WireGuard S2S: Return Traffic Uses WAN Instead of Tunnel for Port-Forwarded Traf

[pieewiee]

I have a WireGuard site-to-site setup with port forwarding, but I'm running into issues with the return traffic taking the WAN path instead of the tunnel. I've tried various configurations but can't seem to get it working correctly. Here's my setup:

Setup Description:
- FW1 (10.5.5.1) and FW2 (10.5.5.2) connected via WireGuard
- Port Forward (DNAT) on FW1: TCP/22 -> 192.168.4.100 (LAN host behind FW2)
- WireGuard tunnel works, traffic reaches FW2
- Issue: Return traffic uses WAN gateway of FW2 instead of WireGuard tunnel

WireGuard Instance Configuration FW2:
- MTU: 1412
- Tunnel address: 10.5.5.2/24
- Peers: FW1
- Gateway: 10.5.5.1
- Disable routes: Yes[/li][/list]


WireGuard Peer Configuration FW2:
- Peer (FW1):
- Allowed IPs: 0.0.0.0/0, 10.0.0.0/24, 10.5.5.0/24

Static Routes:
- 10.5.5.0/24 via FW1 - 10.5.5.1
- 10.0.0.0/24 via FW1 - 10.5.5.1
- 0.0.0.0/0 via WAN_PPPOE

Gateway Configuration:
- FW1 (WG0): IPv4, Priority 253, Gateway 10.5.5.1
- WAN_PPPOE (WAN): IPv4, Priority 1, Gateway

What I've Tried:
- Created outbound NAT rules
- Created LAN interface firewall rule:
  * Interface: LAN
  * Direction: in
  * Source: WG_CLIENT
  * Destination: RFC1918_Networks (inverted)
  * Gateway: FW1 - 10.5.5.1
  This rule force any outbound traffic to use the WireGuard tunnel as gateway.  but not the inbound

Despite this configuration, the return traffic for the port forward still goes through WAN instead of the tunnel.

Questions:
1. How can I force the return traffic to use the WireGuard tunnel?
2. Is this related to reply-to/gateway settings in firewall rules?
3. Are there specific routing configurations needed?

Any help would be greatly appreciated.