One VLAN/SSID over Wireguard

Hi everyone,

I know this has been asked before, but somehow I am missing something:

I have several VLANs which each have their own WiFi SSID. All of this works fine as does the rest of the setup, so no questions there.

I would now like that all traffic via WiFi TestNet-YT (VLAN ID 40) runs through wireguard from a VPN provider. VLAN ID 40 shall not communicate with other VLANS and if wireguard is down, VLAN ID 40 shall not route via ISP.

My entire setup before adding the wireguard config in question was as follows:

# 2025-06-22 13:16:45 by RouterOS 7.19.2
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
# Review notes: the '#' lines below were added for readability; every command is unchanged.
/interface bridge
# Single bridge with VLAN filtering enabled; all VLAN interfaces hang off it.
add name=Bridge-LAN vlan-filtering=yes
/interface ethernet
# ether2-5 are administratively disabled but remain bridge members (see bridge port / bridge vlan below).
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
/interface vlan
# One L3 VLAN interface per SSID; VLAN-YT (40) is the network to be sent through the tunnel later.
add interface=Bridge-LAN name=VLAN-Home vlan-id=10
add interface=Bridge-LAN name=VLAN-Work vlan-id=20
add interface=Bridge-LAN name=VLAN-Printer-IOT vlan-id=30
add interface=Bridge-LAN name=VLAN-YT vlan-id=40
/interface list
# VLAN-Admin is the only list granted management access (input chain and mac-server below).
add name=WAN
add name=VLAN
add name=VLAN-Admin
/interface wifi configuration
# Home and Work SSIDs use wpa3-psk; Printer-IOT and YT use wpa2-psk. PMKID and WPS are disabled on all.
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet tx-power=16
add channel.band=5ghz-ax .width=20/40mhz country=Germany disabled=no mode=\
    ap name="5ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet5G tx-power=18
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Work" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-W
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Printer-IOT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-P
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-YT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-YT
/interface wifi
# Physical radios plus three virtual APs on the 2.4 GHz radio (MAC addresses redacted).
set [ find default-name=wifi1 ] configuration="5ghz Config" \
    configuration.mode=ap name=Wifi1-5ghz
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
    configuration.mode=ap disabled=no name=Wifi2-2.4ghz
add configuration="2.4ghz Config-Printer-IOT" configuration.mode=ap disabled=\
    no mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Printer-IOT
add configuration="2.4ghz Config-Work" configuration.mode=ap mac-address=\
    XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=Wifi2-2.4ghz-Work
add configuration="2.4ghz Config-YT" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-YT
/ip pool
add name=VLAN-Home-Pool ranges=192.168.10.20-192.168.10.254
add name=VLAN-Work-Pool ranges=192.168.20.20-192.168.20.254
add name=VLAN-Printer-IOT-Pool ranges=192.168.30.20-192.168.30.254
add name=VLAN-YT-Pool ranges=192.168.40.20-192.168.40.254
/ip dhcp-server
add address-pool=VLAN-Home-Pool interface=VLAN-Home name=VLAN-Home-DHCP
add address-pool=VLAN-Work-Pool interface=VLAN-Work name=VLAN-Work-DHCP
add address-pool=VLAN-Printer-IOT-Pool interface=VLAN-Printer-IOT name=\
    VLAN-Printer-IOT-DHCP
add address-pool=VLAN-YT-Pool interface=VLAN-YT name=VLAN-YT-DHCP
/interface bridge port
# Every member is untagged in exactly one VLAN (pvid) and admits only untagged frames,
# so a client cannot inject its own 802.1Q tag to reach another VLAN.
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi1-5ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Work pvid=20
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Printer-IOT pvid=30
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-YT pvid=40
/ip neighbor discovery-settings
# Neighbor discovery is announced only on the admin VLAN.
set discover-interface-list=VLAN-Admin
/ip settings
# Loose reverse-path filtering: only checks that a source is reachable via some interface,
# so it tolerates the asymmetric paths a second routing table (added later for the tunnel) creates.
set rp-filter=loose
/ipv6 settings
# IPv6 disabled at the stack level; the v6 firewall further down is a second layer.
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
# Bridge-LAN itself is the only tagged member; access ports are listed untagged per VLAN.
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Work vlan-ids=\
    20
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=\
    ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz \
    vlan-ids=10
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Printer-IOT \
    vlan-ids=30
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-YT vlan-ids=40
/interface list member
# All four VLANs are in the VLAN list used by the firewall; only VLAN-Home is also in VLAN-Admin.
add interface=ether1-WAN list=WAN
add interface=VLAN-Home list=VLAN
add interface=VLAN-Work list=VLAN
add interface=VLAN-Home list=VLAN-Admin
add interface=VLAN-Printer-IOT list=VLAN
add interface=VLAN-YT list=VLAN
/ip address
add address=192.168.10.1/24 interface=VLAN-Home network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-Work network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN-Printer-IOT network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN-YT network=192.168.40.0
/ip cloud
set update-time=no
/ip dhcp-client
# WAN address is obtained from the ISP by DHCP.
add interface=ether1-WAN
/ip dhcp-server lease
# Static leases; the two Home addresses are also the 'Authorized' management hosts below.
add address=192.168.10.15 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.10.16 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.30.6 comment=Switch mac-address=XX:XX:XX:XX:XX:XX server=\
    VLAN-Printer-IOT-DHCP
/ip dhcp-server network
# Every VLAN currently points its clients at the router's own resolver.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
/ip dns
# The router resolves for clients. Port 53 on the input chain is restricted to the VLAN list below,
# so this does not expose an open resolver toward the WAN.
set allow-remote-requests=yes
/ip firewall address-list
# IP-based management allow-list: it identifies hosts by address only, not by credentials.
add address=192.168.10.15 list=Authorized
add address=192.168.10.16 list=Authorized
/ip firewall filter
# input chain: stateful accept first, then ICMP, management only from VLAN-Admin + Authorized,
# DNS only from the VLAN list, and everything else (including all WAN-originated traffic) dropped.
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=\
    VLAN-Admin src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
# forward chain: the only accept for new connections is VLAN -> WAN, so the VLANs are isolated
# from each other (the printer exception is disabled). Rule order is what enforces this:
# any new accept must be placed above "drop all else".
add action=fasttrack chain=forward comment="fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    VLAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" disabled=yes \
    dst-address=192.168.30.8 in-interface=VLAN-Home out-interface=\
    VLAN-Printer-IOT
add action=drop chain=forward comment="drop all else"
/ip firewall nat
# Source NAT for everything leaving the WAN port.
add action=masquerade chain=srcnat out-interface=ether1-WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
# ftp/telnet/www/ssh/api/api-ssl are disabled; winbox and www-ssl are not listed in this export,
# so management presumably happens over winbox (see mac-winbox on VLAN-Admin below) — confirm.
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
# Defense in depth: even with IPv6 disabled above, v6 input and forward are dropped.
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Berlin/Germany
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
# Weekly on/off toggles for the Work SSID; each job runs with only the 'write' policy (least privilege).
add interval=1w name="1.1 MO Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=07:00:00
add interval=1w name="1.2 MO Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=20:00:00
add interval=1w name="2.1 TU Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=07:00:00
add interval=1w name="2.2 TU Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=20:00:00
add interval=1w name="3.1 WE Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=07:00:00
add interval=1w name="3.2 WE Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=20:00:00
add interval=1w name="4.1 TH Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=07:00:00
add interval=1w name="4.2 TH Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=20:00:00
add interval=1w name="5.1 FR Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=07:00:00
add interval=1w name="5.2 FR Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=20:00:00
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet off everywhere, MAC-winbox only on the admin VLAN, MAC ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=VLAN-Admin
/tool mac-server ping
set enabled=no

I then added the following for wireguard (all marked as disabled currently until I know what I am missing):

/interface wireguard
# Tunnel interface, still disabled. listen-port is the local UDP port for inbound handshakes;
# here the router initiates toward the provider's endpoint, so it is not what the peer connects to.
add disabled=yes listen-port=13231 mtu=1420 name=WG-ALB1
/interface wireguard peers
# allowed-address=0.0.0.0/0: any destination may be sent into the tunnel and any source is accepted
# from it (full-tunnel). Peer public key redacted.
add allowed-address=0.0.0.0/0 disabled=yes endpoint-address=31.171.153.66 \
    endpoint-port=49121 interface=WG-ALB1 name=Peer-WG-ALB1 public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
# No prefix length given, so RouterOS treats this as a /32 host address; replies in the thread question this.
add address=10.10.123.105 disabled=yes interface=WG-ALB1 network=10.10.123.0

So far I presume this is correct, however I am having troubles connecting the wireguard to VLAN ID 40 so all devices on WiFi SSID TestNet-YT (and only these) get routed via wireguard. What I did additionally is the following:

/ip route
# Default route that exists only in the VPN-YT table; the main table (and so the other VLANs) is untouched.
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=WG-ALB1 \
    routing-table=VPN-YT scope=30 suppress-hw-offload=no target-scope=10
/routing rule
# lookup-only-in-table: traffic from 192.168.40.0/24 never falls back to main, so when the tunnel
# route is unavailable VLAN-YT has no path to the ISP — this is the intended kill-switch.
# Note that VPN-YT holds no connected route for 192.168.40.0/24 itself (a reply below suggests adding one).
add action=lookup-only-in-table disabled=yes src-address=192.168.40.0/24 \
    table=VPN-YT
/routing table
add disabled=no fib name=VPN-YT
/ip firewall nat
# Source NAT toward the tunnel address for everything leaving via WG-ALB1.
add action=masquerade chain=srcnat disabled=yes out-interface=WG-ALB1
/ip firewall filter
# Needed because the existing "internet traffic" accept matches out-interface-list=WAN only;
# this rule must be placed above "drop all else" to take effect.
add action=accept chain=forward disabled=yes in-interface=VLAN-YT \
    out-interface=WG-ALB1

I have two questions:

  1. DNS: According to what I read, the VPN provider's DNS should be added under /ip dns in the server field. But would this not make all other VLANs use the VPN provider's DNS as well if I add it there? The goal is obviously that VLAN ID 40 uses the VPN provider's DNS and all other VLANs use my ISP's DNS. So where do I add the VPN provider's DNS in this case so that it will only be used for VLAN ID 40?
  2. With the last settings (IP route, routing rules, routing table, firewall nat and firewall filter; see above) the WiFi net VPN-YT has no internet access. Without them it does; however, I am also not seeing any Tx or Rx with my current wireguard configuration. What am I missing, how can I tie VLAN ID 40 to route via wireguard?

Any help is greatly appreciated.

I’d suggest changing the listen port of the WG interface to the same as the endpoint and adding a permissive rule in the firewall before the drop all else for it:

/interface wireguard
# '0' is the numeric index of the first wireguard interface; referring to it by name (WG-ALB1)
# avoids depending on that index.
set 0 listen-port=49121
/ip firewall filter
# Accepts only UDP from the peer's endpoint address to the listen port; must sit above "drop all else".
add action=accept chain=input dst-port=49121 protocol=udp src-address=31.171.153.66

Also, shouldn’t the WG address have a netmask?

Actually, your config seems to make sense. This doesn’t happen that often on this forum :slight_smile:

First:

  • add a persistent-keepalive to you wg peer - 25s seems to work well
  • check via the peer last-handshake value that your tunnel actually comes up - if ok, this should vary between 0 and 150-180s

If the tunnel isn’t available, of course routing through it won’t either.

Second, you need functioning dns for this to be useful:

  • check if you can ping something by ip from the given vlan - if no, this has to be fixed before dns
  • your config actually doesn’t allow the vlan to use the router’s dns - this is not a problem
  • the simplest is to hand out the intended dns to vlan40 via dhcp - simply replace your router’s address as the dns server in the dhcp network settings (only for that network!)

EDIT: Basically what I’m saying is that what you set up seems fine. If you’re lucky, only the dns-related change will be necessary.

EDIT2: Also, it would be better to change your msquerade rule to src-nat with to-addresses=10.10.123.105

Your setup looks correct to me, provided none of the rules are left at disabled=yes (i.e. enable the route, routing rule, NAT, etc.). I have a similar setup using Mullvad and it runs just fine. Answering your questions:

  1. Do not do it in IP > DNS; that is the router's own DNS. Do it in the DNS field inside IP > DHCP Server > Network for this particular VLAN. If the DNS is reachable via the VPN, this should work just fine.
  2. Without seeing your whole final config, it is difficult to say. I would say ensure IP > DNS has a public DNS resolver, so that the router can resolve any domain you put on your WG peers (however, I see an endpoint IP, so that is probably not the error). Also review your forward rules; I see you specifically added one for accepting traffic from VLAN → WG. That rule is not really needed if you come from the default configuration, but it can indicate you have a general “drop all” rule at the end of your forward chain. If that is the case, make sure the rule you added is above that rule.

Regards.

Thanks a lot for all your detailed inputs, very helpful!

I will implement them and send you an update.

  1. You have disabled all your ethernet ports, ensure they are ENABLED!!

Other than that seems fine.

In terms of wireguard, fix your address
from:

/ip address
# Original line as posted: no prefix length, so the address is a /32 host address.
add address=10.10.123.105 disabled=yes interface=WG-ALB1 network=10.10.123.0
TO:
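/ip address
# Suggested replacement: explicit /24 prefix so network= matches the prefix, and disabled=yes removed.
# (The stray '*' after the menu path in the original post was a formatting artifact.)
add address=10.10.123.105/24 interface=WG-ALB1 network=10.10.123.0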

Also what did your third party provider give you for a DNS server IP, anything??

I went through your comments and implemented your inputs, however I still cannot make wireguard work for (and only for) VLAN ID 40 (the other VLANs still route without any issues via the ISP). There is no handshake, and I have now also tried it with a different VPN server, hence the IPs/port have changed (e.g. the listen port is now identical to the endpoint port).

@anav: Thank you also for your inputs, always appreciated! For once I am not entirely sure if I follow, why would ether2-5 need to be activated when it is not needed (there is nothing connected to ether2-5 and the setup relies entirely on WiFi)? As for your second question, the information I received from my VPN provider is as follows:

# Provider-supplied client profile; keys redacted.
[Interface]
PrivateKey = XXXXXXXXXX
# /32: a single host address for this end of the tunnel (RouterOS drops the /32 on import, see note below).
Address = 10.70.86.60/32
# Resolver reachable through the tunnel; handed to VLAN 40 clients via DHCP in the config that follows.
DNS = 10.64.0.1

[Peer]
PublicKey = YYYYYYYYYY
# Full tunnel: every destination is routed to this peer.
AllowedIPs = 0.0.0.0/0
Endpoint = 31.171.153.66:13231

Note that /32 gets removed automatically in IP addresses in routeros. My adapted config is now as follows, does anyone have any additional ideas what I am missing?

# 2025-06-26 12:25:52 by RouterOS 7.19.2
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
# Review notes: the '#' lines below were added for readability; every command is unchanged.
/interface bridge
add name=Bridge-LAN vlan-filtering=yes
/interface ethernet
# ether2-5 are administratively disabled but remain bridge members (see bridge port / bridge vlan below).
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
/interface wireguard
# Tunnel interface, now enabled. The router initiates toward the provider endpoint (see peers below),
# so listen-port only matters for handshakes that the peer would initiate.
add listen-port=13231 mtu=1420 name=WG-ALB1
/interface vlan
add interface=Bridge-LAN name=VLAN-Home vlan-id=10
add interface=Bridge-LAN name=VLAN-Work vlan-id=20
add interface=Bridge-LAN name=VLAN-Printer-IOT vlan-id=30
add interface=Bridge-LAN name=VLAN-YT vlan-id=40
/interface list
add name=WAN
add name=VLAN
add name=VLAN-Admin
/interface wifi configuration
# Home and Work SSIDs use wpa3-psk; Printer-IOT and YT use wpa2-psk. PMKID and WPS are disabled on all.
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet tx-power=16
add channel.band=5ghz-ax .width=20/40mhz country=Germany disabled=no mode=\
    ap name="5ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet5G tx-power=18
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Work" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-W
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Printer-IOT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-P
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-YT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-YT
/interface wifi
set [ find default-name=wifi1 ] configuration="5ghz Config" \
    configuration.mode=ap name=Wifi1-5ghz
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
    configuration.mode=ap disabled=no name=Wifi2-2.4ghz
add configuration="2.4ghz Config-Printer-IOT" configuration.mode=ap disabled=\
    no mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Printer-IOT
add configuration="2.4ghz Config-Work" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Work
add configuration="2.4ghz Config-YT" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-YT
/ip pool
add name=VLAN-Home-Pool ranges=192.168.10.20-192.168.10.254
add name=VLAN-Work-Pool ranges=192.168.20.20-192.168.20.254
add name=VLAN-Printer-IOT-Pool ranges=192.168.30.20-192.168.30.254
add name=VLAN-YT-Pool ranges=192.168.40.20-192.168.40.254
/ip dhcp-server
add address-pool=VLAN-Home-Pool interface=VLAN-Home name=VLAN-Home-DHCP
add address-pool=VLAN-Work-Pool interface=VLAN-Work name=VLAN-Work-DHCP
add address-pool=VLAN-Printer-IOT-Pool interface=VLAN-Printer-IOT name=\
    VLAN-Printer-IOT-DHCP
add address-pool=VLAN-YT-Pool interface=VLAN-YT name=VLAN-YT-DHCP
/routing table
# Separate FIB for the tunnel-only policy; populated by the /ip route entry further down.
add disabled=no fib name=VPN-YT
/interface bridge port
# Every member is untagged in exactly one VLAN (pvid) and admits only untagged frames,
# so a client cannot inject its own 802.1Q tag to reach another VLAN.
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi1-5ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Work pvid=20
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Printer-IOT pvid=30
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-YT pvid=40
/ip neighbor discovery-settings
set discover-interface-list=VLAN-Admin
/ip settings
# Loose reverse-path filtering tolerates the asymmetric paths the VPN-YT table introduces.
set rp-filter=loose
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Work vlan-ids=\
    20
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=\
    ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz \
    vlan-ids=10
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Printer-IOT \
    vlan-ids=30
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-YT vlan-ids=40
/interface list member
# VLAN-YT is in the VLAN list, so it matches every in-interface-list=VLAN rule in the firewall below.
add interface=ether1-WAN list=WAN
add interface=VLAN-Home list=VLAN
add interface=VLAN-Work list=VLAN
add interface=VLAN-Home list=VLAN-Admin
add interface=VLAN-Printer-IOT list=VLAN
add interface=VLAN-YT list=VLAN
/interface wireguard peers
# allowed-address=0.0.0.0/0: any destination may be sent into the tunnel and any source accepted from it.
# client-keepalive=25s keeps the NAT mapping on the WAN side alive between handshakes.
add allowed-address=0.0.0.0/0 client-keepalive=25s endpoint-address=\
    31.171.153.66 endpoint-port=13231 interface=WG-ALB1 name=Peer-WG-ALB1 \
    public-key="YYYYYYYYYY"
/ip address
add address=192.168.10.1/24 interface=VLAN-Home network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-Work network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN-Printer-IOT network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN-YT network=192.168.40.0
# No prefix length, i.e. /32 as in the provider profile; network=10.70.86.0 does not correspond to
# a /32. Replies in the thread recommend /24 here — confirm against what the provider expects.
add address=10.70.86.60 interface=WG-ALB1 network=10.70.86.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.10.15 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.10.16 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.30.6 comment=Switch mac-address=XX:XX:XX:XX:XX:XX server=\
    VLAN-Printer-IOT-DHCP
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
# VLAN-YT clients get the provider resolver directly; their queries are sourced from 192.168.40.0/24
# and therefore follow the VPN-YT routing rule below into the tunnel.
add address=192.168.40.0/24 dns-server=10.64.0.1 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.10.15 list=Authorized
add address=192.168.10.16 list=Authorized
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=\
    VLAN-Admin src-address-list=Authorized
# NOTE(review): these two rules still accept DNS from VLAN-YT (it is in the VLAN list). A VLAN-YT client
# that queries 192.168.40.1 instead of the DHCP-provided resolver would presumably be answered by the
# router via its normal (main-table) path, i.e. outside the tunnel. Excluding VLAN-YT here, or the
# dstnat redirect suggested later in the thread, closes that leak path.
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
# Inbound handshake from the endpoint. Since the router initiates (endpoint-address is set on the peer),
# the peer's replies already match "accept established,related,untracked" above; this rule is likely redundant.
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    protocol=udp src-address=31.171.153.66
add action=drop chain=input comment="drop all else"
add action=fasttrack chain=forward comment="fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# "internet traffic" also matches VLAN-YT -> WAN. The kill-switch for VLAN-YT therefore rests on the
# routing rule alone (lookup-only-in-table); if that rule is ever disabled, VLAN-YT would reach the ISP.
# NOTE(review): a drop for in-interface=VLAN-YT out-interface-list=WAN placed above this rule would
# enforce the same policy in the firewall as well.
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    VLAN out-interface-list=WAN
# Correctly placed above "drop all else".
add action=accept chain=forward comment="allow wireguard" in-interface=\
    VLAN-YT out-interface=WG-ALB1
add action=drop chain=forward comment="drop all else"
# NOTE(review): this rule now sits after "drop all else", so it can never match even if it is enabled
# (in the earlier export it preceded the drop).
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" disabled=yes \
    dst-address=192.168.30.8 in-interface=VLAN-Home out-interface=\
    VLAN-Printer-IOT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
# Only traffic addressed to the peer endpoint (the handshake/transport) is translated here. Packets sent
# into WG-ALB1 keep their 192.168.40.x source; replies in the thread recommend masquerade/src-nat on
# out-interface=WG-ALB1 instead so the provider sees the tunnel address.
add action=masquerade chain=srcnat dst-address=31.171.153.66
/ip route
# Default route inside the VPN-YT table only; the main table is untouched, so other VLANs stay on the ISP.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-ALB1 \
    routing-table=VPN-YT scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing rule
# lookup-only-in-table: no fallback to main when the tunnel route is unavailable — this is what keeps
# VLAN-YT off the ISP. VPN-YT has no connected route for 192.168.40.0/24 itself (a reply suggests adding one).
add action=lookup-only-in-table disabled=no src-address=192.168.40.0/24 table=\
    VPN-YT
/system clock
set time-zone-name=Berlin/Germany
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system scheduler
# Weekly on/off toggles for the Work SSID; each job runs with only the 'write' policy.
add interval=1w name="1.1 MO Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=07:00:00
add interval=1w name="1.2 MO Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=20:00:00
add interval=1w name="2.1 TU Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=07:00:00
add interval=1w name="2.2 TU Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=20:00:00
add interval=1w name="3.1 WE Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=07:00:00
add interval=1w name="3.2 WE Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=20:00:00
add interval=1w name="4.1 TH Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=07:00:00
add interval=1w name="4.2 TH Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=20:00:00
add interval=1w name="5.1 FR Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=07:00:00
add interval=1w name="5.2 FR Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=20:00:00
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=VLAN-Admin
/tool mac-server ping
set enabled=no

In case the visualised routes would help, see below:

Can you try adding local route to the VPN-YT table?

/ip route
# Connected route for the VLAN-YT subnet inside the VPN-YT table. With lookup-only-in-table, lookups for
# 192.168.40.0/24 sources are confined to this table, which presumably otherwise holds only the default route.
add disabled=no dst-address=192.168.40.0/24 gateway=VLAN-YT routing-table=VPN-YT

And don’t forget to enable the default route, which is currently disabled.

Also, try removing the network of the WG address and changing the NAT masquerade to match the WG interface rather than the address. Otherwise, there doesn’t seem to be anything wrong with the config. Perhaps @anav may be able to shed some light on the situation, since Wireguard and policy-based routing don’t seem to get along with one another.

  1. Why ether2-5? Because your config should tell a consistent story. If the ports are unused and disabled, then why are they entered in the interface bridge port settings??
interface bridge port
# Quoted from the export above: the four disabled ethernet ports are still bridge members with pvid=10.
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LAN pvid=10
AND
# ...and the same four ports are listed as untagged members of VLAN 10 (quoted from /interface bridge vlan).
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=\
    ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz \
    vlan-ids=10
??????????????????????????????????????

2.  CHANGE YOUR IP ADDRESS !  for WG, for the second time.
# Suggested /24 in place of the provider's /32; network= then matches the prefix (see the explanation later in the thread).
add address=10.70.86.60/24 interface=WG-ALB1 network=10.70.86.0
AKA  /24  not /32 !!!

(and why is wg address different from first post??)

3.  This is now correct with the proper DNS server, but you will need to ensure that the router reaches that DNS server over wireguard, not through its normal local/ISP path.
# Quoted from the export: VLAN 40's DHCP scope hands out the provider resolver directly.
add address=192.168.40.0/24 dns-server=10.64.0.1 gateway=192.168.40.1

Thus add new route.
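/ip route
# Host route for the provider resolver via the tunnel in the main table, so any router-originated
# lookup toward 10.64.0.1 does not leave via the ISP. (VLAN 40 clients' own queries already follow the
# VPN-YT routing rule.) The original line used 'address=', which is not an /ip route parameter;
# the destination is given with dst-address.
add dst-address=10.64.0.1/32 gateway=WG-ALB1 routing-table=main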

4.  Change this 
# Quoted from the export: this only translates packets addressed to the peer endpoint (the handshake/transport),
# not the traffic carried inside the tunnel.
add action=masquerade chain=srcnat dst-address=31.171.153.66
WRONG!!!
That destination is simply for the handshake to establish tunnel and has nothing to do with the internal tunnel traffic which needs to get assigned the IP address given to you by the provider.

TO:
# Source-NAT everything leaving through the tunnel interface to the tunnel's own address, which is what
# the provider side expects to see.
add action=masquerade chain=srcnat out-interface=WG-ALB1

5.   USELESS input chain rule for wireguard. It's NOT required. There is no entity attempting to connect to the router for wireguard; it's the other way round. REMOVE!!
# Quoted input rule: the router initiates the handshake, so the peer's replies already match the
# established/related accept; this rule would only matter if the peer were to initiate.
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    protocol=udp src-address=31.171.153.66

6.  Everything else seems okay. I personally would add the following dstnat rules to ensure DNS compliance by VLAN 40 users.

/ip firewall nat
# Transparent DNS redirect for VLAN 40: any port-53 query from 192.168.40.0/24 — presumably including one
# aimed at the router's own 192.168.40.1 — is rewritten to the provider resolver, so a client with a
# hard-coded resolver cannot bypass the tunnel for DNS.
# The full parameter name is to-addresses (as written earlier in the thread); verify that the
# abbreviated form is accepted on your RouterOS version.
add chain=dstnat action=dstnat  src-address=192.168.40.0/24  dst-port=53 protocol=udp to-address=10.64.0.1
add chain=dstnat action=dstnat  src-address=192.168.40.0/24  dst-port=53 protocol=tcp to-address=10.64.0.1











This new forum format SUCKS, all of my replies are cutoff/truncated

Agreed, the older format was clearer

@anav

  1. Because I intend to use them at a later stage. Is there a harm in adding them to the interface bridge port settings and disabling them? Ether2-5 do not have VLAN-Admin access and hence cannot enable themselves.
  2. I changed it now to /24, but could you please explain for my understanding why /24 is necessary when the VPN provider states 10.70.86.60/32 as shown in my post on 26 June above?
  3. Also added, thank you for pointing this out
  4. Initially I had both settings as you suggested and changed them due to inputs in this thread. I changed it now back to what you recommended.
  5. See 4
  6. Also added

I am a step further now as I sometimes manage to get a handshake. Current status:

  1. If everything is applied there is no handshake, unless I reboot the router. Then there is a handshake and that was it. No internet access, pings fail.
  2. If I reboot the router a second time, there will be no new handshake, even if I delete the lease. This occurs with the same device and unchanged settings.

What am I still missing?

Please post your latest config
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys).

Progress is good!!

We assign the address on the wireguard interface because it properly creates a dynamic route for wireguard (the address could be /29 or anything), and it also ensures the router assigns the given IP address/32 to all traffic leaving the router (as expected by the other end) instead of the VLAN 40 IPs. I just know that using something other than /32 in the actual IP address on the MT works 100% of the time…

@anav I see, thanks for clarifying.

The latest config is as follows:

# 2025-07-02 11:08:29 by RouterOS 7.19.2
# software id = KSYB-YVIV
#
# model = C53UiG+5HPaxD2HPaxD
# Single bridge with VLAN filtering; every access port below is untagged into exactly one VLAN.
/interface bridge
add name=Bridge-LAN vlan-filtering=yes
# ether2-5 are bridge members but administratively disabled (kept for later use).
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] disabled=yes name=ether2-LAN
set [ find default-name=ether3 ] disabled=yes name=ether3-LAN
set [ find default-name=ether4 ] disabled=yes name=ether4-LAN
set [ find default-name=ether5 ] disabled=yes name=ether5-LAN
# WireGuard tunnel to the VPN provider; the local listen port and the peer endpoint port are both 13231.
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-ALB1
/interface vlan
add interface=Bridge-LAN name=VLAN-Home vlan-id=10
add interface=Bridge-LAN name=VLAN-Work vlan-id=20
add interface=Bridge-LAN name=VLAN-Printer-IOT vlan-id=30
add interface=Bridge-LAN name=VLAN-YT vlan-id=40
# Interface lists referenced by the firewall: WAN, all VLANs, and the admin-capable VLAN.
/interface list
add name=WAN
add name=VLAN
add name=VLAN-Admin
# Per-SSID WiFi profiles. NOTE(review): the Printer-IOT and YT profiles use wpa2-psk while the
# others use wpa3-psk; WPS is disabled and PMKID is suppressed on all of them.
/interface wifi configuration
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet tx-power=16
add channel.band=5ghz-ax .width=20/40mhz country=Germany disabled=no mode=\
    ap name="5ghz Config" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .wps=disable \
    ssid=TestNet5G tx-power=18
add channel.band=2ghz-ax .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Work" security.authentication-types=wpa3-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-W
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-Printer-IOT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-P
add channel.band=2ghz-n .width=20mhz country=Germany disabled=no mode=ap \
    name="2.4ghz Config-YT" security.authentication-types=wpa2-psk \
    .disable-pmkid=yes .encryption=ccmp .wps=disable ssid=TestNet-YT
# One physical 2.4 GHz radio with three virtual APs on top of it (MAC addresses redacted in the post).
/interface wifi
set [ find default-name=wifi1 ] configuration="5ghz Config" \
    configuration.mode=ap name=Wifi1-5ghz
set [ find default-name=wifi2 ] configuration="2.4ghz Config" \
    configuration.mode=ap disabled=no name=Wifi2-2.4ghz
add configuration="2.4ghz Config-Printer-IOT" configuration.mode=ap disabled=\
    no mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Printer-IOT
add configuration="2.4ghz Config-Work" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-Work
add configuration="2.4ghz Config-YT" configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=Wifi2-2.4ghz name=\
    Wifi2-2.4ghz-YT
/ip pool
add name=VLAN-Home-Pool ranges=192.168.10.20-192.168.10.254
add name=VLAN-Work-Pool ranges=192.168.20.20-192.168.20.254
add name=VLAN-Printer-IOT-Pool ranges=192.168.30.20-192.168.30.254
add name=VLAN-YT-Pool ranges=192.168.40.20-192.168.40.254
/ip dhcp-server
add address-pool=VLAN-Home-Pool interface=VLAN-Home name=VLAN-Home-DHCP
add address-pool=VLAN-Work-Pool interface=VLAN-Work name=VLAN-Work-DHCP
add address-pool=VLAN-Printer-IOT-Pool interface=VLAN-Printer-IOT name=\
    VLAN-Printer-IOT-DHCP
add address-pool=VLAN-YT-Pool interface=VLAN-YT name=VLAN-YT-DHCP
# Separate FIB used to policy-route VLAN 40 into the tunnel (see /ip route and /routing rule below).
/routing table
add disabled=no fib name=VPN-YT
# Access ports: untagged only, each pinned to its VLAN via pvid.
/interface bridge port
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-LAN pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi1-5ghz pvid=10
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Work pvid=20
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-Printer-IOT pvid=30
add bridge=Bridge-LAN frame-types=admit-only-untagged-and-priority-tagged \
    interface=Wifi2-2.4ghz-YT pvid=40
# Neighbor discovery (MNDP/CDP/LLDP) only on the admin VLAN.
/ip neighbor discovery-settings
set discover-interface-list=VLAN-Admin
# rp-filter=loose: presumably chosen because strict reverse-path checking would interfere with the
# policy-routed VLAN 40 flows whose replies arrive on WG-ALB1 — confirm.
/ip settings
set rp-filter=loose
# IPv6 switched off on the router; the /ipv6 firewall filter below drops anything that remains.
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
# VLAN table: the bridge itself is the only tagged member, each access port is untagged in its VLAN.
/interface bridge vlan
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Work vlan-ids=\
    20
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=\
    ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz \
    vlan-ids=10
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-Printer-IOT \
    vlan-ids=30
add bridge=Bridge-LAN tagged=Bridge-LAN untagged=Wifi2-2.4ghz-YT vlan-ids=40
# VLAN-YT is in the VLAN list, so every firewall rule matching in-interface-list=VLAN applies to it too.
/interface list member
add interface=ether1-WAN list=WAN
add interface=VLAN-Home list=VLAN
add interface=VLAN-Work list=VLAN
add interface=VLAN-Home list=VLAN-Admin
add interface=VLAN-Printer-IOT list=VLAN
add interface=VLAN-YT list=VLAN
# allowed-address=0.0.0.0/0 lets any destination be sent to this peer, which is required because
# VLAN 40's default route points at WG-ALB1. The peer public key is redacted in the post.
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-keepalive=25s endpoint-address=\
    31.171.153.66 endpoint-port=13231 interface=WG-ALB1 name=Peer-WG-ALB1 \
    public-key="YYYYYYYYYY"
# 10.70.86.60/24 on WG-ALB1 is deliberately wider than the /32 the provider hands out (see the
# explanation earlier in the thread); it installs a connected route for the tunnel subnet.
/ip address
add address=192.168.10.1/24 interface=VLAN-Home network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-Work network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN-Printer-IOT network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN-YT network=192.168.40.0
add address=10.70.86.60/24 interface=WG-ALB1 network=10.70.86.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.10.15 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.10.16 client-id=1:XX:XX:XX:XX:XX:XX mac-address=\
    XX:XX:XX:XX:XX:XX server=VLAN-Home-DHCP
add address=192.168.30.6 comment=Switch mac-address=XX:XX:XX:XX:XX:XX server=\
    VLAN-Printer-IOT-DHCP
# VLAN 40 clients are handed the VPN provider's resolver (10.64.0.1); the other VLANs use the router.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=10.64.0.1 gateway=192.168.40.1
# The router answers DNS for clients; who may reach it is limited by the input chain below.
/ip dns
set allow-remote-requests=yes
# Hosts allowed to manage the router (combined with in-interface-list=VLAN-Admin in the input chain).
/ip firewall address-list
add address=192.168.10.15 list=Authorized
add address=192.168.10.16 list=Authorized
# Rule order matters: each chain is evaluated top-down and the first match wins.
# input: only established/related/untracked, ICMP, admin access from Authorized hosts on
# VLAN-Admin, and DNS from the VLAN list reach the router; everything else, including all
# WAN-originated traffic, is dropped.
# forward: "internet traffic" accepts the whole VLAN list (VLAN-YT included) towards WAN, so the
# firewall itself does not stop VLAN 40 from reaching the ISP — that is enforced only by the
# /routing rule's lookup-only-in-table further down. NOTE(review): a drop rule for
# in-interface=VLAN-YT out-interface-list=WAN placed before "internet traffic" would give a
# second, independent layer. No inter-VLAN forward rule is enabled, so VLANs cannot talk to each
# other. The disabled printer rule sits after "drop all else" and would never match even if enabled.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="admin access" in-interface-list=\
    VLAN-Admin src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack chain=forward comment="fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow wireguard" in-interface=\
    VLAN-YT out-interface=WG-ALB1
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment=\
    "Access Printer on Printing Network from Home Network" disabled=yes \
    dst-address=192.168.30.8 in-interface=VLAN-Home out-interface=\
    VLAN-Printer-IOT
# Masquerade on both exits. The two dst-nat rules force all port-53 traffic from VLAN 40 to
# 10.64.0.1 regardless of the resolver a client configures; DNS over HTTPS/TLS is not covered.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=WG-ALB1
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.40.0/24 to-addresses=10.64.0.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.40.0/24 to-addresses=10.64.0.1
# VPN-YT table holds only a default route into the tunnel, so VLAN 40 traffic has no path via the
# ISP; when the tunnel has no handshake it is presumably dropped rather than leaked — confirm.
# The main-table host route lets the router itself reach the VPN resolver through the tunnel.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WG-ALB1 \
    routing-table=VPN-YT scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.64.0.1/32 gateway=WG-ALB1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Management surface: ftp/telnet/www/ssh/api/api-ssl all disabled. winbox does not appear in the
# export (defaults are not exported), so it is presumably still enabled on its default port — confirm;
# it is only reachable through the input-chain "admin access" rule (VLAN-Admin + Authorized list).
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh disabled=yes port=2421
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall filter
add action=drop chain=input comment="Drop all other IPv6 traffic"
add action=drop chain=forward comment="Drop all IPv6 forward traffic"
/ipv6 nd
set [ find default=yes ] disabled=yes
# Policy routing: packets sourced from 192.168.40.0/24 are resolved only in VPN-YT, with no
# fallback to main — this is what makes the VPN "kill switch" for VLAN 40 work.
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.40.0/24 table=\
    VPN-YT
/system clock
set time-zone-name=Berlin/Germany
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
# Weekly schedules that switch the Work SSID on at 07:00 and off at 20:00, Monday to Friday.
/system scheduler
add interval=1w name="1.1 MO Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=07:00:00
add interval=1w name="1.2 MO Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-30 start-time=20:00:00
add interval=1w name="2.1 TU Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=07:00:00
add interval=1w name="2.2 TU Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2024-12-31 start-time=20:00:00
add interval=1w name="3.1 WE Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=07:00:00
add interval=1w name="3.2 WE Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-01 start-time=20:00:00
add interval=1w name="4.1 TH Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=07:00:00
add interval=1w name="4.2 TH Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-02 start-time=20:00:00
add interval=1w name="5.1 FR Wifi-Work enable" on-event=\
    "/interface wifi enable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=07:00:00
add interval=1w name="5.2 FR Wifi-Work disable" on-event=\
    "/interface wifi disable Wifi2-2.4ghz-Work" policy=write start-date=\
    2025-01-03 start-time=20:00:00
/tool bandwidth-server
set enabled=no
# MAC-level services: mac-telnet server reachable from no interface, mac-winbox only from
# VLAN-Admin, mac-ping off.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=VLAN-Admin
/tool mac-server ping
set enabled=no

The latest config works, no need to look any further into it.

@TheCat12, @lurker888, @jhbarrantes, @mszru & @anav, thank you once again for your help, really appreciate it. I hope this thread will help others with the same issue.


One final question though:

@anav I followed your approach for the firewall set up. With the new implementation of VLAN ID 40, wireguard and all its related settings (routing, nat rules, VPN DNS for VLAN ID40, etc.), I presume that my current firewall rules are still best practice and do not require any adjustments or do you suggest any changes for the new setup?

Yup you do not allow any intervlan traffic, so all is good.

Great, thanks anav!