Hello,
I have two OPNsense 26.1.4 instances with the same configuration (but different CIDRs).
OPNsense A (no issues) was updated from 25.x to 26.1, and then the firewall was migrated to the new rules.
OPNsense B (has issues) was installed fresh. The legacy firewall rules were manually copied from OPNsense A, and the firewall was migrated to the new rules.
I have a native network and several VLANs:
native: 10.0.0.0/24
vlan2: 10.0.2.0/24
vlanN: 10.0.N.0/24
vlan6: 10.0.6.0/24
These networks are grouped into interface groups:
group1: native, vlan2, ...
group2: vlan6, ...
I also have a VIP (IP alias), which I tried binding to the loopback or the native interface: 192.168.10.10
OPNsense HAProxy is bound to the VIP address on port 443.
Firewall rules:
Allow IN on interface "group1" from any to "This Firewall" TCP/443
Allow IN on interface "group2" from any to "This Firewall" TCP/443
When I try to access the VIP from a computer in vlan6, the traffic is blocked.
In the live logs, I see:
block IN interface vlan2 from 10.0.6.123:12345 to 192.168.10.10:443
If I disable the rule "allow IN interface 'group2' ...", I get:
block IN interface vlan6 from 10.0.6.123:12345 to 192.168.10.10:443
I don't understand why vlan2 appears in the first case, or why it is blocked.
I forgot to mention that I'm using a DNAT rule:
On any interface, from any source to the WAN address on port 443, traffic is translated to 192.168.10.10:443.
So I only have issues when a device on vlan6 tries to connect via NAT. If it connects directly to 192.168.10.10, everything works.
After that, I tried to create a single DNAT rule applied only to the vlan6 interface. However, the firewall still detects traffic on the vlan2 interface. I also tried disabling the vlan2 interface and removing the VLAN from the L2 switch. Nothing changes.
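An added example, not part of the post above and not OPNsense code: a small Python model of the rule set the post describes, applied to the two live-log lines it quotes. Interface group rules in pf only match packets whose ingress interface is a member of that group, and the filter decision is made against the post-DNAT destination, which is why the log shows 192.168.10.10 as the destination. The interface addresses inside the modelled "This Firewall" alias are constructed sample values (only the VIP 192.168.10.10 comes from the post), so where the modelled verdict disagrees with the live log, one of those assumptions (group membership, what "This Firewall" actually expands to, or the interface the packet really entered on) is the thing to check.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Matches the live-log lines quoted in the post (pattern constructed for that format).
LOG_RE = re.compile(
    r"(?P<action>block|pass) (?P<direction>IN|OUT) interface (?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Packet:
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "IN" or "OUT"
    iface_group: str    # interface group the rule is attached to
    dst_alias: str      # destination alias, e.g. "This Firewall"
    dport: int
    enabled: bool = True


# Interface groups as described in the post.
GROUPS = {"group1": {"native", "vlan2"}, "group2": {"vlan6"}}

# ASSUMPTION: what "This Firewall" expands to. The interface addresses are
# constructed sample values; only the VIP 192.168.10.10 is taken from the post.
ALIASES = {"This Firewall": {"10.0.0.1", "10.0.2.1", "10.0.6.1", "192.168.10.10"}}

# The two allow rules from the post, in evaluation order.
RULES = [
    Rule("allow group1 -> This Firewall tcp/443", "IN", "group1", "This Firewall", 443),
    Rule("allow group2 -> This Firewall tcp/443", "IN", "group2", "This Firewall", 443),
]


def parse_log_line(line: str) -> Packet:
    """Parse one live-log line into a Packet; raise on anything else."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    d = m.groupdict()
    return Packet(d["action"], d["direction"], d["iface"], d["src"],
                  int(d["sport"]), d["dst"], int(d["dport"]))


def first_matching_rule(pkt: Packet, rules=RULES, groups=GROUPS, aliases=ALIASES) -> Optional[str]:
    """Return the name of the first enabled rule that matches, or None (default deny)."""
    for r in rules:
        if not r.enabled or r.direction != pkt.direction:
            continue
        # A group rule only sees packets that entered on a member interface of that group.
        if pkt.iface not in groups[r.iface_group]:
            continue
        # The filter sees the post-DNAT destination, as the log lines show.
        if pkt.dst not in aliases[r.dst_alias] or pkt.dport != r.dport:
            continue
        return r.name
    return None


def explain(line: str, rules=RULES) -> str:
    """Compare the modelled verdict with what the live log actually recorded."""
    pkt = parse_log_line(line)
    hit = first_matching_rule(pkt, rules)
    if hit:
        return f"{pkt.iface}: model would pass via '{hit}', log says {pkt.action}"
    return f"{pkt.iface}: no rule matches, default deny, log says {pkt.action}"


if __name__ == "__main__":
    # Both lines are the ones quoted in the post.
    print(explain("block IN interface vlan2 from 10.0.6.123:12345 to 192.168.10.10:443"))
    without_group2 = [RULES[0], replace(RULES[1], enabled=False)]
    print(explain("block IN interface vlan6 from 10.0.6.123:12345 to 192.168.10.10:443",
                  without_group2))
```

With the group2 rule disabled, the model reproduces the second log line (vlan6 ingress, no rule matches, default deny). For the first line the model passes the packet through the group1 rule because vlan2 is a group1 member and the VIP is inside the modelled alias, which is not what the log recorded; that gap is exactly what the post is asking about, and it narrows the search to the alias contents and the interface the packet is really entering on.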