VPN Policies both MAC and Web address?

I want most devices to use the VPN, but some devices don't work well and some sites don't work well. I want to exclude those devices, and also those sites as well (so for all devices). By treating the list as an ‘exclusion’ list, I don’t see a conflict (one mode versus the other). Why not add MAC addresses and sites to the list? Example …

“Do not use VPN for the items in the list”
f8:54:b8:00:11:22 (mac device)
somehost.com (web site)

Meaning everything on the MAC address device will skip the VPN, and everything else also will skip the VPN for the website in question (on those other devices). Simple enough?

“Include” would be the inverse: include anything that qualifies by device or by web address. Current lists work the same, just using all MAC or all website, with no other changes needed.

Is there some way of doing this? The current firmware/software only uses a one-or-the-other-type filter.

Also noted (in another post), to make this useful: wildcards don’t work, so some sites are still problematic in that regard and need that as well. I assumed, for example, netflix.com would mean *.netflix.com, but it doesn’t, so wildcards would solve that.

The idea is great, however it is just difficult to do everything in one device.

At the beginning we had such a combination but eventually didn’t do it like this.

Maybe you can learn some iptables skills?

Not sure why it was removed, I guess. It would be a nice feature.

I’m familiar with iptables, and access via LuCI – but can you provide an example, specifically where the entry should be added? Thanks.

In LuCI, you can add it under Network -> Firewall.

An example iptables entry with this goal in mind?

Example: this command will reject the IP by name using iptables, blocking the address:

iptables -t filter -I INPUT -m string --algo bm --string blockme.com -j REJECT

But what settings would be used to allow (FORWARD?) the address but skip the VPN, i.e. allowing the site without using the VPN?

Sorry, I asked the developers and they said it is very complicated and cannot be achieved using a simple iptables command. So I have to give up.
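Editor's note, an added example that is not from any post in this thread and not the firmware's own code. On a plain OpenWrt box the mechanism behind "skip the VPN for these devices and these sites" is policy routing: packets are marked in the mangle table, by source MAC (`-m mac`) or by destination address taken from an ipset that dnsmasq fills when it resolves a listed domain (dnsmasq's `ipset=/domain/setname` option, which also covers subdomains, the wildcard behaviour asked for above), and a second routing table is looked up for marked packets. The script below takes a list in exactly the format proposed in the first post and prints the commands for it; it assumes the VPN interface is `tun0`, the WAN is `eth0` with gateway `192.0.2.1`, the LAN bridge is `br-lan`, mark `0x10`, table `100`, an ipset named `vpn_policy`, and that OpenWrt's dnsmasq reads `/etc/dnsmasq.conf` (all hypothetical values, change them for a real router). It handles both the "exclude" mode and the inverse "include" mode from the same list.

```shell
#!/bin/sh
# Added example: turn a mixed MAC/hostname list into fwmark policy-routing rules.
# Assumed (hypothetical) topology; adjust before use on a real router.
VPN_IF="${VPN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"
WAN_GW="${WAN_GW:-192.0.2.1}"
LAN_IF="${LAN_IF:-br-lan}"
MARK=0x10          # fwmark set on matching packets
TABLE=100          # routing table consulted for marked packets
SET=vpn_policy     # ipset that dnsmasq fills with resolved addresses

# Constructed list in the format the first post proposes (MACs and hosts mixed).
BYPASS_LIST='f8:54:b8:00:11:22
somehost.com
# comments and blank lines are ignored
netflix.com'

is_mac()  { printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
is_host() { printf '%s\n' "$1" | grep -Eiq '^[a-z0-9.-]+\.[a-z]{2,}$'; }

# Print the one command that makes a single list entry match, or fail on junk.
rule_for_entry() {
  entry=$1
  case "$entry" in
    ''|'#'*) return 0 ;;                       # blank line or comment
  esac
  if is_mac "$entry"; then
    # All traffic from this client gets the mark, whatever the destination.
    printf 'iptables -t mangle -A VPN_POLICY -m mac --mac-source %s -j MARK --set-mark %s\n' \
      "$entry" "$MARK"
  elif is_host "$entry"; then
    # dnsmasq adds every address it resolves for the domain AND its subdomains
    # to the ipset; the generic ipset rule in build_policy marks those flows.
    printf "echo 'ipset=/%s/%s' >> /etc/dnsmasq.conf\n" "$entry" "$SET"
  else
    printf 'skipping malformed entry: %s\n' "$entry" >&2
    return 1
  fi
}

# Print the full rule set. mode=exclude: default traffic uses the VPN, matches
# are steered out the WAN. mode=include: the inverse, matches go via the VPN.
build_policy() {
  mode=$1
  list=$2
  case "$mode" in
    exclude) via="via $WAN_GW dev $WAN_IF" ;;
    include) via="dev $VPN_IF" ;;
    *) echo "mode must be exclude or include" >&2; return 1 ;;
  esac
  cat <<EOF
ip route replace default $via table $TABLE
ip rule add fwmark $MARK lookup $TABLE
ipset create $SET hash:ip -exist
iptables -t mangle -N VPN_POLICY
iptables -t mangle -I PREROUTING -i $LAN_IF -j VPN_POLICY
iptables -t mangle -A VPN_POLICY -m set --match-set $SET dst -j MARK --set-mark $MARK
EOF
  printf '%s\n' "$list" | while IFS= read -r entry; do
    rule_for_entry "$entry" || true          # a bad line is reported, not fatal
  done
  echo "/etc/init.d/dnsmasq restart"
}

# Stand-alone use: ./vpn_policy.sh [exclude|include]  (prints, does not apply)
build_policy "${1:-exclude}" "$BYPASS_LIST"
```

Review the printed commands, then pipe them to `sh` on the router. The ipset rule is what makes a host entry apply to every device, while a MAC entry applies to every destination, which is the semantics the first post describes; `--mac-source` only works on the LAN-facing hop, which is why the chain hangs off `PREROUTING -i br-lan`.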
