Another question popped up in my VPN config. I don't really need any traffic outside of my TUN interface; this splitting is not needed for me, and I could however just leave the config as it is.
I want my whole network to drop outgoing/incoming traffic once my network fails. To achieve this, I simply removed the forwarding between LAN and WAN and only created a forward between WAN and TUN - thus the only way that my devices should be able to connect to the internet would be over the TUN interface.
That works surprisingly well for all my devices except the router itself: once, for example, the interface drops, I can see all other devices without internet (great) and the router itself accessing the internet over WAN directly (not great).
How would I have to set up routing so that my router itself is a "real device on LAN"?
I assume your WAN and VPN connections are in different firewall zones. Have you tried to reject "output" in the WAN zone? After doing that, you can add traffic rules for the traffic you need, i.e. to the VPN server and maybe the DNS server if you need to look up the IP address of the VPN server.
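As an added example of the suggestion above (not from this thread or any poster), this is what the "reject output in the WAN zone, then allow only what the tunnel needs" idea looks like in OpenWrt's /etc/config/firewall. The zone names, the logical interface 'vpn' bound to the TUN device, the VPN endpoint address/port and the resolver address are assumed placeholders.

```uci
# Constructed /etc/config/firewall fragment, added here, not from the thread.
# Zone names 'wan' and 'vpn', the logical interface 'vpn' bound to the TUN
# device, the VPN endpoint 203.0.113.10:1194/udp and the resolver 192.0.2.53
# are assumed placeholders; replace them with your own values.

# The default wan zone has 'option output ACCEPT', which is why the router
# itself keeps reaching the internet over WAN when the tunnel drops.
# Rejecting output here blocks the router's own traffic by default.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'
	option masq '1'

# Explicit exceptions the router still needs on WAN. A rule without 'src'
# applies to traffic originated by the router itself.
config rule
	option name 'Allow-VPN-endpoint'
	option dest 'wan'
	option proto 'udp'
	option dest_ip '203.0.113.10'
	option dest_port '1194'
	option target 'ACCEPT'

# DNS to one fixed resolver, only needed if the VPN endpoint is configured
# by hostname and must be resolved before the tunnel is up.
config rule
	option name 'Allow-DNS-to-resolver'
	option dest 'wan'
	option proto 'udp'
	option dest_ip '192.0.2.53'
	option dest_port '53'
	option target 'ACCEPT'

# The tunnel zone stays open for the router, and LAN is forwarded only
# there (no lan -> wan forwarding), as described in the question.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

Once the tunnel is up, the router's remaining traffic (NTP, package downloads, other DNS) follows the default route into the tunnel; when it drops, only the two allowed flows can leave WAN, so check with `logread`/`ping` from the router that nothing else gets out.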
Not yet! I'll report back later if that has worked. Good idea.
Last night I somehow locked myself out with a similar thought.
Is it also possible to just route specific ports? Might sound like an idiotic question, but I am fairly new to networking.
Not easily, I think it requires the mwan3 package or similar. Usually only the destination address is taken into account when routing.
Just in case someone comes across this: I wasn't able to solve this easily. I experimented with a virtual WAN interface, and it should be possible in this way somehow, but I gave up; I found an application-specific solution for my problem.