Configuration verification of the Archer c7 V4 with dynamic public IP in DMZ in the Orange Livebox4

Hello,

I submit my configuration to you for verification.

This new topic is a continuation of this topic:

I changed ISP: I now have an Orange Livebox 4 with a dynamic public IPv4 address (92.144.xxx.xx or 83.203.xx.xxx) and IPv6.

My setup

ISP: Livebox4 Orange in DMZ for the OpenWrt router.

The Archer C7 V4 21.02.2-ath79, IP 192.168.2.1 router is operational with DynDNS, Wireguard server and DNSCrypt-proxy2 installed.

A Windows 10 laptop with WireGuard client, Firefox.
The other operational wireguard clients: a 2nd laptop, two smartphones and two tablets.

The Livebox 4 has no bridge option, only a DMZ option, so I gave the OpenWrt router a static DHCP lease (192.168.1.11, bound to its WAN MAC address) and set that address as the DMZ host. Note what DMZ means here: the Livebox forwards every unsolicited inbound IPv4 packet to 192.168.1.11, so the OpenWrt wan zone (input/forward REJECT) is the only filter in front of the router. It is still double NAT, not a bridge.

Livebox DMZ installation tutorial I used

Are the rules I added to the OpenWrt firewall safe, given that the router sits in the Livebox DMZ and therefore receives all unsolicited inbound traffic?

On the Orange Livebox 4 (192.168.1.1) I enabled DynDNS (No-IP) and a NAT/PAT port forward for WireGuard (UDP 51820). The port forward is redundant once the router is the DMZ host; I removed it later (see "What I have done" below).

Consequently the OpenWrt WAN interface carries a private address handed out by the Livebox (192.168.1.11, default gateway 192.168.1.1, see the `ip -4 addr` output below), while Dynamic DNS publishes the dynamic public IP assigned by Orange: a double-NAT setup.

With my Windows laptop and WireGuard in normal operation (AllowedIPs = 0.0.0.0/0, ::/0), I do not have access to the router's web interface.

I can manage the router locally with WireGuard enabled if I set AllowedIPs = 10.0.5.0/24, 192.168.2.0/24 (thanks to the forum). However, I still cannot reach my printer on the LAN while the tunnel is up.

I have not chosen a commercial VPN yet; probably ProtonVPN once it supports OpenWrt.

In the future, I would like to connect remotely to OpenWrt for administration and have access to my network. For the network, it is only a project.

My requests are multiple but I hope that the clarifications will be beneficial to other novices like me.

Thank you in advance for any help you would like to give me.

I enclose my command outputs (private keys are redacted) and remain at your disposal for further information.

ubus call system board
{
        "kernel": "5.4.179",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v4",
        "board_name": "tplink,archer-c7-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.2",
                "revision": "r16495-bf0c965af0",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.2 r16495-bf0c965af0"
        }
}


uci export network
package network

# NOTE(review): lines starting with '#' are reviewer annotations; the
# configuration text itself is unchanged.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:ae24:aead::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config device
        option name 'eth0.2'
        option macaddr '50:c7:bf:fe:ae:b6'

# WAN side sits on the Livebox LAN (192.168.1.0/24, double NAT). The ISP
# resolvers from DHCP are ignored (peerdns '0') and the router's own
# upstream is 10.0.5.1, i.e. this router's wg_lan address: the router then
# depends on its own dnsmasq (and on wg_lan being up) for DynDNS/NTP lookups.
# 127.0.0.1 or 192.168.2.1 would avoid the dependency on the tunnel interface.
config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '10.0.5.1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '10.0.5.1'

# Switch layout: port 1 = WAN (VLAN 2), ports 2-5 = LAN (VLAN 1), 0t = CPU.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# WireGuard server. UDP 51820 is the only service deliberately exposed through
# the Livebox DMZ; the private key is redacted in this paste.
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxx'
        option listen_port '51820'
        option mtu '1420'
        list addresses '10.0.5.1/24'

