How to excempt a single ethernet client from VPN when VPN policies are already used otherwise?

GLrs · 2022-07-10T10:37:29.588Z

Hi,

MT-1300 here, FW 3.212 (or 3.215), VPN client connected, VPN policies already used for target-host based exceptions (Policy “Domain/IP”, Rules “Do not use for the following”). Additional Policy: “Use VPN for guest network” - disabled.

Is there an easy (e.g. GUI) way to excempt a single ethernet client from using the VPN?
Maybe by assigning it to GuestNet (no need for GuestNet-DHCP to be available)?

Already tried adding its LAN IP to VPN policies but (es expected) those are target exceptions, not source exceptions.

alzhao · 2022-07-13T10:22:36.441Z

The source exceptions you should use “mac based” policy.

GLrs · 2022-07-13T10:41:19.747Z

Thanks for replying.
But the challenge is this:

VPN policies already used for target-host based exceptions (Policy “Domain/IP”, Rules “Do not use for the following”)

So one could rephrase the question to: How can I use Domain/IP policies and MAC Address policies at the very same time?
GUI solution preferred but would edit some configs on the CL as well.

alzhao · 2022-07-13T10:55:03.484Z

I see. Then it is difficult from the UI.

For guest wifi, you can bridge one lan port with the guest wifi. Now all bind to private wifi.

Now eth0.1 is the lan interface and contains all the two ports.

You need to create eth0.3 for one port and then bridge it with guest wifi.

Have to try and see.

image573×542 10.5 KB

GLrs · 2022-07-13T12:03:41.653Z

…found an (mostly for myself*) better way to enable both lists at once:
I edited /etc/init.d/gl_route_policy to permanently set glconfig.route_policy.type to domain_bypass and mac_bypass.

1769×130 2.5 KB

Tested and working in firmware 3.212, should work in all similar firmwares.
.
* my solution completely disables VPN modes other than Do not use VPN for the following