Putting DHCP default gateway in different routing table

acosgrove · June 6, 2023, 2:40pm

I would suggest setting allowed-ips to those exact public subnets instead of 0.0.0.0/0 (unless you are in control of the other side as well).

exp:

* All traffic (local and forwarded!) should first consult routes from attached interfaces, static routes and OSPF
* All traffic which does not have a source from 192.0.2/24 should be routed via DSL default gateway
* All traffic which does have a source from 192.0.2/24 should use a default gateway back via the wireguard tunnel (“next-hop 192.0.2.226")

set nat source rule 100 outbound-interface 'eth0.2'
set nat source rule 100 translation address 'masquerade'
set policy local-route rule 101 destination '0.0.0.0/0'
set policy local-route rule 101 set table 'local'
set policy local-route rule 102 destination '0.0.0.0/0'
set policy local-route rule 102 set table 'main'
set policy local-route rule 103 destination '0.0.0.0/0'
set policy local-route rule 103 set table '171'
set policy local-route rule 103 source '192.0.2.0/24'
set policy local-route rule 104 destination '0.0.0.0/0'
set policy local-route rule 104 set table '170'

Policy and nat rule numbers are not related so you don’t have to sequence them together, that might help keeping you from confusing yourself (and others ).

On the local-route rule numbers become important though. These do correspond to the kernel ip rule table:

Your rule 101 and 102 are actually already in the kernel’s ip ruleset as 32765 and 32766, but you are effectively moving it up to the top and everything is going to match on these two without anything else being evaluated. These are treated like firewall rules, first match wins.

Rule 104 is going to become the new default