# One /32 per peer with route_allowed_ips: each client may only source its own
# tunnel address. persistent_keepalive is set server-side, which only matters
# if the router itself sits behind NAT toward the peer (it does, via the Livebox).
config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxxxx'
        option description 'Portable_Voyoi7'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxx'
        option description 'Portable_Asus'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxx'
        option description 'BV9500Pro'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.0.5.4/32'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxx'
        option description 'BV9000Pro'
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxxxxxxx'
        option description 'Tablette_AlldoCube'
        list allowed_ips '10.0.5.6/32'
        option route_allowed_ips '1'

config wireguard_wg_lan
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxxxx'
        option description 'Tablette_Voyoi8'
        list allowed_ips '10.0.5.7/32'
        option route_allowed_ips '1'

# Guest bridge has no ports listed here; a guest SSID would be attached from
# the wireless config, which is not shown. The zero counters on br-guest in
# iptables-save suggest nothing is using it at the moment.
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'


uci export dhcp
package dhcp

# NOTE(review): lines starting with '#' are reviewer annotations; the
# configuration text itself is unchanged.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Drop upstream answers that resolve to private addresses (DNS rebinding).
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Only answer queries coming from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        # Ignore /etc/resolv.conf (ISP resolvers); use only the 'server' list.
        option noresolv '1'
        option localuse '1'
        option boguspriv '0'
        # Cache off and all upstreams queried in parallel: every client lookup
        # is sent to every server listed below, including the faulty ones.
        option cachesize '0'
        option allservers '1'
        # 10.0.5.1 is this router's own wg_lan address, i.e. dnsmasq itself;
        # forwarding to it makes dnsmasq query itself. Remove this entry.
        list server '10.0.5.1'
        # 127.0.0.53 is systemd-resolved's stub address on desktop Linux;
        # nothing in this configuration listens there. Remove it unless a
        # listener on that address was set up elsewhere (not shown).
        list server '127.0.0.53'
        # Presumably the dnscrypt-proxy2 listeners (its config is not shown);
        # confirm with `netstat -lnp | grep -e 5353 -e 5454`.
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5454'
        # Plain-text exceptions so the clock can sync before dnscrypt-proxy can
        # validate certificates; only pool.ntp.org lookups leave unencrypted.
        list server '/pool.ntp.org/8.8.8.8'
        list server '/pool.ntp.org/208.67.220.220'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# ignore '1': no DHCP or RA is served toward the Livebox segment. Correct.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# force '1' serves DHCP on the guest bridge even if another server is seen;
# short 1h leases for transient devices.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option force '1'
        option leasetime '1h'
        list ra_flags 'none'


uci export firewall
package firewall

# NOTE(review): lines starting with '#' are reviewer annotations; the
# configuration text itself is unchanged.

# Global defaults. The wan zone below overrides input/forward with REJECT,
# which is what makes the Livebox DMZ placement acceptable.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        # wg_lan is a member of THIS zone: every WireGuard peer gets the same
        # trust as a wired LAN host (router admin, printer, other clients).
        # That is fine for personal devices; it is the thing to narrow if a
        # peer key is ever shared with someone else.
        list network 'wg_lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        # The Livebox DMZ forwards all unsolicited inbound IPv4 to this router,
        # so these two REJECTs are the only filter in front of it. Keep them.
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# No 'list network' here: wg_lan is already in the lan zone, so this zone has
# no interface and nothing ever matches it (every zone_wg_lan_* counter in the
# iptables-save output is 0). Either delete it, or move wg_lan out of 'lan'
# and into this zone if VPN peers should get a narrower policy than the LAN.
config zone
        option name 'wg_lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

# The three forwardings that mention 'wg_lan' are inert for the reason above;
# VPN<->LAN and VPN->WAN traffic is already covered by the lan zone's
# forward ACCEPT and the lan->wan forwarding.
config forwarding
        option src 'lan'
        option dest 'wg_lan'

config forwarding
        option src 'wg_lan'
        option dest 'lan'

config forwarding
        option src 'wg_lan'
        option dest 'wan'

