Using TOS 3.11.1 and vpn-policy-routing 0.0.2-34, I configured this routing policy:
config vpn-policy-routing 'config'
option verbosity '2'
option ipv6_enabled '0'
option ipset_enabled '1'
option dnsmasq_enabled '0'
option strict_enforcement '1'
option enabled '1'
config policy
option interface 'wan'
option name 'DMZ HTTPS Server'
option local_ports '443'
option remote_addresses '0.0.0.0/0'
option remote_ports '0-65535'
option local_addresses '192.168.2.1/24'
The two rules for WAN and VPN are correctly created in the routing policy database:
$ ip rule
...
32752: from all fwmark 0x20000 lookup 202
32753: from all fwmark 0x10000 lookup 201
...
but the firewall rule to mark IP packets coming from 192.168.2.1/24 is not set. Looking at /var/log/messages, there is this error:
2018-12-28 00:43:49 notice [3138]: ERROR: iptables -t mangle -I VPR_PREROUTING 1 -j MARK --set-xmark 0x010000/0xff0000 -s 192.168.2.1/24 -p tcp -m multiport --sport 443 -d 0.0.0.0/0 -p tcp -m multiport --dport 0:65535 -m comment --comment DMZ_HTTPS_Server
When I run manually the iptables command reported in the error, I get:
iptables v1.6.1: multiple -p flags not allowed
Try `iptables -h' or 'iptables --help' for more information.