I need advice to add these firewall rules.
Please give instructions on how to add them with LUCI interface for ease of use because I will probably enable/disable or tweak the rules later on.
VPN typically depends on NTP which expects working DNS.
So, we do not restrict the router's own traffic, but only its clients.
You can create a separate firewall zone for the VPN interface.
Replace the LAN to WAN forwarding with LAN to VPN.
Also implement split-DNS to avoid DNS leak.
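The zone and forwarding layout described above, written out as UCI config fragments (an added example, not something posted in this thread). It assumes the tunnel's logical interface is named `vpn` and uses a placeholder resolver address; the same settings are reachable in LuCI under Network → Firewall (add a zone covering the VPN interface, allow forwarding from `lan` into it, and remove `wan` from the lan zone's "Allow forward to destination zones"):

```uci
# /etc/config/firewall (fragment): a dedicated zone for the VPN interface.
# 'vpn' is the assumed logical interface name; use the name of your tunnel interface.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# LAN clients may only forward into the VPN zone. There is deliberately no
# lan -> wan forwarding section, so client traffic cannot fall back to WAN
# when the tunnel is down. The router's own traffic is unaffected: the wan
# zone keeps output 'ACCEPT', so NTP, DNS and the tunnel endpoint still work.
config forwarding
	option src 'lan'
	option dest 'vpn'

# /etc/config/dhcp (fragment): make dnsmasq answer clients only through the
# VPN provider's resolver, so client DNS queries do not leak out via the ISP.
# 10.8.0.1 is a placeholder; replace it with the resolver reachable inside the tunnel.
config dnsmasq
	option noresolv '1'
	list server '10.8.0.1'
```

After editing, apply with `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`, then check from a LAN client that traffic and DNS resolution stop when the VPN interface is brought down; that is the behaviour these rules are meant to enforce.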
Do you mean it shouldn't work without an NTP client? Because it has been working for me. I don't know if it can cause any harm to use it without NTP. But I can still enable it and open port 123 for NTP on WAN if that's necessary.
I already have a separate firewall zone for VPN and already replaced LAN-WAN with LAN-VPN forwarding.
But I still need a way to configure the firewall for them.