SiteToSite routing problems with different gateways

[TheHellSite]

Hello,

I have a small routing problem with my SiteToSite VPN setup.

I only need clients of Site B to access the network of Site A.
Site A also has RoadWarriors connecting to it.
Access from Site A to Site B is not necessary.

I configured WireGuard on both sites as seen below.
The Site A WireGuard RoadWarrior firewall rule allows access to any. (1__site-a-firewall-rules.png)
The Site A WireGuard SiteToSite firewall rule allows access to any. (1__site-a-firewall-rules.png)
Then I created a WG_STS_A gateway on Site B pointing to the peer address of Site A.
Then I created a firewall rule on Site B that routes requests to the Site A subnets via the WG_STS_A gateway. (3__site-b-firewall-rules.png)

Everything is working almost just fine.
Site B has access to all LAN clients of Site A except for the modem webinterface.
Clients on Site A that would like to access the modem webinterface reach it using the WAN_MODEM gateway. (2__site-a-interface-wan_modem.png)
The modem webinterface access is working fine for all local clients on Site A and for all WireGuard RoadWarrior clients connected to Site A.

However Site B clients can not access the modem webinterface. Ping is also not working.
The firewall logs indicate that Site B clients can reach the modem address (10.55.1.1) but the reponse seems to get lost.
The firewall logs don't indicate any dropped / blocked packages.

I hope someone can tell me what I am missing here.

Code: [Select]

WireGuard on Site A
===================
    RoadWarrior Config
    ==================
        Tab:            Local
        Name:           RoadWarrior
        Instance:       0
        Tunnel Address: 10.55.11.1/24
        Peers:          notebook, phone, ... many more (except Site-B)
        Disable Routes: enabled

            Peer Example
            ============
            Tab:        Endpoints
            Name:       notebook
            AllowedIPs: 10.55.11.21/32
                        (notebook peer)

    SiteToSite Config
    =================
        Tab:            Local
        Name:           SiteToSite
        Instance:       1
        Tunnel Address: 10.55.22.1/30
        Peers:          Site-B
        Disable Routes: disabled
                        (I had to disable this so Site A clients could respond to Site B requests.)
                        ((Otherwise I would have had to manually create a STS_B_Gateway and STS_B_Route in the OPNsense settings.))

            Peer Example
            ============
            Tab:        Endpoints
            Name:       Site-B
            AllowedIPs: 10.55.22.2/32, 10.136.0.0/16
                        (Site B peer), (Site B subnets)



WireGuard on Site B
===================
    SiteToSite Config
    =================
        Tab:            Local
        Name:           SiteToSite
        Instance:       1
        Tunnel Address: 10.55.22.2/32
        Peers:          Site-A
        Disable Routes: enabled

            Peer Example
            ============
            Tab:        Endpoints
            Name:       Site-A
            AllowedIPs: 10.55.0.0/16
                        (Site A subnets)

[TheHellSite]

Bump.