Description:
Currently, GL.iNet routers allow MAC-based VPN policies and Policy-Based Routing (PBR) separately. Users may want to combine these features so that certain devices are routed through the VPN based on MAC address, while specific destinations (domains/IPs) bypass the VPN using PBR. See also the thread Issue with Policy-Based Routing not overriding NordVPN default route - #3 by 31SEfs1YROPc8fUVUb2z
Proposed Feature:
- Support simultaneous use of MAC-based VPN policies and domain/IP-based PBR routing.
- Allow traffic matching PBR rules to bypass the VPN, regardless of the device’s MAC-based policy.
- Ensure that default VPN routes do not override PBR rules.
Background/Context:
- Users configure GL.iNet routers with VPN clients (OpenVPN/WireGuard) and use MAC-based routing to selectively route devices through VPN.
- PBR is used to route traffic to specific destinations via WAN or VPN.
- Currently, default VPN routes override PBR rules, preventing selective bypass of the VPN for certain destinations.
Impact Analysis:
- Functionality: Users gain flexibility to combine device-based and destination-based routing rules.
- Performance: Expected minor impact; improves user control over routing.
- Integration: Requires coordination between MAC-based VPN policies and PBR engine.
- Security: No adverse impact; provides more granular routing control.
- Compliance: Facilitates network setups where selective routing may be required.
Acceptance Criteria:
- Users can configure MAC-based VPN policies alongside PBR rules.
- Traffic matching PBR rules always follows PBR-defined paths, bypassing VPN if specified.
- Traffic not matching PBR continues to follow MAC-based VPN policies.
- Default VPN routes no longer override PBR rules.
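The acceptance criteria above come down to rule precedence: a destination-based PBR bypass must be evaluated before the MAC-based VPN rule. The following is an added illustration, not GL.iNet firmware code; it assumes (hypothetically) that the MAC policy is realised as a packet mark keyed by source MAC and that PBR bypass is a destination-matched rule, modelled on Linux `ip rule` semantics with constructed MACs, prefixes and tables.

```python
"""Policy-routing model: does a PBR bypass rule beat a MAC-based VPN rule?

Added illustration, not GL.iNet firmware code. Assumes (hypothetically) the
MAC-based VPN policy is a packet mark keyed by source MAC, and the PBR bypass
is a destination-matched rule, as in Linux `ip rule`.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    pref: int                     # lower pref is evaluated first (ip rule semantics)
    table: str                    # routing table to look up on match
    fwmark: Optional[int] = None  # match packets carrying this mark
    dst: Optional[str] = None     # match destinations inside this prefix

# Constructed sample data: one device pinned to the VPN, two routing tables.
MAC_TO_MARK = {"aa:bb:cc:dd:ee:01": 0x1}
TABLES = {
    "vpn":  [("0.0.0.0/0", "wg0")],                                 # VPN default route
    "main": [("192.168.8.0/24", "br-lan"), ("0.0.0.0/0", "eth0")],  # LAN + WAN
}

def lookup(table, dst):
    """Longest-prefix match inside one table; None if the table has no route."""
    for prefix, iface in sorted(TABLES[table],
                                key=lambda e: -ipaddress.ip_network(e[0]).prefixlen):
        if dst in ipaddress.ip_network(prefix):
            return iface
    return None

def route(rules, src_mac, dst_ip):
    """Walk rules in pref order; the first rule whose table yields a route wins."""
    mark = MAC_TO_MARK.get(src_mac, 0)
    dst = ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.pref):
        if r.fwmark is not None and r.fwmark != mark:
            continue
        if r.dst is not None and dst not in ipaddress.ip_network(r.dst):
            continue
        iface = lookup(r.table, dst)
        if iface:                   # a failed lookup falls through to the next rule
            return iface
    return None

# Current behaviour from the request: the VPN rule sits in front of the PBR rule.
VPN_FIRST = [Rule(100, "vpn", fwmark=0x1), Rule(200, "main", dst="203.0.113.0/24"),
             Rule(32766, "main")]          # catch-all, like the kernel's default rule
# Desired behaviour: PBR bypass evaluated before the MAC-based VPN rule
# (equivalent to `ip rule add to 203.0.113.0/24 lookup main pref 50`).
PBR_FIRST = [Rule(50, "main", dst="203.0.113.0/24"), Rule(100, "vpn", fwmark=0x1),
             Rule(32766, "main")]
```

With `VPN_FIRST`, the pinned device's traffic to the bypass prefix still leaves via wg0; with `PBR_FIRST` it leaves via eth0 while everything else from that device keeps using the VPN.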
Attachments/Links:
- Mermaid schematic illustrating current network setup and routing policies:
Online FlowChart & Diagrams Editor - Mermaid Live Editor
