Issue with 26.1.1 Firewall rule migration - Wireguard Multi-WAN

Started by LucaS, February 09, 2026, 07:45:07 PM

Hi everyone,

I'm reporting a specific issue I encountered after migrating my firewall rules to the new Automation (MVC) framework in OPNsense 26.1.1.

Setup (working in Legacy rules):

Multi-WAN configuration with 3 distinct WAN interfaces.

WireGuard instance listening on port 51820.

Port Forwarding: Each WAN has a NAT rule redirecting UDP 51820 to 127.0.0.1 (so a single WireGuard instance can handle all incoming connections).

NAT Outbound: Hybrid mode with Static Port enabled for WireGuard traffic.

The Problem:

While the rules remain in the Legacy section, everything works perfectly (handshakes are instant on all WANs).

After using the migration wizard to move the rules into the new MVC/Automation section (all rules appear correctly):

WireGuard handshakes fail completely on all interfaces.

I've tried setting "Filter Rule Association" to Pass, but this does not solve the issue.

NAT Outbound rules are still at the top, but the handshake still fails.

No blocks are visible in the logs for the NAT redirection, yet traffic doesn't seem to reach the local service correctly.

Rollback:

I performed a snapshot rollback to before the rule migration, and everything immediately worked again with the Legacy rules.

Observations:

It seems the new MVC/Automation framework has issues handling redirection to 127.0.0.1 in Multi-WAN scenarios.

Possibly it loses the reply-to state or fails to authorize loopback traversal implicitly, as the Legacy system did.

Question:

Has anyone else experienced this?

Is there a specific way to handle "This Firewall" (127.0.0.1) redirections in the new framework?

Environment:

OPNsense 26.1.1

WireGuard

3x WAN (2 PPPoE, 1 DHCP)

Thanks in advance.


Quote from: LucaS on February 09, 2026, 07:45:07 PM
Possibly it loses the reply-to state

It does. There's a just-developed patch for that which isn't released yet, but you can apply it manually to try it out. They're looking for feedback.

https://forum.opnsense.org/index.php?topic=50760.0
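
Added example (not part of the original posts and not OPNsense project code): one way to check whether the inbound pass rules for the WireGuard port still carry reply-to after the migration, by parsing rule text in `pfctl -sr` format. The function name, interface names and gateway addresses are assumptions, and the sample rules are constructed for illustration, not taken from the poster's firewall.

```shell
#!/bin/sh
# Added example: report, per interface, whether the inbound pass rule for a
# given destination port carries reply-to. Reads `pfctl -sr`-style text on
# stdin and prints "<interface> <reply-to gateway | MISSING>" per matching rule.
# audit_reply_to is a hypothetical helper name, not an OPNsense command.
audit_reply_to() {
    awk -v port="$1" '
    # Only inbound pass rules whose destination port matches exactly.
    $1 == "pass" && $2 == "in" && $0 ~ ("port = " port "( |$)") {
        iface = "?"; gw = "MISSING"
        for (i = 3; i <= NF; i++) {
            if ($i == "on") iface = $(i + 1)
            # pf prints reply-to as: reply-to (<iface> <gateway>)
            if ($i == "reply-to") { gw = $(i + 2); sub(/\)$/, "", gw) }
        }
        print iface, gw
    }'
}

# Constructed sample rules (documentation addresses, assumed interface names).
sample_rules() {
cat <<'EOF'
pass in quick on pppoe0 reply-to (pppoe0 198.51.100.1) inet proto udp from any to 127.0.0.1 port = 51820 keep state
pass in quick on pppoe1 inet proto udp from any to 127.0.0.1 port = 51820 keep state
pass in quick on igb2 inet proto udp from any to 127.0.0.1 port = 51820 keep state
pass in quick on igb3 inet proto tcp from any to (self) port = 443 flags S/SA keep state
block drop in log inet all
EOF
}

# Offline demonstration on the constructed sample.
# On a live firewall, use instead: pfctl -sr | audit_reply_to 51820
sample_rules | audit_reply_to 51820
```

An interface reported as MISSING has a pass rule for the port without reply-to, so replies to connections arriving there follow the routing table rather than returning through the WAN they came in on.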