Dual WAN policy-based routing by IP, and User Manager for VPN

hi
I have two internet connections (Starlink and VDSL), and I configured a MikroTik to run the scenarios below.
I want to know whether I can configure the Flint 2 to run these scenarios together.
Scenario 1 = policy-based routing on destination IP address => I want to import 100 IP address ranges; if the destination IP address matches the imported list, traffic goes out through VDSL, otherwise it goes out through Starlink.
Scenario 2 = set up a WireGuard server on the Flint 2 => I want to run a VPN server on the router with multiple VPN clients on phones or laptops, so that a VPN client can reach Starlink through VDSL. I also need to restrict VPN users by monthly GB of download.
this is more detailed info for mikrotik

is it possible with openwrt?

Hi,

I assume both are supported, but you may need to learn how to set up the routing over SSH.

Scenarios 1 and 2 can both be met by configuring the routing with SSH commands on the GL router.

I agree that both scenarios are supported somehow but that's the point: somehow

100 IP ranges will be a pain to add, at least using luci or the plain GUI. Using SSH should be at least working OK. Connecting VPN -> VDSL -> StarLink will be more difficult; not even sure if this asymmetric routing is possible... and if yes, I don't know how.

Not possible by default, you will need to get some OpenWrt plugins for that.

All in all I would like to say: If your MikroTik is doing a great job ... stay with it.

this is mikrotik exported configuration:

2024-07-13 10:05:52 by RouterOS 7.15.2

software id = AXJY-XK5P

model = C52iG-5HaxD2HaxD

serial number = HE608QHEK6C

# Create the LAN bridge and rename the three wired ports by role.
# ETH1-IR and ETH2-Star are the two uplinks (each gets a DHCP client further down);
# ETH3-Home becomes a member of the HomeAndWiFi bridge.
/interface bridge
add name=HomeAndWiFi
/interface ethernet
set [ find default-name=ether1 ] name=ETH1-IR
set [ find default-name=ether2 ] name=ETH2-Star
set [ find default-name=ether3 ] name=ETH3-Home
# Imported OpenVPN client profile; disabled=yes, so it is not dialing out in this export.
# NOTE(review): the four lines after the section header are one `add` command; the
# trailing line-continuation backslashes appear to have been lost when it was pasted.
# verify-server-certificate=yes makes the client validate the server certificate; keep it on.
# cipher=aes128-cbc with auth=sha256 is a CBC+HMAC suite; prefer a GCM cipher if the
# remote server offers one (TODO confirm what the provider supports).
# NOTE(review): the user= value is a provider account name and is published here in clear
# text; treat it as exposed and redact it from any export that is shared publicly.
/interface ovpn-client
add auth=sha256 certificate=cert_ovpn-import1720784395 cipher=aes128-cbc
connect-to=metalinjection.us disabled=yes mac-address=FE:1A:EB:24:93:DB
name=ovpn-import1720784395 port=8041 protocol=udp user=
ROUISKMGPUOUIA0BPVHHXZZ6SQFGDGMT verify-server-certificate=yes
# Two physical radios in AP mode (Home2Ghz / Home5Ghz) plus one virtual "Guests" AP on
# each radio (master-interface=5Ghz and master-interface=2Ghz).
# NOTE(review): no security.* setting (authentication type) is visible on any of the four
# interfaces. An export hides passphrases by default, but a configured authentication type
# would normally still be printed, so confirm on the device that none of these SSIDs is open.
# NOTE(review): the virtual APs are named wifi1/wifi2, the same strings used as the radios'
# default-name values above; the bridge filter rules later match on these names.
/interface wifi
set [ find default-name=wifi2 ] configuration.mode=ap .ssid=Home2Ghz
disabled=no name=2Ghz
set [ find default-name=wifi1 ] configuration.mode=ap .ssid=Home5Ghz
disabled=no name=5Ghz
add configuration.ssid=Guests disabled=no mac-address=4A:A9:8A:6C:93:0E
master-interface=5Ghz name=wifi1
add configuration.ssid=Guests disabled=no mac-address=4A:A9:8A:6C:93:0F
master-interface=2Ghz name=wifi2
# WireGuard interface for the WARP tunnel. No private-key appears here; presumably the
# export was taken without show-sensitive, so the key is simply hidden (TODO confirm).
/interface wireguard
add listen-port=50524 mtu=1420 name=WARP
# Declare the WAN and LAN interface lists; members are assigned under
# /interface list member.
/interface list
add name=WAN
add name=LAN
# Address pools: HomeDHCP for the LAN bridge, OpenVPN for remote-access clients.
/ip pool
add name=HomeDHCP ranges=192.168.10.5-192.168.10.250
add name=OpenVPN ranges=10.100.0.5-10.100.0.250
# One DHCP server on the bridge. The guest virtual APs are ports of the same bridge,
# so guests draw from the same pool as home devices.
/ip dhcp-server
add address-pool=HomeDHCP interface=HomeAndWiFi name=Home_Network
# Profile applied to OpenVPN users: router side is 10.100.0.1, clients get an address
# from the OpenVPN pool and are handed 1.1.1.1 as resolver.
/ppp profile
add dns-server=1.1.1.1 local-address=10.100.0.1 name=VPN-PROFILE
remote-address=OpenVPN use-encryption=yes use-ipv6=no
# Extra routing tables used for policy routing. Only WARP is referenced by the mangle
# rules in this export; the Starlink table's only route is disabled.
/routing table
add disabled=no fib name=Starlink
add disabled=no fib name=WARP
add disabled=no fib name=OVPN
# Guest isolation at layer 2: drop every frame the bridge would forward to or from the
# guest virtual APs (wifi1, wifi2).
# NOTE(review): these rules cover the bridge *forward* chain only. Frames addressed to the
# router itself take the bridge input chain and then the IP stack, so guests still reach
# the router's address and anything it routes. Guests also share 192.168.10.0/24 with home
# devices. If guests must be kept away from the router's services and the VPN subnet,
# place them on a separate bridge/VLAN and add IP firewall rules.
/interface bridge filter
add action=drop chain=forward in-interface=wifi1
add action=drop chain=forward out-interface=wifi1
add action=drop chain=forward in-interface=wifi2
add action=drop chain=forward out-interface=wifi2
# Bridge membership: the wired home port, both radios and both guest APs.
/interface bridge port
add bridge=HomeAndWiFi interface=ETH3-Home
add bridge=HomeAndWiFi interface=2Ghz
add bridge=HomeAndWiFi interface=5Ghz
add bridge=HomeAndWiFi interface=wifi1
add bridge=HomeAndWiFi interface=wifi2
# NOTE(review): !dynamic enables neighbor discovery on every non-dynamic interface, which
# includes both uplink ports, so the router announces itself towards the ISPs. Restricting
# this to the LAN list would limit the announcements to the home side.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# IPv6 is turned off globally, so no IPv6 firewall is needed while this stays set.
/ipv6 settings
set disable-ipv6=yes
# NOTE(review): only ETH1-IR is in WAN; ETH2-Star and the WARP tunnel belong to no list.
# Nothing in this export matches on the lists yet, but any rule written against
# in-interface-list=WAN would not cover the Starlink port or the tunnel.
/interface list member
add interface=ETH1-IR list=WAN
add interface=HomeAndWiFi list=LAN
