"Extract" traffic from a bridge and route it to wireguard interface


I'd like to put a bridging router between LAN and GW to "divert" traffic (intended for the gatway) from the bridge and route it to a vpn-interface on the same router.

+------+     +--------------+     +------+ 
|      +-----|eth0.1  eth0.2|-----|      |
|  GW  |     |      wg0     |     | LAN  |
+------+     +--------------+     +------+ 

I have no idea where to start (tried successfully to block packets with kmod-br-netfilter but was not able to redirect them).
Is that even possible?

Can someone point me to the right direction?

Normally it should not be bridging but routing.
You could change the default gateway of the lan hosts that need to use the wireguard.
Or you can try if there is some way to do DNAT in ebtables.


Thank you for your answer!

I'v done some routing setups an they all work very well, but in this case the router should not modify the existing lan (dhcp, portforwarding, static routing from gateway to lan should not be modified)

Good idea!
Forgot to mention that the wireguard interface on the router is the client and nat is done by the other side so it will be double-nat
But i'll try this tomorrow.

Thank you!

1 Like

For completeness if anyone come across this post:

DNAT works perfectly because of the PREROUTING chain.

  1. opkg install kmod-br-netfilter
  2. /etc/sysctl.conf:
  1. iptables -t nat -A PREROUTING -d <net to extract> -j DNAT --to-destination <wg tunnelendpint>

Maybe this can be done via luci but i did not find the DNAT button.

1 Like

It's in the Firewall - Port Forwards tab.