I would like to repurpose my MikroTik router as a dumb AP or as a second router. The primary router (GL.iNet) has only one LAN port and can run only one WireGuard instance, but I need two, ideally three, simultaneous WireGuard connections to commercial VPN providers, one per VLAN. There is also no stable vanilla OpenWrt build for that GL.iNet model and PBR is missing from its repos, so I am now focusing on setting up the MikroTik router. In the past I used that router with VLANs and WireGuard through PBR for a couple of years without major issues; now, however, I am struggling to get it working as a secondary router.
Currently I have set it up as a dumb AP. The VLANs work correctly: devices connected to the MikroTik can reach the internet and ping machines connected to the primary router. WireGuard, on the other hand, is not working: a handshake is established, but no traffic passes through the tunnel. I am also unable to start PBR — the log shows "service waiting for wan gateway…" and then PBR stops.
Can WireGuard be used at all on a dumb AP, given that it is not routing? Alternatively, what other setup would meet my goals (VLAN-aware additional LAN ports plus WireGuard)?
Edit: WireGuard only needs to serve devices plugged directly into the MikroTik; the primary router will handle a single WireGuard instance for the other devices.
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "MikroTik hAP ac2",
"board_name": "mikrotik,hap-ac2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ipq40xx/mikrotik",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
# /etc/config/network (OpenWrt 23.05 UCI). '#' lines are comments; note that
# `uci commit` rewrites the file without them, so keep these notes out of the
# live config or re-add them after edits.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXX'
# br-lan: all four LAN ports plus the 'wan' port are bridge members, so 'wan'
# is a switched trunk toward the primary router, not a routed uplink.
# bridge_empty keeps br-lan up even when no port has link.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
option bridge_empty '1'
# Per-port MAC overrides (values redacted).
config device
option name 'lan1'
option macaddr 'XXX'
config device
option name 'lan2'
option macaddr 'XXX'
config device
option name 'lan3'
option macaddr 'XXX'
config device
option name 'lan4'
option macaddr 'XXX'
# 'lan' is the only L3 interface on this box that carries a default route:
# static 192.168.1.2/24 on VLAN 1 with gateway and DNS at the primary router
# (192.168.1.1). Everything this router originates -- including the WireGuard
# handshake to the provider -- leaves via br-lan.1. ip6assign is harmless here
# but unused without a delegated IPv6 prefix.
config interface 'lan'
option device 'br-lan.1'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '192.168.1.1'
option gateway '192.168.1.1'
# 'wan'/'wan6' bind directly to the 'wan' netdev, but that netdev is enslaved
# to br-lan above (and tagged into both bridge-vlans below). Frames arriving on
# a bridge port are handed to the bridge, so these two interfaces presumably
# never obtain a lease or a gateway. NOTE(review): pbr's "waiting for wan
# gateway" message is consistent with it waiting on this dead interface --
# confirm. On a dumb AP these stanzas are normally removed, or pbr is pointed
# at the interface that actually holds the default route (here 'lan').
config device
option name 'wan'
option macaddr 'XXX'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# VLAN filtering on br-lan: VLAN 1 untagged on lan1, VLAN 10 untagged on lan2,
# both tagged on the 'wan' trunk. lan3/lan4 are bridge members but appear in
# no bridge-vlan, so with filtering enabled they presumably carry no traffic
# -- confirm that is intended.
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1'
list ports 'wan:t'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan2'
list ports 'wan:t'
# lan10 is L2-only (proto none): VLAN 10 is switched to the trunk, gets no IP
# on this router and belongs to no firewall zone, so this router cannot route
# VLAN 10 into a tunnel as configured.
config interface 'lan10'
option proto 'none'
option device 'br-lan.10'
# wg1: WireGuard client to a commercial provider (key, address and DNS
# redacted). delegate 0 turns off downstream IPv6 prefix delegation for this
# interface; force_link 1 brings the interface up regardless of link state, so
# policy routes into it blackhole rather than fall back to the LAN path when
# the tunnel is down -- usually what you want from a VPN, but confirm.
config interface 'wg1'
option proto 'wireguard'
option private_key 'XXX'
list addresses 'XXX/32'
list dns 'XXX'
option delegate '0'
option force_link '1'
# Peer: allowed_ips 0.0.0.0/0, but there is no `option route_allowed_ips '1'`,
# so by default netifd installs no route into wg1. With pbr not running
# nothing selects the tunnel, which matches "handshake established, no
# traffic". NOTE(review): enabling route_allowed_ips with 0.0.0.0/0 would
# replace the default route and the endpoint itself would then need a host
# route via 192.168.1.1, or the tunnel loops; with pbr the main table keeps
# its default via 192.168.1.1 and only policy-matched traffic is steered into
# wg1, which avoids that.
config wireguard_wg1
option description 'test-router.conf'
option public_key 'XXX'
list allowed_ips '0.0.0.0/0'
option endpoint_host 'XXX'
option endpoint_port '51820'
option persistent_keepalive '25'
