OPNSense block ssh connection after specific time, if two interfaces assigned
Topic: OPNSense block ssh connection after specific time, if two interfaces assigned (Read 152 times)
MPGxxxLegend
Newbie
Posts: 8
Karma: 0
OPNSense block ssh connection after specific time, if two interfaces assigned
«
on:
October 17, 2024, 10:29:42 am »
Maybe someone here has some input.
I'm trying to implement the following, but I've run into a problem that I can't exactly explain to myself. I want to install a WatchyourLan container that listens on all my VLAN/LANs, but only grant access from specific devices. So I installed ufw and took over routing from Docker itself, disabling iptables for Docker. This worked until I added the interface of the subnet from which I manage the VM via SSH.
So I reset the VM and only added the interfaces, and lo and behold, I found the problem: OPNSense blocks the SSH traffic after a certain time.
[Picture-1]
Overview:
VM - 10.20.20.16/24 - VLAN ID 20 Homelab
[Picture-2]
PC - 10.20.10.2/24 - VLAN ID 10 User
The VM as well as OPNSense run on Proxmox as VMs.
As soon as I am in the same subnet as the PC, there is no problem; clearly it is not routed either.
When I create a firewall rule that allows the traffic, the connection is blocked by OPNSense after 30 seconds.
I checked whether any MAC addresses are identical: no, only those of the VLANs with their parent interface.
[Picture-3]
Furthermore, the fixed IPs configured for the VM on those VLAN/LANs are not visible in the ARP table under OPNSense, or appear only briefly and disappear again.
Proxmox hardware
[Picture-4]
The reason I haven't encountered the problem before is that I don't have a VM with the same interface as my management PC.
Thanks for the input.
dseven
Sr. Member
Posts: 312
Karma: 33
Re: OPNSense block ssh connection after specific time, if two interfaces assigned
«
Reply #1 on:
October 17, 2024, 01:58:33 pm »
I believe that your problem is being caused by asymmetric routing. Your PC (10.20.10.2) is connecting to the VM's "Homelab" interface (10.20.20.16) via the firewall, but the VM has a direct connection to the "User" network (10.20.10.0/24), so response packets will NOT go through the firewall. The firewall sees traffic in one direction only, and considers the connection invalid after a short timeout.
If you must keep the asymmetric routing in place, you may be able to work around this by adding a firewall rule to allow the traffic, and set "State Type" (Advanced) to "none", or maybe "sloppy state" (haven't tried this).
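The one-direction-only behaviour described in the reply can be checked directly from what the firewall actually forwards. The following Python is an added example (not from the thread and not OPNsense code): over constructed packet records it pairs each TCP flow with its reverse direction and reports flows for which no reply ever passed the firewall; the host 10.20.20.50 is an assumed healthy reference behind the firewall.

```python
"""Detect one-sided (asymmetric) TCP flows in firewall packet records.

A stateful firewall such as OPNsense's pf creates state on the SYN it forwards
and expects the reply direction to pass through it as well. If the reply
takes another path, the firewall sees only one direction and the state
eventually expires, which is the symptom described in the thread.
"""
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as seen by the firewall, e.g. "S", "SA", "A", "PA"


def flow_key(p: Packet) -> tuple:
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(key: tuple) -> tuple:
    src, sport, dst, dport = key
    return (dst, dport, src, sport)


def find_one_sided_flows(packets):
    """Return flows (src, sport, dst, dport) that started with a SYN seen by
    the firewall but whose reverse direction the firewall never observed."""
    seen = defaultdict(int)
    initiators = set()
    for p in packets:
        key = flow_key(p)
        seen[key] += 1
        if p.flags == "S":  # connection attempt the firewall built state for
            initiators.add(key)
    return sorted(k for k in initiators if seen[reverse_key(k)] == 0)


# Constructed sample: the PC on VLAN 10 opens SSH to the VM on VLAN 20. The VM
# answers directly over its own VLAN 10 leg, so no SA/A comes back through the
# firewall. A second flow to 10.20.20.50 (assumed host) shows both directions.
SAMPLE = [
    Packet("10.20.10.2", 51234, "10.20.20.16", 22, "S"),
    Packet("10.20.10.2", 51234, "10.20.20.16", 22, "A"),
    Packet("10.20.10.2", 51234, "10.20.20.16", 22, "PA"),
    Packet("10.20.10.2", 51300, "10.20.20.50", 22, "S"),
    Packet("10.20.20.50", 22, "10.20.10.2", 51300, "SA"),
    Packet("10.20.10.2", 51300, "10.20.20.50", 22, "A"),
]

if __name__ == "__main__":
    for flow in find_one_sided_flows(SAMPLE):
        print("asymmetric flow (no reply seen by firewall):", flow)
```

Feeding this the packets from a capture on the firewall's VLAN interfaces shows whether the fix should be in routing (make replies traverse the firewall) rather than in loosening state tracking.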
MPGxxxLegend
Newbie
Posts: 8
Karma: 0
Re: OPNSense block ssh connection after specific time, if two interfaces assigned
«
Reply #2 on:
October 17, 2024, 03:41:02 pm »
Asymmetric routing is the problem, and your solution works: making a FW rule that allows the connection with "sloppy state" under advanced settings.
Is there any disadvantage for security using this rule?
dseven
Sr. Member
Posts: 312
Karma: 33
Re: OPNSense block ssh connection after specific time, if two interfaces assigned
«
Reply #3 on:
October 17, 2024, 04:01:43 pm »
I'm not a security expert, but I think the short answer is "yes" - it makes the firewall less strict (with respect to traffic matching that rule, and things like sequence number validation), so it is (at least slightly) less secure. For practical purposes, attacks would have to be sourced from your "User" network (not anywhere else on the big wide internet), so perhaps the risk is acceptably low. Security is always a compromise...