(1) Your first config is totally hosed: there is no bridge, and yet you invoke some bridge firewall settings that are rarely used (exception vice the horm).
(2) You also use vlan-id=1 for some reason, which is the standard default vlan on the MT bridge if used and is not recommended to be identified or used for anything else, aka no actual vlans carrying data.
(3) Found it very confusing that you called ether1 LAN, and thus your LAN and an etherport have the same name... I wouldn't do it, to reduce any confusion.
(3) Okay, on the second device you at least define a bridge!
(4) I would use a different wireguard name on the two devices; it reduces any confusion in the mind. Same with the wireguard listen port.
(5) Would be good if you used the same bridge construct on Device 1 as you use on Device 2, where the vlans are identified as being part of the bridge and not ether1.
(6) You do the same silly thing with vlan1 on device 2.
(7) You use bridge firewall filtering where it is probably not required and could get in the way.
(8) Clearly there is a gross lack of understanding of how vlans work in conjunction with trunk ports (carry all tagged vlans between smart devices),
access ports (which carry one untagged vlan),
and hybrid ports (which carry one untagged vlan and as many tagged vlans as required).
++++++++++++++++
wireguard errors
++++++++++++++++
(9) Wireguard peers on DEVICE 1 should include the other device's wireguard as shown, and what is the point of keepalive if device A is the server/receiving the initial handshake?
/interface wireguard peers
add allowed-address=10.4.60.2/32,10.4.20.0/24 interface=WIREGUARD persistent-keepalive=25s public-key=\
"****"
(10) You have one correct route for Device 1; you need an additional route for the other subnet traversing the tunnel.
This is the same problem on Device 2: you need an additional route for the other subnet traversing the tunnel.
By that I mean, for the local subnet you need to tell the router to route it out the tunnel, and for the remote subnet coming in, it will need to know where to route the return traffic back through the tunnel.
/ip route
add dst-address=localSubnet gateway=WIREGUARD routing-table=main
add dst-address=remoteSubnet gateway=WIREGUARD routing-table=main
(11) Wireguard Address on Device 2 is WRONG, it cannot be the same as Device 1, so change it to:
/ip address
add address=10.4.60.2/24 interface=WIREGUARD network=10.4.60.0
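The trunk, access and hybrid port types criticised above, written out as one RouterOS v7 bridge-VLAN configuration, together with a WireGuard peer whose allowed-address list covers the remote LAN and the matching return route. This is an added example for illustration, not the configuration posted in the thread or a MikroTik-supplied template. Port roles, the 10.4.10.0/24 local subnet, VLAN ids 10/20, the interface names and the `<...>` key placeholders are all assumptions; only the 10.4.60.0/24 tunnel network and the 10.4.20.0/24 remote subnet come from the post.

```routeros
# --- Bridge and VLAN-aware ports (assumed layout) ---
# One bridge; VLAN filtering is switched on last, once the vlan table is complete,
# so a half-applied config cannot lock you out.
/interface bridge
add name=bridge vlan-filtering=no

/interface bridge port
# Trunk to another VLAN-aware switch: tagged frames only, no untagged VLAN.
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port: untagged VLAN 10 only (pvid tags ingress, vlan table untags egress).
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Access port: untagged VLAN 20 only.
add bridge=bridge interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Hybrid port: untagged VLAN 10 for the host, tagged VLAN 20 passed through as well.
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-all ingress-filtering=yes

/interface bridge vlan
# VLAN 10: tagged on the trunk and towards the CPU (bridge), untagged on ether2/ether4.
add bridge=bridge vlan-ids=10 tagged=bridge,ether1 untagged=ether2,ether4
# VLAN 20: tagged on the trunk, the CPU and the hybrid port, untagged on ether3.
add bridge=bridge vlan-ids=20 tagged=bridge,ether1,ether4 untagged=ether3

# Router-side L3 interfaces hang off the bridge, never off a physical port.
# VLAN 1 is deliberately left alone (bridge default, carries nothing).
/interface vlan
add name=VLAN10 interface=bridge vlan-id=10
add name=VLAN20 interface=bridge vlan-id=20

/ip address
add address=10.4.10.1/24 interface=VLAN10 network=10.4.10.0
add address=10.4.11.1/24 interface=VLAN20 network=10.4.11.0

# Enable filtering only after ports, vlan table and L3 interfaces are in place.
/interface bridge set bridge vlan-filtering=yes

# --- Site-to-site WireGuard (this device = 10.4.60.1, remote = 10.4.60.2) ---
/interface wireguard
add name=WG-SITE-A listen-port=13231 private-key="<SITE-A-PRIVATE-KEY-PLACEHOLDER>"

/ip address
add address=10.4.60.1/24 interface=WG-SITE-A network=10.4.60.0

/interface wireguard peers
# allowed-address is both the inbound source filter and the set of destinations
# that will be encrypted to this peer: the peer tunnel IP plus its LAN.
add interface=WG-SITE-A public-key="<SITE-B-PUBLIC-KEY-PLACEHOLDER>" \
    allowed-address=10.4.60.2/32,10.4.20.0/24

/ip route
# Return path for the remote LAN behind the peer (the route the post says is missing).
add dst-address=10.4.20.0/24 gateway=WG-SITE-A routing-table=main
```

Mirror the same construct on the other site with the tunnel addresses, keys and allowed-address/route values swapped, so each side carries a route for the subnet it does not own and a peer entry for the subnet it expects to receive.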