This is an issue that has been puzzling me for some time, but I believe I now have a solution. In case it is of interest to others, here is a method I found to work. It should be possible to copy/paste the code below, but you will need to change the addresses used in the examples of course.
Let's say that we have defined a number of bridges, including:
br0 (set to 192.168.100.0/24)
br1 (set to 192.168.110.0/24)
br2 (set to 192.168.120.0/24)
br3 (set to 126.96.36.199/24)
And that our network gateway is 10.10.10.10
We have OpenVPN running, and it is configured to redirect all traffic to the tunnel.
The requirement is that we want br0, br1 & br3 traffic to be redirected, but br2 traffic to go direct to the Internet.
Step 1) Create a secondary routing table (called ETHER)
mkdir -p /etc/iproute2
echo -e "#\n\
# reserved values\n\
#\n\
255 local\n\
254 main\n\
253 default\n\
0 unspec\n\
#\n\
# local\n\
#\n\
#1 inr.ruhep\n\
# Our custom tables\n\
10 ETHER" >/etc/iproute2/rt_tables
Step 2) Add a rule to route br2 traffic to it
ip rule add from 192.168.120.0/24 table ETHER
Step 3) Add some routes to the ETHER table
ip route flush all table ETHER
ip route add 127.0.0.0/8 dev lo table ETHER
ip route add 192.168.120.0/24 dev br2 table ETHER
ip route add default via 10.10.10.10 dev vlan2 table ETHER
ip route flush cache
Step 4) Add a NAT rule for VLANs other than 0 that are to go down the tunnel
iptables -t nat -I POSTROUTING -s 192.168.110.0/255.255.255.0 -o tun11 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 192.168.130.0/255.255.255.0 -o tun11 -j MASQUERADE
(Step 4 may not be required in later builds if this has been fixed in rc/vpn.c per earlier posting)
That should be it. br2 traffic will go direct to the Internet, all other traffic will be redirected to the VPN tunnel.
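A way to audit the result of steps 1 to 3, as an added example that is not part of the original post: it checks that only the br2 subnet is sent to the ETHER table and that the table's default route does not use the tunnel. The function names and sample text are assumptions made for illustration; the sample output is constructed in the format printed by iproute2's `ip rule show` and `ip route show`.

```shell
#!/bin/sh
# Added example: audits policy-routing state for the split tunnel described above.
# Assumed names: check_rules, check_default, SAMPLE_* (constructed, not captured).
BYPASS_NET="192.168.120.0/24"   # br2 subnet from the post
TABLE="ETHER"                   # custom table from step 1
TUN_DEV="tun11"                 # OpenVPN device from step 4

# Reads `ip rule show` text on stdin.
# Returns 0: only BYPASS_NET is sent to TABLE; 1: rule missing;
#         2: some other source also uses TABLE (it would skip the VPN).
check_rules() {
    awk -v net="$BYPASS_NET" -v tbl="$TABLE" '
        { for (i = 1; i < NF; i++)
              if ($i == "lookup" && $(i + 1) == tbl) {
                  src = ""
                  for (j = 1; j < NF; j++) if ($j == "from") src = $(j + 1)
                  if (src == net) found = 1; else extra = 1
              } }
        END { if (extra) exit 2; if (!found) exit 1; exit 0 }'
}

# Reads `ip route show table ETHER` text on stdin.
# Returns 0: default route leaves via a non-tunnel device; 1: no default
# (lookup falls through to main, i.e. into the tunnel); 2: default uses TUN_DEV.
check_default() {
    awk -v tun="$TUN_DEV" '
        $1 == "default" { seen = 1
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == tun) viatun = 1 }
        END { if (!seen) exit 1; if (viatun) exit 2; exit 0 }'
}

# Constructed sample output matching the addresses used in the post.
SAMPLE_RULES="0: from all lookup local
32765: from 192.168.120.0/24 lookup ETHER
32766: from all lookup main
32767: from all lookup default"
SAMPLE_ROUTES="127.0.0.0/8 dev lo scope link
192.168.120.0/24 dev br2 scope link
default via 10.10.10.10 dev vlan2"

# On the router, replace the printf with `ip rule show` / `ip route show table ETHER`.
if printf '%s\n' "$SAMPLE_RULES" | check_rules; then echo "rules: ok"; else echo "rules: FAIL"; fi
if printf '%s\n' "$SAMPLE_ROUTES" | check_default; then echo "routes: ok"; else echo "routes: FAIL"; fi
```

A non-zero result from either function means the split does not match the stated requirement: either br2 traffic is still entering the tunnel, or another subnet is leaving outside it.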