Port forwarding through WireGuard

Started by xstaford, Today at 07:53:29 AM

Today at 07:53:29 AM Last Edit: Today at 08:21:56 AM by xstaford
Hi,

I'm struggling with port forwarding through WireGuard.
In total I have 3 OPNsense boxes connected to each other, and all subnets are fully accessible from each other.
Each office is connected via a separate instance-peer setup, so each WG instance has its own interface.

I am trying to port forward from the WAN of OPNsenseA to the LAN of OPNsenseB, but it only works from OPNsenseA's local networks.

I tried adding a reply-to gateway of the WG interface to the WAN rule, but that didn't help either. Maybe I misconfigured the gateway for WireGuard?
(IP is the IP of the WG instance of OPNsenseA (tried B also); the monitor IP is the LAN IP of OPNsenseB.) OPNsenseB has a dynamic WAN IP.


OPNsenseA logs show that everything is working as expected.


Meanwhile, OPNsenseB shows nothing at all...


However, if I try accessing the WAN from the LAN network of OPNsenseA, both OPNsenseA and OPNsenseB logs show activity.
The logs of OPNsenseB:


Any ideas what I might be missing?

And a second question: how do I debug it? How can I check the traffic flow to understand what is going wrong?

Does your WireGuard cryptokey routing (Allowed IPs) allow any IP address to get routed into the tunnel?

Hardware:
DEC740
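The cryptokey-routing question in the reply above can be checked against a small model. The following is an added example, not code from the thread or from OPNsense/WireGuard; the addressing (tunnel 10.10.10.0/24, LAN A 192.168.1.0/24, LAN B 192.168.2.0/24, Internet client 203.0.113.5), the peer names and the helper names are assumptions. WireGuard sends a packet to the peer whose AllowedIPs contain the destination and silently drops a decrypted packet whose source address is not in the sending peer's AllowedIPs; the model traces a port-forwarded packet and its reply through both checks on both boxes. It reproduces the reported symptom: a client from the Internet is forwarded by A with a source address outside peer A's AllowedIPs on B, so B's WireGuard discards it before pf can log anything, while a source on LAN A passes every check. Two fixes are shown: source-NAT on A's WireGuard interface, or 0.0.0.0/0 in peer A's AllowedIPs on B.

```python
import ipaddress
from typing import Dict, List, Optional


class CryptokeyRouter:
    """Minimal model of WireGuard cryptokey routing for one instance.

    peers maps a peer name to its AllowedIPs. Outbound, the packet goes to the
    peer with the longest AllowedIPs prefix containing the destination.
    Inbound, a packet is kept only if its source lies inside the AllowedIPs
    of the peer it was decrypted from; otherwise it is dropped silently.
    """

    def __init__(self, peers: Dict[str, List[str]]):
        self.peers = {
            name: [ipaddress.ip_network(n, strict=False) for n in nets]
            for name, nets in peers.items()
        }

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Peer that receives a packet for dst, or None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if addr in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def inbound_allowed(self, peer: str, src: str) -> bool:
        """True if a packet from peer with source src survives cryptokey routing."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.peers.get(peer, []))


def forward_path(a: CryptokeyRouter, b: CryptokeyRouter,
                 client_ip: str, lan_b_host: str,
                 snat_ip: Optional[str] = None) -> Dict[str, object]:
    """Trace a forwarded packet A(WAN) -> tunnel -> B(LAN) and its reply.

    snat_ip, if given, models outbound NAT on A's WireGuard interface that
    rewrites the client's source address before the packet enters the tunnel.
    Only cryptokey routing is modelled; pf rules and kernel routes are not.
    Returns the first failing check, or ok=True if all four pass.
    """
    src = snat_ip or client_ip
    checks = [
        ("A: route dst into tunnel", a.outbound_peer(lan_b_host) == "B"),
        ("B: accept src from peer A", b.inbound_allowed("A", src)),
        ("B: route reply dst into tunnel", b.outbound_peer(src) == "A"),
        ("A: accept reply src from peer B", a.inbound_allowed("B", lan_b_host)),
    ]
    for name, ok in checks:
        if not ok:
            return {"ok": False, "failed_at": name}
    return {"ok": True, "failed_at": None}


# Constructed topology (assumption, not from the thread): tunnel 10.10.10.0/24,
# OPNsenseA is 10.10.10.1 with LAN 192.168.1.0/24, OPNsenseB is 10.10.10.2
# with LAN 192.168.2.0/24; 203.0.113.5 is an Internet client hitting A's WAN.
OPNSENSE_A = CryptokeyRouter({"B": ["10.10.10.2/32", "192.168.2.0/24"]})
OPNSENSE_B = CryptokeyRouter({"A": ["10.10.10.1/32", "192.168.1.0/24"]})
# Same B, but peer A may deliver any source address (0.0.0.0/0).
OPNSENSE_B_ANY = CryptokeyRouter({"A": ["0.0.0.0/0"]})

if __name__ == "__main__":
    # Internet client -> forward on A -> B: dropped by B's WireGuard, pf on B sees nothing.
    print(forward_path(OPNSENSE_A, OPNSENSE_B, "203.0.113.5", "192.168.2.10"))
    # Host on LAN A -> same forward: source is inside AllowedIPs, so it works.
    print(forward_path(OPNSENSE_A, OPNSENSE_B, "192.168.1.20", "192.168.2.10"))
    # Fix 1: NAT the client to A's tunnel address before it enters the tunnel.
    print(forward_path(OPNSENSE_A, OPNSENSE_B, "203.0.113.5", "192.168.2.10",
                       snat_ip="10.10.10.1"))
    # Fix 2: allow any source from peer A on B.
    print(forward_path(OPNSENSE_A, OPNSENSE_B_ANY, "203.0.113.5", "192.168.2.10"))
```

In this model 0.0.0.0/0 also makes every non-matching destination on B route into the tunnel towards A (outbound_peer matches everything), which is rarely what a site-to-site setup wants; the source-NAT variant keeps AllowedIPs tight and also means B's reply naturally goes back to A's tunnel address. A quick real-world check that matches the model: capture on B's WireGuard interface while repeating the test, and compare what arrives there with what pf on B logs.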