VPN Director: Prioritize Site-to-Site VPN over WAN

[benih]

I have 2 RT-AX86Us with Merlin 388.2 across two locations, connected via 2x VPN Tunnels. Generally, all internet traffic shall go via VPN for privacy reasons. Except my Synology Box needs to go to WAN (otherwise some things will not work). This gives me the following VPN Director rules on Router A:
1. Synology Box to WAN
2. If Remote IP Range = "other site" => VPN1
3. All else => VPN2

It works amazing, I'm really impressed by Merlin how easy and stable it is.

Now I want the Synology Box to create Backups against a Disk attached on Router B (on the other site connected via site-to-site VPN). Based on the rules above traffic from the Synology box is being sent to WAN which obviously makes it impossible to reach the other site via the site-to-site VPN tunnel. So I face kind of a design challenge.

I'm aware of the VPN Director prioritization (WAN > OVPN > WG) but was wondering if there might be another solution or idea to this combination? Some sort of a manual routing or override (not via GUI) to make Rule#2 "stronger" than the WAN rule? Or to add an exception to Rule #1 for Remote IPs that are in the "other side LAN"?

Thx for all inputs and thoughts

 

[elorimer]

New rule #1? Synology box to othersite Router -> VPN1

 

[benih]

New rule #1? Synology box to othersite Router -> VPN1

Thx elorimer. I can‘t. I have a weppage running in a docker container on the synology box that is accessed via ddns on Router 1/port forwarding from external. This is why the synology box (connected to router 1) needs the wan rule.

 

[elorimer]

Still not following why it needs a wan rule since VPN director deals with traffic out, not traffic in. But I freely confess my brain circuitry can't process this kind of logic problem. (Same with taxes!)

Still, if VPN director starts with the implict rule of everything to WAN, except for the following, perhaps you divide your network in half. Put the Synology in the first half, and in the second half put everything you want to go out VPN2. Delete #1, then change #3 (now #2) to everything in the second half --> VPN2.

 

[benih]

#3 is my wish to have devices go via Proton VPN for privacy, instead of directly to the WAN. With the exception of the Synology Box and the Router itself. Currently rule #3 covers the entire subnet 172.16.100/24 (site A subnet) which is why I had to add the "exception rule" #1 for the Synology Box.

Maybe I was overthinking this a bit. I follow your proposal about cutting it in half and use the IP range 172.16.100/25 (.0 - .127) for my "normal devices" that should go via Proton VPN for normal browsing. I also changed DHCP range to 172.16.100.1-172.16.100.127. Rule #2 is changed to Local IPs = 172.16.100.0/25. All "special devices" that should go via WAN have a static IP > .127, hence eliminating the need for Rule #1 for the Synology Box.

Thank you very much for your patience and thoughts, its all working nicely now!