Firewall is weak.......or horrible or both........ /ip firewall address-list { use static dhcp leases } add address=adminIP1 list= Authorized comment="admin local desktop" add address=adminIP2 list=Authorized comment="admin local laptop" add address=adminIP3 list=Authorized comme...

1. You have these two entries in /interface bridge ports add bridge= BRIDGE_FAL_EOIP interface=VLAN_0050_FAL_EOIP_bridge add bridge= BRIDGE_FAL_EOIP interface=FAL_EOIP_50_TUNNEL But the bridge is never defined....... /interface bridge add admin-mac=C4:AD:34:F5:C8:F7 a uto-mac=no comment=defconf name...

RDP, not a chance........... not a secure protocol in 2023

(1) Not sure why you have a pool called VPN ranges?? Wireguard only gets an address in the MT installation, nothing else, there is no DHCP etc... OKAY, please look at this and you TELL ME what is wrong....... You will want to kick yourself!! ;-) /ip address add address= 192.168.88.1/24 comment=defco...

Need latest full config to apply your questions to please.

(1) You should be able to connect to the same wireguard Interface with two difference clients on two different WANs into the router. Can you confirm that is what you are attempting to do? You need to ensure that the handshake is returned out the same WAN it comes in on. I suspect that is your proble...

(1) Insecure and potentially dangerous to expose winbox port to the internet. Suggest access router via Wireguard. add action=accept chain=input comment="Remote access MEXUS" dst-port=8291 \ protocol=tcp src-address=X.X>X>X (2) You should only have four mangle rules. FIXED /ip firewall man...

The only vlan I see is the one for the pppoe connection? I do agree that using vlans and bridge vlan filtering can be a challenging ordeal. What I recommend is (besides generous use of SAFEMODE) is to take an unused port lets say 5 and take it OFF the bridge. Give it an IP address and basically done...

If you are a remote user and connecting to wireguard your options are: a. connect to Router to config it. b. connect to LAN devices/users c. use internet of Router. If you want to use local Internet of the remote device, dont turn on wireguard. In other words has nothing to do with Mikrotik it has e...

manual is probably the least complex path. Another option is buying three hex routers. hex1 - LAN output 192.168.11 gateway 192.168.1 hex2 - LAN output 192.168.12 gateway 192.168.1 hex3 - LAN output 192.168.13 gateway 192.168.1 RB5009 or another HEX as the glue. Ether1 WAN is 192.168.11.2 Ether2 WAN...

Will be able to comment later today but for now please post your latest config with the changes you have made.

The allowed IPs are not correct for your client devices.
Both should be:
allowed-ips=192.168.255.0/24,192.168.2.0/24

There may be issues with other parts of the config, but clearly unable to comment.