# OpenVPN server, enabled, presenting certificate "Server" and applying VPN-PROFILE.
# NOTE(review): auth=sha1,sha512 still lets a client negotiate SHA-1 for the HMAC, and the
# cipher list is CBC-only. Drop sha1 and prefer a GCM cipher if every client supports it.
# NOTE(review): require-client-certificate is not printed; exports omit default values, so
# it is presumably off and logins rely on the /ppp secret username and password alone.
# Confirm, and consider requiring client certificates.
# NOTE(review): no /ip firewall filter section appears in this export, so nothing visible
# limits which source addresses can reach the listener.
/interface ovpn-server server
set auth=sha1,sha512 certificate=Server cipher=
aes128-cbc,aes192-cbc,aes256-cbc default-profile=VPN-PROFILE enabled=yes
# Single WARP peer. allowed-address=0.0.0.0/0 lets any destination be sent into the
# tunnel; which traffic actually enters it is decided by the mangle rules and the WARP
# routing table. The public-key value is the peer's public key, not a secret.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=162.159.192.1 endpoint-port=
2408 interface=WARP name=CloudFlare public-key=
"bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo="
# Router addresses: 192.168.10.1 on the LAN bridge, 172.16.0.2 on the WARP tunnel.
/ip address
add address=192.168.10.1/24 interface=HomeAndWiFi network=192.168.10.0
add address=172.16.0.2 interface=WARP network=172.16.0.2
# Both uplinks take their address by DHCP. ETH1-IR is told not to install a default
# route; ETH2-Star uses the client's defaults.
/ip dhcp-client
add add-default-route=no interface=ETH1-IR
add interface=ETH2-Star
# LAN clients are handed public resolvers directly. Neither resolver is in the
# Iran-Local list, so LAN DNS queries match the mangle rule and are marked for the
# WARP table.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.10.1
# Iran-Local: destinations that are exempt from WARP policy routing (the mangle rules
# match on !Iran-Local). It mixes private LAN ranges with public prefixes.
# NOTE(review): the OpenVPN pool 10.100.0.0/24 is not listed, so LAN traffic addressed to a
# VPN client appears to be marked for the WARP table instead of reaching the client;
# confirm whether LAN-to-VPN-client reachability is wanted.
# NOTE(review): several entries carry no comment, so their origin cannot be checked from
# the export. A hand-maintained static list goes stale; record a source per entry and
# review it periodically.
/ip firewall address-list
add address=104.19.223.79 list=Iran-Local
add address=104.19.222.79 list=Iran-Local
add address=192.168.1.0/24 list=Iran-Local
add address=192.168.10.0/24 list=Iran-Local
add address=192.168.8.0/24 list=Iran-Local
add address=217.219.204.0/24 comment="Iran (Islamic Republic of)" list=
Iran-Local
add address=217.219.205.64/26 comment="Iran (Islamic Republic of)" list=
Iran-Local
add address=217.219.205.128/25 comment="Iran (Islamic Republic of)" list=
Iran-Local
add address=217.219.206.0/23 comment="Iran (Islamic Republic of)" list=
Iran-Local
add address=217.219.208.0/20 comment="Iran (Islamic Republic of)" list=
Iran-Local
add address=217.219.224.0/19 comment=Arvan-Cloud list=Iran-Local
add address=94.182.182.28/30 list=Iran-Local
add address=94.101.182.0/27 list=Iran-Local
add address=92.114.16.80/28 list=Iran-Local
add address=188.229.116.16/29 list=Iran-Local
add address=185.228.238.0/28 list=Iran-Local
add address=94.182.153.24/29 list=Iran-Local
add address=2.144.3.128/28 list=Iran-Local
add address=89.45.48.64/28 list=Iran-Local
add address=37.32.16.0/27 list=Iran-Local
add address=37.32.17.0/27 list=Iran-Local
add address=37.32.18.0/27 list=Iran-Local
add address=37.32.19.0/27 list=Iran-Local
add address=185.215.232.0/22 list=Iran-Local
add address=109.230.200.48/29 list=Iran-Local
add address=12.202.180.120 list=Iran-Local
add address=185.147.178.14 comment="Iran (Islamic Republic of) manual" list=
Iran-Local
add address=185.143.233.0/24 list=Iran-Local
# Policy routing: anything from the OpenVPN pool or the LAN whose destination is NOT in
# Iran-Local gets routing mark WARP and is therefore looked up in the WARP table.
# NOTE(review): nothing here fails closed. If the WARP route goes inactive, marked traffic
# presumably falls through to the main table and leaves via the main default route without
# the tunnel. If that must not happen, add a routing rule with action=lookup-only-in-table
# for this mark, or a higher-distance blackhole route in the WARP table. TODO confirm the
# fallback behaviour on this RouterOS version.
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=!Iran-Local
new-routing-mark=WARP passthrough=yes src-address=10.100.0.0/24
add action=mark-routing chain=prerouting dst-address-list=!Iran-Local
new-routing-mark=WARP passthrough=yes src-address=192.168.10.0/24
# Source NAT: one masquerade rule per (egress interface, inside subnet) pair for the LAN
# (192.168.10.0/24) and the OpenVPN pool (10.100.0.0/24).
# NOTE(review): these rules translate addresses only. No /ip firewall filter section
# appears in this export, so no input or forward filtering is visible on either uplink,
# and masquerade by itself does not protect the router's own services.
# The line "ovpn-import1720784395 not ready" below looks like an annotation the exporter
# emitted as a comment (its leading # presumably lost in the paste): the rule after it
# references the disabled OpenVPN client interface.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ETH1-IR src-address=
192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ETH2-Star src-address=
192.168.10.0/24
add action=masquerade chain=srcnat out-interface=ETH2-Star src-address=
10.100.0.0/24
add action=masquerade chain=srcnat out-interface=ETH1-IR src-address=
10.100.0.0/24
add action=masquerade chain=srcnat out-interface=WARP src-address=
10.100.0.0/24
add action=masquerade chain=srcnat out-interface=WARP src-address=
192.168.10.0/24

