I have recently connected to IVPN by wireguard for the usual reasons, sick of tracking and the like, but I also want to run some existing services which are DNAT'ed in to some machines on my LAN.
PBR seemed to be the obvious solution to keep my DNAT services directed out to my one public IP address and then send all adhoc web browsing etc. out over the IVPN service.
My web server is working fine with this new arrangement as is my email server, but you guessed it, one service is not
For reasons that I won't go in to now, several hosts out on the Internet make ssh connections in to my router and there they are locked into a chroot jail - these services all work fine without the IVPN and PBR running.
This is what I have got so far:-
in /etc/config/firewall I have the following. config redirect option dest_port '22' option src 'wan' option src_dport '<a-high-port-number>' option target 'DNAT' list proto 'tcp' option name 'AutoSSH-in_to_router' option dest 'lan' option dest_ip '<the-LAN-address-of-my-openwrt-router>' option reflection '0'
config policy option name 'autossh-in' option src_addr '<the-LAN-address-of-my-openwrt-router>' option dest_port '<a-high-port-number>' option interface 'ignore'
When I watch the SSH connection from the far end I see nothing at after
"debug1: Connecting to  port ."
and at the same time while I watch SSHD running in the foreground on my router, I see nothing at all.
Neither do I see anything interesting on my router's syslog .
From this I conclude that no packets are ever reaching SSHD from the DNAT entry while PBR is running.
...have I described my problem clearly?
... and constructive advice would be appreciated.