OPNsense Forum » English Forums » Virtual private networks » Wireguard and internal networks
Topic: Wireguard and internal networks (Read 1542 times)
dusky (Newbie, Posts: 6, Karma: 0)
Wireguard and internal networks
on: July 25, 2023, 09:06:41 am
Hello friends. Sorry for my bad English.
I had a problem that I couldn't solve. In the picture below, I have drawn an approximate network topology, where I connected a Mikrotik and OPNsense into one network using WireGuard. Everything works between the routers, the internal networks can be pinged, but the computers behind them cannot ping each other.
https://ibb.co/ft6MyBd
Namely, no computer from the network 192.168.68.0/24 can ping 192.168.23.0/24, and vice versa. Moreover, computers on 192.168.68.0/24, which is behind the Mikrotik, cannot ping the WireGuard VPN gateway 10.15.0.1, although the Mikrotik interface 10.15.0.12 can be pinged. From the network 192.168.23.0, pings reach 10.15.0.1, but they don't go on to the 68 network. I understand that the problem is on the side of OPNsense, namely, it is possibly in the firewall... The gateways in the internal networks are configured correctly.
The firewall on OPNsense is configured according to the instructions from your site, namely, 2 rules have been created for the WAN and WG interfaces. I added a route for the 68 network to 10.15.0.12 in the gateways.
I no longer know where to dig; what do you advise?
Last Edit: July 25, 2023, 09:52:25 am by dusky
bartjsmit (Hero Member, Posts: 2018, Karma: 194)
Re: Wireguard and internal networks
Reply #1 on: July 25, 2023, 10:47:48 am
Computers on 192.168.68.0/24 must have a static route to 192.168.20.0/24 via the Wireguard tunnel and computers on 192.168.20.0/24 must have a static route back to 192.168.68.0/24, also via the tunnel.
You can set these manually, or you can add them to your DHCP configuration on each network.
Right now, the packets will go out the default gateway onto the internet where they will be ignored as specified in RFC 1918.
Bart...
dusky (Newbie, Posts: 6, Karma: 0)
Re: Wireguard and internal networks
Reply #2 on: July 25, 2023, 12:19:00 pm
The routes are registered on the routers, or do you mean prescribing routes on the computers?
bartjsmit (Hero Member, Posts: 2018, Karma: 194)
Re: Wireguard and internal networks
Reply #3 on: July 25, 2023, 02:03:26 pm
Run a traceroute from a client to a server and see if packets are going the right way.
Routing decisions are made on the endpoints and on each router in the path.
dusky (Newbie, Posts: 6, Karma: 0)
Re: Wireguard and internal networks
Reply #4 on: July 25, 2023, 02:53:13 pm
I did a traceroute, both from the Mikrotik and from the computer behind it; the routes go correctly. But from the network computer they are lost behind 192.168.68.1, although the address of the WG interface 10.15.0.12 can be pinged.
https://ibb.co/qy9VrVT
It seems to me that the matter is in the firewall on the OPNsense, since I cannot even ping 10.15.0.1 from the local network behind the Mikrotik. Private networks are blocked on the WAN interface there.
https://ibb.co/pbc9bp4
I'll try to disable this rule tonight and see what happens.
dusky (Newbie, Posts: 6, Karma: 0)
Re: Wireguard and internal networks
Reply #5 on: July 26, 2023, 08:54:09 am
Nothing happened. I managed to ping from 192.168.23.0/24 ==> 10.15.0.1 by changing the rule in the firewall in the WG section, changing the source of packets from "WG net" to "any". But the 23 network still never pinged.
bartjsmit (Hero Member, Posts: 2018, Karma: 194)
Re: Wireguard and internal networks
Reply #6 on: July 26, 2023, 02:20:42 pm
Specify the source IP address in ping for multi-homed computers so that you're sure the traffic is going out of the right interface.
If you can't see routing issues and you don't have deny entries in your firewall log, the next step is packet captures.
Wireshark is your friend.
https://www.wireshark.org/
Bart...
dusky (Newbie, Posts: 6, Karma: 0)
Re: Wireguard and internal networks
Reply #7 on: July 30, 2023, 03:01:27 pm
The problem was solved by changing, in the firewall rule in the WireGuard section, the incoming source field from "wg1 net" to "any" and entering the correct route. Now the question about this firewall rule: how critical is it to allow incoming connections from "any"?
https://ibb.co/1M0vpHF
https://ibb.co/1XSGgZk
Last Edit: July 30, 2023, 03:06:27 pm by dusky
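An added illustration (not from the thread or from OPNsense) of why the "WG net" source only matched tunnel-endpoint traffic and what a tighter alternative to "any" looks like: a toy first-match evaluator for the single inbound rule on wg1, using the thread's addresses, a hypothetical alias listing the remote LAN, and constructed sample packets.

```python
"""Toy first-match evaluation of an inbound rule on the wg1 interface.
Not OPNsense code. "WG net" is the tunnel subnet only, so traffic routed
through the tunnel from the LAN behind the Mikrotik peer does not match it.
Instead of "any", an alias naming the remote LAN keeps the rule narrow.
Addresses are the ones from the thread; the packets are constructed."""
from ipaddress import ip_address, ip_network

TUNNEL_NET = ip_network("10.15.0.0/24")       # "WG net": wg1 subnet
MIKROTIK_LAN = ip_network("192.168.68.0/24")  # LAN behind the Mikrotik peer
OPNSENSE_LAN = ip_network("192.168.23.0/24")  # LAN behind OPNsense
ANY = ip_network("0.0.0.0/0")


def match(rules, src, dst):
    """First matching rule decides (like pf 'quick'); no match means block."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_nets, dst_nets in rules:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action
    return "block"


# Three variants of the "pass in on wg1" rule discussed in the thread.
# "remote_lan" is a hypothetical alias of tunnel subnet plus the peer's LAN.
POLICIES = {
    "wg_net_only": [("pass", [TUNNEL_NET], [ANY])],
    "any":         [("pass", [ANY], [ANY])],
    "remote_lan":  [("pass", [TUNNEL_NET, MIKROTIK_LAN],
                     [TUNNEL_NET, OPNSENSE_LAN])],
}

# Constructed packets arriving on wg1: (source, destination).
PACKETS = {
    "mikrotik_ping_gw": ("10.15.0.12", "10.15.0.1"),
    "lan68_ping_gw":    ("192.168.68.10", "10.15.0.1"),
    "lan68_to_lan23":   ("192.168.68.10", "192.168.23.10"),
    "unexpected_src":   ("10.0.0.5", "192.168.23.10"),
}


def evaluate(policy_name):
    """Return {packet name: action} for one policy variant."""
    rules = POLICIES[policy_name]
    return {name: match(rules, s, d) for name, (s, d) in PACKETS.items()}


if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, evaluate(policy))
```

With "WG net" only the peer's own tunnel address passes, which is the symptom in Reply #5; "any" passes everything including the unexpected source, while the alias passes the two LANs and still blocks it.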