Firewall rules for virtual interface / metarouter

Hello All,

I have an OpenVPN server running as MetaRouter (OpenWRT).
I’d like to implement a few firewall rules for clients, but even though I can see IPs when torching the virtual interface, the firewall rules have no effect.
Should I be marking packets using a mangle rule prior to accepting/denying them in the filter table?

Thank you

If you create virtual interfaces for the guest and route your traffic, you can limit traffic using the firewall; if you are bridging, then you have to allow use of the IP firewall for bridged interfaces.

If you are assigning physical interfaces to the MetaRouter, all the filtering has to be done on the guest, as the host OS has no say on what is passed to the guest. Let’s say the guest OS barely sees packets that are passed to guests and has no control.

There’s a single virtual interface assigned to the MetaRouter: no bridge, no physical interface involved.
When torching the virtual interface, I can see traffic going through, with the source IP being the client’s and the destination IP being, well, anything in my network.
But when I add a rule in the filter table, it has strictly no effect; no packet is being caught.

How does your firewall filter rule look? A virtual interface does not differ from any other interface, except for being virtual. To RouterOS itself, it looks like Ethernet.

I was sure I tried putting my rules at the top and bottom of the set and it didn’t do anything, but now it works :confused:

So the firewall on RouterOS is first-match policy, right?

Yes, it is first match; only in special cases, where a passthrough action is available, can the packet be processed by filter rules that follow. Actions like accept and drop will not pass packets through.
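As an added illustration of the first-match behaviour described in this thread (example configuration, not posted by any participant): a RouterOS filter chain on the host that restricts what VPN clients arriving over the MetaRouter's virtual interface may reach on the LAN. The interface name `vif1`, the client range `10.8.0.0/24` and the LAN addresses are assumptions chosen for the example.

```routeros
# Added example, not from the thread. Assumed names: in-interface "vif1" is the
# virtual interface handed to the MetaRouter; 10.8.0.0/24 are its OpenVPN clients;
# 192.168.88.0/24 is the LAN behind the host RouterOS.
/ip firewall filter

# Rules are evaluated top to bottom. "log" does not terminate processing, so the
# packet continues to the next rule after being logged.
add chain=forward in-interface=vif1 action=log log-prefix="vpn-fwd" \
    comment="log only; packet falls through to the following rules"

# "accept" and "drop" are terminal: the first one that matches decides the packet.
add chain=forward in-interface=vif1 connection-state=established,related action=accept \
    comment="replies to existing connections are accepted here and never reach later rules"

add chain=forward in-interface=vif1 src-address=10.8.0.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 action=accept \
    comment="allow VPN clients to the internal web server only"

add chain=forward in-interface=vif1 src-address=10.8.0.0/24 dst-address=192.168.88.0/24 \
    action=drop \
    comment="everything else from VPN clients to the LAN is dropped; an accept placed below this line would never be reached"

# Check that the rules actually see traffic: the packet/byte counters increase
# for every rule that matched, which is the quickest way to spot a rule that is
# shadowed by an earlier terminal match.
/ip firewall filter print stats
```

If a rule's counter stays at zero while torch shows matching traffic, an earlier accept or drop in the chain is consuming the packets before they reach it.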