Allow Forwarding from WAN with NAT disabled

Hey there,

I am struggling to configure fw4 to let IPv4 ACME challenges on port 80 go through to my device; see the complete firewall config file below. I added the following rule (and similar variants) without success so far:

config rule
	option target 'ACCEPT'
	option dest_port '80'
	option family 'ipv4'
	option name 'WAN Allow acme.sh SRV'
	list proto 'tcp'
	list proto 'udp'
	option src 'wan'
	option dest 'SRV'
	list dest_ip '10.1.3.10'

I have a setup where NAT is disabled on the OpenWRT device according to https://openwrt.org/docs/guide-user/network/switch_router_gateway_and_nat#device_as_router_with_disabled_nat_additional_routing_rules and where the OpenWRT device is behind an upstream router with NAT. See a network sketch below.

           +------------------+
           |                  |
           | Internet         |
           +--------+---------+
                    |
                    |
           +--------+---------+
           | Upstream Router  |
           | 10.1.1.1         |  NAT here + port 80 forwarded to 10.1.3.10
           +-------+----------+  Route 10.1.3.0/24 via 10.1.1.201
                   |
                   |
                    | net 10.1.1.0/24
                   |
           +-------+-------+
           | OpenWRT Device|
           | 10.1.1.201    |
           +---------------+
           |
           |
           |SRV net 10.1.3.0/24
           |
           |
           |
  +--------+--------+
  |ACME-Device      |
  |net SRV 10.1.3.10|
  +-----------------+

However, I still get connection refused when connecting to port 80 on the global IPv4 address from the internet. See e.g. a tcpdump export on the WAN interface of the OpenWRT device below, which indicates the request is received by the OpenWRT device.

 11:17:51.222916 IP xxx.44936 > 10.1.3.10.80: Flags [S], seq 2429472933, win 65535, options [mss 1452,sackOK,TS val 4086956839 ecr 0,nop,wscale 8], length 0
11:17:51.223236 IP 10.1.3.10.80 > xxx.44936: Flags [R.], seq 0, ack 2429472934, win 0, length 0

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'DROP'
	list network 'lan'
	list network 'LANvpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option dest_port '80'
	option family 'ipv4'
	option name 'WAN Allow acme.sh SRV'
	list proto 'tcp'
	list proto 'udp'
	option src 'wan'
	option dest 'SRV'
	list dest_ip '10.1.3.10'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'SRV'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'SRV'
	option input 'DROP'

config forwarding
	option dest 'wan'
	option src 'SRV'

config rule
	option name 'SRV allow DNS Queries'
	option src 'SRV'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'SRV allow DHCP request'
	option src 'SRV'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'SRV allow DHCPv6'
	option src 'SRV'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv6'
	option src_port '546'
	option dest_port '547'

config rule
	option name 'SRV allow SLAAC'
	option target 'ACCEPT'
	option family 'ipv6'
	option src 'SRV'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '141'
	list icmp_type '142'
	list icmp_type '148'
	list icmp_type '149'

config rule
	option name 'lan allow DNS Queries'
	option src 'lan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'lan allow DHCP request'
	option src 'lan'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'lan allow DHCPv6'
	option src 'lan'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv6'
	option src_port '546'
	option dest_port '547'

config rule
	option name 'lan allow SLAAC'
	option target 'ACCEPT'
	option family 'ipv6'
	option src 'lan'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '141'
	list icmp_type '142'
	list icmp_type '148'
	list icmp_type '149'

config redirect
	option name 'lan Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

config redirect
	option name 'lan Intercept-NTP'
	option src 'lan'
	option src_dport '123'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

config rule
	option name 'LAN4 Deny-DoH'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv4'
	option ipset 'doh dest'
	option target 'REJECT'

config rule
	option name 'LAN6 Deny-DoH'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv6'
	option ipset 'doh6 dest'
	option target 'REJECT'

config rule
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'
	option name 'IOT Deny-DoT'
	option src 'IOT'

config rule
	option name 'lan Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'

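Added example, not code from the original post: in fw4 a `config rule` that names both `src` and `dest` lands in the forward chain (here wan to SRV), a rule with only `src` lands in the input chain of that zone, and a zone's own `option forward` only governs traffic between networks of that same zone, so the wan zone's `forward 'ACCEPT'` does not open wan to SRV. The Python below parses a UCI firewall export and reports, for a zone pair, which rules and `config forwarding` sections would let a new flow through. The sample text is a constructed subset of the configuration posted above; the parser and the chain-selection logic are the example's own, not OpenWrt code.

```python
"""Classify UCI firewall rules by the fw4 chain they land in (added example, not OpenWrt code)."""
import shlex
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Section:
    type: str                      # "zone", "rule", "forwarding", ...
    name: Optional[str]            # named sections such as `config rule 'LANvpn'`
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)


def parse_uci(text):
    """Minimal UCI parser: `config`, `option` and `list` lines, single-quoted values."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            sections.append(Section(tok[1], tok[2] if len(tok) > 2 else None))
        elif tok[0] == "option" and sections:
            sections[-1].options[tok[1]] = tok[2] if len(tok) > 2 else ""
        elif tok[0] == "list" and sections:
            sections[-1].lists.setdefault(tok[1], []).append(tok[2] if len(tok) > 2 else "")
    return sections


def rule_chain(rule):
    """fw4 chain selection: src+dest -> forward, src only -> input, otherwise output."""
    src, dest = rule.options.get("src"), rule.options.get("dest")
    if src and dest:
        return "forward"
    return "input" if src else "output"


def forward_openings(sections, src_zone, dst_zone):
    """What lets a NEW flow from src_zone be forwarded into dst_zone.

    Explicit ACCEPT rules are evaluated before the zone-to-zone forwarding
    fallthrough, so both are reported. The zone's own `option forward` is
    deliberately ignored: it covers traffic between networks of that same
    zone (wan -> wan), never wan -> SRV.
    """
    zones = {s.options.get("name") for s in sections if s.type == "zone"}
    missing = {z for z in (src_zone, dst_zone) if z not in zones}
    if missing:
        # fw4 skips a rule whose zone does not exist, so flag it loudly here
        raise ValueError(f"undefined zone(s): {sorted(missing)}")
    rules = [
        s.options.get("name", "<unnamed>")
        for s in sections
        if s.type == "rule"
        and s.options.get("enabled", "1") != "0"
        and rule_chain(s) == "forward"
        and s.options["src"] in (src_zone, "*")
        and s.options["dest"] in (dst_zone, "*")
        and s.options.get("target") == "ACCEPT"
    ]
    zone_fwd = any(
        s.type == "forwarding"
        and s.options.get("src") == src_zone
        and s.options.get("dest") == dst_zone
        for s in sections
    )
    return {"accept_rules": rules, "zone_forwarding": zone_fwd}


# Constructed subset of the /etc/config/firewall posted above.
SAMPLE = """
config defaults
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'DROP'
	option forward 'ACCEPT'

config zone
	option name 'SRV'
	list network 'SRV'
	option input 'DROP'
	option forward 'REJECT'

config forwarding
	option src 'SRV'
	option dest 'wan'

config rule
	option name 'WAN Allow acme.sh SRV'
	option src 'wan'
	option dest 'SRV'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '80'
	list dest_ip '10.1.3.10'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
"""


def report(text=SAMPLE):
    """Chain per named rule, plus what opens wan -> SRV for a new flow."""
    sections = parse_uci(text)
    chains = {s.options["name"]: rule_chain(s) for s in sections if s.type == "rule"}
    return chains, forward_openings(sections, "wan", "SRV")


if __name__ == "__main__":
    for item in report():
        print(item)
```

For the posted configuration this reports the ACME rule as a forward rule and `Allow-Ping` as an input rule, and shows that nothing but that single rule opens wan to SRV, which is the expected shape; if the rule were missing `dest`, it would silently become a wan input rule and never affect forwarding.
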
The web server is rejecting the connection.
Most likely some host-based firewall or some access list on the web server.

Sadly, this is not the case. If I run tcpdump on the server itself on port 80 I do not see any traffic while at the same time seeing traffic on the WAN interface of the OpenWRT device (if I query from the internet).

If I run "curl 10.1.3.10" on the OpenWRT device, I see traffic in the tcpdump of the acme server:

/ # tcpdump port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:36:43.871472 IP OpenWRTDevice.55700 > acmedevice.80: Flags [S], seq 310008417, win 64240, options [mss 1460,sackOK,TS val 1176207117 ecr 0,nop,wscale 5], length 0
12:36:43.871558 IP acmedevice.80 > OpenWRTDevice.55700: Flags [S.], seq 3834379374, ack 310008418, win 65160, options [mss 1460,sackOK,TS val 2648298721 ecr 1176207117,nop,wscale 7], length 0
12:36:43.872231 IP OpenWRTDevice.55700 > acmedevice.80: Flags [.], ack 1, win 2008, options [nop,nop,TS val 1176207118 ecr 2648298721], length 0
12:36:43.872560 IP OpenWRTDevice.55700 > acmedevice.80: Flags [P.], seq 1:74, ack 1, win 2008, options [nop,nop,TS val 1176207118 ecr 2648298721], length 73: HTTP: GET / HTTP/1.1
12:36:43.872590 IP acmedevice.80 > OpenWRTDevice.55700: Flags [.], ack 74, win 509, options [nop,nop,TS val 2648298722 ecr 1176207118], length 0
12:36:43.872699 IP acmedevice.80 > OpenWRTDevice.55700: Flags [F.], seq 1, ack 74, win 509, options [nop,nop,TS val 2648298722 ecr 1176207118], length 0
12:36:43.873329 IP OpenWRTDevice.55700 > acmedevice.80: Flags [F.], seq 74, ack 2, win 2008, options [nop,nop,TS val 1176207119 ecr 2648298722], length 0
12:36:43.873374 IP acmedevice.80 > OpenWRTDevice.55700: Flags [.], ack 75, win 509, options [nop,nop,TS val 2648298723 ecr 1176207119], length 0

Run the tcpdump on the SRV interface and verify that the packets egress OpenWrt.

If I run curl on the OpenWRT device, I get the following tcpdump on the SRV-interface:

# tcpdump -i vlan.3 host 10.1.3.10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan.3, link-type EN10MB (Ethernet), capture size 262144 bytes
13:24:21.883990 IP 10.1.3.1.36028 > 10.1.3.10.80: Flags [S], seq 3818486847, win 64240, options [mss 1460,sackOK,TS val 1179065131 ecr 0,nop,wscale 5], length 0
13:24:21.884657 IP 10.1.3.10.80 > 10.1.3.1.36028: Flags [S.], seq 2201474963, ack 3818486848, win 65160, options [mss 1460,sackOK,TS val 2651156735 ecr 1179065131,nop,wscale 7], length 0
13:24:21.885096 IP 10.1.3.1.36028 > 10.1.3.10.80: Flags [.], ack 1, win 2008, options [nop,nop,TS val 1179065132 ecr 2651156735], length 0
13:24:21.885568 IP 10.1.3.1.36028 > 10.1.3.10.80: Flags [P.], seq 1:74, ack 1, win 2008, options [nop,nop,TS val 1179065133 ecr 2651156735], length 73: HTTP: GET / HTTP/1.1
13:24:21.885924 IP 10.1.3.10.80 > 10.1.3.1.36028: Flags [.], ack 74, win 509, options [nop,nop,TS val 2651156737 ecr 1179065133], length 0
13:24:21.886127 IP 10.1.3.10.80 > 10.1.3.1.36028: Flags [F.], seq 1, ack 74, win 509, options [nop,nop,TS val 2651156737 ecr 1179065133], length 0
13:24:21.886471 IP 10.1.3.1.36028 > 10.1.3.10.80: Flags [F.], seq 74, ack 2, win 2008, options [nop,nop,TS val 1179065134 ecr 2651156737], length 0
13:24:21.886836 IP 10.1.3.10.80 > 10.1.3.1.36028: Flags [.], ack 75, win 509, options [nop,nop,TS val 2651156737 ecr 1179065134], length 0

If I run curl from the internet: nothing on the SRV-interface.

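A triage routine for the evidence in this thread, added here as an example and not code from the original posts: it parses tcpdump lines from the WAN-side and inside-interface captures and, for every SYN, decides whether the flow was accepted (SYN-ACK), refused by the host (the SYN appears on the inside interface and the RST comes back from there), or rejected by the router itself (RST on the WAN side while the SYN never appears on the inside interface). fw4's `reject with tcp reset` produces exactly that last pattern, an RST whose source is the original destination address, so a WAN-side capture alone looks as if the server answered. The WAN and SRV capture lines below are copied from the posts above; the host-refused scenario is constructed to show the other case.

```python
"""Triage TCP connection attempts from two tcpdump captures (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches the default tcpdump TCP summary line, e.g.
#   11:17:51.222916 IP xxx.44936 > 10.1.3.10.80: Flags [S], seq 2429472933, win 65535, ...
LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?(?:, ack (?P<ack>\d+))?"
)


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: Optional[int]
    ack: Optional[int]


def parse_tcpdump(lines):
    """Parse tcpdump summary lines into packets; non-TCP or truncated lines are skipped."""
    pkts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        pkts.append(Pkt(int(h) * 3600 + int(mi) * 60 + float(s),
                        m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"],
                        int(m["seq"]) if m["seq"] else None,
                        int(m["ack"]) if m["ack"] else None))
    return pkts


VERDICTS = {
    "accepted": "SYN-ACK came back: the flow reached a listening socket",
    "host-refused": "SYN reached the inside interface and the host answered RST",
    "router-reject": "RST on WAN but the SYN never left the router: the fw4 forward chain rejected it",
    "no-reply": "no answer on WAN within the capture (dropped, or routed elsewhere)",
    "other": "reply with unexpected flags",
}


def triage(wan_lines, inside_lines):
    """Map each (src, sport, dst, dport) SYN seen on WAN to (verdict code, reply latency in ms).

    Both captures must cover the same time window. The inside capture is
    what separates a host RST from the router's own reject: `reject with
    tcp reset` forges the original destination as the RST source address.
    """
    wan, inside = parse_tcpdump(wan_lines), parse_tcpdump(inside_lines)
    out = {}
    for syn in (p for p in wan if p.flags == "S"):
        key = (syn.src, syn.sport, syn.dst, syn.dport)
        reply = next((p for p in wan
                      if (p.src, p.sport, p.dst, p.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
                      and p.ts >= syn.ts and p.ack == syn.seq + 1), None)
        forwarded = any(p.flags == "S" and (p.src, p.sport, p.dst, p.dport) == key for p in inside)
        if reply is None:
            out[key] = ("no-reply", None)
            continue
        latency = round((reply.ts - syn.ts) * 1000, 2)
        if "S" in reply.flags:
            code = "accepted"
        elif "R" in reply.flags:
            code = "host-refused" if forwarded else "router-reject"
        else:
            code = "other"
        out[key] = (code, latency)
    return out


# Copied from the WAN-side capture in the first post; nothing was seen on vlan.3 at the time.
WAN_CAPTURE = [
    "11:17:51.222916 IP xxx.44936 > 10.1.3.10.80: Flags [S], seq 2429472933, win 65535, options [mss 1452,sackOK,TS val 4086956839 ecr 0,nop,wscale 8], length 0",
    "11:17:51.223236 IP 10.1.3.10.80 > xxx.44936: Flags [R.], seq 0, ack 2429472934, win 0, length 0",
]
SRV_CAPTURE = []

# Constructed counter-example: the same SYN does reach vlan.3 and the host itself refuses it.
SRV_CAPTURE_HOST = [
    "11:17:51.223050 IP xxx.44936 > 10.1.3.10.80: Flags [S], seq 2429472933, win 65535, length 0",
    "11:17:51.223150 IP 10.1.3.10.80 > xxx.44936: Flags [R.], seq 0, ack 2429472934, win 0, length 0",
]

# Copied from the curl-on-the-router capture on vlan.3: a completed handshake.
ACCEPTED_CAPTURE = [
    "13:24:21.883990 IP 10.1.3.1.36028 > 10.1.3.10.80: Flags [S], seq 3818486847, win 64240, options [mss 1460,sackOK,TS val 1179065131 ecr 0,nop,wscale 5], length 0",
    "13:24:21.884657 IP 10.1.3.10.80 > 10.1.3.1.36028: Flags [S.], seq 2201474963, ack 3818486848, win 65160, options [mss 1460,sackOK,TS val 2651156735 ecr 1179065131,nop,wscale 7], length 0",
]

if __name__ == "__main__":
    for key, (code, ms) in triage(WAN_CAPTURE, SRV_CAPTURE).items():
        print(key, code, ms, "ms:", VERDICTS[code])
```

On the posted captures the WAN flow comes out as `router-reject` with a reply latency of about 0.32 ms, which is another hint on its own: a host two hops away would rarely answer that fast, and the captures show the SYN never reached vlan.3.
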
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Thanks a lot for your effort! I am running 22.03.3, so the iptables command did not work. Here is the output. I had to split it into two parts to stay under the body limit of the post.

{
	"kernel": "5.10.161",
	"hostname": "OpenWRTDevice",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Ubiquiti EdgeRouter X",
	"board_name": "ubnt,edgerouter-x",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd01::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option device 'vlan.10'
	option ip6hint '2'
	option ipaddr '10.1.2.1'
	option ip6assign '64'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '10.1.1.201'
	option netmask '255.255.255.0'
	option gateway '10.1.1.1'
	option broadcast '10.1.1.255'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix '58'

config device
	option type 'bridge'
	option name 'vlan'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config bridge-vlan
	option device 'vlan'
	option vlan '80'
	list ports 'eth4'

config interface 'MGT'
	option proto 'static'
	option device 'vlan.80'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '80'
	list ip6class 'local'
	option ipaddr '10.1.80.1'

config bridge-vlan
	option device 'vlan'
	option vlan '3'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth4:t'

config bridge-vlan
	option device 'vlan'
	option vlan '5'
	list ports 'eth2:t'
	list ports 'eth3'
	list ports 'eth4:t'

config bridge-vlan
	option device 'vlan'
	option vlan '10'
	list ports 'eth2:t'
	list ports 'eth4:t'

config interface 'SRV'
	option proto 'static'
	option device 'vlan.3'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '3'
	option ipaddr '10.1.3.1'

config bridge-vlan
	option device 'vlan'
	option vlan '6'
	list ports 'eth2:t'
	list ports 'eth4:t'

config interface 'IOT'
	option proto 'static'
	option device 'vlan.6'
	option ipaddr '10.1.6.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '6'

config interface 'LANvpn'
	option proto 'static'
	option ip6hint '102'
	option ip6assign '64'
	option device 'tun1'

config interface 'MGTvpn'
	option proto 'static'
	option device 'tun0'
	option ip6hint '180'
	option ip6assign '64'

package dhcp

config dnsmasq
	option boguspriv '1'
	option filterwin2k '0'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option strictorder '1'
	option local '/local.family.de/'
	option domain 'local.family.de'
	option ednspacket_max '1232'
	option resolvfile '/etc/resolvdefault.conf'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'MGT'
	option interface 'MGT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'SRV'
	option interface 'SRV'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	option dhcpv6 'server'

config host
	option ip '10.1.3.125'
	option mac 'XX'

config host
	option ip '10.1.3.182'
	option mac 'XX'

config ipset 'doh'
	option instance 'doh'
	list name 'doh'
	list name 'doh6'
	list domain '1a.ns.ozer.im'
	list domain '1dot1dot1dot1.cloudflare-dns.com'
	list domain '8888.google'
## shortened to stay under the post body limit
	list domain 'zrh1-ns01.monzoon.net'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'DROP'
	list network 'lan'
	list network 'LANvpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option dest_port '80'
	option family 'ipv4'
	option name 'WAN Allow acme.sh SRV'
	list proto 'tcp'
	list proto 'udp'
	option src 'wan'
	option dest 'SRV'
	list dest_ip '10.1.3.10'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'MGT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'MGT'
	list network 'MGTvpn'

config forwarding
	option dest 'lan'
	option src 'MGT'

config forwarding
	option dest 'wan'
	option src 'MGT'

config zone
	option name 'SRV'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'SRV'
	option input 'DROP'

config forwarding
	option dest 'wan'
	option src 'SRV'

config forwarding
	option dest 'SRV'
	option src 'MGT'

config rule
	option name 'SRV block FB IPv6'
	option src 'SRV'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_ip '::xxx/::ffff:ffff:ffff:ffff'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option src 'SRV'
	option name 'SRV block FB IPv6 ULA net'
	option family 'ipv6'
	option dest 'wan'
	list dest_ip 'fd01::1/64'
	option target 'REJECT'
	list proto 'all'

config rule
	option name 'SRV block FB IPv4 net'
	option src 'SRV'
	option target 'REJECT'
	option dest 'wan'
	option family 'ipv4'
	list proto 'all'
	option dest_ip '10.1.1.0/24'
	option enabled '0'

config rule
	option name 'SRV allow DNS Queries'
	option src 'SRV'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'SRV allow DHCP request'
	option src 'SRV'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'SRV allow DHCPv6'
	option src 'SRV'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv6'
	option src_port '546'
	option dest_port '547'

config rule
	option name 'SRV allow SLAAC'
	option target 'ACCEPT'
	option family 'ipv6'
	option src 'SRV'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '141'
	list icmp_type '142'
	list icmp_type '148'
	list icmp_type '149'

config rule
	option name 'lan block FB IPv6'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_ip '::xx/::ffff:ffff:ffff:ffff'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option src 'lan'
	option name 'lan block FB IPv6 ULA net'
	option family 'ipv6'
	option dest 'wan'
	list dest_ip 'fd01::1/64'
	option target 'REJECT'
	list proto 'all'

config rule
	option name 'lan allow FB IPv4 FON'
	option src 'lan'
	option target 'ACCEPT'
	option dest 'wan'
	option family 'ipv4'
	option dest_port '5060 5061 7077-7110'
	list proto 'all'
	option dest_ip '10.1.1.1'

config rule
	option name 'lan block FB IPv4 net'
	option src 'lan'
	option dest 'wan'
	option family 'ipv4'
	list proto 'all'
	list dest_ip '10.1.1.0/24'
	option target 'DROP'

config rule
	option name 'lan allow DNS Queries'
	option src 'lan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'lan allow DHCP request'
	option src 'lan'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'lan allow DHCPv6'
	option src 'lan'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv6'
	option src_port '546'
	option dest_port '547'

config rule
	option name 'lan allow SLAAC'
	option target 'ACCEPT'
	option family 'ipv6'
	option src 'lan'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '141'
	list icmp_type '142'
	list icmp_type '148'
	list icmp_type '149'

config zone
	option name 'IOT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'
	option input 'DROP'

config forwarding
	option src 'IOT'
	option dest 'wan'

config forwarding
	option src 'MGT'
	option dest 'IOT'

config rule
	option name 'LAN allow local nginx'
	option family 'ipv4'
	list proto 'tcp'
	option src 'lan'
	option dest 'SRV'
	list dest_ip '10.1.3.2'
	option dest_port '80 443'
	option target 'ACCEPT'

config rule
	option name 'IOT block FB IPv6'
	option src 'IOT'
	option dest 'wan'
	list proto 'all'
	option dest_ip '::xxx/::ffff:ffff:ffff:ffff'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option src 'IOT'
	option name 'IOT block FB IPv6 ULA net'
	option family 'ipv6'
	option dest 'wan'
	list dest_ip 'fd01::1/64'
	option target 'REJECT'
	list proto 'all'

config rule
	option name 'IOT block FB IPv4 net'
	option src 'IOT'
	option target 'REJECT'
	option dest 'wan'
	option family 'ipv4'
	list proto 'all'
	option dest_ip '10.1.1.0/24'

config rule
	option name 'IOT allow DNS Queries'
	option src 'IOT'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'IOT allow DHCP request'
	option src 'IOT'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IOT allow DHCPv6'
	option src 'IOT'
	option target 'ACCEPT'
	option proto 'udp'
	option family 'ipv6'
	option src_port '546'
	option dest_port '547'

config rule
	option name 'IOT allow SLAAC'
	option target 'ACCEPT'
	option family 'ipv6'
	option src 'IOT'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	list icmp_type '141'
	list icmp_type '142'
	list icmp_type '148'
	list icmp_type '149'

config rule
	option name 'IOT allow OpenVPN MGT'
	list proto 'udp'
	option src 'IOT'
	option dest_port 'xx'
	option target 'ACCEPT'

config rule 'LANvpn'
	option name 'Allow-OpenVPN-LAN'
	option src 'wan'
	option dest_port 'xx'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'MGTvpn'
	option name 'Allow-OpenVPN-MGT'
	option src 'wan'
	option dest_port 'xx'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option dest_port 'xx'
	option src 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'lan Allow OpenVPN lan'

config rule
	option dest_port 'xx'
	option src 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	option name 'lan Allow OpenVPN MGT'

config redirect
	option name 'lan Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

config redirect
	option name 'IOT Intercept-DNS'
	option src 'IOT'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

config redirect
	option name 'lan Intercept-NTP'
	option src 'lan'
	option src_dport '123'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

config redirect
	option name 'IOT Intercept-NTP'
	option src 'IOT'
	option src_dport '123'
	option proto 'tcp udp'
	option target 'DNAT'
	option family 'any'

config rule
	option name 'LAN4 Deny-DoH'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv4'
	option ipset 'doh dest'
	option target 'REJECT'

config rule
	option name 'LAN6 Deny-DoH'
	option src 'lan'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv6'
	option ipset 'doh6 dest'
	option target 'REJECT'

config rule
	option name 'IOT4 Deny-DoH'
	option src 'IOT'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv4'
	option ipset 'doh dest'
	option target 'REJECT'

config rule
	option name 'IOT6 Deny-DoH'
	option src 'IOT'
	option dest 'wan'
	option dest_port '443'
	option proto 'tcp udp'
	option family 'ipv6'
	option ipset 'doh6 dest'
	option target 'REJECT'

config ipset 'doh'
	option name 'doh'
	option family 'ipv4'
	option match 'net'
	list entry '130.61.0.178'
## shortened to stay under the post body limit
	list entry '80.254.79.157'

config ipset 'doh6'
	option name 'doh6'
	option family 'ipv6'
	option match 'net'
	list entry '2003:180:2:7000:0:4:0:53'
## shortened to stay under the post body limit
	list entry '2a02:200:1:11::100'

config rule
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'
	option name 'IOT Deny-DoT'
	option src 'IOT'

config rule
	option name 'lan Deny-DoT'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'


table inet fw4 {
	ct helper amanda {
		type "amanda" protocol udp
		l3proto inet
	}

	ct helper RAS {
		type "RAS" protocol udp
		l3proto inet
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp
		l3proto inet
	}

	ct helper irc {
		type "irc" protocol tcp
		l3proto ip
	}

	ct helper pptp {
		type "pptp" protocol tcp
		l3proto ip
	}

	ct helper sip {
		type "sip" protocol udp
		l3proto inet
	}

	ct helper snmp {
		type "snmp" protocol udp
		l3proto ip
	}

	ct helper tftp {
		type "tftp" protocol udp
		l3proto inet
	}

	set doh {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 1.0.0.1-1.0.0.3, 1.1.1.1-1.1.1.3,
			     3.0.86.126, 3.1.94.218,
## shortened to stay under the post body limit
			     221.228.217.28, 223.5.5.5,
			     223.6.6.6 }
	}

	set doh6 {
		type ipv6_addr
		flags interval
		auto-merge
		elements = { 2001:300::5-2001:300::6,
			     2001:470:1c:76d::53,
			     2001:470:20::2,
			     2001:470:26:7c:b26e:bfff:fe1d:e19b,
## shortened to stay under the post body limit
			     2a11:3::66 }
	}

	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname { "tun1", "vlan.10" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname { "tun0", "vlan.80" } jump input_MGT comment "!fw4: Handle MGT IPv4/IPv6 input traffic"
		iifname "vlan.3" jump input_SRV comment "!fw4: Handle SRV IPv4/IPv6 input traffic"
		iifname "vlan.6" jump input_IOT comment "!fw4: Handle IOT IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname { "tun1", "vlan.10" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname { "tun0", "vlan.80" } jump forward_MGT comment "!fw4: Handle MGT IPv4/IPv6 forward traffic"
		iifname "vlan.3" jump forward_SRV comment "!fw4: Handle SRV IPv4/IPv6 forward traffic"
		iifname "vlan.6" jump forward_IOT comment "!fw4: Handle IOT IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname { "tun1", "vlan.10" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname { "tun0", "vlan.80" } jump output_MGT comment "!fw4: Handle MGT IPv4/IPv6 output traffic"
		oifname "vlan.3" jump output_SRV comment "!fw4: Handle SRV IPv4/IPv6 output traffic"
		oifname "vlan.6" jump output_IOT comment "!fw4: Handle IOT IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname { "tun1", "vlan.10" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname "eth0" jump helper_wan comment "!fw4: Handle wan IPv4/IPv6 helper assignment"
		iifname { "tun0", "vlan.80" } jump helper_MGT comment "!fw4: Handle MGT IPv4/IPv6 helper assignment"
		iifname "vlan.3" jump helper_SRV comment "!fw4: Handle SRV IPv4/IPv6 helper assignment"
		iifname "vlan.6" jump helper_IOT comment "!fw4: Handle IOT IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		tcp dport 53 counter packets 3 bytes 204 accept comment "!fw4: lan allow DNS Queries"
		udp dport 53 counter packets 598656 bytes 49206520 accept comment "!fw4: lan allow DNS Queries"
		udp sport 67-68 udp dport 67-68 counter packets 1398 bytes 471841 accept comment "!fw4: lan allow DHCP request"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 87 bytes 14442 accept comment "!fw4: lan allow DHCPv6"
		icmpv6 type { nd-router-solicit, nd-router-advert, ind-neighbor-solicit, ind-neighbor-advert, 148, 149 } counter packets 616 bytes 33200 accept comment "!fw4: lan allow SLAAC"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } counter packets 168137 bytes 12018232 accept comment "!fw4: lan allow SLAAC"
		udp dport xx counter packets 3 bytes 246 accept comment "!fw4: lan Allow OpenVPN lan"
		udp dport xx counter packets 36 bytes 3072 accept comment "!fw4: lan Allow OpenVPN MGT"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump drop_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		meta l4proto tcp ip6 daddr & ::ffff:ffff:ffff:ffff == ::xx counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: lan block FB IPv6"
		meta l4proto udp ip6 daddr & ::ffff:ffff:ffff:ffff == ::xx counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: lan block FB IPv6"
		ip6 daddr xx::/64 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: lan Block FB IPv6 GUA net"
		ip6 daddr fd01::/64 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: lan block FB IPv6 ULA net"
		ip daddr 10.1.1.1 counter packets 841 bytes 315749 jump accept_to_wan comment "!fw4: lan allow FB IPv4 FON"
		ip daddr 10.1.1.0/24 counter packets 0 bytes 0 jump drop_to_wan comment "!fw4: lan block FB IPv4 net"
		ip daddr 10.1.3.2 tcp dport { 80, 443 } counter packets 8256 bytes 485354 jump accept_to_SRV comment "!fw4: LAN allow local nginx"
		tcp dport 443 ip daddr @doh counter packets 356 bytes 20832 jump reject_to_wan comment "!fw4: LAN4 Deny-DoH"
		udp dport 443 ip daddr @doh counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: LAN4 Deny-DoH"
		tcp dport 443 ip6 daddr @doh6 counter packets 346 bytes 27680 jump reject_to_wan comment "!fw4: LAN6 Deny-DoH"
		udp dport 443 ip6 daddr @doh6 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: LAN6 Deny-DoH"
		tcp dport 853 counter packets 22 bytes 1408 jump reject_to_wan comment "!fw4: lan Deny-DoT"
		udp dport 853 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: lan Deny-DoT"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_lan
	}

	chain helper_lan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_to_lan {
		oifname { "tun1", "vlan.10" } counter packets 304293 bytes 25343109 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain reject_to_lan {
		oifname { "tun1", "vlan.10" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject lan IPv4/IPv6 traffic"
	}

	chain drop_from_lan {
		iifname { "tun1", "vlan.10" } counter packets 23430 bytes 1794411 drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 9 bytes 5184 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 28917 bytes 1041012 accept comment "!fw4: Allow-IGMP"
		ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 2105 bytes 493929 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 7405 bytes 1501704 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 52562 bytes 3377928 accept comment "!fw4: Allow-ICMPv6-Input"
		udp dport xx counter packets 1 bytes 102 accept comment "!fw4: Allow-OpenVPN-LAN"
		udp dport xx counter packets 82 bytes 7492 accept comment "!fw4: Allow-OpenVPN-MGT"
		jump drop_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		ip daddr 10.1.3.2 tcp dport 8082 counter packets 0 bytes 0 jump accept_to_SRV comment "!fw4: SRV Allow acme.sh"
		jump reject_to_wan
	}

	chain helper_wan {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_to_wan {
		oifname "eth0" counter packets 1354207 bytes 250032459 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "eth0" counter packets 5937 bytes 947598 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain drop_from_wan {
		iifname "eth0" counter packets 35987 bytes 2567988 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain drop_to_wan {
		oifname "eth0" counter packets 0 bytes 0 drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain input_MGT {
		jump accept_from_MGT
	}

	chain output_MGT {
		jump accept_to_MGT
	}

	chain forward_MGT {
		jump accept_to_lan comment "!fw4: Accept MGT to lan forwarding"
		jump accept_to_wan comment "!fw4: Accept MGT to wan forwarding"
		jump accept_to_SRV comment "!fw4: Accept MGT to SRV forwarding"
		jump accept_to_IOT comment "!fw4: Accept MGT to IOT forwarding"
		jump accept_to_MGT
	}

	chain helper_MGT {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_from_MGT {
		iifname { "tun0", "vlan.80" } counter packets 12538 bytes 971651 accept comment "!fw4: accept MGT IPv4/IPv6 traffic"
	}

	chain accept_to_MGT {
		oifname { "tun0", "vlan.80" } counter packets 27759 bytes 2880039 accept comment "!fw4: accept MGT IPv4/IPv6 traffic"
	}

	chain input_SRV {
		tcp dport 53 counter packets 0 bytes 0 accept comment "!fw4: SRV allow DNS Queries"
		udp dport 53 counter packets 34961 bytes 2522182 accept comment "!fw4: SRV allow DNS Queries"
		udp sport 67-68 udp dport 67-68 counter packets 581 bytes 190568 accept comment "!fw4: SRV allow DHCP request"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 5 bytes 846 accept comment "!fw4: SRV allow DHCPv6"
		icmpv6 type { nd-router-solicit, nd-router-advert, ind-neighbor-solicit, ind-neighbor-advert, 148, 149 } counter packets 2038 bytes 114128 accept comment "!fw4: SRV allow SLAAC"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } counter packets 4578 bytes 312296 accept comment "!fw4: SRV allow SLAAC"
		jump drop_from_SRV
	}

	chain output_SRV {
		jump accept_to_SRV
	}

	chain forward_SRV {
		meta l4proto tcp ip6 daddr & ::ffff:ffff:ffff:ffff == ::xx counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: SRV block FB IPv6"
		meta l4proto udp ip6 daddr & ::ffff:ffff:ffff:ffff == ::xx counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: SRV block FB IPv6"
		ip6 daddr xx::/64 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: SRV Block FB IPv6 GUA net"
		ip6 daddr fd01::/64 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: SRV block FB IPv6 ULA net"
		ip daddr 10.1.1.0/24 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: SRV block FB IPv4 net"
		jump accept_to_wan comment "!fw4: Accept SRV to wan forwarding"
		jump reject_to_SRV
	}

	chain helper_SRV {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_to_SRV {
		oifname "vlan.3" counter packets 650827 bytes 49742464 accept comment "!fw4: accept SRV IPv4/IPv6 traffic"
	}

	chain reject_to_SRV {
		oifname "vlan.3" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject SRV IPv4/IPv6 traffic"
	}

	chain drop_from_SRV {
		iifname "vlan.3" counter packets 657 bytes 238138 drop comment "!fw4: drop SRV IPv4/IPv6 traffic"
	}

	chain input_IOT {
		tcp dport 53 counter packets 60 bytes 3600 accept comment "!fw4: IOT allow DNS Queries"
		udp dport 53 counter packets 129498 bytes 8784036 accept comment "!fw4: IOT allow DNS Queries"
		udp sport 67-68 udp dport 67-68 counter packets 848 bytes 287362 accept comment "!fw4: IOT allow DHCP request"
		meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 547 bytes 44854 accept comment "!fw4: IOT allow DHCPv6"
		icmpv6 type { nd-router-solicit, nd-router-advert, ind-neighbor-solicit, ind-neighbor-advert, 148, 149 } counter packets 683 bytes 33888 accept comment "!fw4: IOT allow SLAAC"
		icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } counter packets 22084 bytes 1513640 accept comment "!fw4: IOT allow SLAAC"
		udp dport 56075 counter packets 0 bytes 0 accept comment "!fw4: IOT allow OpenVPN MGT"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump drop_from_IOT
	}

	chain output_IOT {
		jump accept_to_IOT
	}

	chain forward_IOT {
		ip6 daddr & ::ffff:ffff:ffff:ffff == ::xx counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: IOT block FB IPv6"
		ip6 daddr fd01::/64 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: IOT block FB IPv6 ULA net"
		ip6 daddr xx::/64 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: IOT Block FB IPv6 GUA net"
		ip daddr 10.1.1.0/24 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: IOT block FB IPv4 net"
		tcp dport 443 ip daddr @doh counter packets 1269 bytes 81216 jump reject_to_wan comment "!fw4: IOT4 Deny-DoH"
		udp dport 443 ip daddr @doh counter packets 145 bytes 199810 jump reject_to_wan comment "!fw4: IOT4 Deny-DoH"
		tcp dport 443 ip6 daddr @doh6 counter packets 2816 bytes 235872 jump reject_to_wan comment "!fw4: IOT6 Deny-DoH"
		udp dport 443 ip6 daddr @doh6 counter packets 230 bytes 321540 jump reject_to_wan comment "!fw4: IOT6 Deny-DoH"
		tcp dport 853 counter packets 753 bytes 59240 jump reject_to_wan comment "!fw4: IOT Deny-DoT"
		udp dport 853 counter packets 0 bytes 0 jump reject_to_wan comment "!fw4: IOT Deny-DoT"
		jump accept_to_wan comment "!fw4: Accept IOT to wan forwarding"
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump reject_to_IOT
	}

	chain helper_IOT {
		udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain accept_to_IOT {
		oifname "vlan.6" counter packets 71167 bytes 8834174 accept comment "!fw4: accept IOT IPv4/IPv6 traffic"
	}

	chain reject_to_IOT {
		oifname "vlan.6" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject IOT IPv4/IPv6 traffic"
	}

	chain drop_from_IOT {
		iifname "vlan.6" counter packets 328 bytes 117408 drop comment "!fw4: drop IOT IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname { "tun1", "vlan.10" } jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
		iifname "vlan.6" jump dstnat_IOT comment "!fw4: Handle IOT IPv4/IPv6 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}

	chain dstnat_lan {
		tcp dport 53 counter packets 3 bytes 204 redirect to :53 comment "!fw4: lan Intercept-DNS"
		udp dport 53 counter packets 593797 bytes 48850024 redirect to :53 comment "!fw4: lan Intercept-DNS"
		tcp dport 123 counter packets 0 bytes 0 redirect to :123 comment "!fw4: lan Intercept-NTP"
		udp dport 123 counter packets 773 bytes 62628 redirect to :123 comment "!fw4: lan Intercept-NTP"
	}

	chain dstnat_IOT {
		tcp dport 53 counter packets 60 bytes 3600 redirect to :53 comment "!fw4: IOT Intercept-DNS"
		udp dport 53 counter packets 127106 bytes 8617554 redirect to :53 comment "!fw4: IOT Intercept-DNS"
		tcp dport 123 counter packets 0 bytes 0 redirect to :123 comment "!fw4: IOT Intercept-NTP"
		udp dport 123 counter packets 10961 bytes 1026136 redirect to :123 comment "!fw4: IOT Intercept-NTP"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.1.201/24 brd 10.1.1.255 scope global eth0
       valid_lft forever preferred_lft forever
10: vlan.80@vlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.80.1/24 brd 10.1.80.255 scope global vlan.80
       valid_lft forever preferred_lft forever
11: vlan.3@vlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.3.1/24 brd 10.1.3.255 scope global vlan.3
       valid_lft forever preferred_lft forever
12: vlan.6@vlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.6.1/24 brd 10.1.6.255 scope global vlan.6
       valid_lft forever preferred_lft forever
46: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.1.180.1/24 scope global tun0
       valid_lft forever preferred_lft forever
48: vlan.10@vlan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.2.1/24 brd 10.1.2.255 scope global vlan.10
       valid_lft forever preferred_lft forever
65: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    inet 10.1.102.1/24 scope global tun1
       valid_lft forever preferred_lft forever
default via 10.1.1.1 dev eth0 
10.1.1.0/24 dev eth0 scope link  src 10.1.1.201 
10.1.2.0/24 dev vlan.10 scope link  src 10.1.2.1 
10.1.3.0/24 dev vlan.3 scope link  src 10.1.3.1 
10.1.6.0/24 dev vlan.6 scope link  src 10.1.6.1 
10.1.80.0/24 dev vlan.80 scope link  src 10.1.80.1 
10.1.102.0/24 dev tun1 scope link  src 10.1.102.1 
10.1.180.0/24 dev tun0 scope link  src 10.1.180.1 
broadcast 10.1.1.0 dev eth0 table local scope link  src 10.1.1.201 
local 10.1.1.201 dev eth0 table local scope host  src 10.1.1.201 
broadcast 10.1.1.255 dev eth0 table local scope link  src 10.1.1.201 
broadcast 10.1.2.0 dev vlan.10 table local scope link  src 10.1.2.1 
local 10.1.2.1 dev vlan.10 table local scope host  src 10.1.2.1 
broadcast 10.1.2.255 dev vlan.10 table local scope link  src 10.1.2.1 
broadcast 10.1.3.0 dev vlan.3 table local scope link  src 10.1.3.1 
local 10.1.3.1 dev vlan.3 table local scope host  src 10.1.3.1 
broadcast 10.1.3.255 dev vlan.3 table local scope link  src 10.1.3.1 
broadcast 10.1.6.0 dev vlan.6 table local scope link  src 10.1.6.1 
local 10.1.6.1 dev vlan.6 table local scope host  src 10.1.6.1 
broadcast 10.1.6.255 dev vlan.6 table local scope link  src 10.1.6.1 
broadcast 10.1.80.0 dev vlan.80 table local scope link  src 10.1.80.1 
local 10.1.80.1 dev vlan.80 table local scope host  src 10.1.80.1 
broadcast 10.1.80.255 dev vlan.80 table local scope link  src 10.1.80.1 
broadcast 10.1.102.0 dev tun1 table local scope link  src 10.1.102.1 
local 10.1.102.1 dev tun1 table local scope host  src 10.1.102.1 
broadcast 10.1.102.255 dev tun1 table local scope link  src 10.1.102.1 
broadcast 10.1.180.0 dev tun0 table local scope link  src 10.1.180.1 
local 10.1.180.1 dev tun0 table local scope host  src 10.1.180.1 
broadcast 10.1.180.255 dev tun0 table local scope link  src 10.1.180.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

The 'WAN Allow acme.sh SRV' is not evident in the running firewall configuration. There is only this:

ip daddr 10.1.3.2 tcp dport 8082 counter packets 0 bytes 0 jump accept_to_SRV comment "!fw4: SRV Allow acme.sh"

Which is not found anywhere in the firewall configuration.
There seem to be mismatches between the firewall configuration and the runtime.
Do a /etc/init.d/firewall restart and paste the output here.

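A quick way to surface the config-versus-runtime mismatch this reply points at, as an added Python example that is not from OpenWrt or fw4: it lists the named rules and zone forwardings in /etc/config/firewall whose `!fw4:` comment is missing from `nft list ruleset`, which is what a failed reload leaves behind. The UCI excerpt and the trimmed ruleset are constructed samples; the only assumed convention is the comment format visible in the dump above.

```python
"""Find fw4 rules that are in /etc/config/firewall but not in the kernel, the
drift a failed firewall reload leaves behind. Assumes only the convention seen
in this thread's dump: "!fw4: <UCI name>" and "!fw4: Accept <src> to <dest> forwarding"."""
import re

# Constructed UCI excerpt carrying the forwarding and the rule from the question.
UCI_SAMPLE = """\
config forwarding
	option src 'SRV'
	option dest 'wan'

config rule
	option name 'WAN Allow acme.sh SRV'
	option src 'wan'
	option dest 'SRV'
	option dest_port '80'
	option target 'ACCEPT'
"""

# Constructed, trimmed `nft list ruleset`: the stale "SRV Allow acme.sh" rule
# is loaded, the new "WAN Allow acme.sh SRV" rule is not.
NFT_SAMPLE = """\
table inet fw4 {
	chain forward_wan {
		ip daddr 10.1.3.2 tcp dport 8082 counter jump accept_to_SRV comment "!fw4: SRV Allow acme.sh"
	}
	chain forward_SRV {
		jump accept_to_wan comment "!fw4: Accept SRV to wan forwarding"
	}
}
"""

COMMENT_RE = re.compile(r'comment "!fw4: ([^"]*)"')

def parse_uci(text):
    """Minimal UCI reader: `config <type>` blocks with option/list lines."""
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            sections.append({"__type": line.split()[1]})
        elif line.startswith(("option ", "list ")) and sections:
            _, key, val = line.split(None, 2)
            sections[-1][key] = val.strip("'\"")
    return sections

def expected_comments(uci_text):
    """Comment text fw4 attaches for each named rule/redirect and forwarding."""
    names = set()
    for sec in parse_uci(uci_text):
        if sec["__type"] in ("rule", "redirect") and sec.get("name"):
            names.add(sec["name"])
        elif sec["__type"] == "forwarding":
            names.add(f"Accept {sec['src']} to {sec['dest']} forwarding")
    return names

def running_comments(ruleset_text):
    """All fw4 comments present in the kernel ruleset."""
    return set(COMMENT_RE.findall(ruleset_text))

def missing_rules(uci_text, ruleset_text):
    """Sorted names present in the config but absent from the kernel ruleset."""
    running = running_comments(ruleset_text)
    return sorted(n for n in expected_comments(uci_text) if n not in running)

if __name__ == "__main__":
    # On the router: feed open("/etc/config/firewall").read() and `nft list ruleset`.
    for name in missing_rules(UCI_SAMPLE, NFT_SAMPLE):
        print(f"configured but not loaded: {name!r}; restart the firewall and read its errors")
```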

.. ah this seems like a trace. If I restart the firewall there is an error message.
Seems like something is messed up with the doh blocking.

/dev/stdin:46:6-8: Error: Could not process rule: File exists
	set doh {
	    ^^^

Thanks really a lot.. too obvious in the end.. removed the doh set config section, restarted fw, re-added the section, restarted fw again and now also the forwarding is working as expected!


I'm glad we sorted it out and it was easy to spot.
