Port scan reports all ports closed when connected via WireGuard to FritzBox

Hi,
I'm facing an issue when connected via WireGuard to my FritzBox with IP 192.168.40.1. The client is a mobile device running Android.
This FritzBox is connected to the IoT subnet provided by the OpenWrt router on an interface with IP 192.168.40.11.

I want to connect to a webservice running in the server subnet 172.16.50.0/24.

I have enabled logging for the firewall zones iot and server. The logfile shows this when running a port scan with a selection of common ports.

root@rb760igs:~# logread -f -e DPT=80
Wed Mar 19 18:19:31 2025 kern.warn kernel: [406105.489417] reject iot in: IN=br-lan.40 OUT=br-lan.50 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=172.16.50.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7487 DF PROTO=TCP SPT=33798 DPT=8000 WINDOW=65535 RES=0x00 SYN URGP=0
Wed Mar 19 18:19:31 2025 kern.warn kernel: [406105.511159] reject iot in: IN=br-lan.40 OUT=br-lan.50 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=172.16.50.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=29947 DF PROTO=TCP SPT=58030 DPT=8008 WINDOW=65535 RES=0x00 SYN URGP=0
Wed Mar 19 18:19:31 2025 kern.warn kernel: [406105.533134] reject iot in: IN=br-lan.40 OUT=br-lan.50 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=172.16.50.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=52811 DF PROTO=TCP SPT=47528 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0

One can see in the log that DPT=8000, 8008 and 8080 are rejected.

My conclusion is that the relevant port 80 (listening port of the webservice) is not blocked by the OpenWrt firewall. This is the expected behaviour of the OpenWrt firewall.

When I disable WireGuard and connect the mobile device directly to the IoT subnet I cannot reproduce this issue. In this case the device is using IP 192.168.40.108.

Can you please advise how to troubleshoot this issue?

THX
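The reasoning in the post above rests on reading the `logread` output by hand: reject lines exist for 8000/8008/8080, none for 80, so the OpenWrt firewall is assumed not to be blocking 80. Note that `logread -e DPT=80` is a pattern match, so it shows every DPT starting with "80" (80 itself as well as 8000, 8008, 8080), which is why the absence of a `DPT=80 ` line in that output is meaningful. The script below is an added example, not code from the thread or from OpenWrt: it parses netfilter log lines in the format shown above, groups rejected destination ports by zone prefix and source/destination pair, and lists the scanned ports for which no reject was logged. The three quoted lines are taken from the post; the fourth line and the scanned-port list are constructed for the example. The caveat a troubleshooter should keep in mind is that "no reject logged" only means the OpenWrt firewall did not log a reject for that port; the packet may still have been dropped without logging, never reached this router, or been answered by another hop such as the FritzBox.

```python
import re
from collections import defaultdict

# Three reject lines quoted from the thread, plus one constructed line (hypothetical)
# with a different DST to show that the grouping keeps destinations apart.
SAMPLE_LOG = [
    "Wed Mar 19 18:19:31 2025 kern.warn kernel: [406105.489417] reject iot in: IN=br-lan.40 OUT=br-lan.50 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=172.16.50.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=7487 DF PROTO=TCP SPT=33798 DPT=8000 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Wed Mar 19 18:19:31 2025 kern.warn kernel: [406105.511159] reject iot in: IN=br-lan.40 OUT=br-lan.50 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=172.16.50.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=29947 DF PROTO=TCP SPT=58030 DPT=8008 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Wed Mar 19 18:19:31 2025 kern.warn kernel: [406105.533134] reject iot in: IN=br-lan.40 OUT=br-lan.50 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=172.16.50.99 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=52811 DF PROTO=TCP SPT=47528 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0",
    # constructed line (not from the thread): same source, different destination, port 443
    "Wed Mar 19 18:19:32 2025 kern.warn kernel: [406106.000000] reject iot in: IN=br-lan.40 OUT=br-lan.40 MAC=27:56:03:46:fd:c6 SRC=192.168.40.200 DST=192.168.40.50 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# Constructed list of ports the (hypothetical) scan probed.
SCANNED_PORTS = [22, 80, 443, 8000, 8008, 8080]

# Matches the kernel timestamp, then the log prefix configured on the firewall
# rule ("reject iot in"), up to the first netfilter field "IN=".
LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>.+?):? IN=")


def parse_line(line):
    """Split one netfilter log line into (prefix, key=value fields, bare flags).

    Returns None for lines that are not netfilter packet logs. Bare tokens such
    as DF or SYN carry no '=' and are collected as flags.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    rest = line[m.end() - len("IN="):]
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        else:
            flags.add(tok)
    return m.group("prefix"), fields, flags


def summarize(lines, scanned_ports):
    """Group rejected TCP SYN destination ports by (prefix, SRC, DST).

    Returns (rejected, unlogged): rejected maps each (prefix, src, dst) to the
    sorted list of rejected ports; unlogged is the sorted list of scanned ports
    for which no reject line exists at all.
    """
    rejected = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        prefix, f, flags = parsed
        # Only count logged rejects of connection attempts (TCP SYN).
        if not prefix.startswith("reject") or f.get("PROTO") != "TCP" or "SYN" not in flags:
            continue
        rejected[(prefix, f["SRC"], f["DST"])].add(int(f["DPT"]))
    seen = set().union(*rejected.values()) if rejected else set()
    unlogged = sorted(set(scanned_ports) - seen)
    return {key: sorted(ports) for key, ports in rejected.items()}, unlogged


if __name__ == "__main__":
    rejected, unlogged = summarize(SAMPLE_LOG, SCANNED_PORTS)
    for (prefix, src, dst), ports in rejected.items():
        print(f"{prefix}: {src} -> {dst} rejected ports {ports}")
    print("scanned ports with no reject logged:", unlogged)
```

In practice the lines would come from `logread -e "reject "` (or from the collected log file) instead of the embedded list; the "no reject logged" list is the starting point for checking the other hops, not proof that those ports are open.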

Can you draw a diagram of the network with IP addresses?

It looks like your main internet facing router is running OpenWRT, why do you not run WireGuard on this router instead of on the Fritzbox?

Is the Fritzbox running OpenWRT?

If you connect with your phone on cellular to the WireGuard server do you have a working connection?

Subnet iot is managed by OpenWrt with gateway 192.168.40.1 provided by the FritzBox. This means the FritzBox is the router of this subnet and OpenWrt is controlling access with firewall zone iot.

I have 2 internet access points; one is connected to OpenWrt, the other to FritzBox.
Any mobile device is connected to subnet iot at home, therefore I decided to use WireGuard provided by the Fritz.Box to connect the same devices to the same subnet when using VPN.

No, the FritzBox is branded by the ISP.

No, the port scan fails independent of whether connected via cellular or mobile.

Actually the port scan fails for any destination IP, including subnet 192.168.40.0/24, when connected with WireGuard.

Could you draw a system topology diagram, complete with the brand+model of each device, the firmware it is running, the addresses, and where the WireGuard endpoint(s) exist within the setup?
