Alias affects wireguard tunnel although not activated rule

[paul_a2]

Hi,

I have a really strange issue that took me long time to figure out - but I dont know howto troubleshoot it good enough for bugreport. I run latest OPNSense version (21.7.3_1) and tunnel my traffic out through Wireguard tunnel. Sometimes to get netflix etc working I add an IP to an exclusion alias (ips_exclude_vpn) that has own rule.

This works fine, but I added an Chromecast Ultra with fixed IP yesterday. The Chromecast did not get proper internet access, and I spent 4-6h troubleshooting it. In end I added the chromecast IP to exclusion alias list, and it started working.

The strange thing is that I did not active the exclusion rule on firewall - I only added CCU IP (192.168.1.161) to exclusion alias list and forced fw rule reload and it started to work. I can repeat this: if I remove IP from exclusion alias CCU looses internet access, but if it is on list it has internet access. So far what I have not tried is to have CCU on exclusion list and activate exclusion rule (aka I dont know if it actually would avoid WG-tunnel).

But as such I find it very strange that CCU needs to be on an alias list to be able to get internet access to work on a rule that is not active, that should not be the case?

Edit: added attachments. If I remove the 2nd IP from alias as said my Chromecast looses internet connectivity fully although I do not touch bypass_rule