[Help] Multi-WAN Reply-to Broken? AmneziaWG Inbound Fails on WAN2 after v26.1 Up

Started by metacyx, Today at 02:40:24 PM

Hey everyone,

I'm reaching out to see if anyone else is experiencing Multi-WAN routing issues on the new v26.1 release. I recently upgraded from v25.7, and while the rule migration to "Rule (new)" seemed successful, my inbound load balancing/failover logic is broken.

The Setup:
- OPNsense v26.1 (previously rock-solid on v25.7.11_9).
- Dual WAN setup using PPPoE (pppoe0 for WAN1, pppoe1 for WAN2).
- Internal AmneziaWG service hosted in the LAN.

The Issue:
Prior to the upgrade, external clients could handshake with the AmneziaWG service via either WAN1 or WAN2 public IPs without issue. Post-upgrade, WAN2 is effectively "dead" for inbound connections. WAN1 continues to work perfectly.

Packet Capture & Behavior:
I did some digging via shell packet captures, and the results are baffling:
1. When a client attempts to connect to the WAN2 IP, I see traffic hitting BOTH pppoe0 and pppoe1 simultaneously.
2. The source IP on both interfaces is identified as the WAN2 public IP.
3. Despite the traffic being visible, the handshake never completes.

Troubleshooting Steps Taken:
- Completely deleted and recreated the Port Forward (NAT) and Firewall rules for the service.
- Isolated the issue by disabling WAN1 rules entirely, but WAN2 still refused to pass the handshake.
- Followed the official migration guide to ensure rules were correctly mapped to the new architecture.

Workaround:
I've since rolled back to v25.7.11_9, and everything started working instantly without a single configuration change.

Is there a known regression in v26.1 regarding "Reply-to" behavior for PPPoE interfaces or Multi-WAN policy routing? It feels like the return path is being misrouted or the state is getting confused between the two WAN interfaces.

Any help or pointers on what to check in the new rule logic would be much appreciated!
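One way to put numbers on the symptom described in the post (replies showing up on both PPPoE interfaces) is to tag the output of `tcpdump` on each interface with the interface name and then count, per interface, the packets the firewall sends back from the WAN2 address. With a working reply-to the replies should leave only on the interface the request arrived on. The script below is an added example, not code from this thread or from OPNsense; the addresses (WAN2 public IP 203.0.113.2, client 198.51.100.10) and the UDP port 51820 are assumed placeholders, and the capture lines are constructed in the shape `tcpdump -n` prints.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: report on which
# interface the firewall's replies leave, given tagged tcpdump output.
#
# How to produce real input on the firewall shell (run both, merge the output):
#   tcpdump -nli pppoe0 udp port 51820 | sed 's/^/pppoe0 /'
#   tcpdump -nli pppoe1 udp port 51820 | sed 's/^/pppoe1 /'
# Assumed placeholders: WAN2 public IP 203.0.113.2, service port 51820,
# a client at 198.51.100.10. None of these are the poster's real values.

# Constructed sample capture, one packet per line, first field = capturing
# interface. Two client initiations arrive on pppoe1; the firewall's replies
# (source 203.0.113.2.51820) show up on pppoe0 each time and once on pppoe1.
SAMPLE_CAPTURE='pppoe1 12:00:00.000001 IP 198.51.100.10.41000 > 203.0.113.2.51820: UDP, length 148
pppoe0 12:00:00.000420 IP 203.0.113.2.51820 > 198.51.100.10.41000: UDP, length 92
pppoe1 12:00:00.000455 IP 203.0.113.2.51820 > 198.51.100.10.41000: UDP, length 92
pppoe1 12:00:05.000001 IP 198.51.100.10.41000 > 203.0.113.2.51820: UDP, length 148
pppoe0 12:00:05.000380 IP 203.0.113.2.51820 > 198.51.100.10.41000: UDP, length 92'

# reply_ifaces WANIP PORT   (capture on stdin)
# Count, per capturing interface, every packet sourced from WANIP.PORT, i.e.
# the firewall's reply toward the client. Output lines: "iface count", sorted.
reply_ifaces() {
    awk -v src="$1.$2" '$3 == "IP" && $4 == src { n[$1]++ }
        END { for (i in n) print i, n[i] }' | sort
}

# misrouted_replies IFACE WANIP PORT   (capture on stdin)
# Print each reply from WANIP.PORT that left an interface other than IFACE,
# the interface the request arrived on. With reply-to pinning the return
# path correctly this prints nothing.
misrouted_replies() {
    awk -v iface="$1" -v src="$2.$3" '
        $3 == "IP" && $4 == src && $1 != iface { print $1, $2, $4, "->", $6 }'
}

# count_misrouted IFACE WANIP PORT   (capture on stdin): number of such packets.
count_misrouted() {
    misrouted_replies "$@" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample.
printf '%s\n' "$SAMPLE_CAPTURE" | reply_ifaces 203.0.113.2 51820
printf '%s\n' "$SAMPLE_CAPTURE" | misrouted_replies pppoe1 203.0.113.2 51820
```

On a live box, feed the merged tcpdump streams into `misrouted_replies pppoe1 <WAN2 IP> <port>` while a client attempts a handshake against the WAN2 address; any line it prints is a reply that left the wrong interface, which is the behaviour to compare between v25.7 and v26.1 before filing a regression report.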