I'll start out by saying that I'm half way through successfully achieving what I want to do, but I'm missing just a couple of pieces.
The main goal, which does not seem to be uncommon, is to direct traffic from some devices through a VPN, but the majority of traffic directly to the internet.
The first effort was with a WRT54GL and the K24 VPN build of shibby, however the "ip rule" command failed. The second effort is now with a RT-N66U running K26-AIO 64k, and the following three commands were all that were needed to get my laptop running through my VPN, and all other traffic hitting the 'net directly:
ip rule add from 192.168.1.25 table 200
ip route add default via 10.10.10.10 dev tun11 table 200
ip route flush cache
(Note: replace 10.10.10.10 with proper VPN destination)
This solution works nicely for static IPs. But then I wanted a more elegant solution. The ultimate goal is this:
Create a second VLAN on 192.168.2.0/24, which redirects all internet traffic through the VPN but can still access 192.168.1.0/24
Create a virtual WLAN which connects to the above VLAN
Plug my main switch into the first physical router port (ie, main VLAN)
Plug a secondary "VPN" switch into the second physical router port (ie, VPN VLAN)
What I've done so far:
Set up the VPN, and unchecked "Redirect Internet traffic"
Created a bridge br1 for 192.168.2.0/24
Added a VLAN 3 on Port 4 Bridged on br1
(VLAN 1 is Ports 1,2,3 on br0, and VLAN 2 is WAN Port bridged on WAN)
Created virtual wireless wl0.1 (2.4 GHz) and wl1.1 (5 GHz), both bridged to br1
At this point, all devices connected to wl0.0 and wl0.1, as well as all devices plugged into the main switch work as per normal.
Laptop connected to wl1.1 (on 192.168.2.0/24) can ping 192.168.1.1 and 192.168.2.1, but not anything else on 192.168.1
Now run these two commands (note that I have *not* run the "ip rule" commands above at this stage):
iptables -I INPUT -i br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
Now, my laptop on 192.168.2 can access all devices on 192.168.1.0/24, as well as the internet.
If I turn off wireless and plug it into Port 4, it gets a 192.168.2 address, and can access 192.168.1.0/24.
All good so far.
So the missing link for me is how to connect these two bits together.
After adding the ip rule again:
ip rule add from 192.168.2.0/24 table 200
I lose the routing back to 192.168.1.0/24
So I continue on with:
ip route add 192.168.1.0/24 dev br0 table 200
ip route add 192.168.2.0/24 dev br1 table 200
This gets back full connectivity from 192.168.2.0/24 to both 192.168.1.0/24 and the internet, but not via the VPN.
So I continue on with this:
ip route add default dev tun11 table 200
(Also tried a few variations on above, with and without specifying "via x.x.x.x")
And I keep connectivity between the VLANs, but no connection to the outside world at all.
I also tried a few commands along these lines, but all internet traffic went out directly, not via the VPN:
iptables -I FORWARD -i br1 -o br0 -d 192.168.0.0/16 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o tun11 -d ! 192.168.0.0/16 -m state --state NEW -j ACCEPT
Thanks to anyone who a) spends the time reading my verbose post, and b) can offer suggestions or a solution!
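Pulling the pieces of the post into one script, as an added example that is not from the original post or from the Tomato firmware: it uses the post's own names (br0 = 192.168.1.0/24, br1 = 192.168.2.0/24, tun11, table 200) and adds the two parts the post does not show, a FORWARD accept from br1 into tun11 and a MASQUERADE on tun11, which is what a VPN client needs once "Redirect Internet traffic" is off (otherwise replies cannot come back to a 192.168.2.x source). Without an argument it only prints the commands; `apply`, `remove` and `check` run them.

```shell
#!/bin/sh
# Added example, not from the original post or the Tomato firmware. Assumes the
# post's naming: br0 = 192.168.1.0/24 (main LAN), br1 = 192.168.2.0/24 (VPN
# VLAN), tun11 = OpenVPN client interface, routing table 200.
LAN_NET=192.168.1.0/24
VPN_NET=192.168.2.0/24
VPN_IF=tun11
TABLE=200
# With DRY_RUN=1 (the default) commands are printed, not executed.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

pbr_setup() {
  # 1. Sources in 192.168.2.0/24 consult table 200 before the main table.
  run ip rule add from "$VPN_NET" table "$TABLE"
  # 2. Table 200 starts empty, so both local subnets must be copied into it or
  #    the VPN VLAN loses the LAN; the default goes to the tunnel (no "via"
  #    needed on a point-to-point tun).
  run ip route add "$LAN_NET" dev br0 table "$TABLE"
  run ip route add "$VPN_NET" dev br1 table "$TABLE"
  run ip route add default dev "$VPN_IF" table "$TABLE"
  run ip route flush cache
  # 3. Forwarding from br1 into the LAN and into the tunnel must be accepted.
  run iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
  run iptables -I FORWARD -i br1 -o "$VPN_IF" -m state --state NEW -j ACCEPT
  # 4. With "Redirect Internet traffic" off nothing masquerades on tun11, so
  #    packets would leave with a 192.168.2.x source that the VPN server has
  #    no route back to: NAT them to the tunnel address.
  run iptables -t nat -I POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE
}
pbr_teardown() {
  run iptables -t nat -D POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE
  run iptables -D FORWARD -i br1 -o "$VPN_IF" -m state --state NEW -j ACCEPT
  run iptables -D FORWARD -i br1 -o br0 -m state --state NEW -j ACCEPT
  run ip route flush table "$TABLE"
  run ip rule del from "$VPN_NET" table "$TABLE"
  run ip route flush cache
}
# Show the rule set and which table/interface a VPN-VLAN host's packet to an
# internet address (8.8.8.8 here, any public address works) would take.
pbr_check() {
  run ip rule show
  run ip route show table "$TABLE"
  run ip route get 8.8.8.8 from 192.168.2.25 iif br1
}
case "${1:-}" in
  apply)  DRY_RUN=0; pbr_setup ;;
  remove) DRY_RUN=0; pbr_teardown ;;
  check)  DRY_RUN=0; pbr_check ;;
  *)      pbr_setup ;;   # no argument: print the commands only
esac
```

If `pbr_check` reports the default route from table 200 on tun11 but the internet is still unreachable, confirm with `iptables -t nat -L POSTROUTING -v` that the MASQUERADE counters on tun11 are increasing.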