# /etc/config/dhcp. dnsmasq here serves only the router itself: DHCP is
# disabled on every interface below, so clients get addresses and DNS from the
# primary router.
# rebind_protection 1 drops upstream answers pointing into private ranges
# (DNS-rebinding defence); rebind_localhost 1 exempts 127.0.0.0/8 answers.
# localservice 1 answers queries only from directly attached subnets.
# Upstream resolvers come from resolvfile, which netifd fills from interface
# 'dns' lists -- NOTE(review): both the LAN DNS (192.168.1.1) and wg1's DNS
# are presumably listed there, so dnsmasq may forward to the VPN resolver over
# the plain LAN path while nothing routes into wg1 -- verify with
# `cat /tmp/resolv.conf.d/resolv.conf.auto`.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# ignore 1 disables DHCP on 'lan' (the dhcpv4 'server' line is overridden by
# it). Consequence: the VPN DNS listed on wg1 is never handed to clients, so
# once pbr routes a VLAN through wg1 its DNS will still go to 192.168.1.1
# unless pbr's DNS handling or a DHCP option on the primary router directs it.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ignore '1'
# No DHCP on 'wan' either (and that interface is a bridge member anyway).
config dhcp 'wan'
option interface 'wan'
option ignore '1'
# maindhcp 0: dnsmasq, not odhcpd, would own DHCPv4 if it were enabled.
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# /etc/config/firewall (fw4). Defaults: deny-by-default for input and forward,
# SYN-flood protection on.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'lan' zone = VLAN 1 (lan1 plus the tagged trunk to the primary router).
# input ACCEPT means SSH/LuCI on 192.168.1.2 are reachable from anything on
# VLAN 1, including hosts behind the primary router -- expected for a dumb AP,
# but it is the management exposure to keep in mind. Traffic between VLAN-1
# clients and 192.168.1.1 is bridged at L2 and never reaches these rules.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# 'wan' zone covers the 'wan'/'wan6' interfaces, which bind to a bridge-member
# port (see /etc/config/network) and presumably never come up; masq and
# mtu_fix here have no effect until that is resolved.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
# lan -> wan forwarding: inert while no interface in the wan zone is up.
config forwarding
option src 'lan'
option dest 'wan'
# Input rules for the 'wan' zone. They look like the stock OpenWrt defaults
# and are all scoped src 'wan', so they are inert while no wan-zone interface
# is up; worth keeping as-is in case 'wan' is later turned into a routed
# uplink.
# DHCP lease renewals from the upstream server.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# IPv4 echo-request from upstream; no rate limit, unlike the ICMPv6 rules.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 client replies (UDP/546).
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# MLD queries/reports, link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 needed for IPv6 to function (NDP, PMTU, errors), rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same error/echo types allowed to be forwarded to any zone (dest '*').
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# These two forward ESP and UDP/500 (IKE) from wan into lan unconditionally.
# NOTE(review): nothing in this config shows an IPsec endpoint on the LAN
# that needs them; if 'wan' ever becomes a real uplink, consider removing
# them or narrowing dest_ip to the host that terminates IPsec.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# pbr injects its own policy-routing marks/rules through this fw4-compatible
# include script; it only does so while the pbr service is running, which it
# currently is not (see the question).
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
# wg1 zone: input and forward REJECT, so the provider side can initiate
# nothing toward this box or the LAN. masq is needed because the provider
# only knows the single /32 assigned on wg1, so LAN sources must be rewritten
# to it; mtu_fix clamps TCP MSS to the tunnel MTU.
config zone
option name 'wg1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wg1'
option masq '1'
option mtu_fix '1'
# Only lan -> wg1 is permitted; no wg1 -> lan forwarding is declared, so the
# default forward REJECT applies in that direction. NOTE(review): lan10 is in
# no zone at all, so VLAN 10 cannot be forwarded into any tunnel by this
# router; per-VLAN tunnels need an L3 interface per VLAN, a zone for it and
# its own forwarding toward the matching wg interface.
config forwarding
option src 'lan'
option dest 'wg1'