# Stock OpenWrt rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Exposed through the DMZ. The iptables-save counter on this rule (40750
# packets) shows the router is being pinged from the wan side — probably the
# Livebox or Internet scanners; harmless, set enabled '0' if unwanted.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules. Nothing in this configuration runs IPsec on
# the LAN, so they can be turned off (option enabled '0') to shrink the
# surface the DMZ exposes.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

# The only service intentionally exposed through the DMZ. WireGuard does not
# answer packets that lack a valid handshake, so this is a low-risk opening;
# this wan-only rule is the one to keep.
config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: no router access except DNS and DHCP (rules below), no
# forwarding except what guest_fwd grants.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# dest_ip '!192.168.8.159/24' is rendered by fw3 as '! 192.168.8.0/24' (see
# zone_guest_forward in iptables-save) — a leftover from the SFR box. As
# written, guests may still reach the Livebox LAN 192.168.1.0/24, including
# the Livebox admin page at 192.168.1.1, because that subnet lies on the wan
# zone. Exclude 192.168.1.0/24 (option dest_ip '!192.168.1.0/24') instead.
config rule 'guest_fwd'
        option name 'Allow-Guest-Forward'
        option src 'guest'
        option dest 'wan'
        option dest_ip '!192.168.8.159/24'
        option proto 'all'
        option target 'ACCEPT'

# Forces LAN clients' plain DNS to dnsmasq on the router. 'Adblock DNS
# (lan, 53)' further down does exactly the same thing — keep only one.
config redirect
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

# Blocks DNS-over-TLS bypass. DNS-over-HTTPS (TCP 443) cannot be stopped
# this way; that needs blocking known DoH resolver addresses or names.
config rule
        option name 'Reject-DoT, port 853'
        option src 'lan'
        option dest 'wan'
        list proto 'tcp udp'
        option dest_port '853'
        option target 'REJECT'

# UDP 5353 is also mDNS (multicast to 224.0.0.251). This DNAT matches on
# destination port only, so it may also catch mDNS discovery traffic from
# LAN clients (printers, Chromecast) — confirm this is intended.
config redirect
        option name 'Divert-DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '53'
        option target 'DNAT'

# Duplicate of 'Divert-DNS, port 53' above.
config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

# Redirects DoT to port 853 on the router, where nothing in this
# configuration listens; the 'Reject-DoT' rule above already covers it.
config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

# Overlaps 'Divert-DNS, port 5353' (same match, different target port);
# only the first matching redirect wins.
config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

# src '*' accepts UDP 51820 from EVERY zone (guest included) and duplicates
# 'Allow-WireGuard-lan'. Delete it. Note also that neither this rule, the
# DNS redirects nor 'Reject-DoT' appear in the iptables-save output below
# (the INPUT root chain and zone_lan_prerouting hold no such entries), so
# either that dump predates these entries or the firewall was not reloaded —
# run `/etc/init.d/firewall reload` and re-check `iptables-save -c`.
config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'


head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.


