WireGuard in VLAN Environment

Hi,

I have two VLANS on my network SOHO (vlan=10) and GUEST (vlan=20).

I configured WireGuard with two endpoints:

  • Windows Computer


  • Android Phone

Both establish a connection to the Mikrotik (I can see traffic on the Peer) but I am not able to access local resources.

On the Windows computer I have "Block untunneled traffic (kill-switch)" unchecked; I am able to surf the internet.
On the Android phone I have "Exclude private IPs" unchecked.

  1. I would like WireGuard to operate on vlan=10. How can I do that?
  2. In WireGuard (following a non-MikroTik video), I set the DNS to 8.8.8.8. When I set it to 192.168.66.1 (the WireGuard address), it fails.

Thanks

# 2024-11-17 17:01:38 by RouterOS 7.16.1
# software id = YYB5-JQXK
#
# model = C53UiG+5HPaxD2HPaxD
# Review notes are the #-lines below; the exported statements are unchanged.
# This is the "pre-optimised" export the thread discusses; the second export
# later in the thread applies most of the fixes suggested in the replies.
/interface bridge
add admin-mac=D4:01:C3:9E:zz:ff auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Unifi AP"
set [ find default-name=ether3 ] comment="Connected to fff"
set [ find default-name=ether4 ] comment="Connected to fff"
set [ find default-name=ether5 ] comment="Connected to fff"
# WireGuard listens on UDP 13231 on every interface; nothing here binds it to
# one VLAN, so which networks may reach it is decided by the input-chain rule
# "Wireguard" in /ip firewall filter below (see the reply in the thread).
/interface wireguard
add listen-port=13231 mtu=1420 name=HOMENET-WireGuard
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
# NOTE(review): arp=proxy-arp on the SOHO VLAN is normally only needed when a
# VPN hands out addresses from the LAN subnet (the all-ppp forward rules below
# point to the earlier OpenVPN setup); WireGuard uses its own 192.168.66.0/24,
# so confirm proxy-arp is still required.
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI_SOHO
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI-GUEST
/interface wifi configuration
add country=Malta disabled=no mode=ap name=GUEST-Configuration security=\
    WIFI-GUEST ssid=GUESTS-AP
add country=Malta disabled=no mode=ap name=SOHO-Configuration security=\
    WIFI_SOHO ssid=AP-HOMENET
# NOTE(review): every wifi interface sets security.authentication-types=""
# directly on the interface while the WPA2/WPA3 types live in the referenced
# security profile; interface-level values take precedence over the profile,
# so confirm from a client that both SSIDs still demand WPA2/WPA3 and are not
# open. The guest virtual APs are also named 2G/5G opposite to their
# channel.band / master-interface pairing - cosmetic if the slave follows its
# master's radio, but worth tidying.
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-2G \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-5G security=WIFI_SOHO \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration=GUEST-Configuration configuration.mode=ap disabled=no \
    mac-address=D4:01:C3:9E:58:83 master-interface=wlan-SOHO-2G name=\
    wlan-GUEST-2G security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration=GUEST-Configuration configuration.country=Malta .mode=ap \
    disabled=no mac-address=D4:01:C3:9E:58:84 master-interface=wlan-SOHO-5G \
    name=wlan-GUEST-5G security.authentication-types="" .ft=yes .ft-over-ds=\
    yes
/ip pool
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
# DHCP is served per VLAN interface; no /ip dhcp-server network entries exist
# in this export, so clients get no gateway/DNS option from these servers.
/ip dhcp-server
add address-pool=SOHO_POOL interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
# NOTE(review): automatic media/SMB sharing of any attached disk is enabled on
# the bridge; if nothing is meant to be shared, disable it so the router does
# not expose an extra file service to the LAN/VLANs.
/disk settings
set auto-media-interface=BR1 auto-media-sharing=yes auto-smb-sharing=yes
# ether2 (Unifi AP) is pvid=10 (VLAN 10 untagged) with no frame-types
# restriction, yet /interface bridge vlan below lists ether2 as TAGGED for
# VLAN 10 - the contradiction the reply in the thread points out.
/interface bridge port
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-5G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-2G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-5G pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-2G pvid=20
# Neighbor discovery is limited to BASE (= SOHO_VLAN only, see list members).
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2 untagged=\
    ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,wlan-GUEST-2G \
    vlan-ids=20
/interface list member
add comment=defconf interface=BR1 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE
# The WireGuard interface is a member of VLAN, so the "Allow VLAN" input rule
# and the "VLAN Internet Access only" forward rule below apply to tunnel
# clients exactly as they apply to the two VLANs.
add interface=HOMENET-WireGuard list=VLAN
# One /32 allowed-address per peer: each client may only source its own
# tunnel address (the keys shown are the peers' public keys).
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=HOMENET-WireGuard name=\
    ACB-Laptop public-key="w8LznG02jCqC5wT1ZluQOV0OsBCc9a0scHKc//jAOzw="
add allowed-address=192.168.66.3/32 interface=HOMENET-WireGuard name=\
    ACB-OnePlus public-key="t/AdlTX6N7CDunILMQPbpJHnT7/SiQIV0IEYOjzBxkk="
/ip address
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=192.168.66.1/24 comment="Wireguard interface" interface=\
    HOMENET-WireGuard network=192.168.66.0
/ip dhcp-client
add comment=defconf interface=ether1
# Leftover default DHCP server bound to the bridge with an unresolved pool
# reference (*1); the per-VLAN servers above are the live ones.
/ip dhcp-server
add address-pool=*1 interface=BR1 name=defconf
# allow-remote-requests=yes makes the resolver answer on every interface,
# WAN included; only the final input-chain "Drop" below keeps it from being an
# open resolver, so that drop must stay last and stay enabled.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9,8.8.4.4
# Stale defconf entry: 192.168.88.1 belongs to no subnet configured here.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=forward comment="Drop SMTP traffic" dst-port=25 log=yes \
    protocol=tcp
# No action= given, so this is an accept: ICMP to the router is allowed from
# every interface, including WAN.
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
# Every host on either VLAN and every WireGuard peer can reach every router
# service (winbox/www/ssh/DNS); the later export narrows this to an
# AUTHORIZED address list plus DNS/NTP.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# Only VLAN->WAN is accepted for new connections. WireGuard is in the VLAN
# list but SOHO_VLAN is not in WAN, so a tunnel client's packets towards
# 192.168.16.0/24 match nothing in this chain and hit the final forward
# "Drop" - consistent with "not able to access local resources" above.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Lets the dst-nat port-forwards in /ip firewall nat through the forward chain.
add action=accept chain=forward connection-nat-state=dstnat
# The all-ppp rules belong to the earlier OpenVPN setup (see the thread); they
# never match the WireGuard interface.
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=input comment=Drop
add action=drop chain=forward comment=Drop
/ip firewall nat
# Mislabelled: this is the plain WAN masquerade, not a hairpin rule (a hairpin
# rule needs src-address and dst-address of the LAN subnet).
add action=masquerade chain=srcnat comment="Hairpin NAT" ipsec-policy=\
    out,none out-interface-list=WAN
# Each dst-nat below publishes an internal host to the internet (77.aa.bb.cc
# is the redacted WAN address): HTTP/HTTPS, SSH-as-5552, Plex, WebDAV and a
# torrent client. Keep those hosts patched and consider a src-address limit
# where the remote clients are known.
add action=dst-nat chain=dstnat comment="HTTP (VM-onN)" dst-address=\
    77.aa.bb.cc dst-port=80 protocol=tcp to-addresses=192.168.16.11
add action=dst-nat chain=dstnat comment="HTTPS (VM-onN)" dst-address=\
    77.aa.bb.cc dst-port=443 protocol=tcp to-addresses=192.168.16.11
add action=dst-nat chain=dstnat comment="SFTP (VM-BITV)" dst-address=\
    77.aa.bb.cc dst-port=5552 protocol=tcp to-addresses=192.168.16.12 \
    to-ports=22
add action=dst-nat chain=dstnat comment="Plex (SRV-PLEX)" dst-address=\
    77.aa.bb.cc dst-port=52400 protocol=tcp to-addresses=192.168.16.8 \
    to-ports=32400
add action=dst-nat chain=dstnat comment="Synology WebDAV" dst-address=\
    77.aa.bb.cc dst-port=5006 protocol=tcp to-addresses=192.168.16.253 \
    to-ports=5006
add action=dst-nat chain=dstnat comment=uBT dst-address=77.aa.bb.cc \
    dst-port=53501 protocol=tcp to-addresses=192.168.16.9 to-ports=53501
# Masquerading tunnel clients hides their 192.168.66.x identity from LAN hosts
# and from the firewall logs; the reply in the thread recommends removing it.
add action=masquerade chain=srcnat comment="WireGuard NAT rule" src-address=\
    192.168.66.0/24
# telnet/ftp/api are off; www, ssh and winbox keep their defaults (any source
# address) and rely entirely on the filter rules above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Untouched RouterOS default IPv6 rule set (everything is tagged defconf).
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Malta
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
# Default button scripts; they run with a broad policy set but are triggered
# only by the physical mode/WPS buttons.
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
# MAC-telnet / MAC-winbox are limited to the LAN list (= BR1 in this export).
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Wireguard is a service which runs on “all” interfaces. You can’t “bind” it to a specific VLAN.
You have to filter it via the Firewall/Filter/INPUT-chain and allow Wireguard only on your desired VLAN(s).

Have you configured the routes on the endpoints? Your Windows/Android machines need to know which IPs have to go over the tunnel. Otherwise the packets bypass the WireGuard tunnel and go out via the default gateway.

Do you allow DNS (UDP/TCP, destination port 53) in the Firewall/Filter/INPUT-chain?

Can you please share sample rules for the points you are mentioning?


For example, for the point related to the Firewall/Filter/INPUT-chain and allowing WireGuard only on your desired VLAN(s), is the following correct?

  1. Adjust /interface bridge port to
    /interface bridge port
    add bridge=BR1 interface=ether2 pvid=10 comment=“hybrid port - UNIFI”
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan-SOHO-5G pvid=10
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan-SOHO-2G pvid=10
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan-GUEST-5G pvid=20
    add bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan-GUEST-2G pvid=20

  2. This leads us to the next discussion: since you don't have a separate management VLAN, VLAN 10 must go to the UniFi as untagged (this is how UniFi works by default), so you should only be sending VLAN 20 as tagged. You therefore need to adjust your /interface bridge vlan entries, because you show ether2 TAGGED for VLAN 10, which contradicts your bridge port settings!!!
    /interface bridge vlan
    add bridge=BR1 tagged=BR1,ether2 untagged=ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G vlan-ids=10
    add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,wlan-GUEST-2G vlan-ids=20

    should be:

/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,wlan-GUEST-2G vlan-ids=20

  1. REMOVE Bridge from LAN interface List Members
    /interface list member
    add comment=defconf interface=BR1 list=LAN

  2. BIG ERROR ------------> The bridge does not do DHCP; the VLANs need all the pieces. MISSING for VLANs ==> ip address, ip pool, dhcp-server, and dhcp-server network. REMOVE the bridge from dhcp-server and add the VLANs etc. !!

/ip dhcp-server
add address-pool=*1 interface=BR1 name=defconf

  1. Remove static IP DNS setting. Not required.
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan type=A

  2. Firewall chains should be organized in proper order, for ease of reading and fixing, within each chain…

/ip firewall address-list { DO THIS FIRST and use static dhcp leases where applicable }
add address=192.168.16.X list=AUTHORIZED comment=“local admin desktop soho wired”
add address=192.168.16.Y list=AUTHORIZED comment=“local admin laptop soho wired”
add address=192.168.16.Z list=AUTHORIZED comment=“local admin laptop soho WIFI”
add address=192.168.66.2 list=AUTHORIZED comment="remote admin laptop wg"
add address=192.168.66.3 list=AUTHORIZED comment=“remote admin smartphone wg”

/ip firewall filter
{default rules to keep}
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add chain=input comment=“Allow all ICMP” protocol=icmp

(admin rules)
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=accept chain=input comment=“admin access” src-address-list=AUTHORIZED
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53,123 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=VLAN dst-port=53 protocol=tcp
add action=accept chain=input comment=“Allow VLAN” in-interface-list=VLAN
{ you can remove this line when the three above it are in place }
add action=drop chain=input comment="drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward comment="VLAN Internet " in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“wg to soho” in-interface=HOMENET-WireGuard dst-address=192.168.16.0/24
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment=Drop

I am not sure what you were doing with the PPP and forward chain rules, so I left them out for now; perhaps you can explain???
In any case, disable them for now until the issue is resolved.

  1. Not sure what you are doing in dstnat rules…
    It would appear you are using dst-address=FIXED WANIP.
    If so, why are you using IP DHCP Client?? If it is a static WAN IP that does not change, simply use IP ADDRESS to assign it to ether1 and disable the IP DHCP client.
    If the IP is dynamic, then use the IP CLOUD DynDNS name from the router to resolve the WAN IP, and instead of dst-address= use dst-address-list=MyWanIP
    /ip firewall address-list
    add address=<IP-Cloud-DNS-name-of-the-router>.mynetname.net list=MyWanIP

  2. Adding a source-NAT rule for WireGuard in this scenario is unnecessary; remove it.
    add action=masquerade chain=srcnat comment=“WireGuard NAT rule” src-address=
    192.168.66.0/24

  3. If you have users in the same subnet as servers, then you need a hairpin source-NAT rule, and put it as the first rule in srcnat. (This assumes users may use the DynDNS name or the WAN IP to access the servers.)
    IF they only use LAN IPs to access them, then you can disregard this.
    /ip firewall nat
    add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.16.0/24 src-address=192.168.16.0/24
    add action=masquerade chain=srcnat out-interface-list=WAN

Thanks. I'll back up and implement your suggestions towards the end of the week and report back.

These no longer apply as they relate to OpenVPN (the thread related to this topic is: http://forum.mikrotik.com/t/can-establish-vpn-connection-but-no-connectivity-to-local-lan-and-wan/146139/1).

I am currently implementing your suggestions. A few I can reason after reading, many are simply above me esp in the Filter rules section.

Once I set it, I’ll leave a few days and test out and update this thread.

Thanks-a-million for your dedication.

As for the PPP and forward chain rules, these will no longer be applicable since they apply to OpenVPN and my intention is to move to WireGuard. The thread related to it is at http://forum.mikrotik.com/t/can-establish-vpn-connection-but-no-connectivity-to-local-lan-and-wan/146139/1

For the WAN IP that is probably from when I switched ISPs. With my original provider I entered the setting statically into the Mikrotik, with my current one, even though I have a fixed IP, I was told to acquire the address. I would prefer the former because that way if the ISP changed the settings at their end the entire system would have failed.

I should finish the changes today and will do some tests and enable WireGuard and will provide an update.

The Filter Rules section was not something I could have arrived at without your help. Reading some of them makes sense but many are beyond my comprehension.

Will update the thread in a few days time.

Everything is operating perfectly except the Unifi. There is no traffic going through to it; the only traffic I see is UDP from it (192.168.16.251) to 255.255.255.255:10001. I can't ping it.

Thanks

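# 2024-11-20 19:53:08 by RouterOS 7.16.1
# software id = YYB5-JQXK
#
# model = C53UiG+5HPaxD2HPaxD
# Review: one functional change against the posted export - the last input
# rule ("drop all else") now has action=drop instead of action=accept. As
# posted, the input chain ended in an accept-all, so the AUTHORIZED list and
# the two "users to services" rules limited nothing: the DNS resolver
# (allow-remote-requests=yes), the auto-shared SMB disk service and every
# other router service not covered by an /ip service address= restriction
# were reachable from the WAN and from GUEST, and winbox/www/ssh from any
# SOHO host rather than only AUTHORIZED ones. All other statements are as
# exported; the #-lines are review notes.
/interface bridge
add admin-mac=D4:01:C3:9E:58:7F auto-mac=no comment=defconf name=BR1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Unifi AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ] comment="Connected to SRV-TOR"
set [ find default-name=ether5 ] comment="Connected to one port of Proxmox"
# WireGuard listens on UDP 13231 on every interface; reachability is decided
# by the input-chain rule "Wireguard dst-port=13231" below.
/interface wireguard
add listen-port=13231 mtu=1420 name=HOMENET-WireGuard
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=20
# NOTE(review): proxy-arp on SOHO_VLAN was relevant to the old OpenVPN setup;
# the all-ppp rules it served are now disabled, so confirm it is still needed.
add arp=proxy-arp interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI_SOHO
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=WIFI-GUEST
/interface wifi configuration
add country=Malta disabled=no mode=ap name=GUEST-Configuration security=\
    WIFI-GUEST ssid=GUESTS-AP
add country=Malta disabled=no mode=ap name=SOHO-Configuration security=\
    WIFI_SOHO ssid=AP-HOMENET
# NOTE(review): security.authentication-types="" is set directly on each
# interface while the WPA2/WPA3 types live in the referenced profile;
# interface-level values take precedence over the profile, so confirm from a
# client that both SSIDs still require WPA2/WPA3 and are not open.
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-2G \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=SOHO-Configuration \
    configuration.mode=ap disabled=no name=wlan-SOHO-5G security=WIFI_SOHO \
    security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration=GUEST-Configuration configuration.mode=ap disabled=no \
    mac-address=D4:01:C3:9E:58:83 master-interface=wlan-SOHO-2G name=\
    wlan-GUEST-2G security.authentication-types="" .ft=yes .ft-over-ds=yes
add channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration=GUEST-Configuration configuration.country=Malta .mode=ap \
    disabled=no mac-address=D4:01:C3:9E:58:84 master-interface=wlan-SOHO-5G \
    name=wlan-GUEST-5G security.authentication-types="" .ft=yes .ft-over-ds=\
    yes
/ip pool
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
/ip dhcp-server
add address-pool=SOHO_POOL interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
# NOTE(review): automatic media/SMB sharing of any attached disk stays enabled
# on the bridge; disable it if nothing is meant to be shared.
/disk settings
set auto-media-interface=BR1 auto-media-sharing=yes auto-smb-sharing=yes
# ether2 is now a hybrid port: VLAN 10 untagged (pvid), VLAN 20 tagged - this
# matches /interface bridge vlan below, which resolved the Unifi issue.
/interface bridge port
add bridge=BR1 comment="hybrid port - UNIFI" interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-5G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-SOHO-2G pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-5G pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    wlan-GUEST-2G pvid=20
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=\
    ether3,ether4,ether5,wlan-SOHO-5G,wlan-SOHO-2G,ether2 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan-GUEST-5G,wlan-GUEST-2G \
    vlan-ids=20
# BR1 was removed from LAN as suggested, which leaves the LAN list with no
# members. /tool mac-server (end of file) and the defconf IPv6 "!LAN" drops
# therefore match nothing / everything respectively: MAC-winbox is in effect
# off and all IPv6 input/forward not matched earlier is dropped. That fails
# closed; confirm it is what you want.
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=SOHO_VLAN list=BASE
# WireGuard is in VLAN, so tunnel clients get the "users to services" DNS/NTP
# input rules and the "VLAN Internet" forward rule.
add interface=HOMENET-WireGuard list=VLAN
# One /32 per peer; names here are the source of truth for the AUTHORIZED
# list below (the keys shown are public keys).
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=HOMENET-WireGuard name=\
    ACB-Laptop public-key="w8LznG02jCqC5wT1ZluQOV0OsBCc9a0scHKc//jAOzw="
add allowed-address=192.168.66.3/32 interface=HOMENET-WireGuard name=\
    ACB-OnePlus public-key="t/AdlTX6N7CDunILMQPbpJHnT7/SiQIV0IEYOjzBxkk="
add allowed-address=192.168.66.4/32 interface=HOMENET-WireGuard name=\
    ACB-GalaxyTab public-key="IHYGG+K+7uyNU8fDrzQczb538Js1Ma4ux721zLoNdW8="
add allowed-address=192.168.66.5/32 interface=HOMENET-WireGuard name=\
    "Connie-Galaxy Tab 9FE" public-key=\
    "wRVsLakLB6A+VpvAJKGByuf4qwUd8E6Jp+JJycNCcl0="
add allowed-address=192.168.66.6/32 interface=HOMENET-WireGuard name=\
    "Connie-Galaxy S23" public-key=\
    "GlW5k0VmwH2pfO027CHBPkbBenIZp/I2c/KHgZjxEFU="
/ip address
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=192.168.66.1/24 comment="Wireguard interface" interface=\
    HOMENET-WireGuard network=192.168.66.0
/ip dhcp-client
add comment=defconf interface=ether1
# Static leases; note 192.168.16.152 is listed as "ACB Phone" here but as
# ACB-OnePlus in the AUTHORIZED list.
/ip dhcp-server lease
add address=192.168.16.157 comment="Huawei SUN2000-3KTL-L1" mac-address=\
    C8:C4:65:7E:34:4D server=SOHO_DHCP
add address=192.168.16.155 client-id=1:c0:48:e6:4d:bb:3c comment=\
    "Samsung TV - Kitchen" mac-address=C0:48:E6:4D:BB:3C server=SOHO_DHCP
add address=192.168.16.156 client-id=1:74:e6:b8:1:ca:fa comment="LG TV" \
    mac-address=74:E6:B8:01:CA:FA server=SOHO_DHCP
add address=192.168.16.154 client-id=1:0:1e:8f:9:a0:2a comment=\
    "Canon i-Sensys MF 4370dn" mac-address=00:1E:8F:09:A0:2A server=SOHO_DHCP
add address=192.168.16.108 client-id=1:74:15:75:42:c7:d comment="Xiami Redmi" \
    mac-address=74:15:75:42:C7:0D server=SOHO_DHCP
add address=192.168.16.109 client-id=1:a0:ff:c:c2:a:e9 comment=\
    "HikVision 2CD2387" mac-address=A0:FF:0C:C2:0A:E9 server=SOHO_DHCP
add address=192.168.16.152 client-id=1:56:14:be:29:16:6c comment="ACB Phone" \
    mac-address=56:14:BE:29:16:6C server=SOHO_DHCP
# Clients are pointed at the router for DNS, which the "users to services"
# input rules allow on UDP/TCP 53.
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=10.0.20.1 gateway=\
    10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.16.1 \
    gateway=192.168.16.1
# allow-remote-requests=yes answers on every interface, WAN included; with the
# input chain now ending in a drop, only VLAN/WireGuard clients reach it.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9,8.8.4.4
# AUTHORIZED grants full input access (every router service). Labels do not
# match the peer list: 192.168.66.2 is peer ACB-Laptop but labelled
# ACB-DESKTOP, and 192.168.66.5 is peer "Connie-Galaxy Tab 9FE" but labelled
# ACB-LAPTOP - verify each entry really is an admin device (least privilege).
# The 192.168.66.2 comment also carries a stray CRLF.
/ip firewall address-list
add address=192.168.16.2 comment=ACB-DESKTOP list=AUTHORIZED
add address=192.168.16.152 comment=ACB-OnePlus list=AUTHORIZED
add address=192.168.66.2 comment="ACB-DESKTOP (WireGuard)\r\
    \n" list=AUTHORIZED
add address=192.168.66.5 comment="ACB-LAPTOP (WireGuard)" list=AUTHORIZED
add address=192.168.16.6 comment="ACB-LAPTOP (WiFi)" list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
# No action= given, so this is an accept: ICMP to the router from all
# interfaces, WAN included.
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment="Wireguard dst-port=13231" dst-port=\
    13231 protocol=udp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=accept chain=input comment="users to services" dst-port=53,123 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
# Catch-all for the input chain. Was action=accept in the posted export,
# which silently opened every router service; it must be drop. NOTE(review):
# the RouterOS DHCP server/client are expected to keep working behind a
# final input drop (the defconf IPv6 chain takes the same approach) - verify
# leases still renew after applying.
add action=drop chain=input comment="drop all else"
# Fasttracked established/related packets bypass the remaining filter rules;
# fine as the first forward rule, but later per-flow logging will not see
# them.
add action=fasttrack-connection chain=forward comment="{ default rules to keep\
    \_} (https://forum.mikrotik.com/viewtopic.php\?t=212669)" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="{ default rules to keep } (https://fo\
    rum.mikrotik.com/viewtopic.php\?t=212669)" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="{ default rules to keep } (https://foru\
    m.mikrotik.com/viewtopic.php\?t=212669)" connection-state=invalid
add action=accept chain=forward comment="VLAN Internet" in-interface-list=\
    VLAN out-interface-list=WAN
# Tunnel clients may reach the SOHO subnet only. No GUEST->SOHO or
# WireGuard->GUEST rule exists, so the guest VLAN stays isolated.
add action=accept chain=forward comment="wg to soho" dst-address=\
    192.168.16.0/24 in-interface=HOMENET-WireGuard
# No dst-nat rules remain in /ip firewall nat below, so this accept is
# currently inert; if port-forwards are re-added, the dst-address-list
# approach from the thread keeps them tied to the WAN address.
add action=accept chain=forward comment=\
    "(admin rules) https://forum.mikrotik.com/viewtopic.php\?t=212669" \
    connection-nat-state=dstnat
add action=drop chain=forward comment=\
    "Drop https://forum.mikrotik.com/viewtopic.php\?t=212669"
# Disabled leftovers from the previous rule set, sitting after the final drop.
# Delete them rather than keep them disabled so a stray enable cannot reorder
# or reopen the chains (the old catch-all "Drop" input rule is among them).
add action=drop chain=forward comment="Drop SMTP traffic" disabled=yes \
    dst-port=25 log=yes protocol=tcp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related disabled=yes
add action=accept chain=input comment="Allow VLAN" disabled=yes \
    in-interface-list=VLAN
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new disabled=yes in-interface-list=VLAN \
    out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    disabled=yes in-interface=all-ppp out-interface=SOHO_VLAN
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    disabled=yes in-interface=SOHO_VLAN out-interface=all-ppp
add action=drop chain=input comment=Drop disabled=yes
add action=drop chain=forward comment=Drop disabled=yes
/ip firewall nat
# Hairpin rule: SOHO clients reaching SOHO servers through the WAN address.
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
# Plain WAN masquerade; the "Hairpin NAT" comment is a leftover label.
add action=masquerade chain=srcnat comment="Hairpin NAT" ipsec-policy=\
    out,none out-interface-list=WAN
# www/ssh/winbox are limited to the SOHO subnet. The AUTHORIZED list also
# holds 192.168.66.x tunnel addresses, which these address= restrictions do
# not cover, so remote administration over WireGuard is refused by the
# service itself - decide which behaviour is intended and align the two.
# www is plain HTTP; www-ssl is the safer choice for management.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.16.0/24
set ssh address=192.168.16.0/24
set api disabled=yes
set winbox address=192.168.16.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Untouched RouterOS default IPv6 rule set; with LAN now empty, the two
# "!LAN" drops match every interface (see the note at /interface list member).
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Malta
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
# Default button scripts; they run with a broad policy set but are triggered
# only by the physical mode/WPS buttons.
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
# LAN currently has no members (BR1 was removed), so MAC-telnet/MAC-winbox
# are effectively disabled - acceptable, but be aware before relying on them
# for recovery.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN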

Well, it looks like everything is set up properly in terms of treating the port as a hybrid port:
the management VLAN (VLAN 10) comes in untagged and the other VLAN (guest) comes in tagged.

Suggest review unifi setup to ensure its not setup for some other condition.

I will try to reset it and see how it goes.

Mea Culpa

In the pre-optimised config, ether2 (the one connected to the Unifi) was tagged on both VLANs. Now that VLAN 10 is not tagged, this caused the problem.

I reset the Unifi and only tagged VLAN20 keeping VLAN10 as Default.

It worked.

Thank you so much

Awesome!!!