Traffic Policy Routing - which package to use?

Looking for some advice, I am looking to implement traffic policy routing (make some hosts in my LAN use different WAN gateways). There seem to exist two packages with LuCI interfaces that may work: vpn-policy-routing and mwan3.

I think my needs are very simple, I have 3 interfaces for internet use that I need to use in different networks.

  • WAN (router physical link) has my real IP address; should be last-resort.
  • Wireguard tunnel for 90% of my LAN traffic of 'real clients' (workstations)
  • OpenVPN tunnel for 10% of my LAN traffic for 'privacy clients' (docker, VMs, containers)

Oftentimes I face issues that require me to quickly disable (turn off/on) which default gateway a client should use; example: online banking may need me to use my real IP, so it's important for me that changing this is quick and as simple as possible.

My second wish is continuous monitoring of each of these tunnels; if one of them fails, automatically swap all IPv4/IPv6 traffic of clients to failover (only for the case of workstations).

mwan3 on paper looks to have what I am looking for, but the setup complexity seems very very high. Are there other packages that can do what I am looking for with ease of configuration?

OpenVPN can failover by default, instead you may need a kill-switch to prevent traffic leak when the connection fails.

WireGuard is basically the opposite, i.e. a kill-switch is enabled by default, and it requires periodic connectivity check and explicit actions to failover.

Both OpenVPN and WireGuard can failover to WAN if you manually put down the VPN interface.
But it still requires utilizing external tools like mwan3 or custom user scripts for automation.

Yeah, routes, rules and the right metric will do the job.

if all clients are reserved or only one subnet is leased and the rest are static... then you can just toggle between logical network addresses on the same medium and use separate gateways per uplink... ( and the clients are relatively trusted + uplinks are one way... )... that's just my preferred way of handling toggling like this though... and not many do things like this due to only logical separation locally...

wifi lets you have a network per ssid... so that is another way to toggle easily... as are vlan aware switches network wide...

One issue I have faced before is that I may face an outage on one of the tunnels and I can't quickly change all my 10s of WIFI devices to another SSID.

Currently I have opnsense doing my WIFI and policy routing but I am trying to deprecate opnsense and have openwrt be my one-to-rule them all home router if I can pull it off.

The only real use for opnsense in my network at the moment is that it runs my openvpn_client connection for privacy; it has arppinger and automatic failover setup.

I do have two WIFI SSIDs broadcast; my default goes to opnsense for all traffic and then the OpenWrt SSID is my backup "pure connection / no tunnel" so I can manage stuff when opnsense breaks.

I'm guessing that the default kill-switch behavior may need to be disabled for my use case since I have 3 networks? So 3 routing tables.

Thinking about @anon50098793 suggestion; I think for one of my use cases I can use a separate VLAN entirely for 'openvpn' / 'privacy' traffic. As long as I can make sure that traffic on that vlan segment and dhcp scope has no leaks - is there a good document explaining how one may change the default routing table behavior for an entire vlan/segment?

I forget how 'metric' works in a failover scenario; is there a package like arppinger that can handle automatic failover (e.g. the openvpn interface can no longer reach its peer, so update metrics)?

Reading your requirements, I'd say that VPN-PBR is better suited for you.

This setting in VPN-PBR is global. If you wish to enable it for the workstations, it will be applied to VMs as well.

1 Like

I think mwan3 is perfect for your needs. It's actually quite easy to set up once you grasp the concept. This video helped me get started:
I suggest doing the separate VLAN for your secure clients. I suggest adding another third VLAN that you can connect to through VPN when you need to access the WAN directly. This, of course, would require you to set up a VPN server on the router.

The overview of the setup would be like this:

3 Lan segments;
LAN_OV (secure clients)
LAN_DC (direct connect)

3 wan interfaces

3 members
WG_member, WAN_WG interface, metric 1
OV_member, WAN_OV interface, metric 1
DC_member, WAN_DC interface, metric 2 (higher metric lower priority)

3 policies
WG_policy; with WG_member & DC_member, last resort unreachable.
OV_policy; with OV_member & DC_member, last resort unreachable.
DC_policy; with DC_member, last resort unreachable.

3 Rules
WG_rule; LAN_WG use WG_policy.
OV_rule; LAN_OV use OV_policy.
DC_rule; LAN_DC use DC_policy.

There's also a notification tab where you can set an action or script to run when interfaces go down or up.

1 Like
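The overview in the post above, written out as a constructed /etc/config/mwan3 fragment. This is an added example, not the poster's configuration: the interface names (wan_wg, wan_ov, wan), LAN subnets and tracking addresses are assumptions and must match what is defined in /etc/config/network.

```uci
# Constructed example; interface names, subnets and track_ip values are assumptions.
config interface 'wan_wg'
	option enabled '1'
	option family 'ipv4'
	list track_ip '10.200.0.1'
config interface 'wan_ov'
	option enabled '1'
	option family 'ipv4'
	list track_ip '10.8.0.1'
config interface 'wan'
	option enabled '1'
	option family 'ipv4'
	list track_ip '9.9.9.9'

config member 'wg_m1'
	option interface 'wan_wg'
	option metric '1'
config member 'ov_m1'
	option interface 'wan_ov'
	option metric '1'
config member 'wan_m2'
	option interface 'wan'
	option metric '2'

config policy 'wg_policy'
	list use_member 'wg_m1'
	list use_member 'wan_m2'
	option last_resort 'unreachable'
config policy 'ov_policy'
	list use_member 'ov_m1'
	list use_member 'wan_m2'
	option last_resort 'unreachable'
config policy 'wan_policy'
	list use_member 'wan_m2'
	option last_resort 'unreachable'

config rule 'wg_rule'
	option src_ip '192.168.10.0/24'
	option dest_ip '0.0.0.0/0'
	option use_policy 'wg_policy'
config rule 'ov_rule'
	option src_ip '192.168.20.0/24'
	option dest_ip '0.0.0.0/0'
	option use_policy 'ov_policy'
config rule 'wan_rule'
	option src_ip '192.168.30.0/24'
	option dest_ip '0.0.0.0/0'
	option use_policy 'wan_policy'
```

With `last_resort 'unreachable'`, traffic from a segment whose listed members are all down is rejected instead of falling back to the main routing table, which addresses the leak concern raised earlier in the thread; the tunnel `track_ip` addresses must only be reachable through the tunnel itself, or the check will report the interface up while the tunnel is down.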

When you say global, do you mean it's per VLAN (physical interface or DHCP scope)?

If so then yes, what I am looking for is hosts in a specific firewall zone to be mapped to a specific wan_gateway but also have the ability to do per-host redirection without affecting the entire VLAN.

No, global means for every policy that you configure.