For that, on my configuration, I created the 2 WireGuard interfaces (seems good for you).
From the router, you need to be able to ping all IPs (LAN and the 2 WireGuard interfaces); if you can’t, you need to fix it before any other step.
I create a new zone in the firewall (called LAN_WG) where all the WireGuard interfaces are in, and make the rules:
Lan => wan+LAN_WG: input, output, forward ACCEPT (no masquerading)
LAN_WG => wan: ACCEPT ACCEPT DROP, no masquerading
WAN (not changed) => drop drop accept drop, with masquerading
After that, in the “Traffic rules” section, I add 1 rule (adapt if required):
Forwarded (accept forward), IPv4+IPv6, from any zone, IP X.X.X.X, Y.Y.Y.Y, to any zone, IP X.X.X.X, Y.Y.Y.Y
For you, replace X.X.X.X, Y.Y.Y.Y with 192.168.150.0/24, 192.168.140.0/24, 192.168.120.0/24.
Maybe I missed some configuration, but I think it’s a good start.
On my setup, I use BIRD for the routes due to a more complex configuration.
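The zone, forwardings and traffic rule described above, written out as the equivalent UCI stanzas (an added example, not the poster's own config). It assumes the two WireGuard interfaces are named wg0 and wg1, uses the three subnets named in the thread, and adds the allowed_ips entries a peer needs when a LAN sits behind it; which subnet is behind which peer is assumed.

```uci
# /etc/config/firewall (fragment)
# wg0/wg1 as the WireGuard interface names are an assumption.
config zone
	option name 'LAN_WG'
	list network 'wg0'
	list network 'wg1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '0'

# Lan => wan+LAN_WG (lan->wan already exists in the default config)
config forwarding
	option src 'lan'
	option dest 'LAN_WG'

# LAN_WG => wan, no masquerading on LAN_WG
config forwarding
	option src 'LAN_WG'
	option dest 'wan'

# The single "Traffic rules" entry: forward between the three subnets
# whatever zone they enter or leave on. Listing the subnets explicitly
# keeps this rule from accepting forwards for any other address.
config rule
	option name 'Forward-between-WG-LANs'
	option family 'any'
	option src '*'
	option dest '*'
	list src_ip '192.168.150.0/24'
	list src_ip '192.168.140.0/24'
	list src_ip '192.168.120.0/24'
	list dest_ip '192.168.150.0/24'
	list dest_ip '192.168.140.0/24'
	list dest_ip '192.168.120.0/24'
	option target 'ACCEPT'

# /etc/config/network (fragment): one peer on wg0. WireGuard only accepts
# traffic from, and only sends traffic to, addresses listed in allowed_ips,
# so a peer's /32 tunnel address alone reaches nothing on the LAN behind it.
config wireguard_wg0
	option description 'remote-site'
	# placeholder, not a real key
	option public_key '<PEER_PUBLIC_KEY>'
	# the peer's own tunnel address
	list allowed_ips '192.168.120.120/32'
	# LAN behind this peer (which of the three subnets it is, is assumed)
	list allowed_ips '192.168.140.0/24'
	option route_allowed_ips '1'
```

The same LAN subnet must appear in the other side's allowed_ips for the return path, otherwise replies are dropped by the peer's cryptokey routing even though the firewall rule accepts them.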
Thanks a lot for the advice. I will reset my current settings and try it the next days.
Any suggestion for the WG peers?
Currently, I set up e.g. 192.168.120.120/32 and nothing on allowed IP.
According to my tests, I got unstable results in my current settings. Sometimes I had to set up an allowed peer on the client, sometimes on client and server, and sometimes it seems I’m not able to connect to a specific IP on the LAN in any case.
It did not change anything. I tested it with my Synology NAS; I could not find it from a WireGuard device. Also, I’m not able to connect from my NAS to any WireGuard device.