iptables-save -c
# Generated by iptables-save v1.8.7 on Sat Mar 12 20:40:19 2022
*nat
:PREROUTING ACCEPT [66687:8169643]
:INPUT ACCEPT [46512:3970650]
:OUTPUT ACCEPT [14974:1060078]
:POSTROUTING ACCEPT [14877:1029295]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_lan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_lan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_lan_postrouting - [0:0]
:zone_wg_lan_prerouting - [0:0]
[66687:8169643] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[7505:1727395] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[5079:472176] -A PREROUTING -i wg_lan -m comment --comment "!fw3" -j zone_lan_prerouting
[54103:5970072] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[21001:1674690] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[187:20911] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[8:504] -A POSTROUTING -o wg_lan -m comment --comment "!fw3" -j zone_lan_postrouting
[6126:645703] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[195:21415] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[12584:2199571] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[6126:645703] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[6126:645703] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[54103:5970072] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wg_lan_postrouting -m comment --comment "!fw3: Custom wg_lan postrouting rule chain" -j postrouting_wg_lan_rule
[0:0] -A zone_wg_lan_prerouting -m comment --comment "!fw3: Custom wg_lan prerouting rule chain" -j prerouting_wg_lan_rule
COMMIT
# Completed on Sat Mar 12 20:40:19 2022
# Generated by iptables-save v1.8.7 on Sat Mar 12 20:40:19 2022
*mangle
:PREROUTING ACCEPT [1497535:1109250999]
:INPUT ACCEPT [437296:357279432]
:FORWARD ACCEPT [1048103:748496744]
:OUTPUT ACCEPT [548611:274173048]
:POSTROUTING ACCEPT [1596458:1022656341]
[2935:162108] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[3296:180944] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Mar 12 20:40:19 2022
# Generated by iptables-save v1.8.7 on Sat Mar 12 20:40:19 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_lan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_lan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_lan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_lan_dest_ACCEPT - [0:0]
:zone_wg_lan_dest_REJECT - [0:0]
:zone_wg_lan_forward - [0:0]
:zone_wg_lan_input - [0:0]
:zone_wg_lan_output - [0:0]
:zone_wg_lan_src_ACCEPT - [0:0]
[31910:3312785] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[405406:353968311] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[353369:349720432] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1946:82148] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1941:468195] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[4550:296434] -A INPUT -i wg_lan -m comment --comment "!fw3" -j zone_lan_input
[45546:3483250] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[1048119:748511081] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1041698:747706913] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4412:501959] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[2009:302209] -A FORWARD -i wg_lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[31912:3313121] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[516745:270881531] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[514845:270559989] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1418:252754] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3:344] -A OUTPUT -o wg_lan -m comment --comment "!fw3" -j zone_lan_output
[479:68444] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[1943:82054] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[2015:112308] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1946:82148] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward ! -d 192.168.8.0/24 -m comment --comment "!fw3: Allow-Guest-Forward" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[1927:285829] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[26:1628] -A zone_lan_dest_ACCEPT -o wg_lan -m comment --comment "!fw3" -j ACCEPT
[6421:804168] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[6421:804168] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[532:34359] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg_lan forwarding policy" -j zone_wg_lan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[532:34359] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6491:764629] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6491:764629] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1421:253098] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1421:253098] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1941:468195] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4550:296434] -A zone_lan_src_ACCEPT -i wg_lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[257:13779] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[6111:824474] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[45546:3483250] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[40750:3262072] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[838:26816] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard-lan" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3958:194362] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[479:68444] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[479:68444] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3958:194362] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Custom wg_lan forwarding rule chain" -j forwarding_wg_lan_rule
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Zone wg_lan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Zone wg_lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3" -j zone_wg_lan_dest_REJECT
[0:0] -A zone_wg_lan_input -m comment --comment "!fw3: Custom wg_lan input rule chain" -j input_wg_lan_rule
[0:0] -A zone_wg_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg_lan_input -m comment --comment "!fw3" -j zone_wg_lan_src_ACCEPT
[0:0] -A zone_wg_lan_output -m comment --comment "!fw3: Custom wg_lan output rule chain" -j output_wg_lan_rule
[0:0] -A zone_wg_lan_output -m comment --comment "!fw3" -j zone_wg_lan_dest_ACCEPT
COMMIT
# Completed on Sat Mar 12 20:40:19 2022


