ilium007
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Segregate an internal Wireguard server

Mon Sep 23, 2024 11:37 am

I’m running an internal Wireguard server for remote workers on an RB5009. I have the Wireguard host running in a separate VLAN to my internal data network, but in a VLAN that has other sensitive hosts. I am thinking that I need to create a new VLAN for what we used to call a DMZ. I want to be able to firewall these remote workers from internal data network hosts. Should I create a new VLAN so I have a subnet boundary on which to set up firewall rules? At present the Wireguard traffic is all going through the default “Accept Established” rule on the RB5009.
 
kleshki
Member Candidate
Posts: 285
Joined: Tue Mar 10, 2020 6:37 am

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 1:47 pm

You can create multiple wireguard interfaces and connect to them separately.
 
ilium007
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 3:40 pm

I know that; that's how I currently have it set up, but for other reasons (using wg-portal to have other people manage the profile creation / management) I want these remote users off the Mikrotik and on to standalone Wireguard.
 
erlinden
Forum Guru
Posts: 2699
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 3:59 pm

So you want to forward the remote users to a stand-alone Wireguard server?
 
anav
Forum Guru
Posts: 22147
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 4:53 pm

As erlinden intimates, the requirement is not clear.
Wireguard is its own separate entity and needs no VLAN.
Through wireguard allowed IPs and firewall rules one can direct users coming in and going out as needed.

There is no wireguard network on a vlan per se.
You can have users coming in through wireguard, access only certain subnets or just a single device, using firewall rules.

Whether an actual standard server is in its own vlan or not is dependent upon your needs.
+++++++++++++++++++

To recap, the wireguard host (server for handshake) does not run in a vlan.
The remote users coming in can be directed to have access to whatever vlans or devices you so choose........

For assistance,
a. provide clear requirements of where user traffic is coming from and where it needs to go.
b. provide clear requirements for any local traffic that needs to go out wireguard (probably none if it's strictly remote users to your router and network)
c. provide config of router /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. );
 
ilium007
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 5:24 pm

I understand all of this, really I do.

I want my internal Wireguard host segregated from all other internal servers / hosts.

If you understand Wireguard you realise that an end user can change their Allowed IPs to point to, say, a different internal subnet / host. I want to firewall the users from accessing anything other than what I want to allow.

Yes, I realise I could terminate these Wireguard users in their own Wireguard instance on the RB5009 - I do not want to do that.

Yes, I realise that Wireguard runs its own subnet for users' allocated IP addresses.

I have pretty much built it anyway now but I have created a DMZ (VLAN trunked to Proxmox server) in which I have built the Wireguard server. Firewall rules allow traffic in / out of this DMZ VLAN.
 
kleshki
Member Candidate
Posts: 285
Joined: Tue Mar 10, 2020 6:37 am

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 5:32 pm

User can set whatever he wants, but wg traffic still doesn't bypass the firewall. So if you tell in-interface=wg-users out-interface=whatever-allowed action=accept and drop at the end, you are fine.
 
anav
Forum Guru
Posts: 22147
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Segregate an internal Wireguard server

Mon Sep 23, 2024 7:23 pm

Sure I understand how it works, and it's simple in terms of what is allowed or not allowed, and it appears you have made it way more complex than required.

When a remote user comes in you simply allocate firewall rules accordingly on the incoming side, for good security..........
Examples: wg subnet 10.0.123.0/24

add action=accept chain=forward in-interface=wireguard1 src-address=10.0.123.5 dst-address=192.168.10.0/24
.....
.....
add action=drop chain=forward comment="drop all else"

in this case I have allowed a single wireguard user access to a subnet.
you can create interface lists for various subnets that are reachable by remote wireguard users
you can create firewall address lists for various devices that are reachable by remote wireguard users
you can create firewall address lists to identify a group of specific remote wireguard users and apply them as per the above.
MANY WAYS to do this, without resorting to anything else.

Finally you can also segregate users by IP address so that the rules are very clear (users provided this wireguard address schema are limited by what you allow):
add address=10.0.123.1/24 interface=wireguard1 network=10.0.123.0 (remote users provided this wireguard address schema are limited only to what you allow)
add address=10.0.246.1/24 interface=wireguard1 network=10.0.246.0 (remote users provided this wireguard address schema are limited only to what you allow)

and then apply firewall rules accordingly.
add action=accept chain=forward in-interface=wireguard1 src-address=10.0.123.0/24 dst-address=192.168.10.0/24
add action=accept chain=forward in-interface=wireguard1 src-address=10.0.246.0/24 dst-address=192.168.50.0/24
.....
.....
add action=drop chain=forward comment="drop all else"
 
ilium007
Member Candidate
Topic Author
Posts: 214
Joined: Sun Jan 31, 2010 9:58 am
Location: Newcastle, Australia

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 3:48 am

But that's not what I asked about. I do not want to terminate these Wireguard users on the RB5009 (see earlier post).
 
anav
Forum Guru
Posts: 22147
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 3:53 pm

Provide a diagram as you are unable to articulate clear requirements in writing.
Also recommend stating requirements NOT in config speak but in terms of use cases and user traffic that needs to be executed.
 
holvoetn
Forum Guru
Posts: 6845
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 3:59 pm

> But that's not what I asked about. I do not want to terminate these Wireguard users on the RB5009 (see earlier post).
In that case apply a simple port forward towards the server which will accept these wireguard users.
And be smart and use another port than the one you already have in use.
 
anav
Forum Guru
Posts: 22147
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 5:19 pm

Hi Holvoe perhaps you understand the requirement a bit better.
1. Is the OP trying to have clients attempt to reach Server at Router B via the public IP of Router A, and then have that traffic enter a wireguard tunnel and travel to Router B where the server resides??
OR
2. Is the OP trying to force users arriving at wireguard interface on target Router, and send them to a specific Server on target Router?
OR
3. Something else ???
 
holvoetn
Forum Guru
Posts: 6845
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 5:23 pm

From what I understand he wants to have users using a wireguard server NOT on RB5009.
So a different server.

Hence port forward and be done with it.
 
anav
Forum Guru
Posts: 22147
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 5:50 pm

Yes, it's amazing how clearly you can articulate the facts, with so few words. :-)
Simply port forward the incoming wg port to the lanip of the wireguard server ON THE NETWORK.
Confusion stems from the OP stating he is running the wireguard ON THE 5009.

In any case you can port forward to any IP address, so the server can be on any VLAN one wishes.
With proper firewall rules, aka drop all else at end of forward chain, no one has access to the server and the server has access to nothing.
Just add the forward rules for allowed traffic and done.
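Combining holvoetn's port-forward suggestion with anav's allow-specific / drop-all-else pattern for the layout the OP described (a standalone WireGuard server on its own DMZ VLAN behind the RB5009). This is an added example, not config posted by anyone in the thread; the interface names, subnets, server address and UDP port are assumptions.

```routeros
# Added example, not config posted by anyone in this thread. Assumed layout:
#   WAN:               ether1 (member of interface list WAN)
#   DMZ VLAN:          vlan40-dmz, 10.40.0.0/24, standalone WireGuard server at 10.40.0.10
#   WG client subnet:  10.50.0.0/24 (allocated by the standalone server, not by the router)
#   Data VLAN:         192.168.10.0/24; remote workers may reach only 192.168.10.20
#   WG UDP port:       51821 (not the port used by any WireGuard instance on the RB5009)
# Place the filter rules after the existing "accept established,related" rule
# and before the final "drop all else", or the drop swallows the new flows.

/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Return path: hosts on the data VLAN reply to 10.50.0.x, so the router must
# know those addresses live behind the DMZ server.
/ip route add dst-address=10.50.0.0/24 gateway=10.40.0.10 \
    comment="remote-worker tunnel subnet via DMZ WireGuard server"

# holvoetn's suggestion: forward the WireGuard UDP port to the server's LAN IP.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=udp dst-port=51821 \
    action=dst-nat to-addresses=10.40.0.10 to-ports=51821 comment="WG -> DMZ server"

# Let only the dst-natted WireGuard packets through to the server.
/ip firewall filter add chain=forward in-interface-list=WAN dst-address=10.40.0.10 \
    protocol=udp dst-port=51821 connection-nat-state=dstnat action=accept \
    comment="WG handshake/data to DMZ server"

# Address lists name the remote workers and the hosts they may reach.
/ip firewall address-list add list=wg-remote address=10.50.0.0/24 comment="tunnel clients"
/ip firewall address-list add list=wg-reachable address=192.168.10.20 comment="allowed host"

# Decrypted remote-worker traffic leaves the server on the DMZ VLAN; accept it
# only towards the allowed hosts. A client that widens its own AllowedIPs still
# arrives here with a 10.50.0.x source and is caught by this pair of rules.
/ip firewall filter add chain=forward in-interface=vlan40-dmz src-address-list=wg-remote \
    dst-address-list=wg-reachable action=accept comment="remote workers -> allowed hosts"

# Everything else out of the DMZ (remote workers or the server itself) is dropped,
# which is anav's "drop all else" applied at the VLAN boundary the OP built.
/ip firewall filter add chain=forward in-interface=vlan40-dmz action=drop \
    comment="drop all else from DMZ"

# Check: the drop counter should climb when a remote worker probes a host
# outside wg-reachable.
/ip firewall filter print stats where comment="drop all else from DMZ"
```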
 
jollyrogr
newbie
Posts: 26
Joined: Sun Apr 21, 2024 10:31 pm

Re: Segregate an internal Wireguard server

Tue Sep 24, 2024 9:50 pm

I *think* OP was trying to ask about limiting access to the whole network for the WG users. I think he *could* use a VLAN or simply configure the firewall on the WG server node like anav was describing.
 
anav
Forum Guru
Posts: 22147
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Segregate an internal Wireguard server

Wed Sep 25, 2024 6:42 pm

Well if you go by the title of the thread it does intimate what erlinden is suggesting, ( a wireguard server on the NETWORK, not on the router ).
 
jollyrogr
newbie
Posts: 26
Joined: Sun Apr 21, 2024 10:31 pm

Re: Segregate an internal Wireguard server

Thu Sep 26, 2024 11:15 pm

> Well if you go by the title of the thread it does intimate what erlinden is suggesting, ( a wireguard server on the NETWORK, not on the router ).
Yes that is the way I took it.