What actually surprises me a bit is that mesh-on-wan with VXLAN works. When doing a $ iptables -S | grep 6696 in my KVM setup with no wifi interface I get no results. So I'm wondering if it works by accident, if VXLAN by accident is less strict than mesh-on-wan without VXLAN (zone "wired_mesh" rejects INPUT and FORWARD, but I don't see a zone for "wired_mesh_vxlan").

There are rules "mesh_babel" and "mesh_l3roamd" for zone "mesh" (which I believe is wireless only?). But I don't see such babel/l3roamd rules for zone "wired_mesh".

With Babel, there is no way to distinguish mesh and non-mesh traffic on the same interface by the packet type, so this simply cannot work - after all, mesh traffic must never leak into the WAN network for security reasons!

Non-VXLAN wired meshing is deprecated for batadv, and was never intended to be possible with Babel at all. It is a bug in our site checkers that it is possible to build a Babel-based firmware with vxlan = false.

Note that the reason for the behavior you're seeing is that all mesh traffic through WAN will be filtered by the regular WAN zone with Babel (blocking most of it), while batadv uses a non-IP Ethertype which bypasses the firewall entirely.

If babel doesn't explicitly needs it's own VLAN another idea might be to use a macvlan then if vxlan is off

#2376 is merged now, so I'm closing this.