Configuring firewall and routing for a standalone wireguard server in LAN

Started by ThisUsernameHasBeenTaken, November 10, 2024, 08:25:50 AM

So if you use the correct address for your WG network, and don't invert, does that work?

Nevermind. I have rebooted the OPNsense and everything went back to normal. I.e. the rule which makes sense now is working and I got the Internet and all access.

I really don't know what happened - cache maybe?

The configuration that works for me (maybe it will be useful for somebody):
  • Set up the Wireguard server on a host inside the LAN with no masquerading. Enable net.ipv4.ip_forward=1 and net.ipv4.conf.all.proxy_arp=1 options. Make its IP static and remember it.
  • Configure peers.
  • Create a Port Forward rule to forward incoming connections from WAN port to the Wireguard server port.
  • Create a Pass rule for the WAN interface to allow connections to the Wireguard port.
  • Create a Pass rule in the LAN firewall section to allow connections from the Wireguard network (i.e. source = Wireguard network).
  • Go to Firewall -> Settings -> Advanced and enable the "Static route filtering" setting.
  • Go to System -> Gateways -> Configuration and add a new gateway in the LAN interface with the priority less than WAN gateway and address pointing to the Wireguard server.
  • Go to System -> Routes and create a new route to Wireguard network address via freshly created Gateway.
  • Go to Firewall -> NAT -> Outbound. Set "Hybrid outbound NAT rule generation" mode and add a new rule: Interface = WAN; Source = Wireguard network.
  • Optional: I have also created a firewall alias for the Wireguard network - it looks better in my opinion...

@dseven, thank you very much for your help and advice!!!