ip -4 addr; ip -4 ro li tab all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
9: wg_lan: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.0.5.1/24 brd 10.0.5.255 scope global wg_lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.11
10.0.5.0/24 dev wg_lan scope link  src 10.0.5.1
10.0.5.2 dev wg_lan scope link
10.0.5.3 dev wg_lan scope link
10.0.5.4 dev wg_lan scope link
10.0.5.5 dev wg_lan scope link
10.0.5.6 dev wg_lan scope link
10.0.5.7 dev wg_lan scope link
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.11
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
broadcast 10.0.5.0 dev wg_lan table local scope link  src 10.0.5.1
local 10.0.5.1 dev wg_lan table local scope host  src 10.0.5.1
broadcast 10.0.5.255 dev wg_lan table local scope link  src 10.0.5.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.11
local 192.168.1.11 dev eth0.2 table local scope host  src 192.168.1.11
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.11
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default


wg
interface: wg_lan
  public key: xxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxxxxxxxxxxx
  endpoint: 192.168.2.143:53002
  allowed ips: 10.0.5.7/32
  latest handshake: 7 seconds ago
  transfer: 4.96 MiB received, 235.15 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxx
  endpoint: 192.168.2.163:49668
  allowed ips: 10.0.5.2/32
  latest handshake: 19 seconds ago
  transfer: 46.97 MiB received, 485.47 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxx
  endpoint: 192.168.2.221:48079
  allowed ips: 10.0.5.5/32
  latest handshake: 28 seconds ago
  transfer: 75.18 KiB received, 111.81 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxx
  endpoint: 192.168.2.235:57590
  allowed ips: 10.0.5.3/32
  latest handshake: 42 seconds ago
  transfer: 3.32 MiB received, 2.88 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxxxxx
  endpoint: 192.168.2.159:40643
  allowed ips: 10.0.5.4/32
  latest handshake: 48 seconds ago
  transfer: 742.60 MiB received, 688.41 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxxxx
  endpoint: 192.168.2.165:46997
  allowed ips: 10.0.5.6/32
  latest handshake: 1 minute, 51 seconds ago
  transfer: 253.23 KiB received, 294.93 KiB sent
  persistent keepalive: every 25 seconds


Configuration of my remote devices:

Voyoi7 Laptop

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxeE8=
Address = 10.0.5.2/32
DNS = 10.0.5.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxx4=
# 0.0.0.0/0 sends everything into the tunnel, including traffic for the home
# LAN 192.168.2.0/24 while the laptop is physically on that LAN; on Windows
# the client then also blocks untunneled traffic. That is the expected cause of
# the "no router / no printer access" symptoms — a split AllowedIPs list
# (10.0.5.0/24, 192.168.2.0/24) is the usual fix for use at home.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): 10.0.5.1 is the tunnel's own inside address and is not
# reachable until the tunnel is up, so this cannot work as an endpoint. Use
# the DynDNS name (or 192.168.2.1 while at home) with port 51820 — the `wg`
# output shows peers arriving from 192.168.2.x. Ignore if this is a redaction.
Endpoint = 10.0.5.1:51820

Asus Laptop

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxXXY=
Address = 10.0.5.3/32
DNS = 10.0.5.1

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxDx4=
# Full-tunnel: LAN-destined traffic also goes through WireGuard while at home.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): 10.0.5.1 is the tunnel's inside address, not a reachable
# endpoint; the endpoint must be the DynDNS name (or 192.168.2.1 at home)
# on port 51820. Ignore if this is a redaction.
Endpoint = 10.0.5.1:51820


Smartphone BV9500 

[Interface]
Address = 10.0.5.4/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxZkY=

[Peer]
# Full-tunnel: all traffic, including LAN-destined traffic, goes via the router.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): 10.0.5.1 is the tunnel's inside address, not a reachable
# endpoint; from 4G the endpoint has to be the DynDNS name on port 51820.
# Ignore if this is a redaction.
Endpoint = 10.0.5.1:51820
# Keeps the NAT mapping on the mobile network open so the router can reach
# the phone; 25 s is the commonly used value.
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxDx4=


Smartphone BV9000 Pro 

[Interface]
Address = 10.0.5.5/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxK0w=

