Messages - Blixxybo

#1
Correct.

10.1.1.0/29 is for WireGuard Tunnel IPs.
172.16.10.0/24 is LAN at the 10.1.1.1/29 side.
10.0.0.0/24 is LAN at the 10.1.1.2/29 side.

10.0.0.65 is 10.1.1.2; it's a host/VPS connected into the OPNsense.
172.16.10.2 is a server on the LAN, behind the OPNsense.

#2
Thanks for the suggestions, unfortunately I have no WireGuard (Group) rules at all.

OPNsense
LAN: 172.16.10.254
WG1: 10.1.1.1

Client:
WG0: 10.1.1.2

From the client, I can ping anything on the 172.16.10.254. I can also make TCP connections to open ports.

For some reason, the lack of an Allow ACL on WG1, or even an explicit Deny, does absolutely nothing. Traffic still passes to LAN.
I tried putting an Outbound ACL on LAN to block the traffic, and that does work. It's quite odd to put the ACL on the outbound interface and not block it at the source. Surely this isn't how it's supposed to work?

#3
I have a WireGuard instance operational with various clients working as expected, except for the fact that firewall rules don't seem to apply or do anything on the WG interface. I've gone over the floating/auto-generated rules; there's nothing that would be an implied "Allow All". Explicit Deny rules on WG1 don't work, and removing all rules doesn't work. No matter what I do, ICMP traffic from the client still passes to my LAN.

Anyone have ideas? You can see in the screenshots I have no rule on WG1 allowing traffic to pass to my LAN interface (172.16.10.0/24) yet somehow, it's still allowed.
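An added example, not from this thread or from OPNsense itself: a small Python audit over a constructed, simplified pf-style rule dump (the rule syntax is an assumption, not real pfctl output) that applies pf's evaluation order (last matching rule wins unless a matching rule is `quick`, which ends evaluation) to the flows from the posts above, so you can see which rule actually decides wg1-to-LAN traffic, including an interface-agnostic floating rule that a per-interface Deny does not override.

```python
import ipaddress

# Constructed sample rule dump in a simplified pf-like syntax (assumption).
# Fields: action [quick] direction [on iface] from SRC to DST
RULES = """
pass quick in on lan from 172.16.10.0/24 to any
pass quick in on wg1 from 10.1.1.0/29 to 10.1.1.0/29
block in on wg1 from any to 172.16.10.0/24
pass in from any to any
"""

def parse_rules(text):
    """Turn the simplified rule lines into dicts; iface=None means 'any interface' (floating)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, i = tok[0], 1
        quick = tok[i] == "quick"
        if quick:
            i += 1
        direction, i = tok[i], i + 1
        iface = None
        if tok[i] == "on":
            iface, i = tok[i + 1], i + 2
        # remaining tokens: from SRC to DST
        rules.append(dict(action=action, quick=quick, direction=direction,
                          iface=iface, src=tok[i + 1], dst=tok[i + 3], text=line))
    return rules

def cidr_match(cidr, addr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def evaluate(rules, direction, iface, src, dst):
    """pf order: the LAST matching rule wins, unless a matching rule is quick (stop there).
    Returns the deciding rule, or None when the default policy (block) applies."""
    winner = None
    for r in rules:
        if r["direction"] != direction or r["iface"] not in (None, iface):
            continue
        if not (cidr_match(r["src"], src) and cidr_match(r["dst"], dst)):
            continue
        winner = r
        if r["quick"]:
            break
    return winner

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Flow from the posts: WireGuard client 10.1.1.2 -> LAN server 172.16.10.2, arriving on wg1.
    decided = evaluate(rules, "in", "wg1", "10.1.1.2", "172.16.10.2")
    print("wg1 -> LAN decided by:", decided["text"] if decided else "default block")
```

Run against your own dump by replacing `RULES`; if the deciding rule has `iface=None` and no `quick`, a per-interface block on wg1 cannot win over it.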