Some really weird things going on in your config for sure.
(1) For VLAN separation at Layer3, firewall rules apply. Easiest is to drop all at the end of the forward chain.
(2) I am not a proponent of using any vlan settings in wifi if not necessary. Keep wifi settings for wifi.
Thus it's very confusing for me to see datapath for vlan50 in the wifi config but also a datapath for bridge.
I don't recall making any of those specific settings on my wifi settings. Basically AP bridge mode was it.
So perhaps the datapath bridge is default and if so get rid of datapath vlan50 if you actually manually added it ???
(3) It appears you defined a wifi3? But I don't see it on bridge ports? Okay I see it tagged on vlan50. That is unusual! What is wifi3 from the ax3 connecting to here ???
(4) Ether5 makes no sense to me, looking at your diagram not updated for all vlans you had vlan1 and vlan50 going to macos computer, now you only show vlan50 untagged????
(5) ERROR ERROR you have ether 4 being untagged for two vlans.... An access port can only have one port untagged!!!!
In summary you need to redraw your diagram so it's accurate!!! and config appropriately.
(5) Yes wg is not correct, I suspect all traffic is going out one WG interface and not at all on the other but will work through your config.......
Okay, so you have two separate endpoints so thats good!!
You have both peer addresses with allowed IPs of 0.0.0.0/0 and is why having a separate wg interface is necessary. Otherwise, if same interface the router would always choose the first peer in the order and the second peer would never be used. So that is good!
I would extend keep alives to in the 30-45 sec range........
Addresses: Although it is possible to assign multiple addresses to the same interface, not so sure using the same address for two different interfaces is a good idea. In fact it makes little sense to me. Going back they stated to you a /10 address remember........ So not sure where this new one is coming from - your flipping wg addresses without explanation is RUDE!
BASED ON PREVIOUS INFORMATION
Thus for wg50 use:
/ip address
add address=10.75.178.228/24 interface=wireguard50 network=10.75.178.0
Thus for wg51 use:
add address=10.159.64.244/24 interface=wireguard51 network=10.159.64.0
FOR DNS, only here........ as stated previously.........
/ip dhcp-server network
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
10.64.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.51.1
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
USING THE LATEST INFORMATION----- Assuming they gave you only one address=10.140.35.150/10 who can keep up with you changing the truth???
Thus for wg50 use:
/ip address
add address=10.140.35.150/24 comment="wireguard50 interface address" interface=\
wireguard50 network=10.140.35.0
Thus for wg51 use:
add address=10.140.35.151/24 interface=wireguard51 network=10.140.35.0
FOR DNS, only here........ as stated previously.........
/ip dhcp-server network
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.51.1
(6) what is this??
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
You need to allow the router or whatever server you are using to find the DOH site so perhaps this......
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
Finally get rid of your IP static settings.
(7) Firewall rules were fine except for the default dstnat rule which is replaced with a proper rule to allow dstnat. Fixed on the config below.
(8) Assuming your ether1 has default route selected in IP DHCP client as no route visible in config (expected). All looks good!
(9) Config Review:
/interface bridge
add admin-mac=2F:2F:2F:2F:2F:2F auto-mac=no comment=defconf \
ingress-filtering=no name=bridge vlan-filtering=yes
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-779659 \
disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-24 \
security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment="WireGuard VPN interface #50" listen-port=13232 mtu=1420 name=\
wireguard50
add comment="WireGuard VPN interface #51" listen-port=13231 mtu=1420 name=\
wireguard51
/interface vlan
add comment="Home LAN 192.168.89.0/24" interface=bridge name=homeVLAN89 \
vlan-id=89
add comment="wireguard50 LAN 172.17.50.0/24" interface=bridge name=wgVLAN50 \
vlan-id=50
add comment="wireguard51 LAN 172.17.51.0/24" interface=bridge name=wgVLAN51 \
vlan-id=51
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 configuration
add channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz \
country="" datapath.vlan-id=50 disabled=no mode=ap name=wifiVLAN50 \
security.authentication-types=wpa2-psk,wpa3-psk ssid=Test50
/interface wifiwave2
add configuration=wifiVLAN50 configuration.mode=ap datapath.bridge=bridge \
.client-isolation=no .interface-list=LAN mac-address=55:55:55:55:55:55 \
master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk
/ip pool
add comment="Home LAN VLAN89" name=default-dhcp ranges=\
192.168.89.10-192.168.89.254
add comment="wireguard50 LAN VLAN50" name=wgLAN50-pool ranges=\
172.17.50.10-172.17.50.250
add comment="wireguard51 LAN VLAN51" name=wgLAN51-pool ranges=\
172.17.51.10-172.17.51.250
/ip dhcp-server
add address-pool=default-dhcp interface=homeVLAN89 name=defconf
add address-pool=wgLAN50-pool comment="dhcp server for wgLAN50" interface=\
wgVLAN50 name=dhcp-wgLAN50
add address-pool=wgLAN51-pool comment="dhcp server for wgLAN51" interface=\
wgVLAN51 name=dhcp-wgLAN51
/port
set 0 name=serial0
/routing table
add comment="wgLAN50 route to wireguard50" disabled=no fib name=wg50route
add comment="wgLAN51 route to wireguard51" disabled=no fib name=wg51route
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether2 pvid=89
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=89
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=51
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi1 pvid=89
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi2 pvid=89
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge tagged=wifi3,bridge untagged=ether5 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=89
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=51
/interface list member
add interface=homeVLAN89 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wgVLAN50 list=LAN
add interface=wgVLAN51 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="wg peer for wireguard50 interface" \
endpoint-address=180.150.115.50 endpoint-port=1637 interface=wireguard50 \
persistent-keepalive=35s public-key=\
"blahpublickeyblah="
add allowed-address=0.0.0.0/0 comment="wg peer for wireguard51 interface" \
endpoint-address=205.110.155.55 endpoint-port=1637 interface=wireguard51 \
persistent-keepalive=40s public-key=\
"blahpublickeyblah="
/ip address
add address=192.168.89.1/24 comment=defconf interface=homeVLAN89 network=\
192.168.89.0
add address=172.17.50.1/24 comment="VLAN50 - LAN of wireguard50" interface=\
wgVLAN50 network=172.17.50.0
add address=172.17.51.1/24 comment="VLAN51 - LAN of wireguard51" interface=\
wgVLAN51 network=172.17.51.0
See above discussion on WG addresses. This section is SUSPECT.
add address=10.140.35.150 comment="wireguard50 interface address" interface=\
wireguard50 network=10.128.0.0
# network is 10.128.0.0 because DNS on wireguard side is 10.128.0.1 WRONG
add address=10.140.35.150 comment="wireguard51 interface address" interface=\
wireguard51 network=10.128.0.0
# network is 10.128.0.0 because DNS on wireguard side is 10.128.0.1 WRONG
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=172.17.50.0/24 comment="wgLAN50 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.50.1
add address=172.17.51.0/24 comment="wgLAN51 network with wg DNS" dns-server=\
10.128.0.1 gateway=172.17.51.1
add address=192.168.89.0/24 comment=defconf dns-server=192.168.89.1 gateway=\
192.168.89.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 use-doh-server=https://1.1.1.1/dns-query \
verify-doh-cert=yes
/ip dns static (REMOVE ALL)
add address=192.168.89.1 comment=defconf name=router.lan
add address=104.16.249.249 name=cloudflare-dns.com
add address=104.16.248.249 name=cloudflare-dns.com
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="allow all from Home LAN to WAN" \
in-interface=homeVLAN89 out-interface-list=WAN
add action=accept chain=forward comment=\
"Forward wgLAN50 traffic to wireguard50 interface gateway" in-interface=\
wgVLAN50 out-interface=wireguard50
add action=accept chain=forward comment=\
"Forward wgLAN51 traffic to wireguard51 interface gateway" in-interface=\
wgVLAN51 out-interface=wireguard51
add action=accept chain=forward comment="allow dstnat (port forwarded) traffic" \
connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq traffic from wgLAN50 to wireg\
uard50 gateway, as IP of wireguard50 peer" out-interface=wireguard50
add action=masquerade chain=srcnat comment="masq traffic from wgLAN51 to wireg\
uard51 gateway, as IP of wireguard51 peer" out-interface=wireguard51
/ip firewall service-port
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="Route wgVLAN50 through wireguard50 gateway" \
disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard50 \
pref-src="" routing-table=wg50route scope=30 suppress-hw-offload=no \
target-scope=10
add comment="Route wgVLAN51 through wireguard51 gateway" \
disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard51 \
pref-src="" routing-table=wg51route scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=https-cert disabled=no
set api disabled=yes
set api-ssl disabled=yes
/routing rule
add action=lookup-only-in-table comment=\
"Route Src. wgLAN50 to wireguard50 interface" disabled=no src-address=\
172.17.50.0/24 table=wg50route
add action=lookup-only-in-table comment=\
"Route Src. wgLAN51 to wireguard51 interface" disabled=no src-address=\
172.17.51.0/24 table=wg51route
/system logging
add disabled=yes topics=dns
add disabled=yes topics=wireguard
add disabled=yes topics=route
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
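Two of the problems called out in this review (a port untagged in more than one bridge VLAN, and the same host address assigned to both WireGuard interfaces) are the kind of thing that is easy to miss by eye in a long export but trivial to check mechanically. The script below is an added example, not code from the forum post or from MikroTik: it joins RouterOS backslash-continued lines, splits the export into sections, and runs three checks over it (untagged-in-one-VLAN, one-address-per-interface, and forward chain ending in an unconditional drop, as point (1) asks for). The sample export is constructed from the relevant parts of the config above and deliberately carries the ether4 and 10.140.35.150 errors; the function and variable names are the example's own.

```python
"""Added example (not from the forum post): lint a RouterOS export for the
mistakes the review above calls out, so they are caught before deployment."""
import shlex
from collections import defaultdict

# Constructed sample: the relevant sections of the reviewed config, carrying
# the two errors the review flags (ether4 untagged in both VLAN 89 and 51;
# the same 10.140.35.150 address on wireguard50 and wireguard51).
SAMPLE_EXPORT = """\
/interface bridge vlan
add bridge=bridge tagged=wifi3,bridge untagged=ether5 vlan-ids=50
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=89
add bridge=bridge tagged=bridge untagged=ether4 vlan-ids=51
/ip address
add address=172.17.50.1/24 comment="VLAN50 - LAN of wireguard50" \\
    interface=wgVLAN50 network=172.17.50.0
add address=10.140.35.150 interface=wireguard50 network=10.128.0.0
add address=10.140.35.150 interface=wireguard51 network=10.128.0.0
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="drop all else"
"""

def parse_export(text):
    """Return {section: [entry, ...]}; an entry maps key -> value for one
    'add'/'set' line, after joining backslash-continued lines."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):          # RouterOS line continuation
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # section header, e.g. /ip address
            current = line
            continue
        tokens = shlex.split(line)       # honours quoted comment="..." values
        entry = {"_verb": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections

def untagged_in_several_vlans(sections):
    """Point (5): a port may be untagged in only one bridge VLAN."""
    seen = defaultdict(list)
    for vlan in sections.get("/interface bridge vlan", []):
        for port in filter(None, vlan.get("untagged", "").split(",")):
            seen[port].append(vlan.get("vlan-ids", "?"))
    return {p: v for p, v in seen.items() if len(v) > 1}

def addresses_on_several_interfaces(sections):
    """/ip address: one host address must not sit on two interfaces."""
    by_addr = defaultdict(set)
    for entry in sections.get("/ip address", []):
        if "address" in entry:
            host = entry["address"].split("/")[0]
            by_addr[host].add(entry.get("interface", "?"))
    return {a: sorted(i) for a, i in by_addr.items() if len(i) > 1}

def forward_ends_in_drop(sections):
    """Point (1): the last forward rule should be an unconditional drop."""
    forward = [r for r in sections.get("/ip firewall filter", [])
               if r.get("chain") == "forward"]
    if not forward:
        return False
    last = forward[-1]
    matchers = set(last) - {"_verb", "action", "chain", "comment", "log",
                            "log-prefix", "disabled"}
    return last.get("action") == "drop" and not matchers

def lint(text):
    """Run every check; return one finding string per problem."""
    s = parse_export(text)
    findings = []
    for port, vlans in untagged_in_several_vlans(s).items():
        findings.append(f"{port} is untagged in VLANs {', '.join(vlans)}")
    for addr, ifs in addresses_on_several_interfaces(s).items():
        findings.append(f"{addr} is assigned to {' and '.join(ifs)}")
    if not forward_ends_in_drop(s):
        findings.append("forward chain does not end in an unconditional drop")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run against the real thing with `python3 lint_ros.py < export.rsc` after swapping `SAMPLE_EXPORT` for `sys.stdin.read()`; the parser only understands the flat `add`/`set` export format, so generate the input with `/export` rather than `/export verbose` to keep the key set small.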