About traffic separation in tor

Hello Dear Friends,
I want to separate the traffic. I have a number of "cidr". I want the sites that use these "cidr" to be visited with the real public IP when someone is using "tor", and the rest of the sites to use "tor". If it is possible, may I ask you how? Please guide me. Thank you in advance.

Usually you need to create a firewall rule to intercept the LAN traffic and redirect it to the tor client (port 9040 on the router).

Just create an ip set containing the addresses to be excluded and add it to the redirect rule like this:

option ipset '!excluded_addresses'

DO NOT disable lan to wan forwarding.


Hello dear friend,
Please explain to me the order that is necessary in full. There are some "ip" in this path /root/cidr.txt; I want "tor" to ignore the sites that end with these IPs and not to use "tor" when entering these sites. Please explain simply how I can do this.
Thank you in advance.

Which version of OpenWrt are you running?

version 22.03.3

The format of the file is like this, right?

Run the following commands:

uci add firewall ipset
uci set firewall.@ipset[-1].name='tor_exceptions'
uci set firewall.@ipset[-1].match='dest_net'
uci set firewall.@ipset[-1].enabled='1'
uci set firewall.@ipset[-1].loadfile='/root/cidr.txt'

uci add firewall include
uci set firewall.@include[-1].type='nftables'
uci set firewall.@include[-1].path='/etc/tor.nft'
uci set firewall.@include[-1].position='chain-pre'
uci set firewall.@include[-1].chain='dstnat'

cat << "EOF" > /etc/tor.nft
iifname "br-lan" ip daddr != @tor_exceptions meta nfproto { ipv4, ipv6 } tcp flags syn fib daddr type != { local, broadcast } counter redirect to :9040
EOF
uci commit firewall
fw4 restart

Verify that the nftables set and the redirect rule are created correctly:

nft list set inet fw4 tor_exceptions
nft list chain inet fw4 dstnat

If you want to use DNS over Tor, see the guide.
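An added example, not from this thread or from OpenWrt itself: a small POSIX sh checker for the file that loadfile='/root/cidr.txt' points at. fw4 reads that file one entry per line, and the redirect rule above matches with "ip daddr", which is IPv4-only, so the script flags IPv6 and malformed entries before "fw4 restart" picks them up. The sample list it writes is constructed from documentation ranges; the script name check_cidr.sh is just an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check the list fw4's 'loadfile' reads
# (one entry per line). The rule's 'ip daddr' match is IPv4-only, so
# anything that is not an IPv4 CIDR is reported as never matching.
# Return 0 if $1 is a dotted-quad IPv4 network with a /0..32 prefix.
valid_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   return 1 ;;              # bare address: no prefix length
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac    # rejects IPv6 too
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# Report each entry of file $1 (blank and '#' lines skipped); returns the
# number of bad entries, so 0 means the list is clean.
check_cidr_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_ipv4_cidr "$line"; then
            printf 'ok   %s\n' "$line"
        else
            printf 'BAD  %s   (not an IPv4 CIDR; ip daddr never matches it)\n' "$line"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}
# Constructed sample list (documentation ranges only), used for the demo.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed sample, not a real exception list
192.0.2.0/24
198.51.100.0/25
203.0.113.7/32
2001:db8::/32
10.0.0.256/24
172.16.0.0
EOF
}
# Stand-alone use: sh check_cidr.sh /root/cidr.txt
if [ $# -gt 0 ]; then check_cidr_file "$1"; fi
```

Run it against the real list before "fw4 restart"; a non-zero exit status means at least one entry would silently never be excluded from the Tor redirect.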