Exclude traffic for host in iptables tproxy rule?

[Klaaktu]

(I have edited the post to ask a different question, as the original one seems to be a dead end...)

When redirecting traffic from a device to sslocal with iptables, how to exclude those that are meant for the host?
I have sslocal and dnscrypt-proxy on an OpenWrt router. When I use these rules, the device is unable to obtain IP address through DHCP.

ip -{4|6} route add local default dev lo table 100
ip -{4|6} rule add fwmark 0x1 lookup 100
{iptables | ip6tables} -t mangle -A PREROUTING -m mac --mac-source <mac_address> -p {tcp | udp} -j TPROXY --on-port 60080 --tproxy-mark 0x1

For IPv4, I can use the private address of the router ! -d 192.168.1.1
But in IPv6, the br-lan interface only has a public IP address, and --out-interface can't be used in PREROUTING chain.

p.s. nftables might have some options that can help, but OpenWrt doesn't seem to have tproxy for nftables...

[Klaaktu]

old comment: nvm, it's not a good idea.
(original idea: a shadowsocks hotspot, and redirect only traffic from hotspot to sslocal redir)

[zonyitoo]

So what exactly problem did you encounter?

[Klaaktu]

@zonyitoo well... for starters it turns out my usb wifi adapter is incompatible with Ubuntu (AP can't be connected). When tested in Windows, I see that the connected device only gets a NAT'd IPv4 from a new subnet (together with the AP interface), and there is no IPv6 address.
Besides I do have a ubnt er-x router so I decided to install stuff on that...

[zonyitoo]

I couldn't provide any solution for you because I have no idea.

[Klaaktu]

I guess having no IP is normal. (The hotspot is meant to share the Internet of the host not act as a switch.)

[Klaaktu]

iptables -t mangle -A PREROUTING -p {tcp | udp} -m addrtype ! --dst-type LOCAL,BROADCAST -m mac --mac-source <mac_address> -j TPROXY --on-port 60080 --tproxy-mark 0x1

BROADCAST for excluding DHCPv4
OpenWrt needs kmod-ipt-tproxy, iptables-tproxy, iptables-mod-extra
Nintendo Switch doesn't seem to have IPv6 (no config, no show address, no link local correspond to mac) so didn't try ip6tables.
In addition, for OpenWrt, ip stuff is best put into /etc/config/network

config route
	option interface 'loopback'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option type 'local'
	option table '100'

config rule
	option mark '0x1'
	option lookup '100'

Now I just need to figure out why sslocal is not receiving anything with these rules...