Hello,
I'm running 2 VRRP routers, that have some VLANS configured. See the interfaces: But now I've got a problem when setting up firewall rules.
In the forward chain I'm trying to match against the output interface (which actually should be vrrp62), but I've noticed that some packets are using vlan62 and others are using vrrp62 as output interface.

I wonder how this happens? This way I'd need to setup all rules twice.

I guess this is caused because the route list has a dynamic route entry for each interface: vlan62 and vrrp62 which cannot be deactivated nor deleted.

A possible workaround:
Use the mangle rules to add a mark to all packets matching vlan62 and vrrp62. On the filter table use this mark instead of the output interface to match packets. But that doesn't feel like a real solution to me, more like a dirty workaround

Did you by any chance miss this?

Note: address on VRRP interface must have /32 netmask if address configured on VRRP is from the same subnet as on router's any other interface.

I've indeed missed this... And it makes so much sense! Thanks!