Routing public IP through Wiregard tunnel

[shamu]

Hi folks,

inspired by this article (sadly in German)
   https://administrator.de/tutorial/feste-ips-zuhause-in-pfsense-via-wireguard-tunnel-1124828094.html
I tried to set up the following scenario:

- small cloud machine with 2 public IPv4 addresses (1)
- OPNsense v23.1.11 @home with dynamic public IP address (2)
- Wireguard tunnel between 1 and 2 to forward 2nd public IP address of 1 to 2

For setting it up and getting it basically working I found this article
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
extremly helpfull!

What does work so far? Well,

• WG tunnel between 1 and 2 is up and working stable, i.e. it rebuilds automatically after rebooting one of the two machines
• packages from the IN addressed to 2nd public IP address of 1 reach 2 through the tunnel - verfied by live log
• connections initated by machines in my DMZ (perimeter net) are leaving the WG tunnel at 1 using the 2nd public IP address of 1. I use source NAT to change RCF1918 addresses I use in DMZ (perimeter net) to 2nd public IP address of 1

But, what doesn't work is forwarding packages using 2nd public IP address of 1 as destination address to my destination hosts in my DMZ (perimeter net).

So far I spend several hours on testing different NAT and if rules, but OPNsense always drops incoming packages with message

Default deny / state violation rule

No idea anymore how or where to go ahead! Do you have an suggestions? May be one of you has the scenario described above already running!

Any help would be greatly appreciated!

Greetinx,

shamu