WAN - ether1, the interface facing the provider
172.20.10.2/24 - address obtained from the provider
172.20.10.1 - its gateway
LAN - 192.168.1.0/24
10.10.10.2/32 - address obtained from the VPN server
10.10.10.1 - its gateway
With add-default-route=yes on the VPN client, all traffic should go through the VPN by default.
The idea is this: all traffic now goes through the VPN by default.
You mark the traffic that should take a different path and send it out via a dedicated route.
1. Send all traffic through the VPN except certain IPs
# create a list of addresses that should not go through the VPN
ip firewall address-list add list=exclude_list address=192.168.1.10
ip firewall address-list add list=exclude_list address=192.168.1.11
# mark packets from the LAN whose destination is in the list (chain name is lowercase; passthrough=no stops further mangle processing for the packet)
ip firewall mangle add chain=prerouting action=mark-routing src-address=192.168.1.0/24 dst-address-list=exclude_list new-routing-mark=ether1_route_mangle passthrough=no
# marked traffic uses a separate default route via the ISP gateway (on RouterOS v7 the routing table ether1_route_mangle must exist before this route is added)
ip route add dst-address=0.0.0.0/0 gateway=172.20.10.1 distance=1 routing-mark=ether1_route_mangle
2. Send all traffic through the VPN except specific domains (host.com) or their subdomains (*.host.com)
Same as in option 1, only enter the domain instead of an IP (the router resolves address-list entries given as names)
ip firewall address-list add list=exclude_list address=host.com
ip firewall address-list add list=exclude_list address=test.host.com
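To check what the marking and route lookup in items 1 and 2 actually do to a given flow, here is an added Python model (not RouterOS code and not from the original post) of the exclude_list, the single mangle rule and the two routing tables; the domain entries are assumed to have been resolved by the router to constructed 203.0.113.x addresses.

```python
import ipaddress

# Constructed model of the page's setup; not RouterOS code.
ISP_GW = "172.20.10.1"   # gateway of routes carrying routing-mark ether1_route_mangle
VPN_GW = "10.10.10.1"    # default route installed by the VPN client (add-default-route=yes)
LAN = ipaddress.ip_network("192.168.1.0/24")

# exclude_list as on the page; the domain entries (host.com, test.host.com) are
# assumed to have been resolved by the router to these constructed addresses.
EXCLUDE_LIST = [ipaddress.ip_network(n) for n in (
    "192.168.1.10/32", "192.168.1.11/32",
    "203.0.113.10/32",   # constructed: host.com
    "203.0.113.11/32",   # constructed: test.host.com
)]

# routing tables: the marked table and main, each holding one default route
ROUTES = {
    "ether1_route_mangle": [(ipaddress.ip_network("0.0.0.0/0"), ISP_GW)],
    "main": [(ipaddress.ip_network("0.0.0.0/0"), VPN_GW)],
}

def mangle_prerouting(src, dst):
    """Model of the single mangle rule: src in LAN and dst in exclude_list
    gets routing-mark ether1_route_mangle; everything else stays unmarked."""
    if ipaddress.ip_address(src) in LAN and any(ipaddress.ip_address(dst) in n for n in EXCLUDE_LIST):
        return "ether1_route_mangle"
    return None

def lookup(dst, mark):
    """Longest-prefix lookup in the marked table first, then main
    (RouterOS falls back to main when the marked table has no match)."""
    ip = ipaddress.ip_address(dst)
    for table in ([mark] if mark else []) + ["main"]:
        matches = [(n, gw) for n, gw in ROUTES[table] if ip in n]
        if matches:
            return max(matches, key=lambda r: r[0].prefixlen)[1]
    return None

def next_hop(src, dst):
    """Gateway a packet from src to dst leaves through."""
    return lookup(dst, mangle_prerouting(src, dst))

def vpn_bypass_report(flows):
    """Return the (src, dst) flows that leave via the ISP instead of the VPN,
    to confirm that only the intended exclusions bypass the tunnel."""
    return [(s, d) for s, d in flows if next_hop(s, d) == ISP_GW]
```

Run vpn_bypass_report over the flows you expect from each LAN host: anything listed there that is not a deliberate exclusion is a VPN leak in the rule set.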
3. Send all traffic through the VPN except certain IPs, and additionally exclude certain devices (clients)
It's the same as the first option?
"Certain devices" have an IP or domain; just add them to the list.