ovpn-import1720784395 not ready

add action=masquerade chain=srcnat out-interface=ovpn-import1720784395
src-address=192.168.10.0/24
# Static routes, in order:
#  - Starlink table: default via 192.168.1.1 (disabled=yes, so the table is empty)
#  - WARP table: default via the WARP tunnel interface
#  - main table: host route to the WARP endpoint 162.159.192.1 via 192.168.1.1, which
#    pins the tunnel's own packets to that gateway
#  - OVPN table: default via the (disabled) OpenVPN client interface
#  - main table: default via ETH2-Star
# NOTE(review): the WARP and OVPN tables each hold only a default route, with no blackhole
# or unreachable fallback; see the mangle rules for the consequence when a tunnel is down.
/ip route
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1
routing-table=Starlink scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WARP routing-table=
WARP scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=162.159.192.1/32 gateway=192.168.1.1
routing-table=main suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=ovpn-import1720784395
routing-table=OVPN suppress-hw-offload=no
add comment=sia disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
ETH2-Star routing-table=main scope=30 suppress-hw-offload=no
target-scope=10
# Management services switched off: telnet, ftp, www, ssh, api, api-ssl.
# NOTE(review): winbox is not listed. Exports omit settings left at their defaults, so it
# is presumably still enabled and becomes the only management path. With no
# /ip firewall filter rules visible in this export, confirm it is not reachable from either
# uplink: restrict it with the service's address= setting (for example to 192.168.10.0/24)
# and add input-chain filter rules.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Three OpenVPN user accounts bound to VPN-PROFILE. No password fields are printed,
# presumably because the export was taken without show-sensitive (TODO confirm).
# NOTE(review): the account names are still published here. Combined with a password-only
# OpenVPN login they give an attacker valid usernames to guess against, so use long random
# passwords and consider requiring client certificates.
/ppp secret
add name=Sia profile=VPN-PROFILE service=ovpn
add name=asadi profile=VPN-PROFILE service=ovpn
add name=jay profile=VPN-PROFILE service=ovpn
# Time zone and login note. Accurate time matters for certificate validity checks on
# both OpenVPN endpoints.
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system script
add dont-require-permissions=no name=change owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"for "