How can I set up policy based routing using netifd to send packets from one particular network (named 'novpn') out the 'wan' interface and everything else through the default routing table?
I've looked at all the policy based routing examples in the wiki and none of them do this and none of them make it clear how one might be able to do this. There's no other documentation. I've searched the web, searched these forums and asked on IRC and I've come up with nothing.
I'm not sure what you're referring to here. I was using the vpn-policy-routing and luci-app-vpn-policy-routing packages but I had problems with masquerading between networks and vpn-policy-routing was identified as the likely culprit after an extensive debugging session on IRC. So, having now upgraded to 21.02, I've decided to discard vpn-policy-routing and use netifd to manage policy based routing. (That's why the title of the post says "with netifd".)
Yes, this is what I was referring to. Sorry to hear you had trouble with those. I currently use both to be able to choose how devices on my LAN connect to the Internet (ISP A or ISP B) and also to make a few use a WireGuard connection for streaming purposes. I find it much easier than having to deal with network and firewall settings. Hope you find the reason why vpn-policy-routing is not working on your side, so maybe you can try my suggestion above.
Static IPv4 routes can be defined on specific interfaces using route sections
but what does it mean for a route to be defined "on" a specific interface? The second example from the documentation lists the equivalent ip command for a section that includes an interface option but the ip command doesn't make use of the information in the interface option. This section:
In my case 'vpn' is a Wireguard interface.
And this particular option means "shoot 'em all packets towards this interface and let Wireguard sort 'em out"
No need to specify gateway, since Wireguard sends packets to the relevant peer according to allowed_ips setting. And the next hop routes packets further, according to its own routing table(-s).
But again, that's how I see it working, in layman's terms. @jow described it more correctly.
I'm astonished by how simple this was. (And yet how difficult it was to get any kind of assistance.) I've added it as an example to the wiki, hopefully people who follow won't have to suffer as I have.
/etc/config$ ip route show default
default dev SSWG proto static scope link
default via ISP-GATEWAY dev eth0 proto static src ISP-IPADDRESS metric 10
/etc/config$ ip rule
0: from all lookup local
1: from SINGULAR-DEVICE/32 iif br-lan lookup 100
32766: from all lookup main
32767: from all lookup default
/etc/config$ ip route show table 100
default via ISP-GATEWAY dev eth0 proto static metric 10
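For reference, an /etc/config/network fragment that produces the ip rule and table 100 output above, written as an added example rather than the poster's wiki entry. ISP-GATEWAY and SINGULAR-DEVICE are the placeholders used in the thread, 'novpn' is the network named in the opening question, and giving the gateway explicitly is an assumption on my part.

```uci
# /etc/config/network (added example, not the poster's wiki text)
# Policy: traffic arriving from the 'novpn' network, plus one host on
# 'lan', is looked up in table 100, whose only route is a default via
# the ISP. Everything else uses the main table, where the WireGuard
# interface (SSWG above) holds the default route.

# Whole 'novpn' network -> table 100
config rule
	option in 'novpn'
	option lookup '100'

# One host on 'lan' -> table 100
# (netifd renders this as: from SINGULAR-DEVICE/32 iif br-lan lookup 100)
config rule
	option in 'lan'
	option src 'SINGULAR-DEVICE/32'
	option lookup '100'

# Table 100: default route out 'wan'. The gateway is given explicitly
# (assumption); with 'interface' alone netifd installs a plain device
# route, which is what the WireGuard route discussed above relies on
# but is not what an Ethernet WAN needs.
config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option gateway 'ISP-GATEWAY'
	option table '100'
```

Apply with /etc/init.d/network reload and verify with the ip rule and ip route show table 100 commands shown above. Note that when wan is down and its route is removed from table 100, the lookup finds nothing and falls through to the main table, so the matched traffic would then leave via the WireGuard default.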