I have a router with a WireGuard VPN running, so everything that connects to it goes through the VPN.

What I am hoping for, though, is to NOT have everything run through the VPN, but only devices that are attached to a subnet (VLAN and/or a single router port). See the diagram below; I would like Port 4 and the related SSID to be the only network going through the VPN tunnel.

What I have done so far:

Within LuCI, I created a new interface called "VPN"; it has its own subnet (xxx.xxx.4.1). I also attached ‘Port 4’ of the router to this network, and finally created a new dedicated SSID (HomeVPNWIFI) and firewall. This, btw, works as expected.

My goal is to isolate the use of the VPN to just the new network (VLAN) I created, and NOT the rest of the LAN. Within the router’s web admin page, I see that you can set the VPN policy ‘Based on the VLAN’, but it only gives us the Private (xxx.xxx.8.1) and Guest (xxx.xxx.9.1) options and not the custom network I created.

Any idea how I can make this work?

Thanks.
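Added example, not part of the post above and not the vendor UI's own policy feature: the plain OpenWrt way to route only one VLAN through a WireGuard tunnel is source-based policy routing in `/etc/config/network` plus firewall zones that only let that VLAN forward into the tunnel. The script below renders the `uci batch` commands for that; every name in it is an assumption (subnet `192.168.4.0/24` standing in for the poster's xxx.xxx.4.x network, WireGuard interface `wg0`, a firewall zone `vpnlan` for the VPN VLAN, routing table `100`) and must be adjusted to the real config.

```shell
#!/bin/sh
# Added example (not the poster's config): render UCI batch commands that
# send only the VPN VLAN's traffic through WireGuard. All names are assumed.
VPN_SUBNET="${VPN_SUBNET:-192.168.4.0/24}"   # the "VPN" VLAN subnet (assumed)
VPN_ZONE="${VPN_ZONE:-vpnlan}"               # firewall zone holding that VLAN (assumed)
WG_IF="${WG_IF:-wg0}"                        # WireGuard interface name (assumed)
TABLE="${TABLE:-100}"                        # dedicated routing table id (assumed)

# Policy routing: the tunnel's default route lives in a separate table, and
# only packets sourced from VPN_SUBNET consult that table. Everyone else keeps
# using the main table, i.e. the normal WAN route.
render_pbr_batch() {
    # route_allowed_ips='0' stops the peer's 0.0.0.0/0 AllowedIPs from being
    # installed into the main table, which is what drags the whole LAN in.
    cat <<EOF
set network.@wireguard_${WG_IF}[0].route_allowed_ips='0'
set network.vpn_default=route
set network.vpn_default.interface='${WG_IF}'
set network.vpn_default.target='0.0.0.0/0'
set network.vpn_default.table='${TABLE}'
set network.vpn_rule=rule
set network.vpn_rule.src='${VPN_SUBNET}'
set network.vpn_rule.lookup='${TABLE}'
set network.vpn_rule.priority='100'
commit network
EOF
}

# Firewall: the VPN VLAN may forward only into the tunnel zone. Deliberately no
# vpnlan -> wan forwarding, so if the tunnel is down the rule lookup falls back
# to the main table and the packets are rejected instead of leaking out the WAN.
render_firewall_batch() {
    cat <<EOF
set firewall.wg_zone=zone
set firewall.wg_zone.name='wg'
add_list firewall.wg_zone.network='${WG_IF}'
set firewall.wg_zone.input='REJECT'
set firewall.wg_zone.output='ACCEPT'
set firewall.wg_zone.forward='REJECT'
set firewall.wg_zone.masq='1'
set firewall.wg_zone.mtu_fix='1'
set firewall.${VPN_ZONE}_to_wg=forwarding
set firewall.${VPN_ZONE}_to_wg.src='${VPN_ZONE}'
set firewall.${VPN_ZONE}_to_wg.dest='wg'
commit firewall
EOF
}

# Commands to confirm the split afterwards (run on the router).
render_check_commands() {
    cat <<EOF
ip rule show
ip route show table ${TABLE}
ip route get 1.1.1.1 from ${VPN_SUBNET%/*} iif br-lan
ip route get 1.1.1.1
EOF
}

# Apply only when running on an OpenWrt box; otherwise just print the batch.
apply_pbr() {
    if command -v uci >/dev/null 2>&1; then
        render_pbr_batch | uci batch
        render_firewall_batch | uci batch
        ifup "${WG_IF}"
        /etc/init.d/firewall reload
    else
        render_pbr_batch
        render_firewall_batch
    fi
}

apply_pbr
```

The `ip route get ... from <vlan address>` line should report the tunnel device while the plain `ip route get 1.1.1.1` reports the WAN; that is the split working. DNS is a separate leak: point the VPN VLAN's DHCP clients at a resolver reachable only through the tunnel, or the hosts will still query the ISP resolver over the WAN.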