
Combined Scenarios

Complete configuration examples combining DNS and routing rules for real-world private network use cases.

[Diagram: home network 192.168.1.x with NAS (.100), Router (.1) and Pi (.50); WireGuard tunnel when outside]
Scenario A: Home Network Management
Static IP mapping for home devices. Direct access when home, WireGuard tunnel when away.
config.toml
# DNS: Static IP mapping for home devices
[dns.rules]
"nas.home" = { host = "192.168.1.100" }
"router.home" = { host = "192.168.1.1" }
"pi.home" = { host = "192.168.1.50" }
"*.home.lab" = { to = ["192.168.1.1"] }
"default" = { to = ["8.8.8.8", "1.1.1.1"] }

# Routing: Direct when home, tunnel when outside
[[proxy.rules]]
geoip = "private"
direct = true

[[proxy.rules]]
domain = "*.home.lab"
when = { src = "192.168.1.0/24" }
direct = true

[[proxy.rules]]
domain = "*.home.lab"
to = "wg-home"
[Diagram: dev machine on localhost; dev server ports :3000, :5173 and database ports :3306, :6379 go DIRECT]
Scenario B: Development Environment
Local dev domains and common development ports bypass the gateway for a smooth workflow.
config.toml
# DNS: Local development domains
[dns.rules]
"*.localhost" = { host = "127.0.0.1" }
"*.local.dev" = { host = "127.0.0.1" }
"default" = { to = ["8.8.8.8"] }

# Routing: development-related traffic goes direct
[[proxy.rules]]
domain = "*.localhost"
direct = true

[[proxy.rules]]
domain = "*.local"
direct = true

[[proxy.rules]]
when = { port = "3000,3001,5173,8080-8999" }
direct = true

[[proxy.rules]]
when = { port = "22,3306,5432,6379" }
direct = true
[Diagram: *.ads.*, tracking and telemetry domains blocked, content APIs allowed; DNS + routing layer protection]
Scenario C: Ad & Tracker Blocking
Two-layer protection: DNS blocks ad domains, routing layer catches anything that gets through.
config.toml
# DNS layer blocking
[dns.rules]
"@geosite:category-ads-all" = "reject"
"*.doubleclick.net" = "reject"
"*.adsrvr.org" = "reject"
"default" = { to = ["8.8.8.8"] }

# Routing layer fallback blocking
[[proxy.rules]]
geosite = "category-ads-all"
reject = true

[[proxy.rules]]
domain = "*.ads.example.com"
reject = true
[Diagram: Site A 192.168.1.x via wg-site-a (*.site-a.internal), Site B 10.10.x.x via wg-site-b (*.site-b.internal); auto-route based on location]
Scenario D: Multi-Site Office
Automatically route to correct site based on current network location. Direct when on-site, WireGuard when remote.
config.toml
# Site A (192.168.1.x network)
[[proxy.rules]]
domain = "*.site-a.internal"
when = { src = "192.168.1.0/24" }
direct = true

[[proxy.rules]]
domain = "*.site-a.internal"
to = "wg-site-a"

# Site B (10.10.x.x network)
[[proxy.rules]]
domain = "*.site-b.internal"
when = { src = "10.10.0.0/16" }
direct = true

[[proxy.rules]]
domain = "*.site-b.internal"
to = "wg-site-b"

# Private IPs fallback direct
[[proxy.rules]]
geoip = "private"
direct = true

Routing Rules

Control how traffic is routed based on domain, IP, port, protocol, and network conditions.

Network Environment Awareness

Home LAN Direct [Home]
Access NAS, router, and other devices directly when at home
ip_cidr = "192.168.1.0/24"
when = { src = "192.168.1.0/24" }
direct = true

Remote Home Access [WireGuard]
Access home network via WireGuard tunnel when away
ip_cidr = "192.168.1.0/24"
to = "wg-home"

Home Lab Domain [Conditional]
Direct when home, tunnel when outside
domain = "*.home.lab"
when = { src = "192.168.1.0/24" }
direct = true

Office Intranet [Corporate]
Direct access to internal resources when in office
domain = "*.internal.corp"
when = { src = "10.0.0.0/8" }
direct = true

Development Environment

Local Dev Domains
localhost, .local, .test domains connect directly
domain = "*.localhost"
direct = true

Dev Server Ports
Common dev ports (3000, 5173, 8080-8999) direct
when = { port = "3000,5173,8080-8999" }
direct = true

Database Ports
MySQL, PostgreSQL, Redis, MongoDB direct
when = { port = "3306,5432,6379,27017" }
direct = true

SSH Direct
Prevent gateway interference with SSH connections
when = { port = "22" }
direct = true

Ads & Privacy Protection

GeoSite Ad Block
Block ads using GeoSite dataset
geosite = "category-ads-all"
reject = true

Wildcard Ad Block
Block specific ad domain patterns
domain = "*.ads.example.com"
reject = true

Tracker Block
Block user tracking services
domain = "*.tracking.example.com"
reject = true

Telemetry Block
Block app telemetry data collection
domain = "*.telemetry.example.com"
reject = true

Port & Protocol Routing

HTTPS via Gateway
Route only port 443 traffic through gateway
domain = "*.example.com"
when = { port = "443" }
to = "gateway-1"

UDP Gaming Route
Route UDP traffic (games, video calls) via dedicated line
when = { inbound = "udp" }
to = "gateway-game"

TUN Mode Only
Process only TUN-captured traffic
domain = "*.example.com"
when = { inbound = "tun" }
to = "gateway-1"

H2 Protocol Route
Route HTTP/2 traffic to specific gateway
domain = "*.api.example.com"
when = { alpn = "h2" }
to = "gateway-h2"

Domain Matching Patterns

Exact Match
Match only the specified domain
domain = "api.internal.corp"
to = "wg-office"

Subdomain Only (+.)
Match all subdomains, not root domain
domain = "+.internal.corp"
to = "wg-office"

Wildcard (*.)
Match domain and all subdomains
domain = "*.home.lab"
to = "wg-home"

GeoSite Dataset
Match using GeoSite category for ad blocking
geosite = "category-ads-all"
reject = true

DNS Rules

Configure DNS resolution behavior, upstream servers, and domain-based routing.

Basic Configuration

Specify Upstream DNS
Use specific DNS server for a domain
"example.com" = { to = ["8.8.8.8"] }
Concurrent DNS Queries
Query multiple DNS servers in parallel
"example.com" = { to = ["8.8.8.8", "1.1.1.1"] }
Default Upstream
Fallback DNS for unmatched domains
"default" = { to = ["8.8.8.8"] }

Hosts Mapping

Static IP Mapping
Return specific IP for a domain
"nas.home" = { host = "192.168.1.100" }
Shorthand Syntax
Simple hosts mapping format
"router.home" = "192.168.1.1"
Gateway Server IP
Pin the gateway server's hostname to its IP so resolving it never depends on the gateway itself (prevents a DNS circular dependency)
"gateway.example.com" = { host = "203.0.113.10" }

Reject & Block

Reject (Shorthand)
Return NXDOMAIN for domain
"*.ads.example.com" = "reject"
Reject (Full Form)
Explicit reject configuration
"*.tracking.com" = { reject = true }
GeoSite Ad Block
Block ads using GeoSite dataset
"@geosite:category-ads-all" = "reject"

Conditional DNS

Source IP Condition
Different DNS for different networks
"*.internal" = { when = { src = "10.0.0.0/8" }, to = ["10.0.0.53"] }
Internal Only Resolution
Only internal network can resolve internal domains
"*.corp.local" = [
  { when = { src = "10.0.0.0/8" }, to = ["10.0.0.53"] },
  { when = { src = "!10.0.0.0/8" }, reject = true },
]
DNS over WireGuard
Query DNS through WireGuard tunnel
"*.home.lab" = { to = ["192.168.1.1"], via = "wg-home" }

Quick Reference

Condition Fields (when)

Field    Description                                            Examples
src      Source IP (CIDR), supports negation and multi-value    "192.168.1.0/24", "!10.0.0.0/8", "192.168.0.0/16,10.0.0.0/8"
port     Destination port, supports ranges and negation         "443", "80,443", "8000-9000", "!22"
inbound  Inbound type                                           "tcp", "udp", "tun", "mixed", "tcp,tun"
alpn     ALPN protocol                                          "h2", "http/1.1", "h3", "h2,http/1.1"
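As an added example (not code from this page or from the tool it documents), the following Python evaluates `when` conditions with the semantics listed in the table: comma-separated multi-value fields, `!` negation, and port ranges. It assumes a leading `!` negates the whole field and that every field present in one `when` block must hold together; Scenario D's two site-A rules are re-encoded as a constructed sample to show file-order evaluation.

```python
import ipaddress

def split_field(spec: str):
    """Comma-separated multi-value field; a leading '!' negates the whole field (assumed)."""
    negate = spec.startswith("!")
    items = [v.strip() for v in spec.lstrip("!").split(",") if v.strip()]
    return negate, items

def src_matches(spec: str, src_ip: str) -> bool:
    """src: one or more CIDRs, e.g. "192.168.0.0/16,10.0.0.0/8" or "!10.0.0.0/8"."""
    negate, cidrs = split_field(spec)
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs) != negate

def port_matches(spec: str, port: int) -> bool:
    """port: single ports and ranges, e.g. "80,443", "8000-9000", "!22"."""
    negate, items = split_field(spec)
    hit = any(int(lo) <= port <= int(hi or lo)
              for lo, _, hi in (item.partition("-") for item in items))
    return hit != negate

def choice_matches(spec: str, value: str) -> bool:
    """inbound / alpn: plain alternatives such as "tcp,tun" or "h2,http/1.1"."""
    negate, items = split_field(spec)
    return (value in items) != negate

def when_matches(when: dict, conn: dict) -> bool:
    """Every field present in the when-block must hold (assumed AND); absent fields do not constrain."""
    checks = {
        "src": lambda s: src_matches(s, conn["src"]),
        "port": lambda s: port_matches(s, conn["port"]),
        "inbound": lambda s: choice_matches(s, conn["inbound"]),
        "alpn": lambda s: choice_matches(s, conn.get("alpn", "")),
    }
    return all(checks[k](v) for k, v in when.items())

# Constructed sample: Scenario D's two site-A rules (domain = "*.site-a.internal" on
# both), walked in file order so the src-conditioned direct rule applies only on the LAN.
SITE_A_RULES = [
    {"when": {"src": "192.168.1.0/24"}, "direct": True},
    {"to": "wg-site-a"},
]

def first_matching(rules: list, conn: dict):
    """First rule (in file order) whose when-block holds; the domain is assumed already matched."""
    for rule in rules:
        if when_matches(rule.get("when", {}), conn):
            return rule
    return None
```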

Rule Priority

Domain Rules

  1. "api.internal.corp"   exact match
  2. "+.internal.corp"     long suffix
  3. "*.internal.corp"     long suffix
  4. "*.corp"              short suffix

IP Rules

  1. "10.1.2.0/24"   /24, most specific
  2. "10.1.0.0/16"   /16
  3. "10.0.0.0/8"    /8, least specific

Cross-Type Rules

  • Different rule types (domain vs geosite) follow config file order
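An added example (not the page's own code) implementing the priority rules above in Python: exact match first, then a longer suffix over a shorter one, with `+.` matching subdomains only and `*.` matching the domain itself and its subdomains; IP rules pick the longest matching prefix. Ranking `+.` ahead of `*.` at equal suffix length follows the order listed above and is an assumption, as are the rule targets in the constructed tables.

```python
import ipaddress

# Constructed rule tables; the targets are placeholder names, not from the page.
DOMAIN_RULES = {
    "api.internal.corp": "wg-office-api",
    "+.internal.corp": "wg-office-sub",
    "*.internal.corp": "wg-office-any",
    "*.corp": "wg-corp",
}
IP_RULES = {"10.1.2.0/24": "gw-a", "10.1.0.0/16": "gw-b", "10.0.0.0/8": "gw-c"}

def pattern_matches(pattern: str, name: str) -> bool:
    """Exact name, '+.suffix' (subdomains only) or '*.suffix' (suffix itself and subdomains)."""
    if pattern.startswith("+."):
        return name.endswith("." + pattern[2:])
    if pattern.startswith("*."):
        root = pattern[2:]
        return name == root or name.endswith("." + root)
    return name == pattern

def pattern_rank(pattern: str) -> tuple:
    """Sort key: exact match first, then longer suffix before shorter;
    '+.' ahead of '*.' at equal length (assumed from the page's listing order)."""
    if pattern.startswith("+."):
        return (1, -len(pattern[2:]), 0)
    if pattern.startswith("*."):
        return (1, -len(pattern[2:]), 1)
    return (0, -len(pattern), 0)

def select_domain_rule(name: str, rules=DOMAIN_RULES):
    """Return (pattern, target) of the highest-priority matching domain rule, or None."""
    name = name.lower().rstrip(".")
    hits = [p for p in rules if pattern_matches(p, name)]
    if not hits:
        return None
    best = min(hits, key=pattern_rank)
    return best, rules[best]

def select_ip_rule(ip: str, rules=IP_RULES):
    """Return (cidr, target) of the most specific (longest prefix) matching IP rule, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c).prefixlen, c) for c in rules
            if addr in ipaddress.ip_network(c)]
    if not hits:
        return None
    _, best = max(hits)
    return best, rules[best]
```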