I'm running V25.1.10 and have hit a snag with a multi-WAN setup which I suspect may be a bug (and possibly still present in later versions).
My setup consists of both an FTTP broadband connection (PPPoE) on the "WAN" interface (by identifier) and a Cable internet connection on opt4 (DHCP). Until recently, the Cable gateway was my primary connection (i.e. the default-route), and the PPPoE gateway was my secondary (failover), and everything was fine.
However, today I wanted to flip things around, so I promoted my PPPoE interface's gateway to a higher priority, so it became the default-route. It was then I noticed that inbound connections to my Cable internet's IP address began failing. The reason: the replies were routing asymmetrically and were going back out my PPPoE connection (clearly following the default route!).
I have double checked and I definitely do NOT have the "Disable reply-to on WAN rules" option ticked in Firewall->Settings->Advanced, which means OPNsense should be adding a reply-to flag to my inbound WAN rules for my cable internet connection.
When I dump out my ruleset (i.e. cat /tmp/rules.debug), no reply-to flag is being set on my inbound cable WAN rules, although reply-to IS being correctly added to my PPPoE connection's inbound WAN rules.
So it almost seems like OPNsense only considers my PPPoE connection a WAN connection (even though I have an active, albeit lower-priority gateway on that interface).
I know I could go through and manually edit all my Cable internet WAN rules to force the reply-to to the gateway of the cable internet, but this seems a kludge, and also I have a few NAT port-forwards set up which don't seem to allow that option when using an associated, auto-generated WAN firewall rule (which cannot be edited). So I'd need to split these port-forwards out into NAT + separate access rules, which is even more kludgy!
This issue was masked when my default-route was set to the cable internet's gateway, because the return packets for inbound connections on my cable IP then just followed the default route back out the right (cable) interface. Seeing as my PPPoE connection IS getting the reply-to added to its rules, inbound connections to it always work OK, regardless of the default-route, which is why I never noticed the issue before switching gateways.
Does anybody have any thoughts on why OPNsense is refusing to add the reply-to flag on my cable interface's inbound WAN rules (but it's working just fine for the PPPoE interface!?!)? Any help most appreciated!
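A small check for the asymmetric-routing symptom described above, added here as an example and not part of the original post or of OPNsense itself: it scans a pf ruleset in the style of /tmp/rules.debug and lists every inbound pass rule on a WAN-type interface that carries no reply-to, so the gap can be spotted before the default route is switched. The rule lines, interface names (pppoe0, igb4, igb0) and addresses are constructed for illustration.

```python
import re

# Constructed sample in the style of /tmp/rules.debug (not a real dump).
# pppoe0 rules carry reply-to; the igb4 (cable) rules do not.
SAMPLE_RULES = """\
# WAN rules
pass in quick on pppoe0 reply-to ( pppoe0 203.0.113.1 ) inet proto tcp from {any} to {198.51.100.5} port {443} flags S/SA keep state label "allow https pppoe"
pass in quick on igb4 inet proto tcp from {any} to {192.0.2.20} port {443} flags S/SA keep state label "allow https cable"
pass in quick on igb4 inet proto tcp from {any} to {192.0.2.20} port {22} flags S/SA keep state label "allow ssh cable"
block in quick on igb4 inet from {10.0.0.0/8} to {any} label "bogon"
pass in quick on igb0 inet from {192.168.1.0/24} to {any} keep state label "lan default"
"""

# Matches the action, direction and interface at the start of a pf rule.
RULE_RE = re.compile(
    r'^(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+(?:quick\s+)?on\s+(?P<iface>\S+)'
)
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def find_inbound_pass_without_reply_to(rules_text, wan_ifaces):
    """Return {iface: [labels]} for inbound pass rules on WAN interfaces
    that lack a reply-to, i.e. rules whose replies will follow the default route."""
    missing = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m or m['action'] != 'pass' or m['dir'] != 'in':
            continue
        if m['iface'] not in wan_ifaces:
            continue
        if re.search(r'\breply-to\b', line):
            continue
        label_m = LABEL_RE.search(line)
        label = label_m.group(1) if label_m else line
        missing.setdefault(m['iface'], []).append(label)
    return missing


if __name__ == '__main__':
    # Pass the real dump instead of SAMPLE_RULES, and your own WAN interface names.
    for iface, labels in find_inbound_pass_without_reply_to(SAMPLE_RULES, {'pppoe0', 'igb4'}).items():
        for label in labels:
            print(f'{iface}: inbound pass rule without reply-to: {label}')
```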