I have setup a KVM host using a routed bridge (interface br0) where the virtual machines are connected. I can reach services inside the VMs on the bridge from the KVM host without problems. I can reach services on the bridged VMs from the internet (public zone) due to
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
I have added OpenVPN server to the KVM host (using tun0) and want to reach services on the bridged VMs from an OpenVPN client. This works if firewallD is shutdown but not with firewallD.
I tried adding tun0 to the internal zone and br0 to the dmz and enable https service (e.g.) on both, but no difference. HTTPS is only reachable from the public zone (internet).
I also tried various additional direct passthrough commands but to no avail. I guess there is something basic I overlook, but since I overlook it ...