ZeroTier and PBR: two routers (server and client)

I have two routers behind double nat:

  • Router A (ZeroTier server) - has LAN IP 192.168.10.1/24 and ZeroTier IP 192.168.196.1. I want to use this router as the VPN gateway.
  • Router B (ZeroTier client) - has LAN IP 192.168.40.1/24 and ZeroTier IP 192.168.196.2.
    On Router B I have PBR and another VPN (WireGuard) serving other LANs.
    Earlier we discussed ZeroTier on two routers, about setting up the ZeroTier VPN tunnel.
    When I run the command `zerotier-cli set allowDefault=1`, the ZeroTier route (via Router A's ZeroTier IP) becomes the default route and the other LANs on Router B lose internet access.

How should I set up the routing in PBR? Please help.

Router B config

NETWORK

 uci export network
package network

# Router B /etc/config/network as exported. Key material, the pre-shared key
# and the WireGuard endpoint are redacted in this paste (empty / truncated
# values below), so nothing here is usable as a credential.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdea:2ff4:83d7::/48'

# br-lan: wired bridge behind the 'lan' interface.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

# 'lan' is 192.168.100.0/24 on this router. The "LAN IP 192.168.40.1"
# mentioned in the post is the 'ZeroTierLAN' interface further down, not
# this one - keep that in mind when reading the pbr policies.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# br-wan bridges eth1 and wan; both members are given the same MAC below
# (presumably so the upstream sees a single address - confirm this is intended).
config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '12:8e:d5:c0:5c:00'

config device
        option name 'wan'
        option macaddr '12:8e:d5:c0:5c:00'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

# wg0: tunnel to the external WireGuard peer. allowed_ips covers 0.0.0.0/0 and
# ::/0, but route_allowed_ips '0' keeps those routes out of the main table;
# traffic is steered into wg0 by the pbr policy 'wireguardVPN' instead, so
# the tunnel never silently becomes the default route.
config interface 'wg0'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.10.10.10/24'
        list dns '10.2.0.100'

config wireguard_wg0
        option description 'bananarouter.conf'
        option public_key ''
        option preshared_key '='
        list allowed_ips '10.2.0.0/24'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '185.'
        option endpoint_port '51820'
        option route_allowed_ips '0'

# br-wg / wireguardLAN (192.168.30.0/24): the LAN segment whose clients are
# policy-routed through wg0.
config device
        option type 'bridge'
        option name 'br-wg'
        option bridge_empty '1'

config interface 'wireguardLAN'
        option proto 'static'
        option device 'br-wg'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        list dns '10.2.0.100'

# guest (192.168.20.0/24): isolated guest segment; see the 'guest' zone in the
# firewall export for what it may reach.
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        list ipaddr '192.168.20.1/24'

# ZeroTierLAN (192.168.40.0/24): the segment that is meant to exit through
# Router A. ip6assign '64' hands out IPv6 here while pbr has ipv6_enabled '0',
# so any IPv6 traffic from this segment would not follow the ZeroTier policy -
# NOTE(review): confirm that is intended, or drop ip6assign on this interface.
config device
        option type 'bridge'
        option name 'br-zerotier'
        option bridge_empty '1'

config interface 'ZeroTierLAN'
        option proto 'static'
        option device 'br-zerotier'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

# zerotier: the overlay interface itself (192.168.196.0/24; Router A is .1 per
# the post). No 'option gateway' is set. pbr needs a next hop to steer a policy
# onto an interface - NOTE(review): check whether pbr can derive one for a
# static ZeroTier interface; if not, add  option gateway '192.168.196.1'  here
# so the 'zerotierlan' pbr policy can use this interface, instead of relying on
# zerotier-cli allowDefault=1, which rewrites the main default route for every
# LAN on this router.
config interface 'zerotier'
        option proto 'static'
        option device 'ztcfw6muno'
        option ipaddr '192.168.196.2'
        option netmask '255.255.255.0'

DHCP

# Router B /etc/config/dhcp as exported.
#
# rebind_protection '0' disables DNS-rebinding protection for every answer
# (private-range records from upstream are accepted). If it was switched off
# only so Router A's LAN names resolve, keep protection on and whitelist that
# domain with  list rebind_domain '<domain>'  instead.
# port '54' moves dnsmasq off port 53 - presumably opennds (see the firewall
# include and the nds_* ipsets below) fronts port 53; confirm.
# list server '192.168.10.1' adds Router A's LAN address, reachable only across
# the ZeroTier tunnel, as an upstream resolver next to those from resolvfile;
# name resolution through it depends on the tunnel being up.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        list server '192.168.10.1'
        option dnssec '1'
        list address '/status.client/192.168.20.1'

config dhcp 'lan'
        option interface 'lan'
        option start '2'
        option limit '254'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dns 'fdea:2ff4:83d7::1'
        list dhcp_option '6,192.168.100.1'
        list dhcp_option '3,192.168.100.1'
        list dhcp_option_force '114,http://status.client'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wireguardLAN'
        option interface 'wireguardLAN'
        option start '2'
        option limit '254'
        option leasetime '24h'
        list dhcp_option '6,10.2.0.100'

# guest: two option-6 (DNS) entries are handed out. 192.168.10.1 is Router A
# across ZeroTier, but the firewall only forwards guest -> wan and only accepts
# port 53 on this router from guest, so that resolver is not reachable from the
# guest segment; presumably only 192.168.100.1 is meant to remain.
config dhcp 'guest'
        option interface 'guest'
        option start '2'
        option limit '254'
        option leasetime '24h'
        list dhcp_option '6,192.168.10.1'
        list dhcp_option '6,192.168.100.1'

# ZeroTierLAN: DNS is pointed at the router's 'lan' address (192.168.100.1)
# rather than this segment's own 192.168.40.1. It works because the zerotierlan
# zone has input ACCEPT, but using 192.168.40.1 keeps the segment self-contained.
config dhcp 'ZeroTierLAN'
        option interface 'ZeroTierLAN'
        option start '2'
        option limit '254'
        option leasetime '24h'
        option ra 'server'
        option dhcpv6 'server'
        list dhcp_option '6,192.168.100.1'

# opennds ipsets. Each 'list name' entry appears twice in the export - most
# likely a duplicated UCI add; harmless, but can be trimmed to one entry.
config ipset 'nds_walledgarden'
        list name 'walledgarden'
        list name 'walledgarden'
        option table 'nds_filter'
        option table_family 'ip'

config ipset 'nds_blocklist'
        list name 'blocklist'
        list name 'blocklist'
        option table 'nds_filter'
        option table_family 'ip'
 uci export firewall
package firewall

# Router B /etc/config/firewall as exported (fw4). Default policy is
# input/forward REJECT, so anything reachable is listed explicitly below.

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two rules below are OpenWrt defaults. No IPsec interface exists in the
# network export, so these wan -> lan openings can be removed to shrink the
# inbound surface (verify nothing on the LAN still relies on them).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# wireguardvpn: the wg0 tunnel. masq '1' here means wgLAN traffic leaves the
# tunnel with the tunnel address as source, so the remote peer needs no route
# back to 192.168.30.0/24.
config zone
        option name 'wireguardvpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg0'

config zone
        option name 'wgLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'wireguardLAN'

config forwarding
        option src 'wgLAN'
        option dest 'wan'

config forwarding
        option src 'wgLAN'
        option dest 'wireguardvpn'

# guest: input/forward REJECT with only DNS, DHCP and guest -> wan allowed,
# i.e. the guest segment cannot reach the other LANs or the tunnels.
config zone 'guest'
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# Allow-ZeroTier-Inbound: src '*' accepts udp/9993 to this router from every
# zone (wan, guest, wgLAN, ...). Only the zone(s) that actually need to reach the
# ZeroTier daemon should be listed - e.g.  option src 'wan'  once confirmed.
config rule
        option name 'Allow-ZeroTier-Inbound'
        list proto 'udp'
        option src '*'
        option dest_port '9993'
        option target 'ACCEPT'

# ZeroTierVPN: input/forward ACCEPT - every member of the ZeroTier network is
# trusted as much as the wired LAN: it can reach this router's services and,
# via the forwardings below, the ZeroTierLAN segment and this router's WAN.
# Tighten to REJECT plus explicit rules if the overlay has members beyond
# Router A.
# Unlike 'wireguardvpn' there is no  option masq '1'  here, so ZeroTierLAN
# (192.168.40.0/24) traffic steered into the tunnel keeps its source address
# and Router A must have a route back to 192.168.40.0/24 via 192.168.196.2
# (or masq must be enabled on this zone).
config zone
        option name 'ZeroTierVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'zerotier'

config zone
        option name 'zerotierlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'ZeroTierLAN'

# Lets remote overlay members use this router's WAN as an exit. Drop this if
# Router B is only meant to consume Router A's gateway, not to offer its own.
config forwarding
        option src 'ZeroTierVPN'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config include 'opennds'
        option type 'script'
        option path '/usr/lib/opennds/restart.sh'

config forwarding
        option src 'ZeroTierVPN'
        option dest 'zerotierlan'

config forwarding
        option src 'zerotierlan'
        option dest 'ZeroTierVPN'

config forwarding
        option src 'zerotierlan'
        option dest 'wan'

PBR

uci export pbr
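package pbr

# Router B /etc/config/pbr as exported.
# strict_enforcement '1': when a policy's interface is down, matching traffic
# is dropped instead of leaking out the main default route - keep it.
# ignored_interface 'vpnserver' / 'wgserver' do not exist in the network
# export; stale but harmless.
config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'none'
        option ipv6_enabled '0'
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option wan_mark '000100'
        option fw_mask '00ff00'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

# guest (192.168.20.0/24) -> wan.
config policy
        option name 'guest'
        option src_addr '192.168.20.1/24'
        option dest_addr '!192.168.20.1/24'
        option interface 'wan'

# wireguardLAN (192.168.30.0/24) -> wg0.
config policy
        option name 'wireguardVPN'
        option src_addr '192.168.30.1/24'
        option dest_addr '!192.168.30.1/24'
        option interface 'wg0'

# zerotierlan: this is the policy that should carry 192.168.40.0/24 into the
# ZeroTier tunnel, replacing zerotier-cli allowDefault=1 (which rewrites the
# main default route for every LAN on this router). It is still disabled;
# before enabling it the 'zerotier' interface needs a gateway pbr can use
# (Router A's 192.168.196.1 per the post) - NOTE(review): confirm pbr finds
# one for the static ZeroTier interface, otherwise set it on that interface.
config policy
        option name 'zerotierlan'
        option src_addr '192.168.40.0/24'
        option interface 'zerotier'
        option enabled '0'

# lanclear: lan (192.168.100.0/24) -> wan.
# Fixed: both addresses were '192.68.100.0/24', which is not the lan subnet
# (192.168.100.1/24 in the network export), so the policy never matched and
# lan traffic followed the main routing table - consistent with the LAN losing
# internet once allowDefault=1 changed that table's default route.
config policy
        option name 'lanclear'
        option src_addr '192.168.100.0/24'
        option dest_addr '!192.168.100.0/24'
        option interface 'wan'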