HowTo: Bypass VPN based on MAC and IP address in firmware 4.x (tested with MT-1300 (Beryl))

One shortfall of the GL-inet firmwares is that users have to decide if they want to bypass VPN based on client MAC or target IP address but cannot do both.

I modified /usr/bin/route_policy to be able to do both at the same time.
I do (ab)use image for this setup because few users will use VLANs and this way the webUI stays available to edit MAC- and IP-lists*. To edit either table select bypass based on MAC or IP and edit the table, after, switch back to bypass based on VLAN.

My modifications are solely between the lines “#***************************” (2 places), additionally I translated the comments to English.

HTH! (3.7 KB)

* can be done in the shell as well, edit /etc/config/vpnpolicy in that case


Thank you. We will consider merging your changes.

That’d be awesome (saved some effort to check/adapt scripts after each firmware update)!
Please keep the comments in English*, understandable basic doc really helps.

Best was IMO to insert my mod as the 5th option (making VLAN option 6).

I did not touch the functions reload_domain_firewall and reload_mac_firewall (only translated the comments) but instead added reload_combined_firewall as new function by copying the necessary lines from the aforementioned functions.
Same with the case selection “5” , I commented out the complete original.

So all one needed to do was insert Based on the Target Domain, Target IP or Client Device into the webUI as 5th option and uncomment the original “5”, renaming it to “6”.

Please find the suggested script attached as my contribution to your help. (3.7 KB)

* edit:
Or how about 2 lines of comments? 1st in Chinese for those developers who do not speak English and a 2nd line for ‘international’

Unfortunately, I don’t believe this will be merged soon, as it‘s quite different from the original design. While I understand that each mode should work together in cooperation, rather than one or the other. We can plan for this change after the team discusses and finds a suitable solution.

You can temporarily add the router_policy file to the backup file list of the configuration by going to
On the other hand, setting up VLAN related rules is more straightforward. You can do so by adding the relevant rules to /etc/firewall.user.