I'm quite familiar with iptables and confguring firewalls like pfSense and OPNsense. I know my way around. Yet, this issue had me troubleshooting a few hours and while its solved, I would like to ask your advise on how solve it properly.

On this page:
https://help.mikrotik.com/docs/spaces/R ... d+Firewall

We add some rules, in particular: WAN and LAN are interface lists, WAN is just 1 (PPPoE) and LAN contains lan-bridge and some vlans. The Wireguard interface is not part of the LAN interface.

So that rule drops that, but I think only what comes out of it, traffic still gets routed in I think. At least that's what I saw in the packet sniffer and in the OPNsense on the other side of the tunnel. When I concluded traffic was exiting the tunnel and properly routed back in, I started looking into the return. When I saw the raw packet count going up, I disabled that rule and everything started working again.

So first question, why can traffic enter with that prerouting drop rule, but not exit (its stateful right)?

And second, I added the wg interface to the LAN interface list, is there a better way to fix this, or better said, how would decide what is the best way to solve this?

Thanks!

Instead of describing hypotheticals, and rules completely out of context,
please provide the use-cases, aka actual traffic requirements.

a. identify user(s)/groups of users including admin, external, internal
b. identify all the traffic they require to execute.
c. detail particulars about wan connections etc.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Network diagram is also helpful

I assumed the guide I linked provided the context with the rule I listed being the one that drops return traffic.

I understand you're trying to help and I appreciate that but I'm sorry I am not comfortable posting (anonimized) configs. If that means the questions can't be answered then its fine, I accept that.

Ironic, that you were comfortable applying advances pages but dont understand what they are doing, but less so, for experienced users that are willing to provide some practical advice.
There is nothing in an anonimized configuration that renders your network to any danger.

/export file=anynameyouwish ( minus router serial number, minus any public WANIP information, vpn keys and you can also remove an IP DHCP lease lists as well if it makes one more at ease )

Hi, I have opened up the firewall docs and added any rule I found there or maybe not and then I have this particular drop rules here and my question is: what is the bigger picture?

Sry, but so much unknown variables. Nobody can answer your vague questions.

I get it. It was silly to expect help without proper info.

I posted in haste without giving it too much thought. I'll prepare better next time I feel the need to ask something.

No worries, many parts of a config are interrelated and thus a snippet really never tells the whole story.