In latest, negated firewall groups can be used, but the CLI is not clear:
vyos@vyos# set firewall name FOO rule 10 source group address-group
Possible completions:
<text> Group of addresses
NO_VPN_v4_BYPASS
VPN_v4_BYPASS
vyos@vyos# set policy route VPN_v4_BYPASS rule 10 destination group address-group
Possible completions:
<text> Group of addresses
NO_VPN_v4_BYPASS
VPN_v4_BYPASS
## Negated working
vyos@vyos# run show config comm | grep policy
set policy route VPN_v4_BYPASS rule 110 set table '100'
set policy route VPN_v4_BYPASS rule 110 source group address-group '!NO_VPN_v4_BYPASS'

A clearer CLI would be better, so users know that negated firewall groups can be used.