Here's the right way to do it:
https://forum.openwrt.org/t/ipsec-routing-firewall4/127101/6 (post by jow)