[Help] Multi-WAN Reply-to Broken? AmneziaWG Inbound Fails on WAN2 after v26.1 Up

Started by metacyx, January 31, 2026, 02:40:24 PM

Hey everyone,

I'm reaching out to see if anyone else is experiencing Multi-WAN routing issues on the new v26.1 release. I recently upgraded from v25.7, and while the rule migration to "Rule (new)" seemed successful, my inbound load balancing/failover logic is broken.

The Setup:
- OPNsense v26.1 (previously rock-solid on v25.7.11_9).
- Dual WAN setup using PPPoE (pppoe0 for WAN1, pppoe1 for WAN2).
- Internal AmneziaWG service hosted in the LAN.

The Issue:
Prior to the upgrade, external clients could handshake with the AmneziaWG service via either WAN1 or WAN2 public IPs without issue. Post-upgrade, WAN2 is effectively "dead" for inbound connections. WAN1 continues to work perfectly.

Packet Capture & Behavior:
I did some digging via shell packet captures, and the results are baffling:
1. When a client attempts to connect to the WAN2 IP, I see traffic hitting BOTH pppoe0 and pppoe1 simultaneously.
2. The source IP on both interfaces is identified as the WAN2 public IP.
3. Despite the traffic being visible, the handshake never completes.

Troubleshooting Steps Taken:
- Completely deleted and recreated the Port Forward (NAT) and Firewall rules for the service.
- Isolated the issue by disabling WAN1 rules entirely, but WAN2 still refused to pass the handshake.
- Followed the official migration guide to ensure rules were correctly mapped to the new architecture.

Workaround:
I've since rolled back to v25.7.11_9, and everything started working instantly without a single configuration change.

Is there a known regression in v26.1 regarding "Reply-to" behavior for PPPoE interfaces or Multi-WAN policy routing? It feels like the return path is being misrouted or the state is getting confused between the two WAN interfaces.

Any help or pointers on what to check in the new rule logic would be much appreciated!

Hello everyone,

I seem to have a similar problem here.

My setup:
Virtualized OPNsense (Proxmox VE)
1 primary WAN connection
5 additional IP addresses created via additional virtual interfaces (created in Proxmox with assigned MAC addresses).

All IP addresses use the same upstream IP address as a gateway (Hetzner).


Previously: Corresponding firewall rules were created for each interface. In addition, corresponding port forwarding rules with automatic outbound NAT rules were created.
The traffic worked perfectly.

After the switch to 26.1, no traffic could be delivered. After all IP addresses were supplemented with /32, the traffic at least arrived at the respective host again. However, no responses were received from the services behind the additional IP addresses, while all packets running via the primary WAN connection continued to run unhindered.

It turned out that the packets were apparently being routed via vtnet0 instead of vtnet1, vtnet2, etc.
This means that the packets are apparently being discarded because they are coming back from a different interface than the one they came in on.

Despite numerous adjustments in all possible places, I have not been able to route the outgoing packets correctly via the interfaces through which they entered. Is this a bug?

I would be very grateful for any help!
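
An added diagnostic helper, not code from either poster or from OPNsense, that checks per-interface capture summaries for the pattern both posts describe: a request arriving on one WAN interface while the reply leaves on another. It assumes a hand-written, simplified capture line format (interface and direction prefixed to each packet summary); the interface names, addresses and ports in the sample are constructed.

```python
"""Flag reply-path asymmetry in per-interface capture summaries.

Each input line is a constructed, simplified summary of one UDP packet:
"<iface> <in|out> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>".
"""
import re

# Constructed sample (hand-written, not real tcpdump output). Documentation
# ranges are used: 198.51.100.1/.2 stand in for the WAN1/WAN2 addresses,
# 203.0.113.x for remote clients. The second flow's reply leaves on pppoe0
# although the request arrived on pppoe1, which is the symptom in the thread.
SAMPLE_CAPTURE = """\
pppoe0 in  IP 203.0.113.7.41000 > 198.51.100.1.51820: UDP, length 148
pppoe0 out IP 198.51.100.1.51820 > 203.0.113.7.41000: UDP, length 92
pppoe1 in  IP 203.0.113.5.43210 > 198.51.100.2.51820: UDP, length 148
pppoe0 out IP 198.51.100.2.51820 > 203.0.113.5.43210: UDP, length 92
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Yield (iface, direction, src, sport, dst, dport) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["iface"], m["dir"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]))


def find_asymmetric_flows(text):
    """Return {(client, cport, server, sport): (ingress_iface, egress_iface)}
    for every flow whose reply left on a different interface than the one
    the request arrived on. Flows with no observed reply are not reported."""
    ingress, egress = {}, {}
    for iface, direction, src, sport, dst, dport in parse_capture(text):
        if direction == "in":
            ingress[(src, sport, dst, dport)] = iface
        else:  # reply: swap endpoints so the key matches the request 5-tuple
            egress[(dst, dport, src, sport)] = iface
    return {flow: (ingress[flow], egress[flow])
            for flow in ingress
            if flow in egress and ingress[flow] != egress[flow]}
```

A flow reported here means the reply was seen leaving a different interface than the request entered, which is what a missing or wrong reply-to on the inbound rule produces; a flow with no reply at all is a separate failure and is not reported.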


Note that I've worked around this issue by setting the WAN I want to run servers from as the default gateway and adding rules to all LAN nets to forward traffic to the other gateway. This breaks my failover plan and won't help if you're serving via multiple WANs, so it's not perfect.