When I use Mullvad with NextDNS enabled (I also checked the override DNS checkbox) and rebind protection off, and I go to VPN Policies, enable VPN Policy, select Use VPN for all processes on the router, and then in the dropdown select Do not use VPN for the items in the list, if I type a website into it, do ipconfig /flushdns, and clear the browser's DNS cache in brave://net-internals/#dns, for some reason the website always times out for me.
I also changed the conntrack to a high number, but that doesn't fix it; it seems the bypass works but then it goes into a firewall dropped state.
-EDIT-
I think I might have found the problem. I believe it does work: I just entered example.com in the filter and this one comes through (but it failed after I opened an anonymous window while checking further), but when I put in watismijnip.nl it gives me a dropped connection and says connection reset, and when I do the same with google.com it says connection ended. The strangest thing is that when I use nslookup I do resolve an IP, and at rare times I also get dns_probe_possible even after I flush in Brave and in Windows.
I encountered a similar issue with version 4 (beta). The VPN domain bypass is not working when you have VLANs in the mix. The policy works on the bridge (br-lan) device, but when you add bridge VLAN filtering and change the interface device setting to br-lan.(vlan id), the VPN policy bypass doesn't work at all. It appears that the VLAN segmentation doesn't work well with the VPN bypass policy table.
It would be nice to have this capability. I hope Gl-inet addresses this issue in the 4.0 stable release.
You are 100% right. I just checked the script; it's only doing things for br-lan and the guest interface as far as I can see. I manually added these via iptables rules, but I hope it can be added in the future (I had a lot of trouble with cloudfront.net and Mullvad on a certain site):
# Mark packets from wlan0 whose destination IP is in the bypass_vpn_domain ipset with the bypass mark
iptables -t mangle -I ROUTE_POLICY -i wlan0 -m set --match-set bypass_vpn_domain dst -j MARK --set-mark 0x80000/0x80000
# Mark DNS from wlan0 (TCP and UDP port 53) with the DNS mark
iptables -t mangle -I ROUTE_POLICY -i wlan0 -p tcp --dport 53 -j MARK --set-mark 0x100000/0x100000
iptables -t mangle -I ROUTE_POLICY -i wlan0 -p udp --dport 53 -j MARK --set-mark 0x100000/0x100000
Edited: this is for MAC:
# Redirect TCP DNS from clients whose MAC is in the bypass_vpn_mac ipset to 192.168.1.1 (your WAN IP)
iptables -t nat -A ROUTE_POLICY -i wlan0 -m set --match-set bypass_vpn_mac src -p tcp --dport 53 -j DNAT --to 192.168.1.1
I'm not 100% sure if it works, but it seems it does. You can replace wlan0 with other interfaces, but I need to check longer whether it really works, since I'm dealing with a CloudFront domain which keeps changing its DNS entries.
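The following is an added example, not code from the thread or from GL.iNet's own policy script. It turns the rules posted above into a small sh script for the router: it prints (or, with --apply, runs) the same three mangle marks and the nat DNAT rule for every interface you list, so bridge-VLAN sub-interfaces such as br-lan.10 from the earlier reply are covered too, and a --status mode shows the ipset members, the current resolution of a host, and the per-rule counters, which is the quickest way to see whether a CloudFront IP that keeps changing is actually in the set. Assumptions: the chain name ROUTE_POLICY, the ipsets bypass_vpn_domain and bypass_vpn_mac, and the two mark values are copied from the posted rules and not verified; an existing ip rule that routes 0x80000-marked traffic around the VPN is assumed, as the posted rules already rely on it; DNS_DNAT (default 192.168.1.1) is a placeholder to override; the UDP port-53 DNAT is my addition, since the poster's MAC rule only covered TCP.

```shell
#!/bin/sh
# Added example: generate/apply VPN-bypass marking rules for several LAN-side
# interfaces (br-lan, br-lan.<vlan>, wlan0, ...). Not GL.iNet's script.
#
# Assumed from the thread (not verified here): chain ROUTE_POLICY in the
# mangle and nat tables, ipsets bypass_vpn_domain (dst IPs) and
# bypass_vpn_mac (src MACs), and an ip rule that sends fwmark 0x80000
# traffic around the VPN.
CHAIN="ROUTE_POLICY"
DOMAIN_SET="bypass_vpn_domain"
MAC_SET="bypass_vpn_mac"
MARK_BYPASS="0x80000/0x80000"
MARK_DNS="0x100000/0x100000"
DNS_DNAT="${DNS_DNAT:-192.168.1.1}"   # placeholder: address DNS is redirected to

# Print the rules for one interface, one iptables command per line.
bypass_rules_for() {
    iface="$1"
    # Destination in the domain ipset -> bypass mark (same as the posted rule).
    printf 'iptables -t mangle -I %s -i %s -m set --match-set %s dst -j MARK --set-mark %s\n' \
        "$CHAIN" "$iface" "$DOMAIN_SET" "$MARK_BYPASS"
    for proto in tcp udp; do
        # DNS over TCP and UDP gets the DNS mark, as in the posted rules.
        printf 'iptables -t mangle -I %s -i %s -p %s --dport 53 -j MARK --set-mark %s\n' \
            "$CHAIN" "$iface" "$proto" "$MARK_DNS"
        # DNS from MAC-bypassed clients is redirected. The post only had TCP;
        # UDP is added here because resolvers normally try UDP first.
        printf 'iptables -t nat -A %s -i %s -m set --match-set %s src -p %s --dport 53 -j DNAT --to %s\n' \
            "$CHAIN" "$iface" "$MAC_SET" "$proto" "$DNS_DNAT"
    done
}

# Print the rules for every interface given as an argument.
gen_bypass_rules() {
    for iface in "$@"; do
        bypass_rules_for "$iface"
    done
}

# Run each generated command; needs root and the chains/ipsets above.
# Stops at the first failing command and returns non-zero.
apply_bypass_rules() {
    gen_bypass_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Inspect the live state: set members, what the host resolves to right now,
# and whether the rules see any packets. Needs root; output is for reading.
show_bypass_status() {
    host="$1"
    echo "== members of $DOMAIN_SET =="
    ipset list "$DOMAIN_SET" 2>/dev/null | sed -n '/^Members:/,$p'
    echo "== nslookup $host (is this address in the set above?) =="
    nslookup "$host" 2>&1
    echo "== mangle $CHAIN counters (pkts/bytes per rule) =="
    iptables -t mangle -vnL "$CHAIN" 2>/dev/null
}

# Usage:  sh bypass.sh br-lan br-lan.10            # print the rules
#         sh bypass.sh --apply br-lan br-lan.10    # apply them (root)
#         sh bypass.sh --status example.com        # check set, DNS, counters
case "${1:-}" in
    --apply)  shift; apply_bypass_rules "$@" ;;
    --status) show_bypass_status "${2:-example.com}" ;;
    "")       gen_bypass_rules br-lan ;;
    *)        gen_bypass_rules "$@" ;;
esac
```

Two things to keep in mind when applying: the mangle rules use -I, so they are inserted at the top of ROUTE_POLICY ahead of the firmware's own br-lan/guest rules, and running the script twice without flushing simply duplicates them, so check with iptables -t mangle -S ROUTE_POLICY first. Also, if the ipset holds a stale address for a CDN host, the --status output will show the nslookup answer missing from the Members list, which is exactly the symptom of a bypass that "works" for one page and not the next.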