Block Private Networks - Wireguard

Started by spetrillo, January 05, 2024, 10:46:00 PM

Hello all,

Not sure where this question belongs so I will put it here.

I have a Wireguard S2S tunnel running and operating well. I am able to be at site A and get to resources at Site B. What I have noticed is that it seems to be working in one direction. Let me detail my setup.

Site A is an OPNsense firewall with direct connectivity to Internet ISP. Site B is an OPNsense firewall that is set up to be a DMZ host, behind an ISP router. On site A's firewall WAN interface I have Block Private Networks checked, whereas on the site B side this is unchecked.

There is a WG tunnel set up between the sites, so I am wondering if the Block Private Networks option on site A is not allowing site B private IPs to be able to communicate with site A devices. My subnets on site B are 10.0.1.0/24 and 10.0.10.0/24, which are RFC1918 addresses.

I can ping a device at Site B, from my site A PC. When I try to ping a device at Site A, from a device at site B it fails. I am wondering if the Block Private Networks on Site A OPNsense firewall is causing this. What I would like to do is open the free flow of ports, both TCP and UDP, across the WG tunnel. I would also like to keep the Block Private Networks option on Site A, but only when it's across the WAN interface natively.

Can this be accomplished? Am I barking up the right tree?

Thanks,
Steve