# Add default route for WireGuard
/ip route add dst-address=0.0.0.0/0 gateway=10.8.0.1 scope=30 comment="Route all traffic through WireGuard"

# Update NAT for WireGuard traffic
/ip firewall nat add chain=srcnat out-interface=wg1 action=masquerade comment="Masquerade WireGuard traffic"

# Block direct WAN traffic (optional)
/ip firewall filter add chain=forward out-interface=ether1 action=drop comment="Block direct WAN traffic"