Debian

Can you help me understand the principle of routing in the connection diagram?

There are 2 networks connected via Wireguard.
[192.168.11.0/24] <-...
...-> [router-192.168.11.1] <--> [192.168.11.3] [email protected]/[email protected]=== [192.168 .1.44] <--> [router-192.168.1.1] <-...
...-> [192.168.1.0/24]

192.168.11.3 and 192.168.1.44 are debian cars.

On 192.168.11.3, the rules are:
-A FORWARD -i wg0s -j ACCEPT
-A FORWARD -i wg0s -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o wg0s -m state - -state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.1.3.0/24 -o br0 -j SNAT --to-source 192.168.11.3

On 192.168.1.44 the rules are:
-A FORWARD -i wg0 -j ACCEPT
-A FORWARD -i wg0 -o enp4s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp4s0 -o wg0 -m state - -state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -s 10.1.3.0/24 -o enp4s0 -j ​​MASQUERADE The funny thing

is that from 192.168.11.3 itself I can ping 192.168.1.72 (for example) and packets come there from IP wheelbarrows 192.168.1.44 (IP is substituted), and from the subnet behind it (192.168.11.0/24) packets are already going under their IPs (without being substituted).

Adding a rule to 192.168.1.44 solves the problem:
-A POSTROUTING -s 192.168.11.0/24 -o enp4s0 -j ​​MASQUERADE

Why is that? Is this how it should be or can it be done better?