Schritt A: VLANs nicht mehr an Horus routen (NAT-Modell).

OPNsense-Peer nur 10.1.1.22/32 + 10.100.2/24; OPNsense-NAT-Checkliste ergänzt.

Co-authored-by: Cursor <cursoragent@cursor.com>

shared/horus-opnsense-wireguard/wg0-opnsense-routes.sh

@@ -1,12 +1,12 @@
 #!/bin/bash
 # Horus: Routes für OPNsense-Peer — wg syncconf legt AllowedIPs-Routen nicht an
-# Deploy: /usr/local/sbin/wg0-opnsense-routes.sh + systemd wg0-opnsense-routes.service
+# Schritt A: nur Tunnel-IP + Services-Netz (keine VLANs)
 set -euo pipefail
 ip link show wg0 &>/dev/null || exit 0
-for net in \
-  10.1.1.22/32 \
-  192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 \
-  192.168.40.0/24 192.168.50.0/24 192.168.60.0/24 \
-  10.100.2.0/24; do
+for net in 10.1.1.22/32 10.100.2.0/24; do
   ip route replace "$net" dev wg0
 done
+for net in 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 \
+           192.168.40.0/24 192.168.50.0/24 192.168.60.0/24; do
+  ip route del "$net" dev wg0 2>/dev/null || true
+done