Routing based on Packet Type

Hi Folks,

I need to redirect all my HTTP/HTTPS/DNS traffic through a tunnel. I've been checking whether to use PBR; however, there's no way to specify the traffic type.
Can you please help me out? Many thanks,


Could you please clarify if you are using VPNs or you want to split traffic on your WAN interfaces? If it's a VPN, then what VPN are you using?

Kind Regards,

It's a tunnel to a provider who inspects and allows/denies my web traffic.
For VPN, it can be understood as a VPN. But just for web traffic. All the rest goes locally through the WAN.


If you do not have any VPNs configured on your RUT and simply need to forward different types of traffic via different WAN interfaces (like mobile SIM or wired WAN), then you should be able to do so via multiwan. Those can be configured in Network → Failover → Multiwan. There, select load-balancing on the top and enable the interfaces you want to use:

Create rules at the bottom that will match UDP/TCP traffic (for example, port 53 for DNS) and use the policy you want (for example, the mobile interface). Create the rules you need and move them to the top of the list. The last rule should match the rest of the traffic and route it via your desired interface.

Kind Regards,

Thanks for the instructions, but I still need to open an IPsec tunnel to the web security provider.

Is there a way to send just some services (HTTP and HTTPS) through the VPN and the rest directly to the WAN?

Many thanks for your help


If you are using IPSec on RUT, the first thing that you can try is to specify the port selectors in your IPSec → Connection settings → Advanced settings. In locally allowed protocols specify tcp/80,tcp/443,udp/53. Then, check if the IPSec connection establishes and the traffic flow is correct.

Another theoretical thing that you could try is to use iptables rules to mark your traffic and use a separate routing table for it. For example:

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0xABCD

Then, in Network → Routing → Policy Based Routing, create a new table with a default route via the IP address of your gateway. Then, create a rule that will match the packets based on the MARK and will use this new table for this traffic.

I have not tried this with IPSec, so let me know how it goes.

Kind Regards,
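As an added example (this is not code from the thread, from Teltonika, or from the RUT firmware), the fwmark approach suggested in the reply above, scripted end to end: mark TCP/80, TCP/443 and UDP/53, send marked packets to a dedicated routing table whose only route is the tunnel, and leave everything else on the main table (plain WAN). It assumes a route-based tunnel that appears as a network interface; the interface name `ipsec0`, table number `100`, next hop `10.0.0.1` and the `--apply`/`--cleanup` flags are placeholders of this example. Policy-based IPsec, which is what a RUT normally installs, has no such interface and steers traffic through XFRM policies instead, so there the port selectors mentioned first are what decide which packets enter the tunnel and this script does not apply as-is.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark + dedicated routing table for
# HTTP/HTTPS/DNS. Interface name, table number and gateway are assumptions.

MARK=0xABCD        # fwmark value from the reply above
TABLE=100          # routing table number (assumed; any unused 1-252 works)
TUN_IF=ipsec0      # route-based tunnel interface (assumed; check `ip link`)
TUN_GW=10.0.0.1    # next hop inside the tunnel (assumed)

# Emit the commands rather than executing them, so the plan can be reviewed
# (or diffed against the live rule set) before it is applied on the router.
pbr_commands() {
    mark=$1 table=$2 dev=$3 gw=$4
    # Forwarded LAN traffic is seen in PREROUTING; the router's own traffic
    # (e.g. dnsmasq upstream lookups) only traverses OUTPUT, so mark both.
    for chain in PREROUTING OUTPUT; do
        for sel in "tcp 80" "tcp 443" "udp 53"; do
            set -- $sel
            echo "iptables -t mangle -A $chain -p $1 --dport $2 -j MARK --set-mark $mark"
        done
    done
    # Dedicated table whose only route is the tunnel; unmarked traffic never
    # consults it and keeps using the main table (plain WAN).
    echo "ip route replace default via $gw dev $dev table $table"
    echo "ip rule add fwmark $mark lookup $table priority 1000"
    # Replies arrive on the tunnel from arbitrary Internet sources; strict
    # reverse-path filtering on that interface would drop them, so use loose.
    echo "sysctl -w net.ipv4.conf.$dev.rp_filter=2"
}

# Undo everything pbr_commands adds, in reverse order.
pbr_cleanup_commands() {
    mark=$1 table=$2 dev=$3 gw=$4
    echo "ip rule del fwmark $mark lookup $table priority 1000"
    echo "ip route flush table $table"
    for chain in PREROUTING OUTPUT; do
        for sel in "tcp 80" "tcp 443" "udp 53"; do
            set -- $sel
            echo "iptables -t mangle -D $chain -p $1 --dport $2 -j MARK --set-mark $mark"
        done
    done
}

# Number of marking rules the plan contains (3 selectors x 2 chains = 6).
pbr_mark_rule_count() {
    pbr_commands "$@" | grep -c 'MARK --set-mark'
}

case "${1:-}" in
    --apply)   pbr_commands "$MARK" "$TABLE" "$TUN_IF" "$TUN_GW" | sh -e ;;
    --cleanup) pbr_cleanup_commands "$MARK" "$TABLE" "$TUN_IF" "$TUN_GW" | sh ;;
    *)         pbr_commands "$MARK" "$TABLE" "$TUN_IF" "$TUN_GW" ;;   # dry run
esac
```

Run it with no arguments first to see the exact commands it would issue; `--apply` executes them as root. To confirm the split is working, `iptables -t mangle -L PREROUTING -v -n` should show the packet counters on the three MARK rules increasing while a LAN client browses, `ip rule show` should list the fwmark rule ahead of `main`, and `ip route show table 100` should contain only the tunnel default route. A traceroute from a LAN client to a web server on port 80 versus an arbitrary UDP port then shows the two different first hops.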

This topic was automatically closed after 15 days. New replies are no longer allowed.