1. Wouldn't call my Bridge "LAN" as LAN is already used on the router for standard nomenclature. Personal choice but at least make it bridge-LAN etc.
2. Why do you have two IP pools but only one subnet ( aka the one you attach to the bridge-LAN )?
3. Highly recommend you set this to NONE, as it creates weird issues...
/interface detect-internet
set detect-interface-list=all
4. Set this to LAN_list:
/ip neighbor discovery-settings
set discover-interface-list=none
5. Not sure why your allowed IPs come filled with all the noise of what's on the peer device??
Normally would look like, or at least I would pare it down to, the essentials.......
/interface wireguard peers
add allowed-address=10.200.0.3/32 interface=WireGuard_VPN name=Tom_WIN11 public-key="+++++"
add allowed-address=10.200.0.4/32 interface=WireGuard_VPN name=Tom_iPAD public-key="*****"
add allowed-address=10.200.0.5/32 interface=WireGuard_VPN name=Tom_iPHONE public-key="^^^^^^"
In any case shouldn't be preventing anything, so suspect I will find something in firewall rules.
6. Firewall rules are much better done if organized so that the input chain is together and the forward chain is together, for quick reading and understanding.............
/ip firewall filter
{input chain default rules to keep}
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
{admin rules}
add action=accept chain=input comment="WireGuard handshake" dst-port=33333 protocol=udp
add action=accept chain=input comment="allow internal LAN only" in-interface-list=LAN_list
add action=drop chain=input comment="drop all else" { insert this last so you don't lock yourself out }
++++++++++++
{default rules to keep}
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{admin rules}
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN_list out-interface-list=WAN_list
add action=accept chain=forward comment="Remote users to LAN" in-interface=WireGuard_VPN dst-address=10.0.0.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
7. You have your source nat rule disabled ??
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN_list
Should be:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=no \
ipsec-policy=out,none out-interface-list=WAN_list
EDIT: Okay, I saw your last rule at the end LOL......... I hate it when people leave messy useless noise in their config!!
8. Forget the honeypot 3389 stuff; the idea is NOT to attract attention to your router, and 3389 does.
The other dst nat rules will not be visible on scans as you have source address lists entered which should also limit access for the most part.
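An added example, not from this post or from MikroTik: a small Python linter that parses RouterOS `/ip firewall filter` export lines and checks the layout point 6 recommends, namely that each chain's rules are grouped together, that a catch-all drop exists, and that it sits last so no accept rule below it (the WireGuard handshake or LAN accept) is dead. The sample export is constructed from the rules above.

```python
import re

# Constructed sample: the filter rules suggested in the post, as RouterOS export lines.
SAMPLE_EXPORT = """\
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="WireGuard handshake" dst-port=33333 protocol=udp
add action=accept chain=input comment="allow internal LAN only" in-interface-list=LAN_list
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN_list out-interface-list=WAN_list
add action=accept chain=forward comment="Remote users to LAN" in-interface=WireGuard_VPN dst-address=10.0.0.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
"""

TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_rules(export):
    """One dict of key/value pairs per 'add ...' line; surrounding quotes stripped."""
    return [{k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            for line in export.splitlines() if line.startswith("add ")]

def is_catch_all_drop(rule):
    """A drop that matches everything: no matcher keys besides action/chain/comment."""
    return rule.get("action") == "drop" and set(rule) <= {"action", "chain", "comment"}

def lint(export):
    """Findings against the layout the post recommends; an empty list means it passes."""
    rules = parse_rules(export)
    findings = []
    for chain in ("input", "forward"):
        idx = [i for i, r in enumerate(rules) if r.get("chain") == chain]
        if not idx:
            findings.append(f"{chain}: no rules")
            continue
        if idx[-1] - idx[0] + 1 != len(idx):  # chains should be grouped, not interleaved
            findings.append(f"{chain}: rules interleaved with another chain")
        chain_rules = [rules[i] for i in idx]
        drops = [i for i, r in enumerate(chain_rules) if is_catch_all_drop(r)]
        if not drops:
            findings.append(f"{chain}: missing final 'drop all else'")
        elif drops[0] != len(chain_rules) - 1:  # anything after the catch-all is unreachable
            findings.append(f"{chain}: catch-all drop is not last; "
                            f"{len(chain_rules) - 1 - drops[0]} rule(s) after it never match")
    return findings
```

Run `lint()` over the output of `/ip firewall filter export` before applying a rule set; a non-empty result is the list of ordering problems found.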