Instructions were tested on TomatoUSB Version 1.28 by shibby.
We always recommend Tomato Advance if your router is compatible: it includes a policy-based routing setup page in the web interface.
In this scenario we will exclude a single LAN IP address from using the OpenVPN tunnel established on the TomatoUSB router. This is useful if you want some device on your network (smart TV, gaming console etc.) NOT to use the VPN and to access the Internet directly through your ISP. Below are the rules to achieve this; you can either enter them from the SSH console on the TomatoUSB router or add them as a WAN Up script in the Administration > Scripts > WAN Up tab.
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -F PREROUTING
ip route add default table 200 via 1.2.3.4
ip rule add fwmark 1 table 200
ip route flush cache
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -j MARK --set-mark 1
In the example above, the router's gateway is 1.2.3.4 and the LAN IP we want to bypass the VPN tunnel (use the ISP connection) is 192.168.0.115. Two of the lines deserve attention: iptables -t mangle -F PREROUTING removes every existing rule in that chain, including marks other router features (such as QoS) may have placed there, and setting rp_filter to 0 turns off the kernel's reverse-path (anti-spoofing) source check on all interfaces; the bypass needs this because replies arriving on the ISP interface would otherwise be dropped, the main routing table saying those hosts are reachable via the VPN.
**Please note that in the examples below we only add the firewall (iptables) rule; the routing rules (the first 5 lines) are unchanged and you should take them from the example above.**
The routing rules are the same as in the example above; only the iptables line differs:
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.100/29 -j MARK --set-mark 1
Notice the /29 network mask instead of /32 (a single IP). A /29 block has 6 usable host addresses; in this example 6 IPs from the LAN bypass the VPN tunnel: from 192.168.0.97 to 192.168.0.102. Use a network mask calculator for this, like subnet-calculator.com or jodies.de/ipcalc. Google "network mask calculator" for more.
In this example we will exclude a single IP address from using the VPN for a single destination port. We will use port 80/HTTP, which means that all browsing on port 80 will go via the ISP and all other traffic via the VPN.
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -p tcp --dport 80 -j MARK --set-mark 1
We can use multiple ports, for example ports 80 and 443 (HTTPS):
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
Or we can use the rule the opposite way: all traffic via the ISP and only ports 80 and 443 via the VPN. The ! negates the port list; recent iptables builds expect it before the option as shown here, while older builds accepted it after the option, as --dport ! 80,443:
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115/32 -p tcp -m multiport ! --dports 80,443 -j MARK --set-mark 1
In this scenario, we want to be able to access a PC on the LAN on a service such as VNC.
When the router is connected to the VPN and we port-forward an inbound connection to a LAN PC, like FTP or VNC, the connection can't be established because the LAN PC will reply through the VPN tunnel. So we have to bypass the tunnel based on source port in order to be able to connect to that service.
iptables -t mangle -I PREROUTING -i br0 -s 192.168.0.115 -p tcp --sport 5900 -j MARK --set-mark 1
In the above example we marked the packets from VNC to be excluded from the VPN tunnel. Change the port from 5900 to the one you want to be able to access from the Internet, like 21 for FTP or 80 for HTTP if you run a web site on the LAN PC.
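The following script is an added example written for this page; it is not part of the original instructions or of TomatoUSB. It packages the routing lines and all the marking rules shown above (single IP, subnet, destination ports, negated port list, source port) into one WAN Up script that can run on every reconnect without duplicating ip rules, and keeps the marks in their own mangle chain (named VPNBYPASS here, an assumption) so that nothing else in PREROUTING is flushed. The gateway 1.2.3.4, the br0 bridge, mark 1 and table 200 come from the page; the BYPASS list, the DRY_RUN switch, the ip route replace form and the ! --dports negation syntax are assumptions of this example, the last requiring an iptables build that accepts the negation before the option.

```shell
#!/bin/sh
# Added example, not from the original page or from TomatoUSB.
# Assumed values: ISP gateway 1.2.3.4, LAN bridge br0, mark 1, table 200
# (from the page); chain name, BYPASS entries and DRY_RUN are constructed.

ISP_GW=1.2.3.4
LAN_IF=br0
MARK=1
TABLE=200
CHAIN=VPNBYPASS

# One entry per line: SRC [PROTO PORTS [sport|dport]]   (constructed sample)
# A leading ! on PORTS negates the list (everything except those ports).
BYPASS='
192.168.0.115
192.168.0.100/29
192.168.0.115 tcp 80,443
192.168.0.115 tcp 5900 sport
'

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the
# rules can be reviewed before they touch a live router.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# mark_args SRC [PROTO PORTS [sport|dport]]
# Prints the iptables match and target arguments for one bypass entry.
# A comma-separated list uses -m multiport; a single port uses --sport/--dport.
mark_args() {
    src=$1 proto=$2 ports=$3 dir=${4:-dport}
    args="-i $LAN_IF -s $src"
    if [ -n "$proto" ]; then
        case "$ports" in
            !*) neg='! ' ports=${ports#!} ;;
            *)  neg='' ;;
        esac
        case "$ports" in
            *,*) args="$args -p $proto -m multiport $neg--${dir}s $ports" ;;
            *)   args="$args -p $proto $neg--$dir $ports" ;;
        esac
    fi
    echo "$args -j MARK --set-mark $MARK"
}

# True when PREROUTING already jumps to our chain (never true under DRY_RUN,
# where no iptables binary is called).
jump_present() {
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    iptables -t mangle -L PREROUTING -n 2>/dev/null | grep -q "$CHAIN"
}

# True when the fwmark policy rule for our table already exists.
policy_rule_present() {
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    ip rule show 2>/dev/null | grep -q "lookup $TABLE"
}

apply_bypass() {
    # Strict reverse-path filtering would drop ISP-side replies for marked
    # flows (the main table routes those hosts via the VPN), so disable it.
    run sh -c 'echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
    # 'replace' plus the presence check keep re-runs from stacking rules.
    run ip route replace default table "$TABLE" via "$ISP_GW"
    policy_rule_present || run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
    # Dedicated chain: flushing it leaves other mangle PREROUTING rules alone.
    run iptables -t mangle -N "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -F "$CHAIN"
    jump_present || run iptables -t mangle -I PREROUTING -j "$CHAIN"
    echo "$BYPASS" | while read -r src proto ports dir; do
        [ -n "$src" ] || continue
        # word splitting of the generated arguments is intended here
        run iptables -t mangle -A "$CHAIN" $(mark_args "$src" "$proto" "$ports" "$dir")
    done
}

# When pasted into Administration > Scripts > WAN Up, add "apply_bypass" as
# the last line. To preview the generated commands without a router:
#   DRY_RUN=1 sh vpnbypass.sh
if [ "${DRY_RUN:-0}" = "1" ]; then apply_bypass; fi
```

The presence checks are deliberately simple greps over ip rule show and iptables -L output, chosen because older router builds of iptables may lack the -C check option; if your build has -C, iptables -t mangle -C PREROUTING -j VPNBYPASS is the more precise test.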