Wireguard on multiples public IP, differents vlan and different dst-port

Hi,
I have a question regarding my settings below.
Of course I changed some data to hide the correct IPs!

I have multiple public IPs that access the internet through many different VLANs.
Wireguard VPN works sporadically for my clients, but not for all of them simultaneously.

In MikroTik it shows that no handshake has been established but we have traffic in the peers, and in the WireGuard client I can see that data is being transmitted but no data is being received.
In interface/wireguard/torch I do not see any traffic.

However - if we restart the router, the handshake starts to work with some of the peers.

Does somebody have any advice for us how to solve this WireGuard/MikroTik problem?
Thanks in advance!

 RouterOS 7.11
model = RB4011iGS+

/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge pvid=4044 vlan-filtering=yes
/interface wireguard
add listen-port=13235 mtu=1420 name=VLAN10_WireGuard
add listen-port=13236 mtu=1420 name=VLAN20_WireGuard
add listen-port=13237 mtu=1420 name=VLAN30_WireGuard
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="VLAN 10" name=Pool_VLAN10 ranges=10.10.10.10-10.10.10.15
add comment="VLAN 20" name=Pool_VLAN20 ranges=20.20.20.20-20.20.20.25
add comment="VLAN 30" name=Pool_VLAN30 ranges=30.30.30.30-30.30.30.35
/ip dhcp-server
add address-pool=Pool_VLAN10 interface=vlan10 name=VLAN10
add address-pool=Pool_VLAN20 interface=vlan20 name=VLAN20
add address-pool=Pool_VLAN30 interface=vlan30 name=VLAN30
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether5 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface=ether6 pvid=30
add bridge=bridge comment=defconf interface=ether7 pvid=4044
add bridge=bridge comment=defconf interface=ether8 pvid=4044
add bridge=bridge comment=defconf interface=ether9 pvid=4044
add bridge=bridge comment=defconf interface=sfp-sfpplus1 pvid=4044
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=10
add bridge=bridge tagged=bridge,ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether6 vlan-ids=30
/interface list member
add comment=defconf interface=bridge list=LAN
add comment="WAY OUT VLAN20_30" interface=ether2 list=WAN
add comment=MAN interface=ether10 list=MAN
add comment="WAY OUT VLAN10" interface=ether3 list=WAN
/interface wireguard peers
add allowed-address=11.11.11.2/32 interface=VLAN10_WireGuard persistent-keepalive=10s public-key="MMj9r4z6jqS+bw2uU/ISHY78kjo4jSvitVsrOPrDn20="
add allowed-address=21.21.21.2/32 interface=VLAN20_WireGuard persistent-keepalive=10s public-key="MMj9r4z6jqS+bw2uU/ISHY78kjo4jSvitVsrOPrDn20="
add allowed-address=31.31.31.1/24 interface=VLAN30_WireGuard persistent-keepalive=10s public-key="MMj9r4z6jqS+bw2uU/ISHY78kjo4jSvitVsrOPrDn20="
/ip address
add address=10.10.10.1/24 comment=GW_VLAN10 interface=vlan10 network=10.10.10.0
add address=20.20.20.1/24 comment=GW_VLAN20 interface=vlan20 network=20.20.20.0
add address=30.30.30.1/24 comment=GW_VLAN30 interface=vlan30 network=30.30.30.0
add address=XX.LXX.96.9/27 comment=WAY_OUT_VLAN10 interface=ether3 network=XX.LXX.96.0
add address=XX.LXX.97.11/24 comment=WAY_OUT_VLAN20 interface=ether2 network=XX.LXX.97.0
add address=XX.LXX.97.105/24 comment=WAY_OUT_VLAN30 interface=ether2 network=XX.LXX.97.0
add address=11.11.11.1/24 interface=VLAN10_WireGuard network=11.11.11.0
add address=21.21.21.1/24 interface=VLAN20_WireGuard network=21.21.21.0
add address=31.31.31.1/24 interface=VLAN30_WireGuard network=31.31.31.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 comment="VLAN 10" dns-server=1.1.1.1 gateway=10.10.10.1
add address=20.20.20.0/24 comment="VLAN 20" dns-server=1.1.1.1 gateway=20.20.20.1
add address=30.30.30.0/24 comment="VLAN 30" dns-server=1.1.1.1 gateway=30.30.30.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input comment="VLAN 10 allow WireGuard" dst-address=XX.LXX.96.9 dst-port=13235 protocol=udp
add action=accept chain=input comment="VLAN 20 allow WireGuard" dst-address=XX.LXX.97.11 dst-port=13236 protocol=udp
add action=accept chain=input comment="VLAN 30 allow WireGuard" dst-address=XX.LXX.97.105 dst-port=13237 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment="VLAN 10" ipsec-policy=out,none log-prefix="VLAN 10" out-interface-list=WAN src-address=10.10.10.0/24 to-addresses=XX.LXX.96.9
add action=src-nat chain=srcnat comment="VLAN 20" ipsec-policy=out,none log-prefix="VLAN 20" out-interface-list=WAN src-address=20.20.20.0/24 to-addresses=XX.LXX.97.11
add action=src-nat chain=srcnat comment="VLAN 30" ipsec-policy=out,none log-prefix="VLAN 30" out-interface-list=WAN src-address=30.30.30.0/24 to-addresses=XX.LXX.97.105
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XX.LXX.97.1 routing-table=main suppress-hw-offload=no vrf-interface=ether2
add disabled=no dst-address=0.0.0.0/0 gateway=XX.LXX.96.1 routing-table=main suppress-hw-offload=no vrf-interface=ether3
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MAN

I am not sure, but since u have 2 ISP (possibly), I think u should control outbound (egress) traffic with route rules (lookup) or mark routing table (in firewall->mangle), for each ISP (by creating own route table for each one). There is a lot of info how lookup route rules works or firewall marks. Also “fasttrack-connection” (in Filter) disables some stuff, like Mangle, queues and etc.

You are experiencing sporadic WireGuard VPN connectivity issues on your MikroTik router with multiple public IPs. The handshake fails consistently, and data transmission is unreliable. To resolve this, ensure correct configuration, update router firmware, check system resources, and investigate logs for errors. Additionally, verify MTU settings and client configurations while monitoring client-side logs for insights.