Then, what would be the easiest way? Note down and create a group of IPv4/6 addresses manually and add it to the table? And then have a default route to leave all other traffic untouched?
Something like…?
set firewall group address-group IPs-to-route address 1.2.3.4
set firewall group address-group IPs-to-route address 5.6.7.8
set firewall group address-group IPs-to-route address 9.10.11.12
set policy route Route-to-wg rule 200 set table 200
set policy route Route-to-wg rule 200 destination group address-group IPs-to-route
set policy route Route-to-wg interface eth1
set protocols static table 200 route 0.0.0.0/0 interface wg0
set nat source rule 200 outbound-interface wg0
set nat source rule 200 translation address masquerade
set firewall group address-group IPV4GROUP address x.x.x.x
set firewall group address-group IPV4GROUP address x.x.x.x-x.x.x.x
set firewall group ipv6-address-group IPV6GROUP address h:h:h:h:h:h:h:h
set policy route TO-WIREGUARD rule 200 set table 200
set policy route TO-WIREGUARD rule 200 destination group address-group IPV4GROUP
set policy route TO-WIREGUARD interface eth1
set policy route6 TO-WIREGUARD rule 200 set table 200
set policy route6 TO-WIREGUARD rule 200 destination group address-group IPV6GROUP
set policy route6 TO-WIREGUARD interface eth1
set protocols static table 200 route 0.0.0.0/0 interface wg0
set protocols static table 200 route6 ::/0 interface wg0
set nat source rule 200 outbound-interface wg0
set nat source rule 200 translation address masquerade
Though it still requires some digging to find all relevant target IPs… Maybe there’s something more clever that could be done using something like AdGuard Home?
dnsmasq has an option to add the resolved IPs for specific names to an ipset object, or an nftset.
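One way to do what this reply describes, as an added example that is not from the thread and not VyOS CLI: a plain-Linux dnsmasq nftset fragment, the nftables ruleset whose sets it feeds, and the policy-routing commands that send marked traffic out wg0. The name example.com, the vpnroute table and its sets, eth1/wg0 and mark 200 are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): dnsmasq fills nftables sets with the
# addresses it resolves for chosen names; a mangle chain marks traffic to those
# addresses and a separate routing table sends marked traffic via wg0.
# Assumes plain Linux with dnsmasq built with nftset support and nftables.
# example.com, vpnroute/route_v4/route_v6, eth1, wg0 and mark 200 are placeholders.
set -eu

# dnsmasq fragment: each A/AAAA answer for the listed names is added to the
# matching set (format: nftset=/<domain>/<4|6>#<family>#<table>#<set>).
write_dnsmasq_conf() {
    cat > "$1/dnsmasq-nftset.conf" <<'EOF'
nftset=/example.com/4#inet#vpnroute#route_v4
nftset=/example.com/6#inet#vpnroute#route_v6
EOF
}

# nftables ruleset: the sets must exist before dnsmasq can add to them; the
# prerouting chain marks LAN (eth1) traffic whose destination is in a set, and
# postrouting masquerades whatever leaves through wg0 (as in the thread).
write_nft_ruleset() {
    cat > "$1/vpnroute.nft" <<'EOF'
table inet vpnroute {
    set route_v4 { type ipv4_addr; }
    set route_v6 { type ipv6_addr; }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        iifname "eth1" ip daddr @route_v4 meta mark set 200
        iifname "eth1" ip6 daddr @route_v6 meta mark set 200
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wg0" masquerade
    }
}
EOF
}

# Apply (needs root): marked packets are looked up in table 200, whose only
# route is a default via wg0; everything else keeps using the main table.
apply_routing() {
    nft -f "$1/vpnroute.nft"
    ip rule add fwmark 200 lookup 200
    ip -6 rule add fwmark 200 lookup 200
    ip route add default dev wg0 table 200
    ip -6 route add default dev wg0 table 200
}
```

Only names that clients actually resolve through this dnsmasq end up in the sets, so clients using another resolver (or encrypted DNS) and connections to hard-coded IPs bypass the policy route, and the sets start empty after every reboot until the names are resolved again.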
Is it possible to create an empty group, and auto-populate resulting object from DNS requests?