WireGuard and VLAN with RB5009

Hi All,

Long story short: after a few years with a hAP ac2 I decided to dive deeper into networking and bought an RB5009 to expand my network to 2.5G, learn VLANs and run Pi-hole on the router instead of on a separate machine.

I successfully set up the router and the AP for VLANs (using the examples provided on the forum), but I cannot get WireGuard working. To be specific, I can connect to the WireGuard endpoint and I can see traffic going out from the WireGuard IP, but it never gets an answer, even for a simple DNS query to 1.1.1.1.

I was using WireGuard with my hAP ac2 until I got the “bigger” router, and I implemented the same firewall rules (and more) on the RB5009, but something is still missing or misconfigured. I suspect the problem is near the bridge and the lack of DHCP on the bridge (e.g. a 2.5G Unifi device is not getting any IP but marks and flows the traffic just fine, and this applies to the hAP ac2 too).

Could someone help me find where the problem could be, or what concept I should research to understand the issue?

FYI: I know I possibly went above and beyond with the current VLAN config, but it is only the first iteration. My original design sounded better in my head than it looks in “production” now.

Example firewall log:

 2025-06-02 21:56:19 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55222->108.141.16.127:443, len 64
 2025-06-02 21:56:19 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55221->13.107.246.44:443, len 64
 2025-06-02 21:56:19 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55223->142.250.201.194:443, len 64
 2025-06-02 21:56:19 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55225->69.173.144.138:443, len 64
 2025-06-02 21:56:19 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55224->69.173.144.139:443, len 64
 2025-06-02 21:56:20 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55227->142.251.208.162:443, len 64
 2025-06-02 21:56:20 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55226->142.250.180.196:443, len 64
 2025-06-02 21:56:20 firewall,info forward: in:wireguard-main out:ether2, connection-state:new proto TCP (SYN), 192.168.30.101:55228->69.173.144.165:443, len 64

Sanitised config:

# 2025-06-02 21:57:43 by RouterOS 7.19
# software id = D53G-786U
#
# model = RB5009UG+S+
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="2.5G Network Unifi"
set [ find default-name=ether2 ] comment=WAN
set [ find default-name=ether3 ] comment="Mikrotik hAp ac2"
set [ find default-name=ether4 ] comment=dev
set [ find default-name=ether5 ] comment=unused
set [ find default-name=ether6 ] comment=nvr
set [ find default-name=ether7 ] comment=unused
set [ find default-name=ether8 ] comment=unused
set [ find default-name=sfp-sfpplus1 ] comment=unused
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-main
/interface vlan
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan11-restricted-main vlan-id=11
add interface=bridge name=vlan20-phones vlan-id=20
add interface=bridge name=vlan30-wireguard vlan-id=30
add interface=bridge name=vlan40-dev vlan-id=40
add interface=bridge name=vlan50-server vlan-id=50
add interface=bridge name=vlan60-nvr vlan-id=60
add interface=bridge name=vlan70-cameras vlan-id=70
add interface=bridge name=vlan80-iot vlan-id=80
add interface=bridge name=vlan90-guest vlan-id=90
add interface=bridge name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=VLAN
add name=LAN
add name=MGMT
add name=PREVENT_LAN
add name=BASE
add name=WIREGUARD
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=main-pool ranges=192.168.10.10-192.168.10.100
add name=phones-pool ranges=192.168.20.10-192.168.20.100
add name=wg-pool ranges=192.168.30.10-192.168.30.100
add name=dev-pool ranges=192.168.40.10-192.168.40.100
add name=server-pool ranges=192.168.50.10-192.168.50.100
add name=nvr-pool ranges=192.168.60.10-192.168.60.100
add name=cameras-pool ranges=192.168.70.10-192.168.70.100
add name=iot-pool ranges=192.168.80.10-192.168.80.100
add name=guest-pool ranges=192.168.90.10-192.168.90.100
add name=mgmt-pool ranges=192.168.99.10-192.168.99.100
add name=restricted-main-pool ranges=192.168.11.10-192.168.11.100
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=main-pool interface=vlan10-main name=main-dhcp
add address-pool=phones-pool interface=vlan20-phones name=phones-dhcp
# No IP address on interface
add address-pool=wg-pool interface=vlan30-wireguard lease-time=12h name=wg-dhcp
add address-pool=dev-pool interface=vlan40-dev name=dev-dhcp
add address-pool=server-pool interface=vlan50-server name=servers-dhcp
add address-pool=nvr-pool interface=vlan60-nvr lease-time=12h name=nvr-dhcp
add address-pool=cameras-pool interface=vlan70-cameras lease-time=12h name=cameras-dhcp
add address-pool=iot-pool interface=vlan80-iot lease-time=12h name=iot-dhcp
add address-pool=guest-pool interface=vlan90-guest name=guest-dhcp
add address-pool=restricted-main-pool interface=vlan11-restricted-main lease-time=12h name=restricted-main-dhcp
add address-pool=mgmt-pool interface=vlan99-mgmt name=mgmt-dhcp
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment="defconf: trunk or main vlan access port" interface=ether1 pvid=10
add bridge=bridge comment="defconf: trunk port" interface=ether3
add bridge=bridge comment="defconf: trunk or dev vlan access port" interface=ether4 pvid=40
add bridge=bridge comment="defconf: trunk port" frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment="defconf: trunk or nvr vlan access port" interface=ether6 pvid=60
add bridge=bridge comment="defconf: trunk port" frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge comment="defconf: management access port" interface=ether8 pvid=99
add bridge=bridge comment="defconf: trunk port" frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=11
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=30
add bridge=bridge tagged=bridge,ether1,ether3,ether5,ether6,ether7,ether8,sfp-sfpplus1 untagged=ether4 vlan-ids=40
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=50
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether7,ether8,sfp-sfpplus1 untagged=ether6 vlan-ids=60
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=70
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=80
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1 vlan-ids=90
add bridge=bridge tagged=bridge,ether1,ether3,ether4,ether5,ether6,ether7,sfp-sfpplus1 untagged=ether8 vlan-ids=99
/interface list member
add interface=ether2 list=WAN
add interface=vlan10-main list=VLAN
add interface=vlan11-restricted-main list=VLAN
add interface=vlan20-phones list=VLAN
add interface=vlan30-wireguard list=VLAN
add interface=vlan40-dev list=VLAN
add interface=vlan50-server list=VLAN
add interface=vlan60-nvr list=VLAN
add interface=vlan70-cameras list=VLAN
add interface=vlan80-iot list=VLAN
add interface=vlan90-guest list=VLAN
add interface=vlan99-mgmt list=VLAN
add interface=ether1 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=vlan10-main list=LAN
add interface=vlan11-restricted-main list=LAN
add interface=vlan20-phones list=LAN
add interface=vlan30-wireguard list=LAN
add interface=vlan40-dev list=LAN
add interface=vlan50-server list=LAN
add interface=vlan60-nvr list=LAN
add interface=vlan70-cameras list=LAN
add interface=vlan80-iot list=LAN
add interface=vlan90-guest list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan10-main list=MGMT
add interface=vlan99-mgmt list=MGMT
add interface=vlan90-guest list=PREVENT_LAN
add interface=vlan70-cameras list=PREVENT_LAN
add interface=vlan80-iot list=PREVENT_LAN
add interface=vlan99-mgmt list=BASE
add interface=wireguard-main list=LAN
/interface wireguard peers
add allowed-address=192.168.30.101/32 interface=wireguard-main name=peer1 public-key="<valid key>"
/ip address
add address=192.168.99.1/24 interface=vlan99-mgmt network=192.168.99.0
add address=192.168.10.1/24 interface=vlan10-main network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-phones network=192.168.20.0
add address=192.168.30.1/24 disabled=yes interface=vlan30-wireguard network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-dev network=192.168.40.0
add address=192.168.50.1/24 interface=vlan50-server network=192.168.50.0
add address=192.168.60.1/24 interface=vlan60-nvr network=192.168.60.0
add address=192.168.70.1/24 interface=vlan70-cameras network=192.168.70.0
add address=192.168.80.1/24 interface=vlan80-iot network=192.168.80.0
add address=192.168.90.1/24 interface=vlan90-guest network=192.168.90.0
add address=192.168.11.1/24 interface=vlan11-restricted-main network=192.168.11.0
add address=192.168.99.0/24 interface=vlan99-mgmt network=192.168.99.0
add address=19.168.30.1/24 interface=wireguard-main network=19.168.30.0
add address=192.168.30.1/24 comment="WG gateway" interface=bridge network=192.168.30.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether2
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.50.100 gateway=192.168.10.1 next-server=192.168.50.100
add address=192.168.11.0/24 dns-server=192.168.88.1 gateway=192.168.11.1
add address=192.168.20.0/24 dns-server=192.168.50.100 gateway=192.168.20.1 next-server=192.168.50.100
add address=192.168.30.0/24 dns-server=1.1.1.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.88.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.100 gateway=192.168.50.1 next-server=192.168.50.100
add address=192.168.60.0/24 dns-server=192.168.88.1 gateway=192.168.60.1
add address=192.168.70.0/24 dns-server=1.1.1.1 gateway=192.168.70.1
add address=192.168.80.0/24 dns-server=1.1.1.1 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.50.100 gateway=192.168.88.1 next-server=192.168.50.100
add address=192.168.90.0/24 dns-server=1.1.1.1 gateway=192.168.90.1
add address=192.168.99.0/24 dns-server=192.168.50.100 gateway=192.168.99.1 next-server=192.168.50.100
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Wireguard pass" dst-port=51820 in-interface=ether2 log=yes protocol=udp
add action=accept chain=input src-address=192.168.30.0/24
add action=accept chain=input comment="Allow DNS requests from WireGuard" dst-port=53 protocol=udp src-address=192.168.30.0/24
add action=accept chain=input comment="Allow DNS requests from WireGuard" dst-port=53 protocol=tcp src-address=192.168.30.0/24
add action=log chain=input comment="defconf: log all not coming from LAN" disabled=yes in-interface-list=!LAN log=yes log-prefix=NOT-LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="defconf: allow Base_Vlan Full Access" in-interface-list=MGMT
add action=drop chain=input comment="defconf: drop"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="defconf: allow management VLAN to access all VLAN" in-interface-list=MGMT out-interface-list=VLAN
add action=accept chain=forward comment="defconf: allow management VLAN to access all LAN" in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward connection-state=established,related,new in-interface=wireguard-main log=yes out-interface-list=WAN src-address=\
    192.168.30.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop"
/ip firewall nat
add action=masquerade chain=srcnat in-interface=wireguard-main out-interface-list=WAN
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name="Router #1 [RB5009]"
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool romon
set enabled=yes

I have to make some assumptions based on the lack of detailed requirements.
Ether1 needs to be a hybrid port to a Unifi device, thus management VLAN 99 untagged and all data VLANs tagged.
There is no need for BASE; you already have a management VLAN and a management interface!!
A trunk port to the hAP ac2 makes sense on ether3.

You state sfp-sfpplus1 is unused, so not sure why you have settings for it on bridge ports??
You also state ether5 and ether7 are unused, but you have trunk ports set up, so again a discrepancy in your config…
ether8 is also stated as unused, but you have settings for ether8.

There is no requirement for both a LAN and a VLAN interface list, and since it really describes the local subnets, LAN is more appropriate; no ether ports are required in it except perhaps for WAN, once you are doing VLAN filtering.
Why do you have both vlan10 and vlan99 as management interfaces and then only vlan99 as BASE? Your logic escapes me.

+++++++++++++++++
MAIN PROBLEM

Remove the bridge entry; it has nothing to do with WireGuard!!
add address=19.168.30.1/24 interface=wireguard-main network=19.168.30.0
add address=192.168.30.1/24 comment="WG gateway" interface=bridge network=192.168.30.0

It's clear now that you thought you needed a subnet for the WireGuard pool etc… Only the address is required.

Will get to the config later.
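The checks the reply above makes by eye, as an added Python script that is not part of this thread and not a RouterOS or MikroTik tool: it parses a trimmed excerpt of the export posted above (the `19.168.30.1/24` line reproduced exactly as posted) and reports a WireGuard peer whose allowed-address is not on-link for any address of its interface, an address bound directly to the VLAN-filtered bridge, and ports commented "unused" that are still bridge members. The excerpt, the function names and the "review flag, not always an error" reading of the bridge-address check are this example's own assumptions.

```python
"""Static checks over a RouterOS '/export' text for the points raised in the
reply above: an address on the WireGuard interface that does not cover the
peer, an address bound directly to a VLAN-filtered bridge, and 'unused' ports
that are still bridge members. Added example, not part of the thread or of
RouterOS."""
import ipaddress
import shlex

# Excerpt of the config posted above, trimmed to the sections these checks
# read; the 19.168.30.1/24 line is reproduced exactly as posted.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="2.5G Network Unifi"
set [ find default-name=ether5 ] comment=unused
set [ find default-name=ether7 ] comment=unused
set [ find default-name=ether8 ] comment=unused
/interface bridge port
add bridge=bridge comment="defconf: trunk or main vlan access port" interface=ether1 pvid=10
add bridge=bridge comment="defconf: trunk port" frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment="defconf: trunk port" frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge comment="defconf: management access port" interface=ether8 pvid=99
/interface wireguard peers
add allowed-address=192.168.30.101/32 interface=wireguard-main name=peer1 public-key="<valid key>"
/ip address
add address=192.168.30.1/24 disabled=yes interface=vlan30-wireguard network=192.168.30.0
add address=19.168.30.1/24 interface=wireguard-main network=19.168.30.0
add address=192.168.30.1/24 comment="WG gateway" interface=bridge network=192.168.30.0
"""


def parse_export(text):
    """Return {section path: [entry dict, ...]} for the add/set lines of an export."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # RouterOS wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)  # honours quoted values such as comment="WG gateway"
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        if "default-name" in entry:  # 'set [ find default-name=etherN ] ...' form
            entry["name"] = entry["default-name"]
        sections[current].append(entry)
    return sections


def wireguard_peer_subnet_issues(sections):
    """Peers whose allowed-address is not covered by any enabled subnet on their
    WireGuard interface: with 19.168.30.1/24 on wireguard-main, 192.168.30.101 is off-link."""
    enabled = [a for a in sections.get("/ip address", []) if a.get("disabled") != "yes"]
    issues = []
    for peer in sections.get("/interface wireguard peers", []):
        nets = [ipaddress.ip_interface(a["address"]).network
                for a in enabled if a["interface"] == peer["interface"]]
        for allowed in peer["allowed-address"].split(","):
            net = ipaddress.ip_network(allowed, strict=False)
            if not any(n.version == net.version and net.subnet_of(n) for n in nets):
                issues.append((peer.get("name"), allowed, [str(n) for n in nets]))
    return issues


def bridge_address_issues(sections):
    """Enabled addresses bound directly to a bridge that has vlan-filtering=yes. When
    every subnet lives on a VLAN interface this is normally a leftover, as with the
    'WG gateway' entry above; treat it as a review flag rather than a hard error."""
    filtered = {b["name"] for b in sections.get("/interface bridge", [])
                if b.get("vlan-filtering") == "yes"}
    return [(a["address"], a["interface"]) for a in sections.get("/ip address", [])
            if a["interface"] in filtered and a.get("disabled") != "yes"]


def unused_port_issues(sections):
    """Ports commented 'unused' that are nonetheless bridge members."""
    unused = {e["name"] for e in sections.get("/interface ethernet", [])
              if e.get("comment", "").strip().lower() == "unused"}
    return sorted(p["interface"] for p in sections.get("/interface bridge port", [])
                  if p["interface"] in unused)


def run_checks(text):
    """Run all checks over an export text and return the findings by name."""
    sections = parse_export(text)
    return {"wireguard_peer_off_link": wireguard_peer_subnet_issues(sections),
            "address_on_filtered_bridge": bridge_address_issues(sections),
            "unused_ports_in_bridge": unused_port_issues(sections)}


if __name__ == "__main__":
    for name, found in run_checks(SAMPLE_EXPORT).items():
        print(f"{name}: {found if found else 'ok'}")
```

Feed it the output of `/export` on the router; fixing the first octet of the wireguard-main address so it matches the peer subnet clears the first finding, while the bridge address stays flagged until that entry is removed as the reply suggests.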

Why do you have both vlan10 and vlan99 as management interfaces and then only vlan99 as BASE? Your logic escapes me.

That is because I started with the forum-provided example and mixed it with my design plan. Now it is working and I am about to clean it up, but I want to do that step by step so I can see through it clearly in the end (with limited time). The same applies to that unused thing.


Remove the bridge entry; it has nothing to do with WireGuard!!
add address=19.168.30.1/24 interface=wireguard-main network=19.168.30.0
add address=192.168.30.1/24 comment="WG gateway" interface=bridge network=192.168.30.0

:open_mouth: Seems like a very rookie mistake; it did the trick for WireGuard, thanks.


And how the managed devices on a trunk port get an IP address is above me right now: if I understand it correctly, these devices mark traffic with a VLAN ID and flow it to the router. But if I want these managed devices to get an IP, I have to add them to a VLAN (either the default 1 or another one acceptable for that port), right? But in this case all the traffic will be marked with that specific VLAN ID, thus overwriting the VLAN IDs used by the managed devices, or am I overthinking it?

Overthinking. Use this guide as a reference…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1