Iptables rule to route traffic from specified wlan interface to specified wan?

Hello everyone, my OpenWrt has two WAN connections,

wan0 used as default route, (dev name pppoe-wan)
wan1 currently not used (dev name pppoe-another_isp)

and two wlan interfaces

wlan0 5G wifi
wlan1 2.4G wifi

Currently all traffic is routed through wan0. Now I want to create another SSID, with all traffic of this new SSID routed through wan1.

I'm following the https://openwrt.org/docs/guide-user/network/wifi/basic guide to create another wifi interface (it is named wlan0-1 in the ip addr output) successfully, and it worked (still routed through wan0). How can I make all traffic from this new SSID route to wan1?

I'm thinking about

iptables -t nat -I PREROUTING -i wlan0-1  --???route to another_isp???

but I don't know how to do this. Thanks for advising.

(I hope to use the wan1 dev name pppoe-second_isp as the target, instead of its IP address)

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

Thanks for the suggestion. I'm trying the pbr package, but currently I can't make devices connected to the wlan0-1 interface use the specified rule (but using IP is OK). According to the doc, I should use @wlan0-1 as src_addr, but it didn't work.

I have never used the @wlan0 option. You can verify if it works by checking the mangle table of iptables.
Or try with source IP addresses. In any case for further troubleshooting you need to supply a few things.

It does create corresponding entries in the mangle table. Now I have

464K  435M VPR_PREROUTING  all  --  *      *              mark match 0x0/0xff0000

Chain VPR_PREROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination
 171K  122M MARK       all  --  *      *            /* chmob */ MARK xset 0x60000/0xff0000
    0     0 MARK       all  --  *      *              PHYSDEV match --physdev-in wlan0-1 /* chmob */ MARK xset 0x60000/0xff0000

src_addr set to worked, but if I use @wlan0-1 as src_addr, this rule (the PHYSDEV match rule) never matched (0 packets). It seems this rule didn't match packets from wlan0-1.

Then I suggest you stick to source IPs.

Thanks for the suggestion, but I've already confirmed that using source IP worked. My intention is to make all devices connected to the SPECIFIED WLAN automatically route to the second wan.

Assign the wireless interface to the network:

Route specific LAN to specific WAN:


OK, I'll give it a try.

I've followed the instructions. Now my OpenWrt has another bridge with a different subnet, and my additional wifi (the guest wifi in the reference) can be connected to (with a correct DHCP response), but the "policy based routing" part seems not to work: my traffic from the additional wifi still goes through the default wan interface.

I've tried using the pbr package to route this subnet's IPs to my second wan and it worked. Since they both use rule-based routing, both should work, or neither should. I think my setup problem is that my default setup already has a special rule (even without the second lan/wan) for a transparent proxy,

0:      from all lookup local
1:      from all fwmark 0x1 lookup 100   ---->  my transparent proxy rule
2:      from all iif br-chmob lookup 80   -----> route specific lan to specific wan rule
3:      from all iif pppoe-wan_chmob lookup 80
10000:  from lookup 80
10000:  from lookup 80
20000:  from all to lookup 80
20000:  from all to lookup 80
32766:  from all lookup main
32767:  from all lookup default
90157:  from all iif lo lookup 80
90161:  from all iif lo lookup 80

The transparent proxy rule matched first, so my setup breaks. Using pbr creates the following rules:

0:      from all lookup local
0:      from all fwmark 0x10000/0xff0000 lookup 201     
0:      from all fwmark 0x20000/0xff0000 lookup 202
0:      from all fwmark 0x30000/0xff0000 lookup 203
0:      from all fwmark 0x40000/0xff0000 lookup 204
0:      from all fwmark 0x50000/0xff0000 lookup 205
0:      from all fwmark 0x60000/0xff0000 lookup 206
0:      from all fwmark 0x70000/0xff0000 lookup 207   --->pbr rules
1:      from all fwmark 0x1 lookup 100                   ---------> my transparent proxy rule
32766:  from all lookup main
32767:  from all lookup default

The pbr rules came first, so it worked (I think).

Anyway, a second bridge/subnet is a requirement for a successful setup (although I still use pbr for routing, but that's an ip rule order problem).
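
Added example (not part of the original posts): a small Python model of the rule-order reasoning above, listing which routing tables the kernel consults, in order, for a packet with a given input interface and fwmark. The rule listings are constructed, abridged copies of the two `ip rule` outputs in the post; the parser is simplified, and the assumption that guest traffic carries the proxy mark 0x1 follows the poster's description.

```python
import re

# Simplified parser: handles only "from all" rules with optional fwmark/iif
# selectors, which covers the listings in this thread.
RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from all"
    r"(?:\s+fwmark (?P<mark>0x[0-9a-f]+)(?:/(?P<mask>0x[0-9a-f]+))?)?"
    r"(?:\s+iif (?P<iif>\S+))?"
    r"\s+lookup (?P<table>\S+)"
)

# Constructed samples, abridged from the two listings in the post.
CUSTOM_RULES = """
0:      from all lookup local
1:      from all fwmark 0x1 lookup 100
2:      from all iif br-chmob lookup 80
32766:  from all lookup main
32767:  from all lookup default
"""
PBR_RULES = """
0:      from all lookup local
0:      from all fwmark 0x60000/0xff0000 lookup 206
1:      from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default
"""

def parse_rules(text):
    """Return rules in listed order, which is the kernel's evaluation order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            mark = int(m["mark"], 16) if m["mark"] else None
            mask = int(m["mask"], 16) if m["mask"] else 0xFFFFFFFF
            rules.append({"mark": mark, "mask": mask, "iif": m["iif"], "table": m["table"]})
    return rules

def tables_consulted(rules, iif, fwmark):
    """Tables tried, in order, for a packet; the first with a matching route wins."""
    hits = []
    for r in rules:
        if r["mark"] is not None and (fwmark & r["mask"]) != (r["mark"] & r["mask"]):
            continue  # fwmark selector does not match
        if r["iif"] is not None and r["iif"] != iif:
            continue  # input-interface selector does not match
        hits.append(r["table"])
    return hits

if __name__ == "__main__":
    print(tables_consulted(parse_rules(CUSTOM_RULES), "br-chmob", 0x1))
    print(tables_consulted(parse_rules(PBR_RULES), "br-chmob", 0x60000))
```

The `local` table only holds local and broadcast routes, so forwarded traffic falls through it to the next table in the list; with the custom rules that is table 100 before table 80, and with the pbr rules it is table 206.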

It's best to avoid mixing custom rules with VPN Policy Routing.
I've tested each method separately and they both work for me.

Most likely, your proxy rule needs to exclude the private subnet.
You can try to add a filter with negated destination address.


You can try to add a filter with negated destination address.

Could you please explain it further? Does that mean the ip rule command can add 'subnet' arguments?

uci set firewall.@redirect[X].dest_ip="!"
uci commit firewall
/etc/init.d/firewall restart



Thx, will take a look
