Hope that someone can give a push in the right direction:
I have a setup with a LAN, WireGuard and WAN/WAN6 setup
I can swap between WireGuard and WAN through VPN Policy Routing.
What I need is an automatic fallback to WAN in case the WireGuard tunnel is broken ... I have to sacrifice security for operational stability if that happens.
This seems to have solved my problem: #Hi 674574, thank you for your input … actually your advice seems to have done the trick. Still testing but I haven’t been able to create the issue again so far.
I created two WG interfaces (separate private keys) and did not mark the “Route Allowed IPs” in the Peers section of both interfaces.
I created the firewall as you can see on Zones picture.
A positive side effect was in the “VPN Policy Routing” where the default Service Gateway now is the WAN. (not randomly between Gateways, WAN, WG1 & WG2).
This means that the router has an auto fallback to WAN in case a WG tunnel loses connection, by using the config parameter "Strict enforcement" with "do not enforce policies ....."
"