Dynamic WireGuard endpoint traffic routed outbound to a specific interface.

Small summary: I have a physical decentralized VPN device (on eth2-dvpn) between the router and the modem. It is “transparent,” and the IP on the interface is 10.10.10.3 with a gateway of 10.10.10.1.
On eth5-publicip, I have a direct link to my modem, with the IP 10.10.10.5 and gateway 10.10.10.1.
I also have a NordVPN tunnel on 10.5.0.0/24, which uses eth2-dvpn for its outbound connection.
Lastly, I use mangle rules to determine which packets should use which port.
Everything works well, but issues arise with another WireGuard tunnel. It works only if I add a static route to my smartphone’s IP, which uses eth2-dvpn. It does not work through the WireGuard NordVPN tunnel (which is the main routing table).
A strange thing happens: if I add the smartphone’s IP to the “list-dVPN-sites,” it does not work. Similarly, the NordVPN endpoint IP requires a static route, but this route never changes, while the smartphone’s IP does.
I have tried using connection marking on input and route marking (by marked connection) on output, but still no luck (refer to the first four disabled mangle rules for the attempts).

My question is how to route the outbound connection from wireguard-private (and also from wireguard-nordvpn, where the problem is less significant because the endpoint has a static IP) to eth2.
You can see both static routes in the main routing table; if I deactivate them, there is no handshake.

Here is my config (don't worry about the firewall; I disable it during testing). Remember, I have 3 IPs (public, dVPN, NordVPN); wireguard-private works if I connect to my public IP, and the router replies on eth2 or eth5 (not via NordVPN).



# model = RB951Ui-2nD
#
/interface bridge
add name=bridge-trunk port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether2 ] name=ether2-dVPN
set [ find default-name=ether3 ] name=ether3-10gar
set [ find default-name=ether4 ] name=ether4-10gar
set [ find default-name=ether5 ] name=ether5-publicIP poe-out=off
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-nordVPN
add listen-port=51821 mtu=1420 name=wireguard-private
/interface vlan
add interface=bridge-trunk name=vlan10-gar vlan-id=10
add interface=bridge-trunk name=vlan50-iot vlan-id=50
/ip dhcp-server
add add-arp=yes interface=vlan50-iot lease-time=1d name=dhcp-iot
add address-pool=pool-gar interface=vlan10-gar lease-time=1d name=dhcp-gar
add address-pool=pool-trunk interface=bridge-trunk lease-time=1d name=\
    dhcp-trunk
/routing table
add disabled=no fib name=public
add disabled=no fib name=dVPN
/interface bridge port
add bridge=bridge-trunk interface=ether1-trunk internal-path-cost=10 \
    path-cost=10
add bridge=bridge-trunk interface=ether3-10gar internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge-trunk interface=ether4-10gar internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge-trunk interface=wlan10-gar internal-path-cost=10 path-cost=\
    10 pvid=10
add bridge=bridge-trunk interface=wlan20-dau internal-path-cost=10 path-cost=\
    10 pvid=20
add bridge=bridge-trunk interface=wlan66-666 internal-path-cost=10 path-cost=\
    10 pvid=66
add bridge=bridge-trunk interface=wlan90-guest internal-path-cost=10 \
    path-cost=10 pvid=90
add bridge=bridge-trunk interface=wlan50-iot internal-path-cost=10 path-cost=\
    10 pvid=50
add bridge=bridge-trunk interface=wlan30-cas internal-path-cost=10 path-cost=\
    10 pvid=30
/interface bridge vlan
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=\
    ether3-10gar,ether4-10gar,wlan10-gar vlan-ids=10
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=wlan20-dau \
    vlan-ids=20
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=wlan30-cas \
    vlan-ids=30
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=wlan50-iot \
    vlan-ids=50
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=\
    wlan90-guest vlan-ids=90
add bridge=bridge-trunk untagged=ether1-trunk,bridge-trunk vlan-ids=1
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=wlan66-666 \
    vlan-ids=66
/interface list member
add interface=ether2-dVPN list=list-wan&vpn
add interface=ether5-publicIP list=list-wan&vpn
add interface=wireguard-nordVPN list=list-wan&vpn
add interface=wireguard-private list=list-wan&vpn
/interface wireguard peers
add allowed-address=0.0.0.0/0,::/0 client-address=10.2.2.2/32 interface=\
    wireguard-private name=peer-smartphone public-key=\
    "REDACTED"
add allowed-address=0.0.0.0/0,::/0 endpoint-address=85.190.232.140 \
    endpoint-port=51820 interface=wireguard-nordVPN name=peer-nordVPN \
    persistent-keepalive=25s public-key=\
    "REDACTED"
/ip address
add address=192.168.10.1/24 interface=vlan10-gar network=192.168.10.0
add address=192.168.50.1/24 interface=vlan50-iot network=192.168.50.0
add address=10.1.1.1/29 interface=bridge-trunk network=10.1.1.0
add address=10.5.0.2/24 interface=wireguard-nordVPN network=10.5.0.0
add address=10.2.2.1/24 comment=vpn-private interface=wireguard-private \
    network=10.2.2.0
/ip dhcp-client
add add-default-route=no interface=ether2-dVPN use-peer-dns=no
add add-default-route=no interface=ether5-publicIP use-peer-dns=no
/ip dhcp-server network
add address=10.1.1.0/29 comment=trunk gateway=10.1.1.1 netmask=29
add address=192.168.10.0/24 dns-server=10.1.1.1 gateway=192.168.10.1
add address=192.168.50.0/24 dns-server=10.1.1.1 gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes servers=103.86.96.100,103.86.99.100,1.1.1.1
/ip firewall address-list
add address=mypersonalip.com list=list-dVPN-sites
add address=www.snapchat.com list=list-blockedsites
add address=192.168.10.0/24 list=list-Internal-networks
add address=192.168.20.0/24 list=list-Internal-networks
add address=192.168.30.0/24 list=list-Internal-networks
add address=192.168.50.0/24 list=list-Internal-networks
add address=10.11.11.0/24 comment=guest list=list-Internal-networks
add address=192.168.66.0/24 list=list-Internal-networks
add address=10.1.1.0/29 comment=trunk list=list-Internal-networks
add address=api.ipify.org list=list-publicIPsites
add address=10.2.2.0/24 comment="vpn private" list=list-Internal-networks
add address=10.2.2.0/24 list=list-ioT-toWireguard&InterVlan
add address=192.168.10.0/24 list=list-ioT-toWireguard&InterVlan
add address=10.1.1.1 list=list-ioT-toWireguard&InterVlan
add address=beb-dvr.hass list=list-publicIPclients
add address=gar-dvr.hass list=list-publicIPclients
add address=gar-inverter.hass list=list-publicIPclients
add address=beb-inverter.hass list=list-publicIPclients
add address=homeassistant.hass list=list-publicIPclients
add address=34.34.34.34 list=list-dVPN-sites
add address=it270.nordvpn.com disabled=yes list=list-dVPN-sites
add address=ipinfo.io list=list-dVPN-sites
add address=10.10.10.1 comment=vodafone list=list-Internal-networks
add address=10.10.10.5 list=list-Internal-networks
add address=10.5.0.0/24 comment=nordVPN list=list-Internal-networks
add address=10.10.10.3 list=list-Internal-networks
add address=beb-pompa.hass list=list-ioT-tointernet
add address=10.5.0.1 list=list-ioT-toWireguard&InterVlan
add address=ifconfig.me list=list-publicIPsites
add address=93.150.221.0/24 comment="endpoint SMARTPHONE wireg vpn" list=\
    list-dVPN-sites
/ip firewall mangle
add action=mark-connection chain=input comment=\
    "ConnTrack wireguard-private peers to dVPN" disabled=yes dst-port=51821 \
    log-prefix=wireguardaccept new-connection-mark=mark-wireguard-private \
    passthrough=no protocol=udp src-address-list=!list-Internal-networks
add action=mark-connection chain=prerouting comment="mark connTrack" \
    disabled=yes dst-port=51821 log-prefix=packetmark new-connection-mark=\
    mark-wireguard-private passthrough=no protocol=udp
add action=mark-connection chain=output comment="mark connTrack" disabled=yes \
    log-prefix=packetmarkAAAAA new-connection-mark=mark-wireguard-private \
    out-interface=wireguard-private passthrough=yes
add action=mark-routing chain=output comment="mark connTrack" \
    connection-mark=mark-wireguard-private disabled=yes log-prefix=\
    packetmarkAAAAA new-routing-mark=public passthrough=no
add action=mark-routing chain=prerouting comment=\
    "VISIT WEBSITES with dVPN IP" dst-address-list=list-dVPN-sites \
    log-prefix="mark dvpn" new-routing-mark=dVPN passthrough=no \
    src-address-list=list-Internal-networks
add action=mark-routing chain=output comment=\
    "VISIT WEBSITES with dVPN IP (R1-GAR)" dst-address-list=list-dVPN-sites \
    log-prefix=publicWebsite new-routing-mark=dVPN out-interface-list=\
    list-wan&vpn passthrough=no
add action=mark-routing chain=prerouting comment=\
    "VISIT WEBSITES with publicIP" dst-address-list=list-publicIPsites \
    log-prefix=publicIPsite new-routing-mark=public passthrough=no \
    src-address-list=list-Internal-networks
add action=mark-routing chain=output comment=\
    "VISIT WEBSITES with publicIP (R1-GAR)" dst-address-list=\
    list-publicIPsites log-prefix=publicWebsite new-routing-mark=public \
    out-interface-list=list-wan&vpn passthrough=no
add action=mark-routing chain=prerouting comment=\
    "CLIENTS GO OUT with public IP" dst-address-list=!list-Internal-networks \
    log-prefix="mark homeAss Public IP when need go to net" new-routing-mark=\
    public passthrough=no src-address-list=list-publicIPclients
add action=mark-routing chain=prerouting comment=\
    "vlan666 (TOS26)  to public routing table " dscp=26 new-routing-mark=\
    public passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface-list=\
    list-wan&vpn
/ip route
add comment="dVPN Gateway" disabled=no distance=20 dst-address=0.0.0.0/0 \
    gateway=10.10.10.1%ether2-dVPN pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10 vrf-interface=ether2-dVPN
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.10.10.1%ether5-publicIP routing-table=public suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=ether5-publicIP \
    routing-table=public scope=10 suppress-hw-offload=no
add check-gateway=ping comment="nordVPN Gateway" disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=10.5.0.1 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="it nordvpn endpoint POOL route outside Tunnel" disabled=no distance=5 \
    dst-address=85.190.232.0/24 gateway=10.10.10.1%ether2-dVPN routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10
add comment="ALL PUBLIC" disabled=no distance=30 dst-address=0.0.0.0/0 \
    gateway=10.10.10.1%ether5-publicIP routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.10.0/24 gateway=ether2-dVPN \
    routing-table=dVPN scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.10.10.1%ether2-dVPN routing-table=dVPN scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=10.1.1.0/29 gateway=bridge-trunk \
    routing-table=dVPN scope=10 suppress-hw-offload=no
add disabled=no distance=10 dst-address=10.1.1.0/29 gateway=bridge-trunk \
    routing-table=public scope=10 suppress-hw-offload=no
add comment="SMARTPHONE wireg-private endpoint outside tunnel" disabled=no distance=5 dst-address=\
    93.150.221.0/24 gateway=10.10.10.1%ether2-dVPN routing-table=main scope=\
    30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.2.2.0/24 gateway=wireguard-private \
    routing-table=dVPN scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.5.0.0/24 gateway=wireguard-nordVPN \
    routing-table=dVPN scope=10 suppress-hw-offload=no target-scope=5
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=public table=public
add action=lookup-only-in-table disabled=no routing-mark=dVPN table=dVPN
add action=lookup-only-in-table disabled=no interface=bridge-trunk table=main
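The same outbound steering without a per-endpoint static route, as an added example that is not part of this post: connection marks remember which WAN a WireGuard peer arrived on, and output-chain routing marks send the router's own replies back through that WAN's table, so a peer whose IP changes (the smartphone) needs no route of its own. It assumes the interface names, listen-ports, routing tables and /routing rules from the export above; the connection-mark names are my own.

```routeros
# Added example, not from the original post. Assumes ether2-dVPN,
# ether5-publicIP, listen-ports 51820 (wireguard-nordVPN) and 51821
# (wireguard-private), routing tables "public" and "dVPN", and the
# existing "routing-mark=... table=..." rules under /routing rule.
# Connection-mark names (conn-from-*) are assumptions.
/ip firewall mangle
# 1. Remember which WAN a new WireGuard connection came in on. Matching the
#    listen-port instead of the peer address covers a dynamic endpoint: when
#    the smartphone roams to a new IP, conntrack sees a new connection and
#    this rule marks it again.
add chain=input in-interface=ether2-dVPN protocol=udp dst-port=51820,51821 \
    connection-state=new action=mark-connection \
    new-connection-mark=conn-from-dVPN passthrough=no \
    comment="WireGuard peer arrived on ether2-dVPN"
add chain=input in-interface=ether5-publicIP protocol=udp \
    dst-port=51820,51821 connection-state=new action=mark-connection \
    new-connection-mark=conn-from-public passthrough=no \
    comment="WireGuard peer arrived on ether5-publicIP"
# 2. Route the router's own replies with the table of the WAN the peer used,
#    so the source address the peer (and its NAT) sees never changes
#    mid-session. Locally originated packets are re-routed after an
#    output-chain mark-routing, which is what makes this work for the
#    encrypted UDP leaving the router.
add chain=output connection-mark=conn-from-dVPN action=mark-routing \
    new-routing-mark=dVPN passthrough=no comment="reply via dVPN table"
add chain=output connection-mark=conn-from-public action=mark-routing \
    new-routing-mark=public passthrough=no comment="reply via public table"
# 3. Handshakes the router starts itself (the NordVPN peer) have no inbound
#    connection to inherit a mark from; match the WireGuard source port and
#    send them out through the dVPN table. With this in place the static
#    85.190.232.0/24 route in the main table is no longer needed.
add chain=output connection-mark=no-mark protocol=udp src-port=51820,51821 \
    action=mark-routing new-routing-mark=dVPN passthrough=no \
    comment="router-initiated WireGuard -> dVPN table"
```

`add` appends, so move these above the existing output-chain rules (or use place-before=) and take the smartphone's /24 out of list-dVPN-sites, otherwise the earlier "VISIT WEBSITES with dVPN IP" output rule claims the reply first. To see a rule being hit add log=yes to it: log-prefix on its own, as in the disabled rules above, logs nothing.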

Detailed diagram please.

Thanks for the reply.
Basically I need a method to filter the connections to the WireGuard endpoints, because I use static routes to exit outside the NordVPN tunnel in the main table.
The mangle rules that redirect host and website requests to the various routing tables work well, but not with the WireGuard endpoints (curiously).
Also, the first mangle rules made for the WireGuard tunnel (private) do not redirect to eth2.
(attached image: map.jpg)

So on this hAP device,
a. you have a public WAN IP??
and
b. you have NordVPN... WHY?
You can access your router as admin or guests or another router via WireGuard without NordVPN.

c. Perhaps you want users to go out a different public internet IP than your own, and that is the reason?

d. If so, then instead of paying NordVPN, why not get a CHR license and rent a Vultr cloud server for like $7 a month and host your own server anywhere you want.

e. Think you're pushing your luck with too many WLANs; performance has got to take a hit...

f. Don't understand your setup at all.. What is the purpose of the trunk to another device?? What is the connection here.

g. Why do you have vlans but still using bridge?? If you are using vlans, make the bridge subnet another vlan so the bridge does nothing but bridge.
/ip dhcp-server
add address-pool=pool-gar interface=vlan10-gar lease-time=1d name=dhcp-gar
add address-pool=pool-trunk interface=bridge-trunk lease-time=1d name=\
    dhcp-trunk

And why does vlan 50 NOT have a dhcp server??? Edit: found it later in a different spot in the config.

h. Finally, you do not define vlan20, but here it is on your bridge.
add bridge=bridge-trunk interface=wlan20-dau internal-path-cost=10 path-cost=\
    10 pvid=20

++++++++++++++++++++++++++++++++++++++++
Ahh OKAY, some of these vlans are coming in on the trunk...

  1. I see the main issue confusing me... you have some bridge settings that need to be removed, as in reality you have NO need for a bridge address.
    You have two vlans, and the bridge subnet is not used at all on any ports... bye bye to the following, REMOVE THEM

/ip pool
add name=pool-gar ranges=192.168.10.2-192.168.10.254
add name=pool-iot ranges=192.168.50.2-192.168.50.254
add name=pool-trunk ranges=10.1.1.2-10.1.1.6

/ip dhcp-server
add address-pool=pool-gar interface=vlan10-gar lease-time=1d name=dhcp-gar
add address-pool=pool-trunk interface=bridge-trunk lease-time=1d name=\
    dhcp-trunk

/ip address
add address=192.168.10.1/24 interface=vlan10-gar network=192.168.10.0
add address=192.168.50.1/24 interface=vlan50-iot network=192.168.50.0
add address=10.1.1.1/29 interface=bridge-trunk network=10.1.1.0
add address=10.5.0.2/24 interface=wireguard-nordVPN network=10.5.0.0
add address=10.2.2.1/24 comment=vpn-private interface=wireguard-private \
    network=10.2.2.0

/ip dhcp-server network
add address=10.1.1.0/29 comment=trunk gateway=10.1.1.1 netmask=29
add address=192.168.10.0/24 dns-server=10.1.1.1 gateway=192.168.10.1
add address=192.168.50.0/24 dns-server=10.1.1.1 gateway=192.168.50.1

AND the bogus entry on /interface bridge vlan
add bridge=bridge-trunk untagged=ether1-trunk,bridge-trunk vlan-ids=1

  2. Fix up bridge ports/vlans. I don't believe you need the bridge tagged for vlans that are NOT local to the router, simply in ether1 out wlan etc...
    /interface bridge port
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1-trunk
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether3-10gar pvid=10
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether4-10gar pvid=10
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan10-gar pvid=10
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan20-dau pvid=20
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan66-666 pvid=66
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan90-guest pvid=90
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan50-iot pvid=50
    add bridge=bridge-trunk ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wlan30-cas pvid=30

/interface bridge vlan (I don't believe you need the bridge tagged for vlans that are NOT local to the router, simply in ether1 out wlan etc..)
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=ether3-10gar,ether4-10gar,wlan10-gar vlan-ids=10
add bridge=bridge-trunk tagged=ether1-trunk untagged=wlan20-dau vlan-ids=20
add bridge=bridge-trunk tagged=ether1-trunk untagged=wlan30-cas vlan-ids=30
add bridge=bridge-trunk tagged=bridge-trunk,ether1-trunk untagged=wlan50-iot vlan-ids=50
add bridge=bridge-trunk tagged=ether1-trunk untagged=wlan90-guest vlan-ids=90
add bridge=bridge-trunk tagged=ether1-trunk untagged=wlan66-666 vlan-ids=66

  3. Don't understand why you have 0.0.0.0/0 on your wireguard private for allowed addresses.
    Is this not for incoming users... is this wireguard connected to anything at the other end??
    How many peers are coming in on this router???

  4. Firewall rules are very disorganized and over the top complex for no reason - at least keep your chains together for easy reading and spotting errors.
    KEEP in mind, you cannot make any firewall rules for non-local VLANs, so forget about 66, 90, 30; they are transparent to the router, coming in on ether1 and going out WLAN.

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="accept to local loopback" dst-address=127.0.0.1

( admin rules )
add action=accept chain=input comment="wireguard handshake" dst-port=51821 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=TRUSTED
{ static admin LAN IPs from vlan10, and any incoming admin wireguard IPs from private WG }
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"
{ Ensure you add this rule last, AFTER you have built your firewall address list!!! }
+++++++++++++++++++
{ default rules to keep }
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { remove if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { remove if not doing ipsec }
add action=fasttrack-connection chain=forward connection-state=established,related connection-mark=no-mark
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

( admin rules )
add action=accept chain=forward comment="internet traffic" src-address=192.168.10.0/24 out-interface-list=WAN
add action=accept chain=forward comment="vlan50 allowed internet" src-address-list=list-ioT-tointernet in-interface=vlan50-iot out-interface-list=WAN
add action=accept chain=forward comment="vlan10 access to vlan50" src-address=192.168.10.0/24 dst-address=192.168.50.0/24
add action=accept chain=forward comment="private wg to subnets" in-interface=wireguard-private src-address=10.2.2.0/24 out-interface-list=LAN
add action=accept chain=forward comment="??vlan50 to vlan10??" src-address-list=list-ioT-tovlan10 dst-address=192.168.10.0/24 { remove if not required }??
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { disable if not required }
add action=drop chain=forward comment="drop all else"

CLEAN UP address lists. WHY do you have IoT devices allowed to ORIGINATE traffic to vlan10???
If you give vlan10 or incoming wireguard the ability to reach vlan50, then return traffic is allowed automatically.
But there should be no reason for allowing vlan50 devices to contact vlan10 users NORMALLY.
Finally, you already identified the vlan50 members that should have WAN access, so we don't worry about wireguard here either.
So just in case they do, I have moved the vlan50-to-vlan10 entries to their own address list, which you can disable if I am right.
FROM:
add address=10.2.2.0/24 list=list-ioT-toWireguard&InterVlan
add address=192.168.10.0/24 list=list-ioT-toWireguard&InterVlan
add address=10.1.1.1 list=list-ioT-toWireguard&InterVlan { this subnet doesn't exist !!! }
add address=10.5.0.1 list=list-ioT-toWireguard&InterVlan
add address=gar-dvr.hass list=list-ioT-toWireguard&InterVlan
add address=homeassistant.hass list=list-ioT-toWireguard&InterVlan
add address=beb-dvr.hass list=list-ioT-toWireguard&InterVlan

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
TO:
add address=homeassistant.hass comment=Homeassistant list=list-ioT-tovlan10
add address=gar-dvr.hass comment="Gar DVR" list=list-ioT-tovlan10
add address=beb-dvr.hass comment=beb-dvr list=list-ioT-tovlan10

5. Just to make sure, let's review the interface list.
/interface list member
add interface=ether2-dVPN list=list-wan&vpn
add interface=ether5-publicIP list=list-wan&vpn
add interface=wireguard-nordVPN list=list-wan&vpn
add interface=wireguard-private list=list-wan&vpn
add interface=vlan10-gar list=LAN
add interface=vlan50-iot list=LAN

+++++++++++++++++++++++++++++++++++++++
Can't proceed on mangles and routes without a better understanding of the WANs.

6. I don't understand dVPN, other than it's another WAN source and is treated as such.
Do you mean to use the dVPN source for regular traffic from vlan10 and allowed VLAN50 users, as well as the other WAN connection??

And which WAN source will the NordVPN tunnel go over?
And which WAN source will the private wireguard traffic be coming in on??

I have a public WAN IP on another modem, connected to the MikroTik via eth5 (public), and eth2 with a "hardware VPN" called dVPN (Deeper Network). The IP subnet from the modem to the MikroTik is 10.10.10.0/24 (.3 is on eth2-dvpn and .5 is on eth5-public). I had it gifted and added it to the config; it acts as a transparent device that redirects you via a VPN tunnel to other IPs.

I have too many vlans because there are 3 residential LANs, plus IoT, guests and a "public IP wlan".
The wlans/vlans are shared across all the MikroTiks because this way I have excellent outdoor/indoor signal coverage, and every group of users has their Chromecasts or Alexa everywhere. The CPU is still at 10-20% load, because the DHCP servers of the other vlans are on different routers and come from the bridge. The IoT vlan is needed for common home automation.

1 and 2
Why don't I need bridge addresses? With those addresses I reach the other devices on the net. The setup is:

  • 10.1.1.1 (on the trunk) is the MAIN ROUTER; it has internet (2 interfaces), 5 wlans/vlans, and is the DHCP server of 2 vlans (50, 10) + the trunk interface (vlan1 - subnet 10.1.1.0/29).
  • 10.1.1.2 (on the trunk) is the second router; it has 5 wlans/vlans and is the DHCP server of vlan 20
  • 10.1.1.3 (also on the trunk) is the third router; again 5 wlans/vlans, DHCP server of vlan 66
  • 10.1.1.4 (..trunk) 5 wlans/vlans, DHCP server of vlan 90
  • 10.1.1.5 (..trunk) 5 wlans/vlans

Every device has ethernet ports and virtual wifi interfaces assigned to the respective vlan IDs, and if I connect to the wifi of vlan10 from the last router, the main router gives me an address in that vlan.
If I remove DHCP or the addresses (10.1.1.0/29) from the trunk, the routers do not negotiate anything.
So the bridge ports HAVE to be tagged to make all the logic work (and it does).

3
Changed to 10.2.2.0/24

4
I need some traffic to go through the VPN and other traffic through the public IP: traffic to websites or from clients.
Firewall rules for the other vlans are on their respective routers, where the DHCP server is hosted. They use the main routing table of the main router (gateway/DNS 10.1.1.1) and exit via the NordVPN tunnel, across eth2-dvpn.
I agree with you that the firewall rules may be disorganized; I'm always a noob nerd, I will study your words better.

WHY do you have IoT devices allowed to ORIGINATE traffic to vlan10
Because I can reach SOME IoT devices from every vlan (a specific rule is in every router for each vlan), so I enabled communication from the "allowed devices" to the same devices (same list).


Maybe this clarifies my situation a bit; look at the highlighted static route in the main table (and also the one before it)... I wish for a rule to make them use the dVPN table... the first is static, so no problems, but the highlighted one is my smartphone's IP... the wireguard-private peer endpoint: