Pbr not working

Hi everyone!
I've got a problem with routing on my OpenWrt.
I have a BPI-R3 running OpenWrt 23.05.3 r23809-234f1a2efa. I added an LTE modem so I can use it as a wireless AP. I'm also running OpenVPN as a client.
My goal is to route traffic through the VPN tunnel using pbr. But so far, only packets for the same subnet as the tap device get routed through the tunnel.
This matches the routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.86.xxx.yyy  0.0.0.0         UG    55     0        0 wwan0
100.86.xxx.yyy  *               255.255.255.252 U     55     0        0 wwan0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.42.0    *               255.255.255.0   U     25     0        0 tap0

I created a simple pbr policy to test my setup:

config policy
	option name 'oVPN ping test'
	option interface 'oVPN'
	option dest_addr '8.8.8.8'
	option proto 'icmp'

If I ping 8.8.8.8, I can see the ICMP packets showing up on br-lan with tcpdump, but they don't get routed, and I get a 'destination host unreachable' message. If I disable that policy, the packets are routed correctly via the default route.
For testing, I also set up a static route:

config route
	option interface 'oVPN'
	option target '0.0.0.0/0'
	option gateway '192.168.42.127'
	option metric '20'
	option disabled '1'

But that was a bad idea and didn't work at all; it messed up all the routing.
So I guess I'm doing something fundamentally wrong here.

For more information, here's my /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8c:9d82:4e9c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'sfp2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.252'
	option netmask '255.255.255.0'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr '92:10:33:7d:f6:26'

config device
	option name 'wan'
	option macaddr '92:10:33:7d:f6:26'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'
	option metric '45'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'broadband'
	option proto 'modemmanager'
	option device '/sys/devices/platform/soc/11200000.usb/usb1/1-1/1-1.1'
	option apn 'web.vodafone.de'
	option pincode '****'
	option auth 'none'
	option iptype 'ipv4'
	option loglevel 'ERR'
	option auto '0'
	option metric '55'

config route
	option interface 'oVPN'
	option target '0.0.0.0/0'
	option gateway '192.168.42.127'
	option metric '20'
	option disabled '1'

config interface 'oVPN'
	option proto 'dhcp'
	option device 'tap0'
	option metric '25'

And here's my /etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssh'
	list proto 'tcp'
	option src 'vpn'
	option src_dport '41512'
	option dest_port '22'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'wwan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'broadband'

config zone
	option name 'vpn'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'oVPN'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wwan'

Any help here is highly appreciated! 🙂