Access LAN services through real IP with active VPN client

Hi,
Add these firewall rules to fix this:

uci set firewall.wan_in_conn_mark=rule
uci set firewall.wan_in_conn_mark.name='wan_in_conn_mark'
uci set firewall.wan_in_conn_mark.src='wan'
uci set firewall.wan_in_conn_mark.dest='*'
uci set firewall.wan_in_conn_mark.set_xmark='0x80000/0x80000'
uci set firewall.wan_in_conn_mark.target='MARK'
uci set firewall.wan_in_conn_mark.extra='-j CONNMARK --set-xmark 0x80000/0x80000'
uci set firewall.wan_in_conn_mark.enabled='1'
uci set firewall.lan_in_conn_mark_restore=rule
uci set firewall.lan_in_conn_mark_restore.name='lan_in_conn_mark_restore'
uci set firewall.lan_in_conn_mark_restore.src='lan'
uci set firewall.lan_in_conn_mark_restore.dest='*'
uci set firewall.lan_in_conn_mark_restore.set_xmark='0x80000/0x80000'
uci set firewall.lan_in_conn_mark_restore.target='MARK'
uci set firewall.lan_in_conn_mark_restore.extra='-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
uci set firewall.lan_in_conn_mark_restore.enabled='1'
uci set firewall.out_conn_mark_restore=rule
uci set firewall.out_conn_mark_restore.name='out_conn_mark_restore'
uci set firewall.out_conn_mark_restore.dest='*'
uci set firewall.out_conn_mark_restore.set_xmark='0x80000/0x80000'
uci set firewall.out_conn_mark_restore.target='MARK'
uci set firewall.out_conn_mark_restore.extra='-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-mark'
uci set firewall.out_conn_mark_restore.enabled='1'
uci commit firewall
/etc/init.d/firewall reload

To revert:

uci delete firewall.wan_in_conn_mark
uci delete firewall.lan_in_conn_mark_restore
uci delete firewall.out_conn_mark_restore
uci commit firewall
/etc/init.d/firewall reload

Basically, these rules will generate the following iptables items:

iptables -t mangle -A PREROUTING -i wlan-sta0 -p tcp -m comment --comment "!fw3: wan_in_conn_mark" -j CONNMARK --set-xmark 0x80000/0x80000
iptables -t mangle -A PREROUTING -i wlan-sta0 -p udp -m comment --comment "!fw3: wan_in_conn_mark" -j CONNMARK --set-xmark 0x80000/0x80000
iptables -t mangle -A PREROUTING -i br-lan -p tcp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: lan_in_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A PREROUTING -i br-lan -p udp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: lan_in_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A OUTPUT -p tcp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: out_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A OUTPUT -p udp -m connmark --mark 0x80000/0x80000 -m comment --comment "!fw3: out_conn_mark_restore" -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff

They mark wan incoming traffic with connmark 0x80000; when the traffic goes in the outgoing direction, the connmark (ctmark) is restored to the nfmark, and with mark 0x80000 it will go via route table 52, which does not use the VPN.