Selective Routing and multiple VLANs

I’m looking into RouterOS as a possible solution to my problems - this is more a pre-sales question and a “Can I do this?!” than wanting full answers and the exact process. I’m in the middle of setting up a home lab and wish to implement selective routing for specific domains across two networks. I’ve not yet played with the RouterOS trial as 24 hours is a very short time to experiment with. Frustratingly some of the domains I need to bypass the VPN for are behind Cloudflare so listing IPs is impractical. VPN will be L2TP, SSTP or OpenVPN connections (although I’m arguing with my provider at the moment about their terrible OpenVPN speeds - 20mbits on a 150mbit connection is insane when L2TP tests at over 100mbits).

192.168.0.X Network (Router Based, router has HW firewall) IPV4 only. IPV6 Disabled.
192.168.0.1 Router/Modem
192.168.0.2-99 Wifi DHCP controlled by router. Manual VPN setup.
192.168.0.100 FreeNAS Server (Wired) 100% Bypass (VMs denoted as FN)
192.168.0.101 Windows 10 PC (Wired) VPN for normal sites, Bypass for specific domains and IPs (VMs denoted as WS)
192.168.0.102 DHCP/Gateway VM (RouterOS in a VM on the FreeNAS server) Will route traffic via VPN or Bypass as appropriate
192.168.0.103-254 Future Expansion

10.0.0.X Network (VM Based) IPV4 only. IPV6 Disabled.
10.0.0.1 DHCP/Gateway VM (RouterOS in a VM on the FreeNAS server) second virtual ethernet on 192.168.0.102, bridged (FN VM)
10.0.0.2 Transmission VM (FN Jail) 100% VPN
10.0.0.3 Plex VM (FN VM) 100% Bypass
10.0.0.4 Sonarr VM (FN VM) VPN to Proxy
10.0.0.5 Jackett VM (FN VM) VPN to Proxy
10.0.0.6 OwnCloud VM (FN VM) 100% Bypass
10.0.0.7 Amazon Cloud uploading VM (FN VM) 100% bypass
10.0.0.50-125 FreeNAS VM DHCP Pool (Mostly pop-up linux test servers) 100% VPN
10.0.0.126-254 Windows VM DHCP Pool (Mostly pop-up linux test servers) 100% VPN

Remote Servers:
Kimsufi 100/100 (2TB, no limits) - Transmission, CIFS, Owncloud, IRC, Teamspeak. ~30mbit transfer to home network without VPN. Root Access.
Hetzner 1000/1000 Server (2TB Raid 1 + 2TB backup. no limits) - Transmission, Webserver, CIFS. ~50mbit transfer to home network without VPN. Root Access.
Hetzner Storage Box Service (2TB Drive no limits) - CIFS only (OwnCloud via Hetzner server)
Amazon Cloud - Unlimited Storage. Encryption and storage via encfs and acd_cli.

What I’ve not yet worked out:

  1. How best to set up a DHCP server/Gateway (RouterOS) that analyses traffic by a) Local IP (specific local IPs will not be allowed to bypass the VPN), b) Destination domain (specific domains must either bypass the VPN or use “VPN to Proxy”), c) Destination IP (Specific IPs like my remote servers should completely bypass the VPN for all connections) and directs the connection appropriately, if possible making use of the “VPN to Proxy” chain for static IP on specific cases.
  2. Whether I should place the DHCP Server/Gateway VM within the router’s DMZ or forward specific ports to it for further forwarding to individual VMs.
  3. Whether a separate dual gbit NIC atom/celeron/i3 based machine (or if RouterOS can do all this, a hardware based RouterOS router) would make more sense than a gateway VM (although I’d prefer to avoid this and keep costs down!)
  4. How to ensure local traffic is only routed locally and doesn’t touch the VPN or external connections
  5. How to set up automatic connection to the VPN on boot (I would presume RouterOS would handle this)
  6. How to set up a killswitch so no external traffic can pass if the VPN connection fails
  7. If there is a way to connect to multiple VPN servers at once and load balance for increased speed (I can have up to 5 simultaneous VPN connections and unlimited server swaps). This isn’t a deal breaker if impossible.
  8. How to prevent specific local IPs communicating with the internet based on MAC address (I’d rather my Wifi based Wemo plug sockets could only talk to the local network for example and that hackers in China do not switch my speakers on and off!) - I’d need to set up temporary rules to bypass this for updates etc. Oh IoT how I wish you were designed with security in mind!
  9. How to prevent inbound connections to the 10.0.0.X VLAN from outside the local network (i.e. prevent SSH access from outside the local network while still allowing linux ISO torrents to download)
  10. Whether this would be a lot easier on a single VLAN.

I’ve also drafted out some iptables rules for the VMs that should prevent too much leakage but am unsure how easily these would be covered by RouterOS - is it good practice to run firewalls on the VMs as well?

#!/bin/sh
# Draft VM firewall: default deny, only the LAN (em1) and the VPN tunnel (tun0) may carry traffic.
# The draft uses 192.168.1.0/24 and interface em1; adjust to the subnet and NIC the VM actually sits on.

PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Reset every table to a known state before building the rule set
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
ip route flush cache

# Default deny in all directions; everything below is an explicit exception
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback (127.0.0.0/8, not /16) and the local LAN
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -o em1 -d 192.168.1.0/24 -j ACCEPT

# Replies to connections this host opened; no ICMP from anywhere else
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP

# Outbound: only the VPN endpoint's network (placeholder, replace with the provider's range),
# the LAN, loopback and anything that already goes through the tunnel
iptables -A OUTPUT -d vpn.gateways.here/16 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT

# Inbound through the tunnel only on the torrent/listen ports
iptables -A INPUT -i tun0 -p tcp --dport 6881:6999 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --dport 21400 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --dport 20100 -j ACCEPT

# Forwarding for other LAN hosts using this VM as gateway: replies are allowed by state,
# unsolicited traffic towards the LAN is dropped (the original rule lacked /24 and so only
# matched the single address 192.168.1.0), and LAN hosts may only leave via the tunnel
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j DROP
iptables -A FORWARD -s 192.168.1.0/24 -o tun0 -j ACCEPT

# NAT: masquerade out of the tunnel, fixed source address on the LAN leg
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o em1 -j SNAT --to-source 192.168.1.2

# Reverse-path filtering off (paths via the tunnel are asymmetric) and enable forwarding
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done
echo 1 > /proc/sys/net/ipv4/ip_forward

The biggest question before I spend a long time playing (and swearing!) is can RouterOS do all this?
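As an added example (not from the post and not MikroTik's own documentation), this is how the source-IP, destination-domain and destination-IP selection of item 1, the local-only rule of item 4, the kill switch of item 6 and the inbound block of item 9 map onto RouterOS v6 configuration for the 10.0.0.X clients. Assumed: ether1-wan is the leg on 192.168.0.102 towards the home router, l2tp-out1 is the VPN tunnel, and 203.0.113.10 and example.org are placeholders for a remote server and a Cloudflare-fronted domain.

```routeros
# Assumed names: ether1-wan (leg towards 192.168.0.1), l2tp-out1 (VPN tunnel).
# 203.0.113.10 and example.org are placeholders; other addresses follow the post. RouterOS v6 syntax.

# 1. Classify hosts and destinations with address lists (FQDN entries are resolved by the router).
/ip firewall address-list
add list=vpn-only   address=10.0.0.2              comment="Transmission: 100% VPN"
add list=vpn-only   address=10.0.0.50-10.0.0.254  comment="DHCP pools: 100% VPN"
add list=bypass-src address=10.0.0.3              comment="Plex: 100% bypass"
add list=bypass-src address=10.0.0.6              comment="OwnCloud: 100% bypass"
add list=bypass-src address=10.0.0.7              comment="Amazon upload: 100% bypass"
add list=bypass-dst address=203.0.113.10          comment="PLACEHOLDER remote server IP"
add list=bypass-dst address=example.org           comment="PLACEHOLDER Cloudflare-fronted domain"

# 2. Second routing table for the tunnel. The blackhole route only becomes active when the
#    tunnel route is down, so marked traffic is dropped instead of falling back to the ISP path.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=via-vpn distance=1
add dst-address=0.0.0.0/0 type=blackhole    routing-mark=via-vpn distance=2

# 3. Policy routing in mangle: first match wins, so exceptions come before the catch-all.
/ip firewall mangle
add chain=prerouting src-address=10.0.0.0/24 dst-address=192.168.0.0/24 action=accept \
    comment="local stays local, never marked"
add chain=prerouting src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action=accept
add chain=prerouting src-address-list=vpn-only action=mark-routing \
    new-routing-mark=via-vpn passthrough=no comment="no bypass for these hosts"
add chain=prerouting src-address-list=bypass-src action=accept
add chain=prerouting src-address=10.0.0.0/24 dst-address-list=bypass-dst action=accept
add chain=prerouting src-address=10.0.0.0/24 action=mark-routing \
    new-routing-mark=via-vpn passthrough=no comment="everything else via VPN"

# 4. Filter: second kill switch for vpn-only hosts (LAN excepted), and no unsolicited inbound
#    to 10.0.0.0/24 except the torrent port range on the Transmission VM.
/ip firewall filter
add chain=forward src-address-list=vpn-only out-interface=ether1-wan \
    dst-address=!192.168.0.0/24 action=drop comment="kill switch"
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=l2tp-out1 dst-address=10.0.0.2 protocol=tcp \
    dst-port=6881-6999 action=accept
add chain=forward in-interface=l2tp-out1 action=drop
add chain=forward in-interface=ether1-wan action=drop

# 5. NAT out of both egress interfaces; the torrent port range comes in through the tunnel.
/ip firewall nat
add chain=srcnat out-interface=l2tp-out1 action=masquerade
add chain=srcnat out-interface=ether1-wan action=masquerade
add chain=dstnat in-interface=l2tp-out1 protocol=tcp dst-port=6881-6999 \
    action=dst-nat to-addresses=10.0.0.2
```

The FQDN entries are resolved on the router, so the 10.0.0.X clients must use the router as their DNS server or the address they connect to may not be the one on the list. A Cloudflare-fronted domain also shares its addresses with other Cloudflare-hosted sites, which will then bypass the VPN as well.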