning \"UpdateDynDNS: Forced up\
date on\" }\r\
\n\r\
\n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
\n\t\t:set dyndnsForce false\r\
\n\t\t:set previousIP \$currentIP\r\
\n\r\
\n\t\t/tool fetch mode=https \\\r\
\n\t\turl=\"https://\$username:\$clientkey@members.dyndns.org/v3/update\?h\
ostname=\$hostname&myip=\$currentIP\" \\ \r\
\n\t\tdst-path=\"/dyndns.txt\"\r\
\n\r\
\n\t\t:delay 1\r\
\n\t\t:local result [/file get dyndns.txt contents]\r\
\n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\r\
\n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
\n\t\t:put (\"Dyndns Update Result: \".\$result)\r\
\n\t} else={\r\
\n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\r\
\n\t}"
# Route status monitor: four copies of the same check, one per site route
# (comments 355, 371, 255, 629). Each copy reads the route's "active" flag,
# logs it, and when the value differs from the one remembered in a global
# variable it logs a warning, sends an e-mail and stores the new value.
# NOTE(review): the script only reads routes, writes log entries and sends
# mail, yet it carries the full policy list.
add dont-require-permissions=no name="355 255 371 629 Route Status" owner=\
admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
\r\
\n:global prevstatus355;\r\
\n:global updown355;\r\
\n:global status355 [:ip route get value-name=active [:ip route find comme\
nt=\"355\"]]\r\
\n\r\
\n:log info (\"status355 is \$status355\");\r\
\n:log info (\"prevstatus355 is \$prevstatus355\");\r\
\n\r\
\n:if ( \"\$status355\" = true ) do={:set updown355 UP} else= {:set updown\
355 DOWN}\r\
\n\r\
\n:log info (\"updown355 is \$updown355\");\r\
\n\r\
\n:if ( \"\$status355\" != \"\$prevstatus355\" ) do={ \r\
\n\r\
\n:log warn \"355 connectivity is now \\\"\$updown355\\\" \";\r\
\n:tool e-mail send to=xxxxxxx.com subject=\"355 Connectivity n\
ow \\\"\$updown355\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
stem clock get time ] . \" 355 connectivity changed status from \\\"\$prev\
status355\\\" -> \\\"\$updown355\\\" \" )\r\
\n\r\
\n:set prevstatus355 \$status355\r\
\n\r\
\n}\r\
\n\r\
\n\r\
\n:global prevstatus371;\r\
\n:global updown371;\r\
\n:global status371 [:ip route get value-name=active [:ip route find comme\
nt=\"371\"]]\r\
\n\r\
\n:log info (\"status371 is \$status371\");\r\
\n:log info (\"prevstatus371 is \$prevstatus371\");\r\
\n\r\
\n:if ( \"\$status371\" = true ) do={:set updown371 UP} else= {:set updown\
371 DOWN}\r\
\n\r\
\n:log info (\"updown371 is \$updown371\");\r\
\n\r\
\n:if ( \"\$status371\" != \"\$prevstatus371\" ) do={ \r\
\n\r\
\n:log warn \"371 connectivity is now \\\"\$updown371\\\" \";\r\
\n:tool e-mail send to=xxxxx subject=\"371 Connectivity n\
ow \\\"\$updown371\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
stem clock get time ] . \" 371 connectivity changed status from \\\"\$prev\
status371\\\" -> \\\"\$updown371\\\" \" )\r\
\n\r\
\n:set prevstatus371 \$status371\r\
\n\r\
\n}\r\
\n\r\
\n\r\
\n:global prevstatus255;\r\
\n:global updown255;\r\
\n:global status255 [:ip route get value-name=active [:ip route find comme\
nt=\"255\"]]\r\
\n\r\
\n:log info (\"status255 is \$status255\");\r\
\n:log info (\"prevstatus255 is \$prevstatus255\");\r\
\n\r\
\n:if ( \"\$status255\" = true ) do={:set updown255 UP} else= {:set updown\
255 DOWN}\r\
\n\r\
\n:log info (\"updown255 is \$updown255\");\r\
\n\r\
\n:if ( \"\$status255\" != \"\$prevstatus255\" ) do={ \r\
\n\r\
\n:log warn \"255 connectivity is now \\\"\$updown255\\\" \";\r\
\n:tool e-mail send to=xxxxxx.com subject=\"255 Connectivity n\
ow \\\"\$updown255\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
stem clock get time ] . \" 255 connectivity changed status from \\\"\$prev\
status255\\\" -> \\\"\$updown255\\\" \" )\r\
\n\r\
\n:set prevstatus255 \$status255\r\
\n\r\
\n}\r\
\n\r\
\n\r\
\n\r\
\n:global prevstatus629;\r\
\n:global updown629;\r\
\n:global status629 [:ip route get value-name=active [:ip route find comme\
nt=\"629\"]]\r\
\n\r\
\n:log info (\"status629 is \$status629\");\r\
\n:log info (\"prevstatus629 is \$prevstatus629\");\r\
\n\r\
\n:if ( \"\$status629\" = true ) do={:set updown629 UP} else= {:set updown\
629 DOWN}\r\
\n\r\
\n:log info (\"updown629 is \$updown629\");\r\
\n\r\
\n:if ( \"\$status629\" != \"\$prevstatus629\" ) do={ \r\
\n\r\
\n:log warn \"629 connectivity is now \\\"\$updown629\\\" \";\r\
\n:tool e-mail send to=xxxxxx subject=\"629 Connectivity n\
ow \\\"\$updown629\\\"\" body=( [ :system clock get date ] . \" \" . [ :sy\
stem clock get time ] . \" 629 connectivity changed status from \\\"\$prev\
status629\\\" -> \\\"\$updown629\\\" \" )\r\
\n\r\
\n:set prevstatus629 \$status629\r\
\n\r\
\n}\r\
\n\r\
\n\r\
\n}\r\
\n"
# GetIP: walks the bridge host table and, for every MAC address that has
# exactly one ARP entry, prints the interface, MAC and IP address. It only
# reads and prints; the full policy list is broader than that needs.
add dont-require-permissions=no name=GetIP owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
interface bridge host\r\
\n:foreach item in=[find] do={\r\
\n :local iface [get \$item interface]\r\
\n :local macadd [get \$item mac-address]\r\
\n :local idmac [/ip arp find where mac-address=\$macadd]\r\
\n :if ([:len \$idmac] = 1) do={\r\
\n :local ifip [/ip arp get \$idmac address]\r\
\n :put \"interface=\$iface mac=\$macadd ip=\$ifip\"\r\
\n }\r\
\n}"
# New route UP: single-site version of the route status check. It reads the
# "active" flag of the route with comment 355, maps it to UP/DOWN, and when
# that differs from the global prevstatus355 it logs a warning, sends an
# e-mail and remembers the new value.
# NOTE(review): this script and "355 255 371 629 Route Status" both write the
# global prevstatus355, one storing UP/DOWN and the other the raw active flag -
# confirm only one of them is in use.
add dont-require-permissions=no name="New route UP" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global prevstatus355\r\
\n{\r\
\n /ip route\r\
\n :local status355 [get [find where comment=\"355\"] active]\r\
\n :if (\$status355) do={:set status355 \"UP\"} else={:set status355 \"\
DOWN\"}\r\
\n :log info \"status355 is \$status355 and prevstatus355 is \$prevstat\
us355\"\r\
\n :if (\$status355 != \$prevstatus355) do={ \r\
\n :log warning \"355 connectivity is now \$status355\"\r\
\n /tool e-mail send to=xxxxx subject=\"355 Connec\
tivity is now \$status355\" \\\r\
\n body=\"\$[/system clock get date] \$[/system clock \
get time] 355 connectivity changed status \$prevstatus355 -> \$status355\"\
\r\
\n :set prevstatus355 \$status355\r\
\n }\r\
\n}\r\
\n"
# Upload config: one-off FTP upload of a fixed export file to 192.168.2.22.
# Security notes:
# - The FTP user name and password are stored in the script source and are
#   shown unredacted in this post (the other upload script masks its password).
#   Treat the credential as exposed and change it on the FTP server.
# - mode=ftp sends both the credentials and the file without encryption.
# NOTE(review): the stored source has a line break in the middle of the word
# "password", and the src-path and dst-path file names differ (2022 vs 92022).
# The script presumably does not run as posted - confirm or remove it.
add dont-require-permissions=no name="Upload config" owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="t\
ool fetch address=192.168.2.22 src-path=212hex-12-9-2022.rsc user=mikrotik\
\_mode=ftp passwo\r\
\nrd=mikrotik dst-path=212hex-12-9-92022.rsc port=21 host=\"\" upload=yes\
\r\
\n"
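# export-download: builds a yyyy-MM-dd date string, writes an export named
# 212hex-<date>.rsc, uploads it by FTP to 192.168.2.22 and then deletes the
# local copy.
# - nowdate picks fixed character positions out of the clock date, so it
#   assumes the mmm/dd/yyyy format seen in this export's header (jan/30/2023).
# - The export is taken with show-sensitive, so the file contains the router's
#   secrets, and mode=ftp sends the file and the FTP user/password without
#   encryption. NOTE(review): /tool fetch also has mode=sftp for uploads;
#   consider it if the backup host supports it, and trim the policy list to
#   what the script needs.
# - Fix: the clean-up line now names the file with its .rsc suffix, matching
#   the src-path used for the upload. Without the suffix the name does not
#   match the exported file, so the sensitive export would presumably have
#   stayed on the router after every run.
add dont-require-permissions=no name=export-download owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global nowdate do={\r\
\n /system clock\r\
\n :local vdate [get date]\r\
\n :local yyyy [:pick \$vdate 7 11]\r\
\n :local M ([:find \"xxanebarprayunulugepctovecANEBARPRAYUNULUGEPC\
TOVEC\" [:pick \$vdate 1 3] -1] / 2); :if (\$M>12) do={:set M (\$M - 12)}\
\r\
\n :local MM [:pick \"0\$M\" 1 3]\r\
\n :local dd [:pick \$vdate 4 6]\r\
\n :return \"\$yyyy-\$MM-\$dd\"\r\
\n}\r\
\n\r\
\n# for v6\r\
\n#/export file=\"212hex-\$[\$nowdate]\"\r\
\n\r\
\n# for v7\r\
\n/export show-sensitive file=\"212hex-\$[\$nowdate]\"\r\
\n\r\
\n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/212hex-\$[\$nowdate\
].rsc\" dst-path=\"/mikrotik-backups/212hex-\$[\$nowdate].rsc\" address=19\
2.168.2.22 port=21 user=mikrotik password=xxxxxxxx\r\
\n\r\
\n/file remove \"212hex-\$[\$nowdate].rsc\"\r\
\n"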
# Tool settings: bandwidth test server, outgoing mail, graphing, MAC access,
# netwatch probes, RoMON, sniffer and traffic monitor.
/tool bandwidth-server
set enabled=no
/tool e-mail
# Outgoing mail through smtp.gmail.com on 587 with STARTTLS; no password
# appears in this export.
set address=smtp.gmail.com from=xxxxxxx port=587 tls=starttls \
user=xxxxxx
/tool graphing interface
# NOTE(review): none of the graphing entries sets allow-address, so who may
# view the graphs depends on the defaults and on access to the router's web
# service - confirm.
add interface=bridge
add interface=bridge
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server mac-winbox
# MAC-Winbox is limited to list LAN, which includes 212-Wireguard.
# NOTE(review): no "/tool mac-server set allowed-interface-list=..." line
# appears in the export, so MAC-Telnet is presumably at its default - confirm
# it is not reachable on ether1.
set allowed-interface-list=LAN
/tool netwatch
# Probes of the WireGuard addresses of this router and its peers; all of the
# up/down scripts are empty, so these entries only record state.
add comment=212 disabled=no down-script="" host=10.10.100.1 http-codes="" \
test-script="" type=simple up-script=""
add comment=371 disabled=no down-script="" host=10.10.100.2 http-codes="" \
test-script="" type=simple up-script=""
add comment=355 disabled=no down-script="" host=10.10.100.3 http-codes="" \
test-script="" type=simple up-script=""
add comment=255 disabled=no down-script="" host=10.10.100.4 http-codes="" \
test-script="" type=simple up-script=""
add disabled=no down-script="" host=10.10.100.5 http-codes="" test-script="" \
type=simple up-script=""
add comment=LAPTOP disabled=no down-script="" host=10.10.100.8 http-codes="" \
test-script="" type=simple up-script=""
add comment=iPhone disabled=no down-script="" host=10.10.100.9 http-codes="" \
test-script="" type=simple up-script=""
/tool romon
# NOTE(review): RoMON is switched on, and no secrets or /tool romon port
# restrictions appear in this export. RoMON provides a management path at
# layer 2, so confirm that a secret is set and that it is not active on ether1.
set enabled=yes
/tool sniffer
set file-limit=10000KiB filter-ip-address=192.168.1.1/32 memory-limit=\
10000KiB
/tool traffic-monitor
add disabled=yes interface=ether1 name=tmon1