In latest, negated firewall groups can be used, but the CLI is not clear:
vyos@vyos# set firewall name FOO rule 10 source group address-group
Possible completions:
  <text>    Group of addresses
  NO_VPN_v4_BYPASS
  VPN_v4_BYPASS

vyos@vyos# set policy route VPN_v4_BYPASS rule 10 destination group address-group
Possible completions:
  <text>    Group of addresses
  NO_VPN_v4_BYPASS
  VPN_v4_BYPASS

## Negated working
vyos@vyos# run show config comm | grep policy
set policy route VPN_v4_BYPASS rule 110 set table '100'
set policy route VPN_v4_BYPASS rule 110 source group address-group '!NO_VPN_v4_BYPASS'
A clearer CLI would be better, so users know that negated firewall groups can be used.