[Peer]
# Full-tunnel: all traffic, including LAN-destined traffic, goes via the router.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): 10.0.5.1 is the tunnel's inside address, not a reachable
# endpoint; from 4G the endpoint has to be the DynDNS name on port 51820.
# Ignore if this is a redaction.
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxx75xDx4=


AlldoCube tablet

[Interface]
Address = 10.0.5.6/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxx3Ww=

[Peer]
# Full-tunnel: all traffic, including LAN-destined traffic, goes via the router.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): 10.0.5.1 is the tunnel's inside address, not a reachable
# endpoint; use the DynDNS name (or 192.168.2.1 at home) on port 51820.
# Ignore if this is a redaction.
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxx75xDx4=


Voyoi8 tablet 

[Interface]
Address = 10.0.5.7/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxblw=

[Peer]
# Full-tunnel: all traffic, including LAN-destined traffic, goes via the router.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): 10.0.5.1 is the tunnel's inside address, not a reachable
# endpoint; use the DynDNS name (or 192.168.2.1 at home) on port 51820.
# Ignore if this is a redaction.
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxx5xDx4=

For the record, my configuration works with adblock, DynDNS, WireGuard, DNSCrypt-proxy2.

Everything works, with some modifications, following research on the forum.

With WireGuard installed, everything works, ethernet and Wi-Fi.
From a smartphone on 4G, using my domain name as the endpoint, the connection to the router works.

What I have done

Removal of WireGuard port forwarding in LiveBox 4 in DMZ

In firewall config
Added port forwarding for WireGuard

Removed this rule: with `src '*'` it accepted UDP 51820 from every zone (guest included) and only duplicated the wan-only 'Allow-WireGuard-lan' rule, which is the one actually needed. I also do not have a commercial VPN yet (goal: ProtonVPN).

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

I deleted this rule, a leftover from the SFR 4G box (192.168.8.0/24 was that box's LAN). Note that it was also the guest zone's only forwarding to wan, so guest clients have no Internet access until an equivalent rule is re-added — preferably one that excludes the Livebox LAN 192.168.1.0/24 rather than the old SFR subnet.

config rule 'guest_fwd'
        option name 'Allow-Guest-Forward'
        option src 'guest'
        option dest 'wan'
        option dest_ip '!192.168.8.159/24'
        option proto 'all'
        option target 'ACCEPT'

Removal of these forwardings, because I was hoping it would give me access to my printer locally (smiling is forbidden). It did not, and could not: the `wg_lan` network is a member of the `lan` zone, so the separate `wg_lan` zone has no interface and these forwardings never matched anything (the zone_wg_lan_* counters in the iptables-save output are all zero). To reach the printer I still have to disable WireGuard, which points at the client-side AllowedIPs/endpoint settings rather than at the firewall.

config forwarding
        option src 'lan'
        option dest 'wg_lan'

config forwarding
        option src 'wg_lan'
        option dest 'lan'

config forwarding
        option src 'wg_lan'
        option dest 'wan'

For information (do not copy my configuration), below is my operational configuration, as an example.

{
        "kernel": "5.4.188",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v4",
        "board_name": "tplink,archer-c7-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.3",
                "revision": "r16554-1d4dea6d4f",
                "target": "ath79/generic",
                "description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
        }
}
package network

# Stock loopback definition.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:ae24:aead::/48'

# LAN: bridge over switch VLAN 1 (ports 2-5, see switch_vlan '1' below),
# 192.168.2.0/24.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

# WAN: switch VLAN 2 (port 1) towards the Livebox. The DHCP address the
# Livebox hands out here is the DMZ host address, so everything the
# Livebox receives from the internet arrives on this interface.
config device
        option name 'eth0.2'
        option macaddr '50:c7:bf:fe:ae:b6'

