I know there are some complexities related to VPN and firewall; not sure if iptables happens before or after the VPN. If iptables does work, in theory all you'd have to do is move the NSFW rule up to above the VPN rule, but it may make more sense to configure your VPN firewall directly using the config file or custom options in the GUI.
In fact, if you move NSFW above the YazFi and VPN rules, then it should take care of both issues, but you need to check the rules after it to make sure the guest (wl0.1 and/or the associated subnet) is accounted for in those, and that nothing in those will interfere (i.e. blocking DHCP, DNS, etc.).
Another way, at least for the guest network, is to change the default accept in the YazFi chain to RETURN. However, again, you need to check the rules that come after that to make sure they all account for wl0.1 and/or the associated subnet.
You can also look at using EBTABLES to filter stuff as it comes into the bridge interfaces. That may actually be your easiest solution, as you can just apply a new policy since the default chains are usually empty (permit any). However, without having YazFi, I'm not sure how they're assigning interfaces to bridges etc. Should be doable though.
EBTABLES, I will look into it. Thanks.