Hi all. Thanks for checking in. I’ve been looking at Routing Rules and Routes to try and solve a couple of problems but I keep screwing up and taking down my whole network (and I’ve never been more grateful for serial ports).

What I’m trying to do is use different WAN connections for different VLANs/subnets. To begin with, I would like to route my general-purpose subnet (VLAN104) WAN traffic over a Proton Wireguard VPN while leaving all my other subnets using my standard ISP connection. Afterwards, I’d like to additionally route a subnet I use to give my neighbour Internet access (VLAN102) over a different Proton Wireguard VPN. Annoyingly, both the Wireguard VPN connections use the same private IP addresses, though I suspect that won’t actually matter that much in practice.

I’m starting to suspect I’m barking up the wrong tree trying to use Routing Rules, but I’d appreciate any advice.

  • sneaky@r.nf · 4 months ago

    So, not OpenWrt, but I just did this with Omada software and was similarly confused. The step I missed was creating IP Groups. Policy routing is correct, but I wasn’t able to policy route VLANs. I had to create IP Groups that corresponded to the VLANs and then policy route the IP Groups.

  • sloppy_diffuser@sh.itjust.works · 4 months ago (edited)

    So, I don’t use OpenWRT (for main router), but generally in each vlan you will need:

    • The WG interface in that vlan so all hosts can send their traffic to it.
    • DHCP server that sends the WG (local side IP) as the default route. Can also set statically on all devices. When a device on that vlan wants to send a packet to the internet it will do an ARP request for the local vlan IP then forward the IP packet to the router.
    • You will need to do some NAT as you have many private IPs for your devices in the vlan mapped to one IP given through WG. Packets that hit the WG interface should be forwarded down the tunnel with a translated source address of the local WG IP and whatever ports are in use publicly. Return packets reverse this operation.
    • Repeat for additional vlans.
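An OpenWrt configuration for the first part of the question (VLAN104 out through a WireGuard tunnel, every other subnet out through the ISP), added here as an example and not taken from either post above; it uses source-based routing rules rather than a per-VLAN gateway. Every name and value in it (wg104, table 104, 192.168.104.0/24, the lan104 zone, the tunnel address, the endpoint and the keys) is an assumption to replace with your own.

```uci
# /etc/config/network (constructed example; names, subnet, keys and endpoint are placeholders)
# Tunnel for VLAN104. route_allowed_ips is left at 0 so the 0.0.0.0/0 entry
# below does NOT get installed into the main table and hijack every subnet.
config interface 'wg104'
	option proto 'wireguard'
	option private_key 'PLACEHOLDER_PRIVATE_KEY'
	list addresses '10.2.0.2/32'     # tunnel address issued by the provider

config wireguard_wg104
	option public_key 'PLACEHOLDER_SERVER_PUBLIC_KEY'
	option endpoint_host 'vpn.example.invalid'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '0'
	option persistent_keepalive '25'

# Default route that exists only in routing table 104.
config route 'wg104_default'
	option interface 'wg104'
	option target '0.0.0.0/0'
	option table '104'

# Keep VLAN104 -> other local subnets on the normal path: this rule runs first.
config rule 'vlan104_local'
	option src '192.168.104.0/24'
	option dest '192.168.0.0/16'
	option lookup 'main'
	option priority '10300'

# Everything else sourced from VLAN104 consults table 104 (the tunnel);
# all other subnets never match and keep the ISP default route.
config rule 'vlan104_via_wg'
	option src '192.168.104.0/24'
	option lookup '104'
	option priority '10400'

# /etc/config/firewall
config zone
	option name 'wg104'
	list network 'wg104'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'        # NAT the VLAN104 private addresses onto the tunnel IP
	option mtu_fix '1'

config forwarding
	option src 'lan104'    # zone that already holds the VLAN104 interface
	option dest 'wg104'
```

If wg104 drops, table 104 becomes empty and the lookup falls through to the main table, so VLAN104 would silently fall back to the ISP; add an unreachable route with a higher metric to table 104 if that subnet must fail closed. The second tunnel for VLAN102 is the same pattern with its own interface, table, rules and zone, and the duplicate private tunnel addresses do not collide because each default route lives in its own table.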