Wireguard on Dumb AP/second router

I would like to repurpose my Mikrotik router as a dumb AP or second router. The primary router (GL.iNet) has only one LAN port and can only run one WireGuard instance. I need two, or ideally three, simultaneous WireGuard connections to commercial VPN providers for different VLANs. There is also no stable vanilla version of OpenWrt for that GL.iNet model, and PBR is missing from the repos, so I am focusing now on setting up the Mikrotik router. In the past I have used that router with VLANs and WireGuard using PBR with no major issues for a couple of years. However, now I am struggling to get it working as a secondary router.

Currently, I have set it up as a dumb AP. The VLANs are working correctly: I can access the internet from devices connected to the Mikrotik and ping machines connected to the primary router. On the other hand, WireGuard is not working. I can see that a handshake is established, but no traffic passes through it. I am also unable to start PBR. The log shows "service waiting for wan gateway…" and then PBR stops.

Can I use WireGuard on a dumb AP at all, given that it is not routing? Alternatively, what other setup would work for my goals (VLAN-aware additional LAN ports and WireGuard)?

Edit: WireGuard only needs to be used by devices that will be plugged directly into the Mikrotik. The primary router will handle a single WireGuard instance for the other devices.

        "kernel": "5.15.162",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "MikroTik hAP ac2",
        "board_name": "mikrotik,hap-ac2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "ipq40xx/mikrotik",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
# /etc/config/network as pasted by the author; keys, MAC addresses and the
# ULA prefix are redacted as 'XXX'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXX'

# One VLAN-aware bridge over all four LAN ports plus the 'wan' port; the
# bridge-vlan sections below make 'wan' the tagged trunk towards the primary
# router. bridge_empty keeps the bridge up even when no port has link.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'
        option bridge_empty '1'

config device
        option name 'lan1'
        option macaddr 'XXX'

config device
        option name 'lan2'
        option macaddr 'XXX'

config device
        option name 'lan3'
        option macaddr 'XXX'

config device
        option name 'lan4'
        option macaddr 'XXX'

# Management address on VLAN 1 (br-lan.1). The default route points at the
# primary router (192.168.1.1), i.e. this device is itself a client of that
# router; LAN hosts only route through it if they are pointed at 192.168.1.2.
config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.1'
        option gateway '192.168.1.1'

config device
        option name 'wan'
        option macaddr 'XXX'

# NOTE(review): 'wan' is already a member port of br-lan above, so a dhcp
# interface bound to the bare port is not expected to obtain an address or a
# gateway; that would match PBR logging "waiting for wan gateway". Confirm
# with `ifstatus wan`. If the port is meant to be the trunk only, these two
# interfaces are likely dead weight.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# VLAN 1: lan1 untagged, trunk tagged. lan3 and lan4 are bridge members but
# are not assigned to any VLAN in this config.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'wan:t'

# VLAN 10: lan2 untagged, trunk tagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan2'
        list ports 'wan:t'

# proto 'none' gives VLAN 10 no address on this router: its frames are only
# switched between lan2 and the trunk, so there is no L3 hop here that PBR
# could steer into wg1. A routed setup would need an address (in its own
# subnet) on br-lan.10 and the clients using it as gateway.
config interface 'lan10'
        option proto 'none'
        option device 'br-lan.10'

# Tunnel to the VPN provider. route_allowed_ips is not set, so the
# 0.0.0.0/0 allowed_ips of the peer does not install a default route via
# wg1; steering traffic into the tunnel is left to PBR. delegate '0' keeps
# IPv6 prefix delegation off this interface.
# NOTE(review): the provider's DNS listed here ends up in resolv.conf.auto
# next to 192.168.1.1, so this router's own resolver may use either upstream
# for any query; confirm that mixing is intended.
config interface 'wg1'
        option proto 'wireguard'
        option private_key 'XXX'
        list addresses 'XXX/32'
        list dns 'XXX'
        option delegate '0'
        option force_link '1'

# Peer: the provider's server. persistent_keepalive refreshes NAT/firewall
# state on the path to the endpoint, which presumably runs through the
# primary router here.
config wireguard_wg1
        option description 'test-router.conf'
        option public_key 'XXX'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'XXX'
        option endpoint_port '51820'
        option persistent_keepalive '25'
# /etc/config/dhcp as pasted.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # rebind_protection drops upstream answers that point at private
        # ranges (DNS-rebinding defence); rebind_localhost re-allows
        # 127.0.0.0/8 answers, as used by DNS-based blocklist services.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Upstream list written by netifd from the interfaces' dns options
        # (192.168.1.1 from 'lan' and the provider's server from 'wg1').
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# The DHCPv4 server for 'lan' is defined but ignored; presumably the primary
# router serves DHCP on this VLAN, so clients receive that router — not this
# device — as their default gateway.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# maindhcp '0' leaves DHCPv4 to dnsmasq; odhcpd handles only DHCPv6/RA.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
# /etc/config/firewall as pasted. Rules are evaluated in the order written.
# Default policy: inbound and transit traffic is rejected unless a zone or
# forwarding allows it; everything outbound is allowed; SYN-flood protection
# is on.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Management / VLAN 1 zone. input ACCEPT means every host on VLAN 1 can reach
# this router's own services. The 'lan10' interface belongs to no zone.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream zone with NAT. NOTE(review): 'wan' and 'wan6' are bound to a port
# that is also a br-lan member (see the network config), so this zone is not
# expected to hold a live interface in the dumb-AP layout; the actual upstream
# path is the 'lan' interface's gateway, which is covered by the lan zone.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# The following rules are OpenWrt's stock WAN-facing set (DHCP renew, ping,
# IGMP/MLD, ICMPv6, IPsec passthrough). They only take effect if an
# interface in the wan zone actually comes up.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Allow-IPSec-ESP and Allow-ISAKMP admit inbound IPsec from wan into lan.
# They are only needed if a LAN host terminates IPsec; otherwise they can be
# disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Hook through which PBR installs its own policy-routing rules.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

# Tunnel zone. input REJECT keeps the provider's side from reaching this
# router's services; no forwarding section has src 'wg1', so the defaults'
# forward REJECT applies to anything arriving through the tunnel. LAN traffic
# leaving via wg1 is source-NATed to the tunnel address and has its TCP MSS
# clamped.
config zone
        option name 'wg1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg1'
        option masq '1'
        option mtu_fix '1'

# Only the 'lan' zone (VLAN 1) may be forwarded into wg1. 'lan10' is in no
# zone, so even if VLAN 10 were routed on this device its traffic would hit
# the default forward REJECT until it is placed in a zone with its own
# forwarding to wg1.
config forwarding
        option src 'lan'
        option dest 'wg1'

Why? Plenty of processing power to handle multiple interfaces.

It's a GL.iNet software limitation: their proprietary software does not allow more than one instance. The hardware is much more powerful than the Mikrotik, but since there is no vanilla OpenWrt version available yet for my model and no PBR in their custom repos, I do not see how it could be done on that router. Otherwise, that would be the preferred solution.

Why not put OpenWrt on the device? It is very stable in my experience.

It's a Spitz AX (GL-X3000). There are only snapshot versions for now; I am waiting for a stable release. From what I have read on the forums, the 5G modem part is not so stable and the speed will take a hit. Since 5G is my sole way to get internet access right now, getting extra WireGuard interfaces on that device does not outweigh those issues.