# NOTE(review): peerdns '0' + dns '10.0.5.1' makes the router's own
# resolver the wg_lan address defined further down, not the Livebox's
# DNS. Presumably this is to keep the router's own lookups on the local
# dnsmasq/DNSCrypt chain — confirm, and keep in mind that the router has
# no fallback resolver if wg_lan is ever down.
config interface 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '10.0.5.1'
        option device 'eth0.2'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '10.0.5.1'

# Switch layout: VLAN 1 = ports 2-5 (LAN), VLAN 2 = port 1 (WAN), port 0
# tagged on both.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

# WireGuard server. listen_port must match the 'Allow-WireGuard-lan' rule
# (UDP 51820) in package firewall. The private key is redacted in this
# post. This interface is a member of the 'lan' firewall zone (see package
# firewall), not of the empty 'wg_lan' zone.
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port '51820'
        option mtu '1420'
        list addresses '10.0.5.1/24'

# Peers: one /32 per client inside 10.0.5.0/24, each routed through the
# tunnel via route_allowed_ips. Only BV9500Pro and BV9000Pro additionally
# carry a preshared_key; the other five peers authenticate by public key
# only. All public keys are redacted in this post.
config wireguard_wg_lan
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'Portable_Dere'
        option public_key 'xxxxxxxxxxxxxx'

config wireguard_wg_lan
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'Portable_Voyoi7'
        option public_key 'xxxxxxxxxxxxx'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxxxxx'
        option description 'BV9500Pro'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.0.5.4/32'
        option preshared_key 'xxxxxxxxxxxxxxxxx'

config wireguard_wg_lan
        option public_key 'xxxxxxxxxxxxxxxx'
        option description 'BV9000Pro'
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option preshared_key 'xxxxxxxxxxxxxxxxxxx'

config wireguard_wg_lan
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxx'
        option description 'Tablette_AlldoCube'
        list allowed_ips '10.0.5.6/32'
        option route_allowed_ips '1'

config wireguard_wg_lan
        option persistent_keepalive '25'
        option public_key 'xxxxxxxxxxxxxxxx'
        option description 'Tablette_Voyoi8'
        list allowed_ips '10.0.5.7/32'
        option route_allowed_ips '1'

config wireguard_wg_lan
        list allowed_ips '10.0.5.8/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option description 'Portable_Asus'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxx'

# Guest network on its own bridge, 192.168.3.0/24. No wired ports are
# listed, so its members are presumably wireless interfaces (the wireless
# config is not shown in this post).
config device 'guest_dev'
        option type 'bridge'
        option name 'br-guest'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

package dhcp

# dnsmasq answers DNS for lan (including the WireGuard peers, which the
# DNAT redirects in package firewall force to it) and for guest
# (Allow-DNS-Guest). noresolv '1' ignores the resolver list learned on
# wan, so only the 'server' entries below are used; allservers '1' sends
# each query to all of them in parallel; cachesize '0' disables
# dnsmasq's own cache; rebind_protection '1' discards upstream answers
# that point into private address ranges.
# NOTE(review): 'server 10.0.5.1' is this router's own wg_lan address
# (package network). Unless another resolver is bound to 10.0.5.1:53,
# that entry forwards queries back into dnsmasq itself — check what is
# listening there. 127.0.0.53 and 127.0.0.1#5353 / #5454 are presumably
# the DNSCrypt-proxy2 listeners mentioned in the post — confirm.
# NOTE(review): the two '/pool.ntp.org/' entries resolve the NTP pool over
# plain DNS to 8.8.8.8 / 208.67.220.220, i.e. outside the encrypted chain
# for that one name (presumably a bootstrap so the clock can be set before
# DNSCrypt is usable).
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        option noresolv '1'
        option localuse '1'
        option boguspriv '0'
        option cachesize '0'
        option allservers '1'
        list server '10.0.5.1'
        list server '127.0.0.53'
        list server '127.0.0.1#5353'
        list server '127.0.0.1#5454'
        list server '/pool.ntp.org/8.8.8.8'
        list server '/pool.ntp.org/208.67.220.220'

