Wireguard weird behavior
-
Hi,
My current setup is: pfSense Site A (VPS) <=== WG TUN ===> pfSense Site B (behind NAT)
I can ping both sites from each FW.
Rules are wide open. There's an ANY rule on each interface tab, while the "Wireguard" interface group is empty, with the following configuration done on both ends:
(Screenshots: Site A, Site B, IF Site A, IF Site B, GW Site A, GW Site B)
Problem 1: I get random IF IN/OUT errors on both ends, even with the peers disabled, static routes disabled, and GW monitoring disabled.
Site A has ERR IN; Site B has ERR OUT. Even after a reboot of either FW, as soon as I log in to the webUI I see some ERRs.
Example: (screenshot not included)
Sometimes the In/Out Bytes are 0 and the ERRs are rising.
I tried playing with the MTU and MSS. Even with the default values of 1500 I don't see any fragmentation in the packet capture. Currently it's set to 1420/1380 to see if there will be any change; so far no. How can I troubleshoot the cause of the errors when no traffic is passing through the tunnel?
Problem 2: I'm using Site 1 as an entry point to some services at Site B.
Chain: Internet -> Site A -> WG tunnel -> Site B -> Traefik -> Service
On Site A I have a static route.
ex. NAT Rule (screenshot)
When testing ports from the public internet I can see hits on both FWs, but the result is port closed.
ex. Site A / Site B (screenshots)
I have another NAT rule to pass 25 via another OpenVPN tunnel and it's working fine.
But the port tested via the WG tunnel is not reachable.
I can see the port open when testing from the Site A FW via the WG interface, but not from WAN.
Another thing is, I don't see any kind of incoming requests to the Traefik proxy. It's like the traffic is not reaching the proxy at all. Locally everything works.
Forgot to add something.
On Site B when I do a pcap on the WAN interface and filter for ex. 151.251.244.68 (a random IP from my cell) I get:
15:44:57.620779 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:44:58.626336 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:45:00.646200 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:45:04.770288 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:45:12.962319 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
and the same from Site A:
15:47:33.625342 IP 151.251.244.68.3102 > 46.xx.xx.xx.443: tcp 0
15:47:33.831357 IP 151.251.244.68.3103 > 46.xx.xx.xx.25: tcp 0
15:47:33.863144 IP 46.xx.xx.xx.25 > 151.251.244.68.3103: tcp 0
15:47:33.908237 IP 151.251.244.68.3103 > 46.xx.xx.xx.25: tcp 0
15:47:33.908279 IP 151.251.244.68.3103 > 46.xx.xx.xx.25: tcp 0
15:47:33.942517 IP 46.xx.xx.xx.25 > 151.251.244.68.3103: tcp 0
15:47:34.017973 IP 46.xx.xx.xx.25 > 151.251.244.68.3103: tcp 40
15:47:34.018294 IP 46.xx.xx.xx.25 > 151.251.244.68.3103: tcp 0
15:47:34.072218 IP 151.251.244.68.3103 > 46.xx.xx.xx.25: tcp 0
15:47:34.072251 IP 151.251.244.68.3103 > 46.xx.xx.xx.25: tcp 0
-
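The two captures above are easier to compare when each interface's flows are sorted into "seen in both directions" and "seen in one direction only". The script below is an added example, not code from the thread or from pfSense: it parses tcpdump-style lines like the ones pasted and reports every TCP flow that an interface saw only as replies (service port as source, no matching request on that interface) or only as requests (nothing ever came back through it). The Site B lines are the ones quoted above; for Site A, 203.0.113.10 is an assumed stand-in for the redacted 46.xx.xx.xx address, and the service-port list is an assumption you would adjust to the ports being forwarded.

```python
"""Flag one-way TCP flows in tcpdump-style capture lines (added example).

A flow that an interface sees only as replies, with no request crossing that
same interface, or only as requests with no reply, is the first thing to
isolate when a port test through a tunnel reports "closed".
"""
import re
from collections import defaultdict

# tcpdump -q style line: "HH:MM:SS.usec IP src.sport > dst.dport: tcp payloadlen"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\d+): tcp (?P<plen>\d+)$"
)

# Constructed sample input. The Site B lines are the ones pasted in the thread;
# 203.0.113.10 is an assumed stand-in for Site A's redacted public address.
SITE_B_WAN = """\
15:44:57.620779 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:44:58.626336 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:45:00.646200 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:45:04.770288 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
15:45:12.962319 IP 10.160.227.2.443 > 151.251.244.68.3325: tcp 0
""".splitlines()

SITE_A_WAN = """\
15:47:33.625342 IP 151.251.244.68.3102 > 203.0.113.10.443: tcp 0
15:47:33.831357 IP 151.251.244.68.3103 > 203.0.113.10.25: tcp 0
15:47:33.863144 IP 203.0.113.10.25 > 151.251.244.68.3103: tcp 0
15:47:33.908237 IP 151.251.244.68.3103 > 203.0.113.10.25: tcp 0
15:47:34.017973 IP 203.0.113.10.25 > 151.251.244.68.3103: tcp 40
""".splitlines()


def parse_line(line):
    """Return a dict for one capture line, or None if it is not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "plen"):
        d[k] = int(d[k])
    return d


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation map together."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a <= b else (b, a)


def classify_flows(lines):
    """Group packets by flow, remembering which directions were observed."""
    flows = defaultdict(lambda: {"packets": 0, "dirs": set()})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        f = flows[flow_key(pkt)]
        f["packets"] += 1
        f["dirs"].add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    return flows


def one_way_flows(lines, service_ports=(25, 80, 443)):
    """Flows observed in only one direction on this interface.

    'reply-only'   : packets leave from a service port, but the request never
                     crossed this interface (return traffic on another path).
    'request-only' : requests arrived here, nothing ever came back through.
    service_ports is an assumed list; set it to the ports you forward.
    """
    findings = []
    for info in classify_flows(lines).values():
        if len(info["dirs"]) != 1:
            continue
        src, sport, dst, dport = next(iter(info["dirs"]))
        kind = "reply-only" if sport in service_ports else "request-only"
        findings.append({"src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                         "packets": info["packets"], "kind": kind})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


if __name__ == "__main__":
    for name, lines in (("Site B WAN", SITE_B_WAN), ("Site A WAN", SITE_A_WAN)):
        print(name)
        for f in one_way_flows(lines):
            print(f"  {f['kind']:12} {f['src']} -> {f['dst']} ({f['packets']} pkts)")
```

Run against the sample, Site B WAN reports one reply-only flow (10.160.227.2:443 answering the cell IP with no inbound request on that interface) and Site A WAN reports one request-only flow on 443 while the port 25 conversation, which works, is two-way and is not listed. Feed it the output of `tcpdump -qn -i <interface> tcp` from each side to get the same split for a live test.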
@lcs Maybe you can't have your Firewall Web-UI still on port 443. I always change it right at the beginning so I can't tell for sure.
-
@Bob-Dig That's not the case.
I tried to NAT to another random IP via the WG tunnel, for ex. a random internal web server on port 80, and it is the same.
-
It turned out the traffic is reaching the rev proxy, but for some reason the packet is broken (maybe?).
Attaching a pcap from the proxy: cap.pcap