WireGuard VPN / Firewall Rules

Good day all.

Off the bat, I’m not a Mikrotik or network guru. I know very basic network lingo :confused: and, with that, I want to present the following scenario.

I’ve recently installed the RB5009UG+S+ and configured it with my limited knowledge as well as by watching a ton of YouTube videos, forums and wikis. I didn’t want to export the config of the router that was replaced, but rather wanted to set up this router from scratch. I was very nervous to tackle the Firewall Rules, as I couldn’t really figure out how some of these rules would work and ended up creating a few of the default rules. (Should anyone see anything wrong or not needed in my rules, please do “educate” me on this :smiley:)

I’ve got 4 end-users that need to connect to the Company via VPN, to “obtain” the company IP, in order to connect to a SQL Server Management Studio database. I was able to create the WireGuard interface and have created 2 peers thus far. I hope these were correctly created. I can connect via the WireGuard tunnel, and the IP address shown when checking whatismyip.com reveals that my IP is that of the company. However, when trying to connect to this database when working remotely and connected via the WireGuard tunnel, we are unable to connect. I thought that maybe my Firewall rules are to blame? I’m no expert on Firewall rules and would appreciate any assistance.

Side Note: With the previous router, they used to connect via an IPSec tunnel. I figured that since WireGuard seems to be better in all aspects, I could try it out :slight_smile:

Router Config:

# 2024-09-19 13:54:35 by RouterOS 7.15.3
# software id = 7UAI-U0HI
#
# model = RB5009UG+S+
# serial number = HFE09FXFHK6
/interface bridge
add arp=proxy-arp name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name="ether3-Admin AP"
set [ find default-name=ether4 ] name="ether4-Hallway AP"
set [ find default-name=ether5 ] name="ether5-Blue AP"
set [ find default-name=ether6 ] name="ether6-Green_Orange AP"
set [ find default-name=ether8 ] name="ether8 - LTE Fail Over"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=\
    "Internet In-Web Africa" use-peer-dns=yes user=*********
/interface wireguard
add listen-port=13231 mtu=1400 name=Pepla_WG
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=DHCP-LAN ranges=192.168.0.11-192.168.0.239
/ip dhcp-server
add address-pool=DHCP-LAN interface=Bridge-LAN lease-time=2d name=DHCP
/routing table
add comment="Table for WireGuard - JPB" disabled=no fib name=WG-Pepla
/interface bridge port
add bridge=Bridge-LAN interface="ether3-Admin AP"
add bridge=Bridge-LAN interface="ether4-Hallway AP"
add bridge=Bridge-LAN interface="ether5-Blue AP"
add bridge=Bridge-LAN interface="ether6-Green_Orange AP"
add bridge=Bridge-LAN interface=ether2-LAN
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface list member
add interface=Bridge-LAN list=LAN
add interface="Internet In-Web Africa" list=WAN
/interface wireguard peers
add allowed-address=192.168.89.3/32 client-dns=192.168.0.1 interface=Pepla_WG \
    name="peer1" persistent-keepalive=30s private-key=\
    "******************" public-key=\
    ""
add allowed-address=192.168.89.2/32 client-dns=8.8.8.8 interface=Pepla_WG \
    name="Peer2" persistent-keepalive=30s private-key=\
    "****************************" public-key=\
    ""
/ip address
add address=192.168.0.1/24 interface=Bridge-LAN network=192.168.0.0
add address=41.132.65.127 disabled=yes interface="Internet In-Web Africa" \
    network=168.210.4.66
add address=192.168.89.1/24 interface=Pepla_WG network=192.168.89.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
    ntp-server=154.73.32.1,154.73.32.2
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip firewall address-list
add address=154.73.32.0/22 disabled=yes list=iewc-ip4s
add address=165.16.200.0/21 disabled=yes list=iewc-ip4s
add address=192.168.0.0/24 disabled=yes list=MGMT-RANGES
add address=192.168.88.0/24 disabled=yes list=MGMT-RANGES
add address=192.168.0.0/24 disabled=yes list=LAN-RANGE
/ip firewall filter
add action=accept chain=input comment=\
    "\"defconf: accept established,related,untracked\"" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=forward in-interface=Pepla_WG
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    192.168.89.0/24
add action=accept chain=input comment="Old Router Rules" disabled=yes \
    dst-port=443 protocol=tcp
add action=accept chain=input disabled=yes dst-port=22,2000,8291 protocol=tcp \
    src-address-list=iewc-ip4s
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input disabled=yes dst-port=53,123 in-interface=\
    Bridge-LAN protocol=udp
add action=accept chain=input disabled=yes dst-port=22,8291 in-interface=\
    Bridge-LAN protocol=tcp
add action=accept chain=forward disabled=yes dst-port=19001 protocol=tcp
add action=drop chain=input comment=\
    "\"defconf: drop all not coming from Bridge-LAN\"" in-interface=\
    !Bridge-LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="WireGuard NAT" out-interface=\
    Pepla_WG src-address=192.168.89.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=no
set h323 disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha512
/ip service
set ftp disabled=yes
/ppp secret
add disabled=yes name=vpn profile=*2
add disabled=yes name=JP profile=*2
/routing rule
add action=lookup disabled=no src-address=192.168.89.0/24 table=WG-Pepla
add action=lookup disabled=yes src-address=192.168.89.2/32 table=WG-Pepla
add action=lookup disabled=yes src-address=192.168.89.3/32 table=WG-Pepla
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="Core Router"
/system note
set show-at-login=no

Apologies for any confusion of terminology above, but I hope that I kinda made sense? :slight_smile:

Again, thank you to anyone willing to assist me with this.

Hello,
Please delete sensitive information (passwords, etc.), and you can also adjust the firewall a bit. Usually we put everything related to INPUT in the Input section, and everything related to passing traffic in the Forward section. It will be more correct.
INPUT CHAIN → To the Router or to Router Services. Directional flow is WAN to Router, and LAN to Router.
FORWARD CHAIN → Through the Router. Direction flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN → From the Router. Directional flow is Router to WAN.

/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguard1 list=LAN
add comment=defconf interface=ether1 list=WAN

/ip firewall address-list
add address=192.168.88.0/24 list=Local-LAN
add address=10.1.1.0/24 list=WG
/ip address
add address=10.1.1.1/24 comment=WG interface=wireguard1 network=10.1.1.0

== and on the WG client on the PC add 10.1.1.2/24 (in the client configuration, we also specify the subnets we want to access)

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1 (remove if not needed)
add action=accept chain=input comment="WG handshake" dst-port=13231 protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=LAN src-address-list=Local-LAN
add action=accept chain=input comment="users services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else" { ensure you put this rule in LAST }
+++++++++++++++++++++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related disabled=no hw-offload=yes connection-mark=no-mark
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="WG to LAN" in-interface=wireguard1 dst-address=192.168.88.0/24
add action=accept chain=forward disabled=yes dst-port=19001 protocol=tcp
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable or remove as required }
add action=drop chain=forward comment="drop all else" { ensure you put this rule in LAST }

Hi there johnson73 and thank you so much for the detailed reply received. This really helps me to implement some kind of solution on the Router :slight_smile:

If I may ask, how does the rule for the admin access work?

I’ve implemented all the rules and disabled the rules not required; however, I’m now unable to access the Mikrotik Router remotely via Winbox. I’ve opted to enable the rule to allow connections on port 8291 via Src. Address 192.168.89.0/24.

I’ve also noted that with the last drop rule you gave, the internet would drop. I went through all the rules again but couldn’t find a reason why this would happen. The drop rule is at the very end of all the rules. Just to be clear with regards to the Drop rules, do I need to put the rules in the order you showed? For instance, that the drop rule for Input needs to be at the end of the Input rules, and the forward drop needs to be at the end of the forwarding rules? Also, I’ve noticed you had a drop rule as the 2nd rule for input.

Again, thank you so much for your reply. I really do appreciate it!

Yes, the order of the rules is important because the rules are executed from top to bottom. There are two “drop” rules, one in the “last rule input section” and the other in the end of the “forward section”.

“If I may ask, how does the rule for the admin access work?” =
add action=accept chain=input comment="Allow access to router from known network" in-interface-list=LAN
Changing in-interface-list to another list, the router will be accessible only from the specified LAN. Or you can additionally specify the src-address-list address from which you can connect to the router.

If in your case the Internet disappeared, then you may not have specified the correct address in the address-list section.
Example :LAN-192.168.88.0/24, WAN: 1.2.3.4… Wireguard: 10.1.1.0/24…and VPN: 192.168.90.0/24 (or any IP of your choice)
Then in the rules we specify that WAN is WAN, LAN->WAN, etc., as in my example, and everything should work.
Let’s see what happens in the interface list section. Example:
WAN=ether1; LAN=Bridge1; LAN=WG ; LAN=VPN
You are missing something from this.

Thank you johnson73.

From your original response, I counted 4 drop rules that I created:

Input Rule #2 and #9 AND

Forward Rule #3 and #8.

Is that correct to create those rules?

Thanks again for your continued assistance. Let me have a look through your suggestions again and get back to you :slight_smile:

Yes, it is correct. Each section, “input” and “forward”, ends with a drop-all rule.

Thank you Johnson73

I was able to rectify my mistake. I had ether1 set as my Out. Interface, as this is the port that connects me to the internet/ISP, as per the rule below:

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN

I’ve connected via Wireguard, but when trying to access the SQL database, the connection is unsuccessful. I’m not sure what causes this. :confused:

If WireGuard has successfully connected to your LAN, then you should be able to access your SQL server. Question - do you get to the server itself? If you reach it, for example, via telnet or RDP, then you need to see what happens with SQL database access rights.

Hi there johnson73

I need to mention that the SQL Server is not an on-premises server. This server is located at an external company. The server belongs to the external company, and our company IP address has been whitelisted to be able to connect to this SQL Server. However, when connected to WireGuard, I’m unable to connect to the database via SQL Server Management Studio.

I also need to look at the rules again, because the last rule that blocks forwarding traffic, blocks my internet traffic when connected to WireGuard. I’m not able to get internet breakout. I’m not sure if a rule can be created that would only allow the SQL traffic through the WireGuard tunnel and have the rest of the traffic flow through the client’s internet/router?

Apologies for all the questions, still learning here :slight_smile:

and thanks again for your continued responses. I really do appreciate them.

To be clear, users do not have direct access to this off site other company server.
Your Router’s fixed WANIP is whitelisted so as to be able to reach that server.

First you need to establish local router access to this whitelisted server ( aka from your LAN ).
If you can do this, then remote wireguard users entering your router, should also be able to do the same.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.. )

Anything is possible, and having a view into your setup will provide the answers to fix it.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

If you think of the path… local users need to reach the remote server, therefore there needs to be a clear route to that address.
Thus all this traffic will go out your ISP, then through the www, then to the modem/router of the other company’s ISP and network.

Do your local users go out to the local internet, or are they only allowed to specific sites like the one for the server?
Should wireguard remote users coming in, be able to access the internet via your router or ONLY the site hosting the server???
Are the remote users coming in from singular devices ( laptop, ipad, smartphone etc…) or coming in from other MT routers??

@anav, thank you for your response. I was able to connect to the SQL Database via wireguard when I implemented the following Firewall Rule.

;;; Allow Local Subnet To Enter The WireGuard Interface
      chain=forward action=accept src-address=192.168.0.0/24 out-interface=Pepla_WG log=no log-prefix=""

I found this from the below post:

http://forum.mikrotik.com/t/wireguard-filter-rules-confusing-the-heck-out-of-me/161053/1

I guess it ties in with your suggestions as well. You are more than welcome to look at my config as well :smiley: Maybe there are entries I created that are not even required. I know, for instance, the routing rules I would like to revisit.

Maybe there are rules that aren’t supposed to be there, or that could be better configured. But for now, it all seems to be working quite well.

# 2024-09-25 08:28:16 by RouterOS 7.15.3
# software id = 7UAI-U0HI
#
# model = RB5009UG+S+
# serial number = 
/interface bridge
add arp=proxy-arp name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name="ether3-Admin AP"
set [ find default-name=ether4 ] name="ether4-Hallway AP"
set [ find default-name=ether5 ] name="ether5-Blue AP"
set [ find default-name=ether6 ] name="ether6-Green_Orange AP"
set [ find default-name=ether8 ] name="ether8 - LTE Fail Over"
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-WAN name=\
    "Internet In-Web Africa" use-peer-dns=yes user=test123
/interface wireguard
add listen-port=13231 mtu=1450 name=Pepla_WG
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512
/ip pool
add name=DHCP-LAN ranges=192.168.0.11-192.168.0.239
/ip dhcp-server
add address-pool=DHCP-LAN interface=Bridge-LAN lease-time=2d name=DHCP
/routing table
add comment="Table for WireGuard - JPB" disabled=no fib name=WG-Pepla
/interface bridge port
add bridge=Bridge-LAN interface="ether3-Admin AP"
add bridge=Bridge-LAN interface="ether4-Hallway AP"
add bridge=Bridge-LAN interface="ether5-Blue AP"
add bridge=Bridge-LAN interface="ether6-Green_Orange AP"
add bridge=Bridge-LAN interface=ether2-LAN
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set default-profile=default use-ipsec=yes
/interface list member
add interface=Bridge-LAN list=LAN
add interface="Internet In-Web Africa" list=WAN
/interface wireguard peers
add allowed-address=192.168.89.3/32 client-dns=192.168.0.1 interface=Pepla_WG \
    name="User1" persistent-keepalive=30s private-key=\
    "************************" public-key=\
    "*******************************"
add allowed-address=192.168.89.2/32 client-dns=8.8.8.8 interface=Pepla_WG \
    name="User2" persistent-keepalive=30s private-key=\
    "*********************" public-key=\
    "******************"
add allowed-address=192.168.89.4/32 interface=Pepla_WG name="User3" \
    persistent-keepalive=30s private-key=\
    "*********************" public-key=\
    "***************************"
add allowed-address=192.168.89.5/32 interface=Pepla_WG name="User4" \
    persistent-keepalive=30s private-key=\
    "*********************" public-key=\
    "*******************************"
add allowed-address=192.168.0.6/32 interface=Pepla_WG name=\
    "User5" persistent-keepalive=30s private-key=\
    "**************************" public-key=\
    "*****************************"
/ip address
add address=192.168.0.1/24 interface=Bridge-LAN network=192.168.0.0
add address=41.132.65.127 disabled=yes interface="Internet In-Web Africa" \
    network=168.210.4.66
add address=192.168.89.1/24 comment=Pepla_WG interface=Pepla_WG network=\
    192.168.89.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
    ntp-server=154.73.32.1,154.73.32.2
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip firewall address-list
add address=154.73.32.0/22 disabled=yes list=iewc-ip4s
add address=165.16.200.0/21 disabled=yes list=iewc-ip4s
add address=192.168.0.0/24 disabled=yes list=MGMT-RANGES
add address=192.168.88.0/24 disabled=yes list=MGMT-RANGES
add address=192.168.0.0/24 list=Local-LAN
add address=192.168.89.0/24 list="WIRE GUARD"
/ip firewall filter
add action=accept chain=input comment=\
    "Allow: Established, Related, Untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="WireGuard Handshake" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Winbox Router Access" dst-port=8291 \
    protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input comment="admin access" in-interface=Bridge-LAN \
    src-address=192.168.0.0/24
add action=accept chain=input comment="users services" dst-port=53 \
    in-interface=Bridge-LAN protocol=udp
add action=accept chain=input comment="users services" dst-port=53 \
    in-interface=Bridge-LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=no-mark connection-state=established,related hw-offload=\
    yes
add action=accept chain=forward comment=\
    "Allow Established, Related, Untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=accept chain=forward comment="Internet Traffic" in-interface=\
    Bridge-LAN out-interface="Internet In-Web Africa"
add action=accept chain=forward comment="WireGuard to LAN" in-interface=\
    Pepla_WG out-interface="Internet In-Web Africa"
add action=accept chain=forward comment=\
    "Allow Local Subnet To Enter The WireGuard Interface" out-interface=\
    Pepla_WG src-address=192.168.0.0/24
add action=accept chain=forward disabled=yes dst-port=19001 protocol=tcp
add action=accept chain=forward comment="Port Forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop all else" connection-state=""
/ip firewall mangle
add action=accept chain=prerouting disabled=yes dst-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="WireGuard NAT" out-interface=\
    Pepla_WG src-address=192.168.89.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=no
set h323 disabled=yes
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 \
    hash-algorithm=sha512
/ip service
set ftp disabled=yes
/ppp secret
add disabled=yes name=vpn profile=*2
add disabled=yes name=JP profile=*2
/routing rule
add action=lookup disabled=no src-address=192.168.89.0/24 table=WG-Pepla
add action=lookup disabled=yes src-address=192.168.89.2/32 table=WG-Pepla
add action=lookup disabled=yes src-address=192.168.89.3/32 table=WG-Pepla
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="Core Router"
/system note
set show-at-login=no

Good to hear!

Assuming that the persistent keep alive settings are only there to identify what is set on the peers themselves…

In terms of the router setup the only thing I would likely change is the access by admin.
You have two separate accesses setup, and I would merge into one.
There is no need for an entire subnet to be able to access the router etc… ONLY the admin needs access…
SO
/ip firewall address-list { using static set dhcp leases where applicable }
add address=192.168.89.X list=Authorized comment="remote admin wireguard laptop"
add address=192.168.89.Y list=Authorized comment="remote admin wireguard ipad/smartphone"
add address=192.168.0.A list=Authorized comment="local admin wired"
add address=192.168.0.B list=Authorized comment="local admin wifi"

Then get rid of:
add action=accept chain=input comment="Winbox Router Access" dst-port=8291 \
    protocol=tcp src-address=192.168.89.0/24
add action=accept chain=input comment="admin access" in-interface=Bridge-LAN \
    src-address=192.168.0.0/24

and replace with:
add action=accept chain=input src-address-list=Authorized

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I would also modify this
add action=accept chain=input comment="users services" dst-port=53 \
    in-interface=Bridge-LAN protocol=udp
add action=accept chain=input comment="users services" dst-port=53 \
    in-interface=Bridge-LAN protocol=tcp

TO THIS:
add action=accept chain=input comment="users services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users services" dst-port=53 \
    in-interface-list=LAN protocol=tcp

And this
/interface list member
add interface=Bridge-LAN list=LAN
add interface="Internet In-Web Africa" list=WAN

TO:
/interface list member
add interface=Bridge-LAN list=LAN
add interface=Pepla_WG list=LAN
add interface="Internet In-Web Africa" list=WAN

In terms of SOURCENAT, simplify; you ONLY require the following entry:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

There is no need to masquerade the local subnet going out wireguard, as all your traffic is coming in from remote users.
I don’t see a connection to a third-party VPN site, or another router that is not mikrotik etc…
Further, the sourcenat rule above will ensure that any traffic leaving the router for the SQL address will have the IP address of your router, all good.


In terms of other firewall rules… Unless you DON’T want a remote wireguard user to be able to use your RB5009 internet to get to the WWW, then change this:
add action=accept chain=forward comment="Internet Traffic" in-interface=\
    Bridge-LAN out-interface="Internet In-Web Africa"

TO:
add action=accept chain=forward comment="Internet Traffic" in-interface-list=LAN out-interface-list=WAN

This is very common, and if by strange circumstance you didn’t want wireguard remote users to be able to use the RB5009 for anything else on the www besides the SQL server, then it would look like this:

add action=accept chain=forward comment="wg to SQL traffic" in-interface=Pepla_WG out-interface-list=WAN dst-address=WANIP-SQL
add action=accept chain=forward comment="Internet Traffic" in-interface=Bridge-LAN out-interface-list=WAN

OR:
add action=accept chain=forward comment="wg to SQL traffic" in-interface=Pepla_WG out-interface-list=WAN dst-address=WANIP-SQL
add action=accept chain=forward comment="Internet Traffic" in-interface-list=LAN out-interface-list=WAN src-address=!192.168.89.0/24

many ways to accomplish goal…

Now, this rule also begs the question what local users are going out wireguard???
Is there a router you are trying to connect to? If not, I don’t see the purpose.
add action=accept chain=forward comment=\
    "Allow Local Subnet To Enter The WireGuard Interface" out-interface=\
    Pepla_WG src-address=192.168.0.0/24

Now I am probably missing some requirement, but if it’s just to access the WANIP of the SQL server then, following the path…
wireguard remote user comes in via the tunnel ( with its device allowed IPs set at 0.0.0.0/0 OR 192.168.89.0/24,41.132.65.127 )

It’s allowed to enter the Router, follows the Route existing on the router, out the main WAN, sourcenatted to the IP of the WAN, firewall rules allow the traffic, done!
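As an added example (not code from the thread or from anyone posting in it), the Python below models how RouterOS walks a filter chain top to bottom and stops at the first matching rule. It checks two points made above: johnson73's, that the "drop all else" rule must be last, and anav's, that a forward rule with in-interface=Bridge-LAN never matches WireGuard clients while in-interface-list=LAN does once Pepla_WG is a member of the LAN list. Interface, list and subnet names follow the thread's config; the packets and the 203.0.113.10 stand-in for anav's WANIP-SQL are constructed.

```python
"""First-match walk of a RouterOS-style forward chain (added example, not
code from the thread). Interface, list and subnet names follow the thread's
config; packets and the SQL server address 203.0.113.10 (a constructed
stand-in for anav's WANIP-SQL) are made up for the demonstration."""
from dataclasses import dataclass, field
import ipaddress

WAN = "Internet In-Web Africa"      # the PPPoE interface in the WAN list
SQL_SERVER = "203.0.113.10"         # constructed stand-in for WANIP-SQL

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    conn_state: str = "new"

@dataclass
class Rule:
    action: str
    comment: str
    match: dict = field(default_factory=dict)  # empty dict matches everything

def in_net(ip, cidr):
    """Address matcher; a leading '!' negates, as in src-address=!192.168.89.0/24."""
    if cidr.startswith("!"):
        return not in_net(ip, cidr[1:])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def matches(rule, pkt, lists):
    """True when every matcher set on the rule agrees with the packet."""
    checks = {
        "in_interface": lambda v: pkt.in_iface == v,
        "out_interface": lambda v: pkt.out_iface == v,
        "in_interface_list": lambda v: pkt.in_iface in lists.get(v, ()),
        "out_interface_list": lambda v: pkt.out_iface in lists.get(v, ()),
        "src_address": lambda v: in_net(pkt.src, v),
        "dst_address": lambda v: in_net(pkt.dst, v),
        "connection_state": lambda v: pkt.conn_state in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.match.items())

def evaluate(rules, pkt, lists):
    """Return (action, comment) of the first matching rule. A chain that
    matches nothing accepts, so the final unconditional drop is what
    actually enforces the policy, and anything placed after it is dead."""
    for rule in rules:
        if matches(rule, pkt, lists):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"

# Rules as recommended in the thread, expressed as matcher dictionaries.
ESTABLISHED = Rule("accept", "established,related,untracked",
                   {"connection_state": "established,related,untracked"})
INVALID = Rule("drop", "Drop Invalid", {"connection_state": "invalid"})
INTERNET = Rule("accept", "Internet Traffic",
                {"in_interface_list": "LAN", "out_interface_list": "WAN"})
WG_SQL = Rule("accept", "wg to SQL traffic",
              {"in_interface": "Pepla_WG", "out_interface_list": "WAN",
               "dst_address": SQL_SERVER})
INTERNET_NO_WG = Rule("accept", "Internet Traffic",
                      {"in_interface_list": "LAN", "out_interface_list": "WAN",
                       "src_address": "!192.168.89.0/24"})
DROP_ALL = Rule("drop", "drop all else")

FORWARD_OPEN = [ESTABLISHED, INVALID, INTERNET, DROP_ALL]            # WG users get internet
FORWARD_SQL_ONLY = [ESTABLISHED, INVALID, WG_SQL, INTERNET_NO_WG, DROP_ALL]  # anav's "OR" variant
FORWARD_MISORDERED = [DROP_ALL, ESTABLISHED, INVALID, INTERNET]      # drop-all not last

LISTS_AS_POSTED = {"LAN": {"Bridge-LAN"}, "WAN": {WAN}}                  # Pepla_WG missing
LISTS_WITH_WG = {"LAN": {"Bridge-LAN", "Pepla_WG"}, "WAN": {WAN}}        # anav's fix

# Constructed packets: a WG client, a LAN host, and a reply to the WG client.
WG_TO_WEB = Packet("Pepla_WG", WAN, "192.168.89.2", "8.8.8.8")
WG_TO_SQL = Packet("Pepla_WG", WAN, "192.168.89.2", SQL_SERVER)
LAN_TO_WEB = Packet("Bridge-LAN", WAN, "192.168.0.50", "8.8.8.8")
REPLY_TO_WG = Packet(WAN, "Pepla_WG", "8.8.8.8", "192.168.89.2", "established")
```

With the lists as posted, `evaluate(FORWARD_OPEN, WG_TO_WEB, LISTS_AS_POSTED)` falls through to "drop all else", while the same call with `LISTS_WITH_WG` is accepted by "Internet Traffic"; the misordered chain drops even LAN traffic.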