Traffic to the VIP is detected on the wrong interface

Started by mfpb, March 23, 2026, 08:51:30 AM

Hello,

I have two OPNsense 26.1.4 instances with the same configuration (but different CIDRs).

OPNsense A (no issues) was updated from 25.x to 26.1, and then the firewall was migrated to the new rules.
OPNsense B (has issues) was installed fresh. The legacy firewall rules were manually copied from OPNsense A, and the firewall was migrated to the new rules.

I have a native network and several VLANs:

native: 10.0.0.0/24
vlan2: 10.0.2.0/24
vlanN: 10.0.N.0/24
vlan6: 10.0.6.0/24

These networks are grouped into interface groups:

group1: native, vlan2, ...
group2: vlan6, ...

I also have a VIP (IP alias), which I tried binding to the loopback or the native interface: 192.168.10.10
OPNsense HAProxy is bound to the VIP address on port 443.

Firewall rules:

Allow IN on interface "group1" from any to "This Firewall" TCP/443
Allow IN on interface "group2" from any to "This Firewall" TCP/443

When I try to access the VIP from a computer in vlan6, the traffic is blocked.

In the live logs, I see:

block IN interface vlan2 from 10.0.6.123:12345 to 192.168.10.10:443

If I disable the rule "allow IN interface 'group2' ...", I get:

block IN interface vlan6 from 10.0.6.123:12345 to 192.168.10.10:443

I don't understand why vlan2 appears in the first case, or why the traffic is blocked.

I forgot to mention that I'm using a DNAT rule:

On any interface, from any source to the WAN address on port 443, traffic is translated to 192.168.10.10:443.

So I only have issues when a device on vlan6 tries to connect via NAT. If it connects directly to 192.168.10.10, everything works.

After that, I tried to create a single DNAT rule applied only to the vlan6 interface. However, the firewall still detects traffic on the vlan2 interface. I also tried disabling the vlan2 interface and removing the VLAN from the L2 switch. Nothing changes.
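Added example (not code from the post or from OPNsense): a small Python check that parses log lines in the simplified shape quoted above and flags inbound entries whose logging interface does not own the source subnet, using the VLAN layout from the post. The interface names and the line regex are assumptions about that quoted format, not the raw filterlog CSV format.

```python
import ipaddress
import re

# Subnet-to-interface layout from the post (interface names as given there).
INTERFACE_NETS = {
    "native": ipaddress.ip_network("10.0.0.0/24"),
    "vlan2": ipaddress.ip_network("10.0.2.0/24"),
    "vlan6": ipaddress.ip_network("10.0.6.0/24"),
}

# Matches the simplified log line shape quoted in the post, not raw filterlog CSV.
LOG_RE = re.compile(
    r"^(?P<action>block|pass) (?P<dir>IN|OUT) interface (?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def expected_ingress(src_ip):
    """Interface whose subnet contains src_ip (None if it is not a local subnet)."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in INTERFACE_NETS.items():
        if ip in net:
            return name
    return None

def find_mismatches(lines):
    """Return (line, logged_iface, expected_iface) for inbound entries where the
    logging interface does not own the source subnet, as in the post's first log line."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dir"] != "IN":
            continue
        exp = expected_ingress(rec["src"])
        if exp is not None and exp != rec["iface"]:
            out.append((line.strip(), rec["iface"], exp))
    return out

# Constructed sample reproducing the two log entries quoted in the post.
SAMPLE_LOG = """\
block IN interface vlan2 from 10.0.6.123:12345 to 192.168.10.10:443
block IN interface vlan6 from 10.0.6.123:12345 to 192.168.10.10:443
"""

if __name__ == "__main__":
    for line, got, exp in find_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{line}\n  logged on {got}, but source subnet belongs to {exp}")
```

Only the first quoted entry is flagged: the source 10.0.6.123 belongs to vlan6 but was logged on vlan2, which is the discrepancy the post describes.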