It is.
Using "specific MAC addresses" would require putting your device back to use WAN by default and make forwarding exceptions to using the WAN. Just FYI, MACs are Layer 2 (not Layer 3, which is where routing is handled after the LAN). Let's start off by saying...wireguard doesn't have to be the "default route."
- if you have it checked, uncheck the make routes for subnets box under the wireguard interface
- config your router back to use the normal WAN
So...You want your router to use 2 separate default routes...that's easily done via policy-based routing on Linux systems. I will show a quick pseudo-config using the NORMAL default route as WAN, and set up a route you send devices to by an exception - using the Wireguard interface (as you inquired):
- From here, make sure each device on your LAN is assigned a static or DHCP-reserved or excluded IP, and note each IP you assign to each non-set-top-box device in the LAN (you could make the bottom part of the subnet DHCP and assign the upper half as static IPs, e.g. 192.168.1.128/25, or DHCP start 128 and limit 100 addresses).
- From there, you go to the Firewall page and ADD allow traffic from LAN to wireguard (you can specify each MAC or IP under Traffic Rules, but no device will forward unless you give them the route via policy; this way - by adding a general policy - you'll never have to touch your firewall config to get the devices to use another default route).
I suggest adding a startup script like this to configure the devices to wireguard as their default route:
ip route add default dev [name you have wireguard interface] via [tunnel IP] table wg
ip rule add from [IP/32] table wg priority 5
ip rule add from [IP/32] table wg priority 6
ip rule add from [IP/32] table wg priority 7
#etc.....
OR if you do the DHCP reconfig instead and all set top boxes are given a static (reserved) 4th IP octet <= 127, simply:
ip route add default dev [name you have wireguard interface] via [tunnel IP] table wg
ip rule add from 192.168.1.128/25 table wg priority 5
IN ANY CASE, YOU HAVE TO CONFIGURE SOME IPs NOT TO CHANGE IF YOU WANT TO KEEP THE SAME LAN AND HAVE INDIVIDUAL DEVICES USE THE VPN.
This gives your network the following outbound route policy (doing the DHCP reconfig to Start 128 Limit 100):
- 192.168.1.0/24 full network in kernel
  - 192.168.1.0/25
    - 1-127: WAN
  - 192.168.1.128/25
    - 128-228: DHCP Wireguard
    - 229-254: Available to statically assign to Wireguard
  - 192.168.1.0/25
    - 255: SUBNET BROADCAST IP
So making a VLAN/LAN/SSID for the boxes would do the same (but the suggestion above would be a lot more complex to initially set up, and you may have other physical and logical restrictions, now or in the future, keeping you from doing so).
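An added example (not from the post above or OpenWrt itself) that turns the policy-routing recipe into a re-runnable boot script: it registers the "wg" table name, sets the table's default route, and adds one rule per LAN source, accepting both single hosts and a whole subnet such as 192.168.1.128/25. It assumes the WireGuard interface is wg0, table id 100, and a br-lan bridge for the path check; it uses "dev wg0" with no "via" because a WireGuard tunnel is point-to-point, and DRY_RUN=1 (the default) prints the commands for review instead of executing them.

```sh
#!/bin/sh
# Assumptions (not from the original post): interface wg0, table "wg" with
# id 100, LAN bridge br-lan. DRY_RUN=1 prints commands instead of running them.
WG_IF="${WG_IF:-wg0}"
WG_TABLE="${WG_TABLE:-wg}"
WG_TABLE_ID="${WG_TABLE_ID:-100}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# "table wg" only resolves if the name is registered; add it once.
ensure_table() {
    grep -q "[[:space:]]$WG_TABLE\$" /etc/iproute2/rt_tables 2>/dev/null \
        || run sh -c "echo '$WG_TABLE_ID $WG_TABLE' >> /etc/iproute2/rt_tables"
}

# Default route of the wg table points at the tunnel; "replace" keeps the
# script idempotent across reboots.
set_default_route() {
    run ip route replace default dev "$WG_IF" table "$WG_TABLE"
}

# One rule per source, priorities 5, 6, 7, ... as in the post. A bare host
# becomes /32; a subnet is passed through. The "del" first avoids stacking
# duplicate rules when the script runs again.
add_source_rules() {
    prio=5
    for src in "$@"; do
        case "$src" in */*) ;; *) src="$src/32" ;; esac
        run ip rule del from "$src" table "$WG_TABLE" 2>/dev/null
        run ip rule add from "$src" table "$WG_TABLE" priority "$prio"
        prio=$((prio + 1))
    done
}

# Verify which egress a LAN source actually gets (needs DRY_RUN=0 and root).
# 203.0.113.1 is a documentation-range address used only as a probe target.
check_path() {
    ip route get 203.0.113.1 from "$1" iif br-lan 2>/dev/null | grep -q "dev $WG_IF"
}

ensure_table
set_default_route
add_source_rules 192.168.1.200 192.168.1.128/25
```

With DRY_RUN=0 the same script applies the rules; check_path 192.168.1.200 then returns success only if that host's traffic is really leaving via wg0.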