Dotaz: Wireguard? Mikrotik - Debian - NFTables

caute, nedari sa mi rozchodit WG pod debian 10 na RPI3 (cisty debian, nie raspbian), tipujem to na problem vo firewalle - bud v mikrotiku alebo v NFTables.
Na mikrotiku mam dve vlany - sukromnu a pre hosti. Na MT v ip addresses som pod sukromnu vlanu pridal dalsiu siet pre vpn peerov a pre wg0 (RPI3) pricom eth0 na RPI3 ma ip od povodnej sukromnej siete
Na MT som NATol WG port na ip eth0 v RPI a povolil som maskaradu pre vpn siet.

ip firewall filter vyzera takto:

 0    chain=input action=accept connection-state=established,related 

 1    chain=input action=accept in-interface=fix_vlan log=no log-prefix="" 

 2    chain=input action=drop connection-state=invalid 

 3    chain=input action=jump jump-target=WAN>INPUT in-interface-list=WAN log=no log-prefix="" 

 4    chain=input action=drop log=yes 

 5    chain=forward action=accept connection-state=established,related 

 6    chain=forward action=accept in-interface=fix_vlan out-interface-list=WAN log=no log-prefix="" 

 7    chain=forward action=accept in-interface=host_vlan out-interface-list=WAN log=no log-prefix="" 

 8    ;;; DSTNAT
 chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="" 

 9    chain=forward action=accept src-address-list=host_ip dst-address-list=tlac in-interface=host_vlan log=no log-prefix="" 

10    chain=forward action=accept src-address-list=vpn_ip in-interface=fix_vlan log=no log-prefix="" 

11    chain=forward action=drop connection-state=invalid 

12    chain=forward action=drop src-address-list=!fix_ip in-interface=fix_vlan log=no log-prefix="" 

13    chain=forward action=drop src-address-list=!host_ip in-interface=host_vlan log=no log-prefix="" 

14    chain=forward action=drop dst-address-list=bogon log=yes log-prefix="bogon" 

15    chain=forward action=drop in-interface=host_vlan out-interface=fix_vlan log=no log-prefix="" 

16    chain=forward action=drop log=yes log-prefix="" 

17    chain=WAN>INPUT action=drop log=no log-prefix="" 

define WAN_IFC = eth0
define VPN_IFC = wg0

table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;

 # Allow traffic from established and related packets.
 ct state established,related accept;

 # Drop invalid packets.
 ct state invalid drop;

 # Allow loopback traffic.
 iifname lo accept;

 # Allow all ICMP and IGMP traffic, but enforce a rate limit
 # to help prevent some types of flood attacks.
 ip protocol icmp limit rate 4/second accept;
 ip protocol igmp limit rate 4/second accept;

 # Allow SSH specific IPs
 tcp dport 22 ip saddr $SAFE_IPS accept;

 # Allow WG
 udp dport WG port accept;

 # Deny WG
 udp dport WG port ip saddr $HOST_NET drop;

 # Allow DNS
 udp dport 53 accept;

 # Allow WWW specific IPs
 tcp dport { http, https } ip saddr $SAFE_IPS accept;
 udp dport { http, https } ip saddr $SAFE_IPS accept;

 }
 chain forward {
 type filter hook forward priority 0; policy drop;

 # forward WireGuard traffic, allowing it to access internet via WAN
 iifname $VPN_IFC oifname $WAN_IFC ct state new accept
 }
 chain output {
 type filter hook output priority 0; policy accept;
 }
}

table ip router {
 # both prerouting and postrouting must be specified

 chain prerouting {
 type nat hook prerouting priority 0;
 }

 chain postrouting {
 type nat hook postrouting priority 100;

 # masquerade wireguard traffic
 # make wireguard traffic look like it comes from the server itself
 oifname $WAN_IFC ip saddr $VPN_NET masquerade
 }
}

[Interface]
Address = lan.ip.adresa.servera z rozsahu vpn_net vytvorenej v MT/24
ListenPort = WG port
PrivateKey = ...

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0

[Interface]
PrivateKey = ...
Address = lan.ip.adresa.clienta z rozsahu vpn_net vytvorenej v MT/32
DNS = lan.ip.adresa.mt (je na nom povoleny DNS)

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = verejna.ip.adr.esa:WG port
PersistentKeepalive = 25