Flint 2 Policy Based Routing Implementation

Within OpenWrt there is a LuCI app called Policy Based Routing which makes it very easy to route devices through VPNs with very granular control. An example with my setup: up to x.x.x.15 I have going through the WAN, as these are services on my server or just devices that don't need a VPN; the remainder of the subnet is then allocated through DHCP and routed through the VPN or outright blocked. I would like to replicate this through GL.iNet's firmware but have found no way to accomplish this. Routing via MAC address may be reliable for the router but a nightmare for devices, as 90% now have a security feature turned on automatically called randomized MAC address; VLANs and guest SSIDs would be way more work than using a new firmware would be worth.
I would assume a lot of people would want a new policy option that defaults to all outgoing traffic using the VPN but then selectively allows device IPs, not MACs, to use the WAN. Side note: yes, I know I can install OpenWrt apps, but that becomes a whole new battle when one side is fighting the other and conflicting.

That's my rant and question, thanks.
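For the WAN-versus-VPN split described in the post above, this is how that layout is expressed in the pbr package's UCI config on OpenWrt. It is an added example, not the poster's or the pbr project's own configuration; it assumes a 192.168.8.0/24 LAN, a WireGuard client interface named 'wgclient' and the upstream interface named 'wan'.

```uci
# /etc/config/pbr  (pbr / luci-app-pbr on OpenWrt 23.05 or 24.10)
# Assumed names: LAN 192.168.8.0/24, VPN interface 'wgclient', upstream 'wan'.

config pbr 'config'
	option enabled '1'
	# With strict enforcement, traffic for a policy whose target interface
	# is down (e.g. the tunnel drops) is blocked instead of leaking via WAN.
	option strict_enforcement '1'
	option verbosity '2'

# Static hosts .1-.15 (192.168.8.0/28 covers .0-.15): server services and
# devices that do not need the VPN go straight out of the WAN.
config policy
	option name 'Static hosts bypass VPN'
	option interface 'wan'
	option src_addr '192.168.8.0/28'
	option enabled '1'

# Everything else on the LAN (the DHCP pool) is forced through the tunnel.
# The /28 exception is listed first; which policy wins when several match
# depends on pbr's rule creation order, so confirm the result after reload.
config policy
	option name 'DHCP clients via VPN'
	option interface 'wgclient'
	option src_addr '192.168.8.0/24'
	option enabled '1'
```

After `/etc/init.d/pbr restart`, check `/etc/init.d/pbr status` to confirm the /28 hosts are mapped to wan and the rest of the subnet to the VPN interface; matching on source IP this way is unaffected by clients randomizing their MAC addresses.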


Having them mixed would be a big :+1:

Currently my IPTV wants full WAN, but I also want my gaming on the VPN with the ability to domain split-tunnel in case they block Mullvad again.

Though... I noticed lately split tunnels can also be a pain to debug. I noticed a kind of annoying issue between NextDNS and the Rockstar Games site: for Rockstar I route it through Tor via PBR, but Rockstar uses Cloudflare and NextDNS uses it too, so in a matter of time all Cloudflare IPs go unwanted over Tor. I could verify that on test.nextdns.io; that is one of the things which make my split tunnel broken, but I don't think that is fixable. For me it's still fine as long as the P2P traffic in these games has the VPN. :smile:

I've been trying to make PBR work with firmware OpenWrt 24.10.0-rc2 but no go. I set up my WireGuard VPN with global settings in the GL.iNet web UI, then set up AdGuard Home. Then I go to LuCI and install luci-app-pbr. I then go to Services > Policy Routing. Since I post a lot on OfferUp, I tried to set the OfferUp domain and IP to preroute to the WAN interface. No dice. I was able to do this in the GL.iNet web UI using Policy Mode: Based on Target Domain or IP, put the OfferUp domain and IP in the setting, then go to AdGuard Home and put the OfferUp IP in the DNS rewrite section. But the problem is, I want to exclude my PS5 and work laptop from using the VPN, and GL.iNet tech told me that you can only use one Policy Mode setting at a time. But he said that this is being worked on for firmware 4.8, so crossing fingers. Here's the email response:

"Yes, our VPN rules are either based on MAC addresses or based on domains; both cannot be selected. For the custom routing rule, it is to customize routes that go through the VPN; it is based on IP routes, not device or domain.

The only way is connecting those devices that bypass the VPN to the WAN side, while the LAN side still uses the VPN based on domains. We don't have a rule that can cover both at this moment; we are developing this function in our 4.8 firmware.

Best Regards

Bernard Lo

GL-iNET Technical Support."