“Bridge” layer 3 devices how to? (route based VPN)

In a routed VPN Server - Road Warrior scenario (host to site), the RW is getting via DHCP an IP address through the IPSec tunnel. The idea is that the RW, once connected, will become "part" of the LAN on the other side, all within the same subnet.

Since it is within the same subnet I can't "route" traffic, but an XFRM device is a layer 3 device, so I cannot make it part of the bridge (like you could do with a TAP device vs a TUN device).

Just adding iptables FORWARD rules doesn't help: iptables -I FORWARD -i ipsec0 -o br-lan -j ACCEPT and the other way around.

It works when I add another 2 rules to masquerade the traffic... but that doesn't seem to be the right way to do it, since I'm already on the same subnet.

Running "iperf3" from the RW to the router (through the tunnel), with iperf3 running on the router itself, which normally would reduce the performance, is actually almost 2x as good as RW == tunnel - router - LAN client.

Maybe "route" based VPN is not designed for "same subnet"??

Are you using the farp module? I think it's needed for Proxy ARP when you use IP addresses from another interface.

https://wiki.strongswan.org/projects/strongswan/wiki/FARPPlugin
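The proxy-ARP idea from the reply above, written out as an added example (not from the thread, not strongSwan's farp plugin itself): instead of masquerading, the router answers ARP on the LAN bridge for the road warrior's address and keeps a host route for it through the tunnel interface, so LAN hosts see the RW's real address. Interface names br-lan and ipsec0 come from the question; the RW address 192.168.1.200 and the helper names are assumptions. The script only emits the commands unless invoked with `--apply`, so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the thread. Router-side plumbing for a
# route-based (xfrm/ipsec0) road warrior whose assigned address lies in the
# LAN subnet. Assumptions: LAN bridge br-lan, tunnel interface ipsec0,
# RW address 192.168.1.200 (override via environment).

LAN_IF="${LAN_IF:-br-lan}"
VPN_IF="${VPN_IF:-ipsec0}"
RW_ADDR="${RW_ADDR:-192.168.1.200}"

# Reject anything that is not a plain dotted-quad IPv4 address before it
# reaches ip/iptables (values come from the environment, so check them).
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for oct in $(echo "$1" | tr '.' ' '); do
    [ "$oct" -le 255 ] || return 1
  done
  return 0
}

# Emit the commands, one per line, without running them.
#  - proxy_arp on br-lan: the kernel answers ARP for any address it has a
#    route to via another interface, i.e. the RW's address via ipsec0.
#  - /32 host route via the tunnel: makes that route exist and keeps the
#    RW reachable without NAT.
#  - FORWARD rules: the two directions the question already tried; they
#    only work once ARP is answered, and the LAN->tunnel direction can be
#    tightened to ESTABLISHED,RELATED if the RW should not be reachable.
plan_proxy_arp() {
  lan_if="$1"; vpn_if="$2"; rw_addr="$3"
  valid_ipv4 "$rw_addr" || { echo "invalid RW address: $rw_addr" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.${lan_if}.proxy_arp=1
ip route replace ${rw_addr}/32 dev ${vpn_if}
iptables -I FORWARD -i ${vpn_if} -o ${lan_if} -j ACCEPT
iptables -I FORWARD -i ${lan_if} -o ${vpn_if} -j ACCEPT
EOF
}

# Number of steps the plan produces (handy for a quick sanity check).
plan_step_count() {
  plan_proxy_arp "$@" | wc -l | tr -d ' '
}

# Run each planned line; with DRY_RUN=1 just echo it instead.
apply_plan() {
  plan_proxy_arp "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      printf '%s\n' "$cmd"
    else
      # shellcheck disable=SC2086
      $cmd
    fi
  done
}

if [ "${1:-}" = "--apply" ]; then
  apply_plan "$LAN_IF" "$VPN_IF" "$RW_ADDR"
elif [ "${1:-}" = "--plan" ]; then
  plan_proxy_arp "$LAN_IF" "$VPN_IF" "$RW_ADDR"
fi
```

Run it as `sh script.sh --plan` to see the commands, then `sh script.sh --apply` as root on the router. After applying, an `arping` for the RW address from a LAN host should be answered with br-lan's MAC, and `iptables -vnL FORWARD` should show the counters on the ipsec0/br-lan rules increasing instead of the MASQUERADE rule.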

That is layer 2 operation. To do what you want is layer 2 bridging; there is no routing. The tunnel should be within br-lan. Since firewalling works at layer 3, there's no need to set up firewall rules, indeed no ability to. The RW has to be trusted completely, as if it were locally connected to the LAN.