subj.: как?
Вероятно, нужно добиться, чтобы transmission-daemon был доступен только tun0-интерфейс?
root@GL-MT300N-V2:~# uname -a
Linux GL-MT300N-V2 4.4.92 #0 Tue Oct 17 17:46:20 2017 mips GNU/Linux
root@GL-MT300N-V2:~# ifconfig
br-lan Link encap:Ethernet HWaddr E4:95:6E:42:F7:36
inet addr:192.168.8.1 Bcast:192.168.8.255 Mask:255.255.255.0
inet6 addr: адрес Scope:Global
inet6 addr: адрес Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2364 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1156519 (1.1 MiB)
eth0 Link encap:Ethernet HWaddr E4:95:6E:42:F7:36
inet6 addr: адрес Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3089 errors:0 dropped:0 overruns:0 frame:0
TX packets:5124 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:805932 (787.0 KiB) TX bytes:1663570 (1.5 MiB)
Interrupt:5
eth0.1 Link encap:Ethernet HWaddr E4:95:6E:42:F7:36
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2364 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:1156519 (1.1 MiB)
eth0.2 Link encap:Ethernet HWaddr E4:95:6E:42:F7:36
inet addr:192.168.178.24 Bcast:192.168.178.255 Mask:255.255.255.0
inet6 addr: адрес Scope:Link
inet6 addr: адрес Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3083 errors:0 dropped:0 overruns:0 frame:0
TX packets:2746 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:749374 (731.8 KiB) TX bytes:484242 (472.8 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:75 errors:0 dropped:0 overruns:0 frame:0
TX packets:75 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:8238 (8.0 KiB) TX bytes:8238 (8.0 KiB)
ra0 Link encap:Ethernet HWaddr E4:95:6E:42:F7:36
inet6 addr: адрес Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:6
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:адрес P-t-P:адрес Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1277 errors:0 dropped:0 overruns:0 frame:0
TX packets:1071 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:398129 (388.7 KiB) TX bytes:166063 (162.1 KiB)
root@GL-MT300N-V2:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule 'glservice_rule'
option name 'glservice'
option dest_port '83'
option proto 'tcp udp'
option src 'wan'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'shadowsocks'
option type 'script'
option path '/var/etc/shadowsocks.include'
option reload '1'
config rule 'ssh_rule'
option name 'ssh'
option dest_port '22'
option proto 'tcp'
option src 'wan'
option target 'ACCEPT'
config rule 'rule_80'
option name '80'
option dest_port '80'
option proto 'tcp'
option src 'wan'
option target 'ACCEPT'
config rule 'transmission_tcp_rule'
option name 'tcp9091'
option dest_port '9091'
option proto 'tcp'
option src 'wan'
option target 'ACCEPT'
config rule 'transmission_udp_rule'
option name 'udp9091'
option dest_port '9091'
option proto 'udp'
option src 'wan'
option target 'ACCEPT'
config zone 'vpn_zone'
option name 'VPN_client'
option input 'ACCEPT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option network 'VPN_client'
config forwarding 'forwarding_vpn1'
option dest 'VPN_client'
option src 'lan'
config rule 'vpn_server_rule'
option name 'Allow-OpenVPN-Inbound'
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option dest_port '1194'
config zone 'vpn_server_zone'
option name 'vpn-server'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option device 'tun-SERVER'
config forwarding 'vpn_server_wan'
option src 'vpn-server'
option dest 'wan'
config forwarding 'vpn_server_lan'
option src 'vpn-server'
option dest 'lan'