Watchguard and Asterisk

I’m using a Watchguard XTM 21 and have FreePBX running on a RaspberryPi 3 behind the watchguard. I have one SIP phone (Yealink T32) also behind the Watchguard that works well. The problem is with using Zoiper to register. An extension is setup and registers OK while on my LAN but when I am on a different network and try to register using my domain name ( which is pointed to the WAN address of the Watchguard) It times out. I used the HostWatch app included with the watchguard to track the connections. It reports:

To -
Port - 5060/udp
Direction - out(trusted2->BOVPN/IPsec)
Connection - Denied

Using the HostWatch filters I found that this is an “Unhandled internal packet”.
Why is BOVPN being used?
I have configured and reconfigured policies - no luck.
Anyone using an old Watchguard and is willing to share your policy configuration for SIP?

Thanks for any help.

Clearly a question for Watchguard and not FreePBX, no?

That may be the answer. I thought if someone has been successful with a similar setup, I could at least get a sanity check on my work so far.

Ping your PBX from the other network. If no results then you have a routing problem. Either you create a static route at your PBX guiding the packets back to the VPN or you fix your routing table at the gateway.