4.x firmware and have 8 remote sites with LAN access except 1

I have an AR750 in my office and have multiple sites connected to it. I am able to access the router and the LAN from the server side to the clients, EXCEPT one site where I can only access the router address, not the LAN. I have set up the LAN access using the guides from GL.iNet and I still can't get this one site to allow LAN access.

See picture attached. The 10.2.60.10 is an X750 T-Mobile connection with great reception.
WireGuard.

CGNAT is the problem: Carrier-grade NAT - Wikipedia

Nothing you can do about it because you can’t open ports.
Incoming VPN and cellular is a no-go mostly.

I can access the router address remotely.
Also, I had this working when the IP address was different. The address of my LAN was 192.168.33.10 and it worked for months with the X750. I had to change the IP addresses to meet customer requirements.

I will also mention that I can currently log into the router, go to diagnostics and ping the LAN IP address from the router, all remotely. I just can't hit the addresses directly with a web browser like I could before. Seems more of a firewall or forwarding issue, but I can't find it.

Did you set up the new routes and firewall rules correctly?

I factory restored and set up fresh on the client side, making sure I had the routes in there. I did the same for my 7 other sites that are working. That is why I am struggling with this one. I can't figure out what is different.

I used the guide below.

I figured it out…

I now have access to my entire remote LAN network, all devices including the router itself.

This option is not enabled on my other remote sites that are running 3.x firmware… but the new 4.x firmware needed it. NOT sure why exactly.

I kept thinking it was getting the traffic there… Based on my tracert going all the way to the router and stalling, I thought it had to be something not allowing the traffic to come back.

see photo

Though normally masquerading is not something you want for LAN :thinking:

Normally only the exit zones should be masquerading.

Such as wan, a wgclient, maybe a wgserver as well.

I think what you ideally want is a forwarding zone for wireguard to lan, and lan to wireguard; this way clients in wireguard can reach lan, and from lan to wireguard. If that doesn't work, it might be an option inside the GL.iNet VPN settings to allow WAN. :+1:

Also double check on created zones that input was not set to drop. Anyway, I'm glad you got it working; if you want to go further you can make a backup 😉
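As an added illustration (not from any poster in this thread, and not GL.iNet's own tooling), the three checks in the last reply applied to an OpenWrt-style `/etc/config/firewall`: it parses the UCI text and flags a masquerading lan zone, a missing wireguard<->lan forwarding, and any zone whose input is DROP. The zone names `lan` and `wireguard` and the sample config are assumptions, constructed to match the setup described above.

```python
import re

# Constructed sample, modelled on the thread: lan zone wrongly masquerades,
# wireguard zone drops input, and only lan -> wireguard forwarding exists.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option masq '1'

config zone
    option name 'wireguard'
    list network 'wg0'
    option input 'DROP'
    option masq '1'

config forwarding
    option src 'lan'
    option dest 'wireguard'
"""

def parse_uci(text):
    """Parse UCI 'config'/'option'/'list' lines into (type, {key: value}) tuples."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"config\s+(\w+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(?:option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections

def audit_firewall(text, vpn_zone="wireguard", lan_zone="lan"):
    """Flag the three things the last reply says to check; zone names are assumed."""
    sections = parse_uci(text)
    zones = {s["name"]: s for t, s in sections if t == "zone"}
    fwds = {(s.get("src"), s.get("dest")) for t, s in sections if t == "forwarding"}
    findings = []
    if zones.get(lan_zone, {}).get("masq") == "1":
        findings.append(f"zone {lan_zone} masquerades; normally only exit zones do")
    for src, dest in ((vpn_zone, lan_zone), (lan_zone, vpn_zone)):
        if (src, dest) not in fwds:
            findings.append(f"missing forwarding {src} -> {dest}")
    for name, z in zones.items():
        if z.get("input") == "DROP":
            findings.append(f"zone {name} input is DROP")
    return findings
```

Run it against the real file with `audit_firewall(open("/etc/config/firewall").read())` on the remote router; an empty list means none of the three issues is present.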