How to Route only specific ports through VPN (openvpn) via Tomato firmware
Excellent write-up in this source link.
The code below is credited to Grdnkln in the forum.
# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first, so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1
# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br1 -j MARK --set-mark 1
# Enable VPN for a specific range
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.20-192.168.1.50 -j MARK --set-mark 0
# Spotify explicitly uses the VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 78.31.8.1-78.31.15.254 -j MARK --set-mark 0
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 193.182.8.1-193.182.15.254 -j MARK --set-mark 0
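The script above relies on two netfilter facts that are easy to get wrong: `MARK --set-mark` is non-terminating, so every matching PREROUTING rule overwrites the mark and the last match wins; and `ip rule add fwmark 1 table 100` sends only mark-1 packets to the WAN default, while everything else falls through to the main table and its `tun11` default. The following Python model (an added example, not code from the page or from the forum thread) reproduces that decision for a packet against the script's active rule list, so you can check what a given LAN host or destination will do before touching the router. The packet fields and sample addresses are constructed; `tun11`, table 100 and the rule list are taken from the script.

```python
"""Model of the fwmark-based selective VPN routing set up by the Tomato WAN-UP script above."""
from ipaddress import ip_address

VPN_IFACE = "tun11"   # OpenVPN tunnel name assumed by the script
BYPASS_TABLE = 100    # table holding the WAN default route, selected by fwmark 1


def in_range(addr, rng):
    """iptables iprange semantics: 'a.b.c.d' alone or 'a.b.c.d-e.f.g.h', both ends inclusive."""
    lo, _, hi = rng.partition("-")
    lo = ip_address(lo)
    hi = ip_address(hi) if hi else lo
    return lo <= ip_address(addr) <= hi


def rule_matches(rule, pkt):
    """One '-A PREROUTING' line, reduced to the matches the script uses (-i, -p, iprange, multiport)."""
    if rule.get("iface") and rule["iface"] != pkt["iface"]:
        return False
    if rule.get("proto") and rule["proto"] != pkt["proto"]:
        return False
    if rule.get("src_range") and not in_range(pkt["src"], rule["src_range"]):
        return False
    if rule.get("dst_range") and not in_range(pkt["dst"], rule["dst_range"]):
        return False
    if rule.get("dports") and pkt.get("dport") not in rule["dports"]:
        return False
    return True


def final_mark(rules, pkt):
    """MARK is non-terminating: each matching rule overwrites the mark, so the last match wins."""
    mark = 0  # packets start unmarked; mark 0 means 'main table', whose default route is the VPN
    for rule in rules:
        if rule_matches(rule, pkt):
            mark = rule["mark"]
    return mark


def egress(mark):
    """Policy lookup: fwmark 1 -> table 100 (WAN gateway); anything else -> main table (tun11)."""
    return "wan" if mark == 1 else VPN_IFACE


def decide(rules, pkt):
    """Return (final mark, egress) for one packet."""
    mark = final_mark(rules, pkt)
    return mark, egress(mark)


# Rule list transcribed from the active (uncommented) part of the script.
PAGE_RULES = [
    {"iface": "br0", "mark": 1},   # by default all LAN traffic bypasses the VPN
    {"iface": "br1", "mark": 1},
    {"iface": "br0", "src_range": "192.168.1.20-192.168.1.50", "mark": 0},  # host range uses the VPN
    {"iface": "br0", "dst_range": "78.31.8.1-78.31.15.254", "mark": 0},     # Spotify ranges use the VPN
    {"iface": "br0", "dst_range": "193.182.8.1-193.182.15.254", "mark": 0},
]


def pkt(iface, src, dst, proto="tcp", dport=443):
    """Constructed sample packet (not from the page); 203.0.113.x is documentation address space."""
    return {"iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport}


if __name__ == "__main__":
    for p in (pkt("br0", "192.168.1.5", "203.0.113.10"),    # plain LAN host -> WAN
              pkt("br0", "192.168.1.30", "203.0.113.10"),   # host in the VPN range -> tun11
              pkt("br0", "192.168.1.5", "78.31.9.9"),       # Spotify destination -> tun11
              pkt("br1", "192.168.2.10", "203.0.113.10")):  # guest bridge -> WAN
        print(p["iface"], p["src"], "->", p["dst"], decide(PAGE_RULES, p))
    # Ordering trap: with the catch-all 'mark 1' rules moved last, they become the final match for everything.
    reordered = PAGE_RULES[2:] + PAGE_RULES[:2]
    print("reordered:", decide(reordered, pkt("br0", "192.168.1.30", "78.31.9.9")))
```

The reordered run is the check worth keeping in mind when editing the rule list: a broad rule such as the commented "all UDP bypasses the VPN" example placed after a per-host `--set-mark 0` rule silently overrides it for that protocol, because the mark is simply the value set by the last rule that matched.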
Multiple SSID using Tomato USB firmware
Credit goes to the thread owner:
source
"
Does it often happen to you that someone, such as a friend, wants to use your internet for a moment? Giving out the wifi password is not safe, given that they get unlimited access to our entire LAN (often U.S.). Not to mention that often, "for himself", he does not limit his internet access speed. Finally, I will add that the culprit can easily (often unknowingly) infect other computers on our network with viruses. And what if it is a stranger to us? It is all something to think about, and to reflect on whether I need a "demilitarized" network, or a network of limited trust. In this tutorial we will call it the guest network.
Here is a quick tutorial showing how to set up a guest wifi network under the assumption that:
- br0 -> LAN ports 1+2+3+4 + SSID 1, addressing 192.168.1.1/24, DHCP server enabled
- br1 -> SSID 2 for guests, addressing 192.168.2.1/24, DHCP server enabled
Step 1 The new bridge
In Basic -> LAN create a new bridge br1, 192.168.2.x, DHCP enabled (br0 with 192.168.1.x already exists by default). I suggest setting the lease time relatively low, e.g. 60 minutes. In addition, set the DHCP range to at most 5 devices. There will not be more visitors than that using your network at one time... will there?
Step 2 New VLAN
In Advanced -> VLAN create a new VID, e.g. (3), and assign it to the LAN1 bridge (br1). The VLAN does not have to include any of the LAN ports. What matters is that it exists. When you press Save the router will reboot.
Step 3 New SSID
In the Advanced -> Virtual Wireless, Overview tab add a new interface, e.g. wl0.1; I set the broadcast (SSID) and plug it into the newly created br1 network.
After pressing "Add" you automatically jump to the wl0.1 tab to further configure the new wireless network.
Set the encryption on it (or not, if you want it to be an open network) and press "Overview". We return to the main tab. If everything is correct, click "SAVE".
Step 4 Verification
We can check in Advanced -> VLAN whether our WLANs are correctly assigned to the different bridges: Bridge eth1 to LAN (br0) and Bridge wl0.1 to LAN1 (br1).
Tips
1) If you want to block br1 from mapping Samba shares (e.g. a plugged-in USB drive), add hosts allow = 192.168.1. in File Sharing -> Samba Custom Configuration, i.e. authorize only the br0 IP class to use Samba.
2) The newly created WLAN cannot be removed (not via the GUI). You can only disable it. You can decipher it in the Notes.
"
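Tip 1 above hinges on how Samba interprets `hosts allow = 192.168.1.`: a token ending in a dot is a leading-octets prefix, so it admits the whole br0 class and nothing on the guest br1 subnet. The following Python check is an added example (not code from the thread, and a model of Samba's documented `hosts allow` forms rather than Samba's own implementation): it evaluates a `hosts allow` line against a client address, including the `EXCEPT` keyword and CIDR or netmask forms, so you can confirm a guest client is refused before relying on the setting. The client addresses are constructed.

```python
"""Evaluate a Samba 'hosts allow' line against a client IP (model of the documented pattern forms)."""
from ipaddress import ip_address, ip_network


def _matches(pattern, client):
    """One token of 'hosts allow' (assumed forms: ALL, trailing-dot prefix, CIDR/netmask, exact IP)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # '192.168.1.' is a string prefix on the dotted address; the dot is what stops it
        # from also admitting 192.168.10.x or 192.168.100.x.
        return client.startswith(pattern)
    if "/" in pattern:
        # '192.168.1.0/24' or '192.168.1.0/255.255.255.0'; strict=False tolerates host bits set
        return ip_address(client) in ip_network(pattern, strict=False)
    return client == pattern  # a bare address without a trailing dot is an exact match only


def hosts_allow(line, client):
    """True if 'client' would be admitted by the given 'hosts allow' value."""
    tokens = line.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        allowed, excepted = tokens[:i], tokens[i + 1:]
    else:
        allowed, excepted = tokens, []
    if any(_matches(p, client) for p in excepted):
        return False
    return any(_matches(p, client) for p in allowed)


if __name__ == "__main__":
    line = "192.168.1."  # the value from Tip 1
    for client in ("192.168.1.42", "192.168.2.7", "192.168.10.5"):  # constructed clients
        print(line, client, "->", "allowed" if hosts_allow(line, client) else "denied")
    print("192.168.1.0/24 EXCEPT 192.168.1.99", "192.168.1.99", "->",
          hosts_allow("192.168.1.0/24 EXCEPT 192.168.1.99", "192.168.1.99"))
```

Run it with the exact value you intend to paste into the Custom Configuration box; a common mistake is dropping the trailing dot, which turns the prefix into an exact-address match that admits nobody on the LAN.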