An alternative to hair-pin nat and split-dns is to put your servers on a different ip scope from the clients.

On R2, disable this firewall rule: It will keep your Mangle rules from working correctly.

What Firewall Filter rules do you have? Have you allowed for a Forward from/to external interface?

50 meters is too close to get any exact alignment without the most minute changes. Looks like you have achieved maximum throughput as is.

MCS stands for Modulation Coding Scheme. Has to due with calculating maximum throughput using the number of spatial streams and channel widths, I believe.

More likely your DST-NAT rule is not working as you intended. Using in-interface or in-interface-list limits the rules to those interfaces which local users do not reach.

If the DNS server is in the same IP scope, it would be broken without the masquerade rule. This is the same issue as Hairpin NAT.

If you use an IP outside of your LAN IP scope, there is no need for the rule as the packets would return to the router already.

That Rule 4 would only be needed if you were redirecting to another device in your network such as a pi-hole or similar.

You can remove the last 2 rules as the default drop/dst-nat rule performs most of the same purpose.

Or narrow the scope of that last drop rule by adding src-address=192.168.88.0/24

Your last firewall filter is dropping all forwards including LAN to LAN. The previous rule is allowing LAN out WAN so your internet still works, but the loopback is LAN to LAN.

Outdoor CPE and indoor AP, there is little chance for interference. Two Wi-Fi cards on one device will interfere/cross-talk with one another unless you can find some crazy shielded cards.

It is an easy fix! In v7, routing-mark was replaced by routing tables. /routing table add disabled=no fib name="ONE" add disabled=no fib name="TWO" And change routing-mark to routing-table in routes. /ip route add check-gateway=ping distance=1 gateway="FTTC Line 1" rout...

This would only be true if all traffic of the server was routed out the WireGuard connection. But if you only want to allow access to some services on the server through the WireGuard connection, you will will need to mark that incoming traffic so that it will return out the WireGuard connection.

Could you not just assign the IPs to ether5 and use src-nat without having to script or even change the Notebook IP? /ip address add address=10.150.2.1/24 interface=ether5 network=10.150.2.0 add address=192.168.11.234/24 interface=ether5 network=192.168.11.0 /ip firewall nat add action=src-nat chain...

You need 2 firewall mangle rules. First, mark incoming connections from WireGuard interface and then route those connections out the WireGuard interface. Here is mine look like: /ip firewall mangle add action=mark-connection chain=prerouting comment="Mark Incoming WireGuard1 Connection" in...

Connect your device to your computer using an Ethernet cable directly (without any other devices in-between), plug the Ethernet cable into your device's Etherboot port. Most commonly, RouterBOARD devices are able to use Netinstall from their first port (Ether1), or from the port marked with "B...

That ability seems to have been depreciated! The built-in looks for a specific file in a specific file structure to know current version and also populate the change log.

You could script your own upgrade and automate that way.

Your LAN IP is set incorrectly: /ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0 This should be interface=bridge since ether2 is attached to the bridge. /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0 Also, yo...

ZeroTier doesn't have to be on your HexS. I have mine running on 2 different hAP AC3 used as access-points, but can run on NAS, RPi or any other device.

The hAP ax lite might make a good/cheap standalone ZeroTier VPN devices.

I use both ZeroTier and WireGuard with SL without issue. ZeroTier is the easiest to configure for remote access, but I use WireGuard to a CHR on DigitalOcean to NAT it's Public IP. Infact, I have 2 ZeroTier one going out Starlink and another out my T-Mobile Home Internet. The WireGuard goes out a T-...

Is your device you are updating already on v7.12? From the Change Logs: 1. When upgrading by using "check-for-updates", all versions earlier than 7.12 will display 7.12 as the latest available version. Upgrade from v7.12 to v7.13 or later versions must be done through 7.12 in order to conv...

Don't put the router itself as DNS Server in /IP DNS, these should only be other Public/Private Servers like 8.8.8.8 or 1.1.1.1 or just use the provided Dynamic Servers. You should then have no issues when you set 192.168.88.1 as DNS in /DHCP-Server Network.