Route traffic out WAN single VLAN out VPN

Hey y'all.

I'm trying to understand and figure out how to configure my router to properly route my traffic through the WAN interface and then a single VLAN/subnet through the OpenVPN tunnel that I have. I have found several other examples (see references) but am trying to figure it out for my network. Others didn't quite work. Like the other ones, I turn on the client VPN connection and the default route goes through that tunnel interface. I'm trying to get it so only the one VLAN will, and not all other VLANs. I'm just trying to figure out if it's Policy Based Routing (PBR) that will solve this, a routing table update, or a combo of the two. I have an OpenVPN server running, but that connection works and is on a different tunnel interface.

I'm trying to get LAN_IoT (192.168.10.0/24) on interface eth0.10 (i.e. VLAN 10) to route out the VPN connection, and all others to route out of my network through the WAN.

**NO VPN running:** `~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all`

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
8: br-LAN_IoT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-LAN_IoT
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.20.1/28 brd 192.168.20.15 scope global eth0.20
       valid_lft forever preferred_lft forever
12: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.30.1/28 brd 192.168.30.15 scope global eth0.30
       valid_lft forever preferred_lft forever
default via 192.168.0.1 dev eth1 proto static src 192.168.0.2
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev br-LAN_IoT proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 proto kernel scope link src 192.168.30.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
default via 192.168.0.1 dev eth1 proto static src 192.168.0.2
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev br-LAN_IoT proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 proto kernel scope link src 192.168.30.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.2
local 192.168.0.2 dev eth1 table local proto kernel scope host src 192.168.0.2
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.2
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.10.0 dev br-LAN_IoT table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-LAN_IoT table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-LAN_IoT table local proto kernel scope link src 192.168.10.1
broadcast 192.168.20.0 dev eth0.20 table local proto kernel scope link src 192.168.20.1
local 192.168.20.1 dev eth0.20 table local proto kernel scope host src 192.168.20.1
broadcast 192.168.20.15 dev eth0.20 table local proto kernel scope link src 192.168.20.1
broadcast 192.168.30.0 dev eth0.30 table local proto kernel scope link src 192.168.30.1
local 192.168.30.1 dev eth0.30 table local proto kernel scope host src 192.168.30.1
broadcast 192.168.30.15 dev eth0.30 table local proto kernel scope link src 192.168.30.1

**VPN running:** `~# ip -4 addr; ip -4 route; ip -4 rule; ip -4 route list table all`
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
8: br-LAN_IoT: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-LAN_IoT
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: eth0.20@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.20.1/28 brd 192.168.20.15 scope global eth0.20
       valid_lft forever preferred_lft forever
12: eth0.30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.30.1/28 brd 192.168.30.15 scope global eth0.30
       valid_lft forever preferred_lft forever
19: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 96.77.215.230 peer 96.77.215.229/32 scope global tun1
       valid_lft forever preferred_lft forever
0.0.0.0/1 via 96.77.215.229 dev tun1
default via 192.168.0.1 dev eth1 proto static src 192.168.0.2
96.77.215.224/27 via 96.77.215.229 dev tun1
96.77.215.225 via 192.168.0.1 dev eth1
96.77.215.229 dev tun1 proto kernel scope link src 96.77.215.230
128.0.0.0/1 via 96.77.215.229 dev tun1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev br-LAN_IoT proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 proto kernel scope link src 192.168.30.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
0.0.0.0/1 via 96.77.215.229 dev tun1
default via 192.168.0.1 dev eth1 proto static src 192.168.0.2
96.77.215.224/27 via 96.77.215.229 dev tun1
96.77.215.225 via 192.168.0.1 dev eth1
96.77.215.229 dev tun1 proto kernel scope link src 96.77.215.230
128.0.0.0/1 via 96.77.215.229 dev tun1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev br-LAN_IoT proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 proto kernel scope link src 192.168.30.1
local 96.77.215.230 dev tun1 table local proto kernel scope host src 96.77.215.230
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.2
local 192.168.0.2 dev eth1 table local proto kernel scope host src 192.168.0.2
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.2
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.10.0 dev br-LAN_IoT table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-LAN_IoT table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-LAN_IoT table local proto kernel scope link src 192.168.10.1
broadcast 192.168.20.0 dev eth0.20 table local proto kernel scope link src 192.168.20.1
local 192.168.20.1 dev eth0.20 table local proto kernel scope host src 192.168.20.1
broadcast 192.168.20.15 dev eth0.20 table local proto kernel scope link src 192.168.20.1
broadcast 192.168.30.0 dev eth0.30 table local proto kernel scope link src 192.168.30.1
local 192.168.30.1 dev eth0.30 table local proto kernel scope host src 192.168.30.1
broadcast 192.168.30.15 dev eth0.30 table local proto kernel scope link src 192.168.30.1

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd88:85be:1936::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option macaddr '20:AA:4B:84:C0:E3'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option macaddr 'C8:60:00:74:6D:28'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'
        option vid '2'

config interface 'vpn_srv'
        option proto 'none'
        option auto '1'
        option _orig_ifname 'tun0'
        option _orig_bridge 'false'
        option ifname 'tun0'

config interface 'vpn_client'
        option proto 'none'
        option auto '0'
        option _orig_ifname 'tun1'
        option _orig_bridge 'false'
        option ifname 'tun1'

config none 'proto'

config 1 'auto'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '2 5t'
        option vid '20'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '30'
        option ports '1 5t'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '3 5t'
        option vid '10'

config interface 'LAN_IoT'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.10.1'
        option ifname 'eth0.10'
        option type 'bridge'

config interface 'LAN_SRV'
        option proto 'static'
        option ifname 'eth0.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.240'

config interface 'LAN_SVC'
        option proto 'static'
        option ifname 'eth0.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.240'

/etc/config/firewall

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'Allow_OpenVPN_Inbound'
        option target 'ACCEPT'
        option src '*'
        option dest_port '10417'
        option name 'Allow_OpenVPN_Inbound'
        option proto 'tcp udp'

config rule
        option target 'ACCEPT'
        option src 'VPN_SRV'
        option dest 'LAN_SRV'
        option proto 'tcp udp'
        option name 'vpn_forwarding_LAN-SRV_in'

config rule
        option target 'ACCEPT'
        option dest 'wan'
        option name 'vpn_forwarding_wan'
        option src 'VPN_SRV'

config rule
        option target 'ACCEPT'
        option dest_port '53'
        option proto 'udp'
        option src 'LAN_IoT'
        option dest_ip '192.168.10.1'
        option name 'Allow-IoT-DNS'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67'
        option src 'LAN_IoT'
        option name 'Allow-IoT-DHCP'

config rule
        option target 'ACCEPT'
        option proto 'icmp'
        option src 'LAN_IoT'
        option name 'Allow-IoT-Ping'
        option icmp_type 'echo-reply echo-request'

config rule
        option target 'ACCEPT'
        option dest_port '53'
        option src 'LAN_SRV'
        option name 'Allow-SRV-DNS'
        option proto 'udp'
        option dest_ip '192.168.20.1'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67'
        option name 'Allow-SRV-DHCP'
        option src 'LAN_SRV'

config rule
        option target 'ACCEPT'
        option name 'Allow-SRV-Ping'
        option proto 'icmp'
        option icmp_type 'echo-reply echo-request'
        option src 'LAN_SRV'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '8920'
        option name 'Allow-SRV-Emby-secure'
        option src '*'
        option dest 'LAN_SRV'
        option dest_ip '192.168.20.3'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '8096'
        option name 'Allow-SRV-Emby-unsecure'
        option src '*'
        option dest 'LAN_SRV'
        option dest_ip '192.168.20.3'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '445'
        option name 'Allow-SRV-smb'
        option src 'lan'
        option dest 'LAN_SRV'
        option dest_ip '192.168.20.2'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '22'
        option name 'Allow-SRV-ssh'
        option src 'lan'
        option dest 'LAN_SRV'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '80'
        option src 'lan'
        option dest_ip '192.168.30.3'
        option name 'Allow-SVC-Print-web'
        option dest 'LAN_SVC'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '8080'
        option name 'Allow-SVC-Print-proxy'
        option src 'lan'
        option dest 'LAN_SVC'
        option dest_ip '192.168.30.3'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '3910'
        option name 'Allow-SVC-Print-prnrequest'
        option src 'lan'
        option dest 'LAN_SVC'
        option dest_ip '192.168.30.3'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '443'
        option name 'Allow-SVC-Print-TLS'
        option src 'lan'
        option dest 'LAN_SVC'
        option dest_ip '192.168.30.3'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '443'
        option name 'Allow-SVC-PBX-TLS'
        option src 'lan'
        option dest 'LAN_SVC'
        option dest_ip '192.168.30.2'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '80'
        option name 'Allow-SVC-PBX-web'
        option src 'lan'
        option dest 'LAN_SVC'
        option dest_ip '192.168.30.2'

config rule
        option target 'ACCEPT'
        option proto 'tcp'
        option dest_port '22'
        option name 'Allow-SVC-PBX-ssh'
        option src 'lan'
        option dest 'LAN_SVC'

config rule
        option target 'ACCEPT'
        option dest_port '53'
        option name 'Allow-SVC-DNS'
        option src 'LAN_SVC'
        option dest_ip '192.168.30.1'
        option proto 'udp'

config rule
        option target 'ACCEPT'
        option name 'Allow-SVC-Ping'
        option proto 'icmp'
        option icmp_type 'echo-reply echo-request'
        option src 'LAN_SVC'

config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67'
        option name 'Allow-SVC-DHCP'
        option src 'LAN_SVC'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8920'
        option name 'emby'
        option src_dport '8920'
        option dest 'LAN_SRV'
        option dest_ip '192.168.20.3'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '10417'
        option dest_port '10417'
        option name 'openvpn'
        option enabled '0'
        option dest 'LAN_SRV'
        option dest_ip '192.168.20.2'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '22'
        option dest_port '22'
        option name 'ssh'
        option dest 'LAN_SRV'
        option dest_ip '192.168.20.2'

config zone 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option forward 'REJECT'
        option network 'vpn0 vpn_srv'
        option name 'VPN_SRV'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone
        option name 'LAN_IoT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'LAN_IoT'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'LAN_IoT'

config forwarding
        option dest 'LAN_IoT'
        option src 'lan'

config zone
        option name 'LAN_SRV'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'LAN_SRV'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'LAN_SRV'

config forwarding
        option dest 'LAN_SRV'
        option src 'lan'

config zone
        option name 'LAN_SVC'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'LAN_SVC'
        option input 'REJECT'

config forwarding
        option dest 'wan'
        option src 'LAN_SVC'

config forwarding
        option dest 'LAN_SVC'
        option src 'LAN_SRV'

config forwarding
        option dest 'LAN_SVC'
        option src 'lan'

config forwarding
        option dest 'LAN_SRV'
        option src 'VPN_SRV'

config forwarding
        option dest 'LAN_SVC'
        option src 'VPN_SRV'

config forwarding
        option dest 'lan'
        option src 'VPN_SRV'

config forwarding
        option dest 'wan'
        option src 'VPN_SRV'

config forwarding
        option src 'lan'
        option dest 'VPN_SRV'

config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'vpn_client'
        option name 'VPN_CLIENT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'

config forwarding
        option src 'LAN_IoT'
        option dest 'VPN_CLIENT'

config forwarding
        option dest 'VPN_CLIENT'
        option src 'lan'

Routing table /etc/iproute2/rt_tables

#
# reserved values
#
128     prelocal
255     local
254     main
253     default
200     vpnclient
0       unspec
#
# local
#
#1      inr.ruhep

OpenVPN Client Config

dev tun1
proto udp
remote <my domain> 1137
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3

<ca>
</ca>

<cert>
</cert>

<key>
</key>

References:

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

Please edit your posting accordingly.
Thanks!


Thanks, I didn't know the difference between the quote and the pre-formatted text.

Maybe I need to rephrase what I'm asking for. Update: I use PBR and I can get the connection working correctly, but my 192.168.1.1 (VLAN 1) address cannot reach any of my other VLANs even though I have rules and policies to allow it. My other VLANs can reach each other, i.e. my IoT VLAN can reach my SRV VLAN to watch my media server.

The question: how can I set it so my WAN is the router's default route, but the PBR will route my IoT network out my VPN while still being able to route internally in my network (i.e. reach my server VLAN)?


root@WR:/etc/config# ip -4 route list table all
default via 192.168.0.1 dev eth1 table 201
192.168.10.0/24 dev br-LAN_IoT table 201 proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 table 201 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 table 201 proto kernel scope link src 192.168.30.1
default via 96.77.215.230 dev tun1 table 203
192.168.10.0/24 dev br-LAN_IoT table 203 proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 table 203 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 table 203 proto kernel scope link src 192.168.30.1
0.0.0.0/1 via 96.77.215.229 dev tun1
default via 192.168.0.1 dev eth1 proto static src 192.168.0.2
96.77.215.224/27 via 96.77.215.229 dev tun1
96.77.215.225 via 192.168.0.1 dev eth1
96.77.215.229 dev tun1 proto kernel scope link src 96.77.215.230
128.0.0.0/1 via 96.77.215.229 dev tun1
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev br-LAN_IoT proto kernel scope link src 192.168.10.1
192.168.20.0/28 dev eth0.20 proto kernel scope link src 192.168.20.1
192.168.30.0/28 dev eth0.30 proto kernel scope link src 192.168.30.1
local 96.77.215.230 dev tun1 table local proto kernel scope host src 96.77.215.230
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth1 table local proto kernel scope link src 192.168.0.2
local 192.168.0.2 dev eth1 table local proto kernel scope host src 192.168.0.2
broadcast 192.168.0.255 dev eth1 table local proto kernel scope link src 192.168.0.2
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.10.0 dev br-LAN_IoT table local proto kernel scope link src 192.168.10.1
local 192.168.10.1 dev br-LAN_IoT table local proto kernel scope host src 192.168.10.1
broadcast 192.168.10.255 dev br-LAN_IoT table local proto kernel scope link src 192.168.10.1
broadcast 192.168.20.0 dev eth0.20 table local proto kernel scope link src 192.168.20.1
local 192.168.20.1 dev eth0.20 table local proto kernel scope host src 192.168.20.1
broadcast 192.168.20.15 dev eth0.20 table local proto kernel scope link src 192.168.20.1
broadcast 192.168.30.0 dev eth0.30 table local proto kernel scope link src 192.168.30.1
local 192.168.30.1 dev eth0.30 table local proto kernel scope host src 192.168.30.1
broadcast 192.168.30.15 dev eth0.30 table local proto kernel scope link src 192.168.30.1
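As an added example (not code from either post above), the lookup mechanism both posts are wrestling with, simulated in Python: `ip rule` entries are walked by priority, the selected table is searched by longest-prefix match, and a table miss falls through to the next rule. The routes are the ones printed in the thread; the `ip rule` set of the second post is not shown there, so the `from 192.168.10.0/24 lookup 203` rule, the `route-nopull` client option, the `to 192.168.0.0/16 lookup main` rule and sample hosts such as 192.168.10.20 or 8.8.8.8 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Routes as (prefix, egress device).  Main table as printed with the OpenVPN
# client up: the pushed 0.0.0.0/1 + 128.0.0.0/1 split default beats the /0 WAN
# default on longest-prefix match, which is why every VLAN went out tun1.
MAIN_WITH_PUSHED = [
    ("0.0.0.0/1", "tun1"), ("128.0.0.0/1", "tun1"), ("0.0.0.0/0", "eth1"),
    ("192.168.0.0/24", "eth1"), ("192.168.1.0/24", "br-lan"),
    ("192.168.10.0/24", "br-LAN_IoT"), ("192.168.20.0/28", "eth0.20"),
    ("192.168.30.0/28", "eth0.30"),
]
# Same table when the client is started with `route-nopull` (assumption).
MAIN_NOPULL = [r for r in MAIN_WITH_PUSHED if r[0] not in ("0.0.0.0/1", "128.0.0.0/1")]
# Table 203 exactly as posted: default via tun1, VLANs 10/20/30, no 192.168.1.0/24.
TABLE_203_POSTED = [
    ("0.0.0.0/0", "tun1"), ("192.168.10.0/24", "br-LAN_IoT"),
    ("192.168.20.0/28", "eth0.20"), ("192.168.30.0/28", "eth0.30"),
]
TABLE_203_FIXED = TABLE_203_POSTED + [("192.168.1.0/24", "br-lan")]

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None means the table has no route."""
    dst, best = ip_address(dst), None
    for prefix, dev in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(rules, tables, src, dst):
    """Walk fib rules in priority order, like `ip rule` followed by `ip route get`.

    A rule is (from_prefix, to_prefix, table); None in a selector matches all.
    The first selected table that actually holds a matching route wins; on a
    table miss the kernel continues with the next rule.
    """
    src = ip_address(src)
    for from_sel, to_sel, table in rules:
        if from_sel and src not in ip_network(from_sel):
            continue
        if to_sel and ip_address(dst) not in ip_network(to_sel):
            continue
        dev = lookup_table(tables[table], dst)
        if dev is not None:
            return dev
    return "unreachable"

ANY_MAIN = (None, None, "main")
IOT_TO_203 = ("192.168.10.0/24", None, "203")   # assumed PBR rule

# A: first post, no PBR, pushed routes in main -> every source leaves via tun1.
def scenario_no_pbr(src, dst):
    return route([ANY_MAIN], {"main": MAIN_WITH_PUSHED}, src, dst)

# B: second post as posted: route-nopull plus `ip rule add from 192.168.10.0/24
# lookup 203`; table 203 lacks 192.168.1.0/24, so IoT replies to the lan VLAN
# fall to that table's tun1 default and never reach br-lan.
def scenario_pbr_posted(src, dst):
    return route([IOT_TO_203, ANY_MAIN], {"203": TABLE_203_POSTED, "main": MAIN_NOPULL}, src, dst)

# C: fix 1: copy the missing connected route into table 203
# (`ip route add 192.168.1.0/24 dev br-lan table 203`).
def scenario_table_completed(src, dst):
    return route([IOT_TO_203, ANY_MAIN], {"203": TABLE_203_FIXED, "main": MAIN_NOPULL}, src, dst)

# D: fix 2: a higher-priority rule sends every 192.168.0.0/16 destination to
# main first (`ip rule add to 192.168.0.0/16 lookup main prio 100`), so table
# 203 only ever decides for Internet destinations.
def scenario_local_first(src, dst):
    rules = [(None, "192.168.0.0/16", "main"), IOT_TO_203, ANY_MAIN]
    return route(rules, {"203": TABLE_203_POSTED, "main": MAIN_NOPULL}, src, dst)

if __name__ == "__main__":
    flows = [("192.168.10.20", "8.8.8.8"), ("192.168.1.5", "8.8.8.8"),
             ("192.168.10.20", "192.168.1.5"), ("192.168.10.20", "192.168.20.3")]
    for name, fn in [("A no PBR", scenario_no_pbr), ("B PBR as posted", scenario_pbr_posted),
                     ("C table completed", scenario_table_completed), ("D local first", scenario_local_first)]:
        print(name + ": " + ", ".join(f"{s}->{d} via {fn(s, d)}" for s, d in flows))
```

Scenario B reproduces the symptom of the second post: a reply from 192.168.10.x to 192.168.1.x selects table 203, which has no 192.168.1.0/24 entry, so it takes that table's tun1 default instead of br-lan while traffic to VLANs 20 and 30 still works. Scenarios C and D are the two usual ways to keep internal destinations on the main table while only Internet-bound IoT traffic leaves through tun1.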