Exclude device from Wireguard

I have read much on the forum about how to exclude a device from using Wireguard for outgoing traffic. I've done my best to follow the instructions from @egc here:

I do not understand enough to finish the job. Would someone please help me?

Objective: send TV traffic though WAN instead of the Wireguard tunnel. Wireguard is already installed and seems to be working.

Problems encountered:

  • Must the IP address of the TV be static? If so, how do I set it as static?
  • Where do I find the IPv6 address of the TV? This station does not appear anywhere in LuCI that I have looked.
  • Three errors occurred during installation of dnsmasq-full: udhcpc: started, v1.37.0; udhcpc: broadcasting discover; udhcpc: no lease, failing
  • I could not save a new ipset. Is an FQDN needed for this situation? If not, why can I not save?
  • I was lost on pages 11-13 of egc's instructions. The instructions are probably good; my knowledge is not. I could not make a rule in the prerouting chain. For all things, I need either instructions for LuCI or step-by-step instructions.

Which configs would be helpful to see?

Many thanks in advance.

On the main overview page, you should see your TV's DHCP lease, press the button:


Then you must have SLAAC and not DHCPv6 enabled?

(It would be directly under the section I described previously, under the section " Active DHCPv6 Leases".)

Why did you need to install dnsmasq-full?

Please provide more detail on why you're setting up an ipset. No, FQDN is generally not used or needed.

@egc


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

You do not need to setup PBR manually.

You can use the pbr app which also has luci-app-pbr
See:

Many thanks for your quick offer of help, lleachii!

There are no active leases. The TV is on.

I am not familiar with SLAAC. I do not recall doing anything unusual when I set this router up. I do not know enough to do something unusual. But Network > DHCP shows no v4 or v6 leases. I see in the lan interface that dynamic DHCP is on. Is that the same as SLAAC? What should I use?

To follow egc's instructions.

To follow egc's instructions.


ubus call system board

{
	"kernel": "6.12.74",
	"hostname": "Kindness",
	"system": "ARMv8 Processor rev 4",
	"model": "Cudy WR3000S v1",
	"board_name": "cudy,wr3000s-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32802-f505120278",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.2 r32802-f505120278",
		"builddate": "1774469393"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd55:4a9b:b532::/48'
	option packet_steering '1'
	option dhcp_default_duid '00047c24256b052a46918529f6c125b1f647'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'

config interface 'Mullvad'
	option proto 'wireguard'
	option private_key [redacted]
	list addresses '10.75.20.75/32'
	list addresses 'fc00:bbbb:bbbb:bb01::c:144a/128'
	list dns '100.64.0.63'
	option multipath 'off'
	option mtu '1280'

config wireguard_Mullvad
	option description 'us-chi-wg-312.conf'
	option public_key [redacted]
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '173.249.253.127'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option table '100'
	option gateway '192.168.0.1'

config route6
	option interface 'wan6'
	option target '::0/0'
	option table '100'
	option gateway 'fe80::bef5:81ff:fc4e:82a2'
	option disabled '1'

config rule
	option priority '2000'
	option src '192.168.1.249/32'
	option dest '0.0.0.0/0'
	option lookup '100'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list addnmount '/bin/busybox'
	list addnmount '/var/run/adblock-lean/abl-blocklist.gz'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodi

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'Mullvad'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Mullvad_client'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'Mullvad'

config forwarding
	option src 'lan'
	option dest 'Mullvad_client'

config ipset
	option name 'TV-to-WAN4'
	option family 'ipv4'
	list match 'src_ip'
	list entry '192.168.1.249/32'

config ipset
	option name 'TV-to-WAN6'
	option family 'ipv6'
	list match 'src_ip'
	option enabled '0'

config rule
	option dest '*'
	option name 'mark-TV4'
	option family 'ipv4'
	list proto 'all'
	option ipset 'TV-to-WAN4'
	list src_ip '192.168.1.249'
	option target 'MARK'
	option set_mark '0x00000100/0x0000ff00'

config rule
	option dest '*'
	option name 'mark-TV6'
	list proto 'all'
	option target 'MARK'
	option set_mark '0x00000100/0x0000ff00'

I meant to ask where I can find the ULA or LL address of the TV, not its IPv6 address.

I do not know how to change settings through UCI, so I prefer LuCI instructions. But I'm probably missing something basic, so if you tell me how to change settings in UCI, I will. It would be good to know. Of course, I'd also like to know where to go in LuCI.

I hope that I have redacted appropriately.
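The route in table 100 and the rule for 192.168.1.249 posted above are the manual policy-routing setup. Whether it actually takes effect can be checked on the router itself, because `ip route get DST from SRC iif br-lan` asks the kernel for the same lookup it performs on a forwarded packet, ip rules included. The script below is an added example, not code from the thread or from egc's guide; the interface names, the TV address and table 100 are taken from the posted config, the other LAN host and the sample `ip route get`/`ip rule` lines are constructed for the offline checks.

```shell
#!/bin/sh
# Added example: verify that the TV bypasses the WireGuard tunnel while other
# LAN hosts still use it. Nothing is sent on the wire; `ip route get` only
# queries the kernel's routing decision. Values below are assumptions that
# match the config posted in the thread.

TV_IP="192.168.1.249"        # the host that must leave via WAN
OTHER_IP="192.168.1.100"     # any other LAN host (constructed)
WAN_DEV="wan"                # physical WAN interface
VPN_DEV="Mullvad"            # WireGuard interface name
PROBE="9.9.9.9"              # any public address; used only for the lookup

# egress_dev LINE: extract the "dev X" token from one line of `ip route get`
# output. An error line ("RTNETLINK answers: ...") yields an empty string.
egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# check_egress LINE EXPECTED: success only if the lookup resolved to a device
# and that device is the expected one.
check_egress() {
    dev=$(egress_dev "$1")
    [ -n "$dev" ] && [ "$dev" = "$2" ]
}

# rule_precedes_main RULES_TEXT SRC: success if `ip rule` contains a rule for
# SRC that looks up table 100 with a priority lower (= evaluated earlier) than
# the main table rule at 32766. A rule after main would never be reached,
# because main already holds WireGuard's 0.0.0.0/0 route.
rule_precedes_main() {
    printf '%s\n' "$1" | awk -v src="$2" '
        $1 ~ /^[0-9]+:$/ { prio = $1; sub(":", "", prio) }
        $0 ~ ("from " src "( |/32)") && /lookup 100/ && prio + 0 < 32766 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live check; only meaningful when run on the OpenWrt device.
run_live() {
    if check_egress "$(ip route get "$PROBE" from "$TV_IP" iif br-lan 2>&1)" "$WAN_DEV"; then
        echo "TV -> $WAN_DEV (bypasses the tunnel)"
    else
        echo "TV is NOT leaving via $WAN_DEV"
    fi
    if check_egress "$(ip route get "$PROBE" from "$OTHER_IP" iif br-lan 2>&1)" "$VPN_DEV"; then
        echo "other hosts -> $VPN_DEV"
    else
        echo "other hosts are NOT using the tunnel"
    fi
    if rule_precedes_main "$(ip rule show)" "$TV_IP"; then
        echo "policy rule for $TV_IP is evaluated before the main table"
    else
        echo "no usable rule for $TV_IP before the main table"
    fi
}

# Constructed sample lines in the format `ip route get` and `ip rule` print.
SAMPLE_TV="9.9.9.9 from 192.168.1.249 via 192.168.0.1 dev wan table 100 iif br-lan uid 0"
SAMPLE_OTHER="9.9.9.9 from 192.168.1.100 dev Mullvad iif br-lan uid 0"
SAMPLE_RULES="0:      from all lookup local
2000:   from 192.168.1.249 lookup 100
32766:  from all lookup main
32768:  from all lookup default"
# Same rule placed after main: it would be shadowed by the WireGuard default route.
SAMPLE_RULES_BAD="0:      from all lookup local
32766:  from all lookup main
32768:  from all lookup default
40000:  from 192.168.1.249 lookup 100"

case "${1:-}" in
    live) run_live ;;
esac
```

Run it as `sh check-bypass.sh live` over SSH on the router. If the first line reports that the TV is not leaving via `wan`, look at `ip route show table 100` (the route must exist and its gateway must be the current WAN gateway) and at `ip rule show` (the `from 192.168.1.249` rule must have a priority below 32766).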

Your config is missing DHCPv6 settings.

No DHCPv4 lease?

Odd.

@egc should be able to assist.

Hi egc.

You do not need to setup PBR manually.
You can use the pbr app which also has luci-app-pbr

Oh, darn. I used your instructions because I misread something and I thought that your approach was the more simple one. I had looked at melmac's instructions for the pbr app and, at first glance, found them daunting, so I was happy to find yours (when I thought that it was a simpler approach). I remembered your excellent instructions for setting up Wireguard and expected more of the same.

OK. I will install the pbr app. Then I should find an easier-to-use LuCI interface for something like IP-based exclusion from the tunnel?

I will also look more closely at melmac's instructions.

Could you please help me solve the mystery of DHCP leases in my installation, now that you see some configs? Is whatever I am doing instead of leases OK?

Oh, there is a v4 lease. Sorry.

I don't know why there are no v6 leases. Is that OK?

This part:

Sorry. I meant: I don’t know why there are no DHCP v6 settings. Is this a problem?

You can use the IPv4 address of the TV for PBR; no need for an IPv6 address.
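Since the policy rule matches on the TV's IPv4 source address, that address has to stay the same across reboots of the TV, which is what a static DHCP lease does. The fragment below is an added example in UCI config syntax, not text from the thread or from egc's guide: it pins the TV to 192.168.1.249 with a `config host` entry in /etc/config/dhcp and shows the route and rule already present in the posted /etc/config/network, named so they can be referred to from `uci`. The MAC address is a placeholder, and the gateway 192.168.0.1 is the WAN-side gateway from the posted config. The `MARK` firewall rules and ipsets in the posted firewall config are not needed for this source-address rule; Linux applies an `ip rule ... from SRC` directly, and packet marks only matter for rules that match on `fwmark`.

```uci
# /etc/config/dhcp
# Pin the TV's IPv4 address so the policy rule keeps matching after a
# lease renewal. In LuCI: Network > DHCP and DNS > Static Leases.
config host
	option name 'tv'
	# placeholder; replace with the TV's MAC as shown in the DHCP lease list
	option mac 'AA:BB:CC:DD:EE:FF'
	option ip '192.168.1.249'
	option dns '1'

# /etc/config/network
# Table 100 holds a default route via the physical WAN only; the main table
# keeps WireGuard's 0.0.0.0/0 route. In LuCI: Network > Routing.
config route 'tv_wan4'
	option interface 'wan'
	option target '0.0.0.0/0'
	option table '100'
	# WAN-side gateway, as in the posted config; must follow the WAN lease
	option gateway '192.168.0.1'

# Priority 2000 is evaluated before the main table (32766), so the TV's
# packets consult table 100 first and never see the tunnel route.
config rule 'tv_to_wan4'
	option priority '2000'
	option src '192.168.1.249/32'
	option lookup '100'
```

After editing, apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/network reload`, then have the TV renew its lease (power-cycle or toggle its network). On the router, `ip route show table 100` should list the route and `ip rule show` the rule at priority 2000.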

Thank you.

The dumb AP was issuing leases. I unchecked that it was the authoritative issuer. Is anything else needed to prevent it from issuing leases?

The dumb AP also has firewall zones. Should they be removed?

Do these errors explain why the dumb AP lost WAN access today? Why speeds have been lower than usual?

I should check all the dumb AP settings against the set-up instructions.

Thanks for your help.

How to setup a dumb AP:

Instructions for disabling DHCP are there.

Thanks. I was going to check that document. I used it when I set up the dumb AP, and the AP has worked well for a year. I don’t know what happened recently.