Setting VPN Routing by MAC address?


Apnomis

New Around Here
I'm having trouble with setting up VPN on my Asus RT-AC86U. I'm trying to set it up to use VPN as default and I've found setting IP 192.168.1.0/24 to VPN routes everything to VPN (albeit it disables the router.asus.com and I have to use the IP address directly to get to the settings menu) and then I can choose what I want to exclude, i.e. streaming devices that don't like VPN (I've tried to work out how to exclude streaming services from the VPN but I'm a novice and the thread went completely over my head!).

However, selecting the device from the list just selects the IP address, and as all my IP addresses are dynamic they occasionally change IP - when this happens they come under VPN protection again, stopping me from using streaming services. Is there a way to set exceptions by MAC address instead?

Is there any way to set exceptions by device, or explain (in simple terms) how to set exceptions to video streaming sites? I've tried finding some step by step instructions but they get very techie very fast!
 

Is there some reason you don't want to assign devices static IPs? If you assign IPs then the Merlin firmware makes it easy to select WAN or VPN routing. As a shortcut you could assign all DHCP addresses in your IP pool to VPN and then just assign static IPs to your streaming devices outside this pool and by default they would route using the WAN.
 

Usually (because the GUI makes it simpler) it is safer to assign static IP addresses for LAN devices to be selectively routed via a VPN/WAN.

However, with the use of very simple ;) 'techie' scripting (if using RMerlin firmware), it is possible to selectively route MAC addresses, which may appear to be seemingly more secure (and requires less admin overhead i.e. assigning unique IPs to a usually already unique LAN entity :rolleyes:), although it is fairly trivial to spoof MAC addresses.

See the RMerlin Wiki and Example 5 in Selective Port (or MAC address) selective routing via VPN/WAN, although you may need to tweak the example if you want ALL traffic from the MAC address to be routed, rather than the example's specified HTTP/HTTPS ports.
 
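To make the "techie scripting" above concrete, here is an added example of what MAC-based selective routing looks like on Asuswrt-Merlin. It is not code from this thread, from the RMerlin wiki example, or from x3mRouting. It assumes the OpenVPN client 1 routing table is named ovpnc1, the LAN bridge is br0, and firewall mark 0x1000/0x1000 is not used by anything else on the router; LAN_IF, valid_mac, mac_route_cmds and the priority 9990 are names and values chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from x3mRouting.
# Marks every packet entering the LAN bridge from one MAC address and sends
# marked packets to an OpenVPN client's routing table.
# Assumptions: table "ovpnc1" exists (Merlin OpenVPN client 1), LAN bridge is
# "br0", and fwmark 0x1000/0x1000 is free for this purpose.

LAN_IF="${LAN_IF:-br0}"

# Return 0 if $1 is six colon-separated hex pairs, 1 otherwise.
valid_mac() {
  case "$1" in
    [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# mac_route_cmds MAC TABLE FWMARK
# Prints, one per line, the iptables/ip commands for routing all traffic from
# MAC via TABLE. Prints nothing and returns 1 for a malformed MAC, so a typo
# never leaves a half-applied rule set.
mac_route_cmds() {
  mac="$1"; table="$2"; mark="$3"
  valid_mac "$mac" || return 1
  # Delete before adding so re-running (e.g. from nat-start or an
  # openvpn-event hook) does not stack duplicate rules.
  printf 'iptables -t mangle -D PREROUTING -i %s -m mac --mac-source %s -j MARK --set-mark %s 2>/dev/null\n' "$LAN_IF" "$mac" "$mark"
  printf 'iptables -t mangle -A PREROUTING -i %s -m mac --mac-source %s -j MARK --set-mark %s\n' "$LAN_IF" "$mac" "$mark"
  printf 'ip rule del fwmark %s table %s 2>/dev/null\n' "$mark" "$table"
  printf 'ip rule add fwmark %s table %s prio 9990\n' "$mark" "$table"
  printf 'ip route flush cache\n'
}

# Dry run by default (prints the commands); pass --apply on the router to
# execute them. Usage: sh mac_route.sh [--apply] MAC [TABLE] [FWMARK]
main() {
  apply=0
  if [ "$1" = "--apply" ]; then apply=1; shift; fi
  cmds=$(mac_route_cmds "$1" "${2:-ovpnc1}" "${3:-0x1000/0x1000}") || {
    echo "invalid MAC address: $1" >&2
    return 1
  }
  if [ "$apply" -eq 1 ]; then
    printf '%s\n' "$cmds" | sh
  else
    printf '%s\n' "$cmds"
  fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two things to keep in mind if you adapt this: as Martineau says, a MAC is trivially spoofed, so this is a convenience, not an access control; and if the tunnel is down the ovpnc1 table is empty, so the lookup falls through to the main table and the device silently goes out over the WAN unless you add a blackhole or prohibit route to that table.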
As CaptainSTX says, assigning IPs is your best bet as there is no way I know of to filter by MAC.

If you don't want to change the clients (i.e. you can leave them as DHCP), then you can set static IPs based on the MAC addresses in your DHCP server (see the manual assignment section). This will give you what you want. Static IPs (including those assigned by binding the MAC and IP addresses) for devices that are any type of server typically makes your network easier to manage and use (although obviously not mandatory).
 

As others have suggested, the use of static leases is the way to go, at least when it comes to routing based on the source IP. However, when it comes to the *destination* IP, you don't need policy based routing at all. You just add static routes.

For example, if I want to force all traffic for 8.8.8.8 over the VPN, I can add the following to the OpenVPN client's custom configuration:

Code:
route 8.8.8.8 255.255.255.255 vpn_gateway

If instead I want it to be forced over the WAN, I can specify the following:

Code:
route 8.8.8.8 255.255.255.255 net_gateway

You can even specify a domain name, and it will create *multiple* routes if it resolves to multiple IPs.

Code:
route netflix.com 255.255.255.255 net_gateway

One caveat though. Some of the megasites like Netflix, Hulu, etc., will use many sub-domains, and the public IPs assigned to those sub-domains can change a lot more often than people suspect. You can also get different IPs depending on whether you use the WAN/ISP or VPN for name resolution. So it can be tricky to deal with destination IPs when it comes to certain sites. For simple sites, with reasonably consistent IPs, this technique works reasonably well.
 
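As an added example of the caveat in the post above (not code from the thread or from OpenVPN), the function below expands a `route <host> <mask> <gateway>` directive into one host route per address the way the daemon does, but takes the resolver answers as arguments instead of doing live DNS, so you can feed it what the WAN resolver and the VPN resolver each returned and see whether they disagree. The function name expand_route and the sample addresses (198.51.100.x, 203.0.113.x) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a hostname in an OpenVPN
# "route" directive can give different results depending on which resolver
# answered, by comparing two constructed answer sets.

# expand_route HOST GATEWAY "WAN_IPS" "VPN_IPS"
# Prints "route IP 255.255.255.255 GATEWAY" for every distinct IP seen by
# either resolver (the union, so the route set is stable whichever resolver
# the router used). Returns 0 if both resolvers agreed, 2 if they differed,
# 1 if GATEWAY is not one of OpenVPN's two keywords.
expand_route() {
  host="$1"; gw="$2"; wan_ips="$3"; vpn_ips="$4"
  case "$gw" in
    vpn_gateway|net_gateway) ;;
    *) echo "expand_route: gateway must be vpn_gateway or net_gateway" >&2; return 1 ;;
  esac
  # Normalise each answer set: one IP per line, sorted, duplicates dropped.
  wan_sorted=$(printf '%s\n' $wan_ips | sort -u)
  vpn_sorted=$(printf '%s\n' $vpn_ips | sort -u)
  printf '%s\n%s\n' "$wan_sorted" "$vpn_sorted" | sort -u | while read -r ip; do
    [ -n "$ip" ] && printf 'route %s 255.255.255.255 %s\n' "$ip" "$gw"
  done
  if [ "$wan_sorted" = "$vpn_sorted" ]; then
    return 0
  fi
  echo "expand_route: $host resolves differently via WAN and VPN DNS" >&2
  return 2
}

# Stand-alone demo with constructed answers: the VPN resolver returned one
# extra address, so the union has three routes and the status is 2.
main() {
  expand_route example-stream.test net_gateway \
    "198.51.100.10 198.51.100.11" \
    "198.51.100.11 198.51.100.10 203.0.113.5"
}

if [ "${DEMO:-0}" = "1" ]; then main; fi
```

Run it with `DEMO=1 sh expand_route.sh` to see the demo. In practice you would obtain the two answer sets with `nslookup` against your ISP's resolver and against the VPN provider's resolver, and a status of 2 is your signal that a plain `route <host>` line will behave differently depending on which DNS the router happened to use at connect time.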
@Martineau and I collaborated on a solution that may fit your use case requirements:

x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Policy Rule Routing using the OpenVPN Client screen.
 