# DHCPv4, DHCPv6 and RA on the LAN bridge; v4 pool 192.168.2.100-.249,
# 12h leases.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP is served towards the Livebox side (ignore '1').
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

# odhcpd handles RA/DHCPv6; maindhcp '0' leaves DHCPv4 to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Guest pool 192.168.3.100-.249, short 1h leases; force '1' keeps serving
# even if another DHCP server is detected on the segment.
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option force '1'
        option leasetime '1h'
        list ra_flags 'none'

package firewall

# Zone defaults. 'input ACCEPT' is only the fallback for zones that do not
# set their own policy; wan and guest below both set input REJECT.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# wg_lan is a member of the lan zone, so WireGuard peers get exactly the
# same access as wired/Wi-Fi LAN clients: router administration (input
# ACCEPT), the whole LAN (forward ACCEPT within the zone), and the
# internet through the lan->wan forwarding below. That is why the three
# lan<->wg_lan / wg_lan->wan forwardings removed earlier in the post were
# never needed.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

# wan faces the Livebox. Because the Livebox DMZ hands every inbound
# connection to this router, the input REJECT policy here is the only
# filter between the internet and the router's own services; only the
# explicit wan rules below are let through. Hosts on the Livebox's own
# 192.168.1.0/24 are in this zone as well, i.e. treated as untrusted.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# NOTE(review): this zone has no 'network' attached — wg_lan is claimed by
# the lan zone above. The zone_wg_lan_* chains in the iptables dump later
# in the post all show [0:0]; the section is dead and can be deleted.
config zone
        option name 'wg_lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# The only inter-zone forwarding: lan (incl. wg_lan) -> wan. There is no
# forwarding from guest, so guest clients get DHCP/DNS from the router but
# cannot reach the internet (zone_guest_forward in the iptables dump ends
# in zone_guest_dest_REJECT). If guest is meant to have internet access, a
# 'config forwarding' with src 'guest' / dest 'wan' gives exactly that
# without opening guest->lan.
config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): Allow-IPSec-ESP and Allow-ISAKMP forward ESP and UDP/500
# from wan into the lan zone (which includes the WireGuard peers). They
# look like stock 21.02 defaults; nothing in this post suggests an IPsec
# endpoint behind the router, so they can be switched off with
# option enabled 'false' (same form as Support-UDP-Traceroute below).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# /etc/firewall.user, shown later in the post, appears to contain only the
# stock header comment — no custom iptables rules.
config include
        option path '/etc/firewall.user'

# Inbound WireGuard: accept UDP/51820 on wan, matching listen_port in
# package network. This single input rule is all WireGuard needs.
config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

# Guest zone: isolated from lan (no forwarding in either direction); only
# DNS and DHCP towards the router are allowed by the two rules below.
config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

# NOTE(review): redundant with rule 'wg' above. The DNAT target
# 192.168.2.1 is this router's own LAN address, so the redirect merely
# rewrites the destination to another address of the same host. Also, the
# nat table in the iptables dump later in the post holds no DNAT entry
# for 51820 (nor for the DNS redirects below), so that dump either
# predates these sections or they were not loaded — worth re-checking
# with a fresh 'iptables-save -t nat'.
config redirect
        option target 'DNAT'
        option name 'WireGuard VPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest 'lan'
        option dest_ip '192.168.2.1'
        option dest_port '51820'

# DNS hijack for the lan zone (WireGuard peers included): client traffic
# to ports 53/5353 is redirected to the router itself (no dest_ip), so
# the local dnsmasq/DNSCrypt chain cannot be bypassed, and plain DoT
# (853) towards the internet is rejected.
# NOTE(review): 'Divert-DNS, port 53' and 'Adblock DNS (lan, 53)' are the
# same rule twice. 'Divert-DNS, port 5353' (-> 53) and 'Adblock DNS (lan,
# 5353)' (-> 5353) have identical matches but different targets; fw3
# emits redirects in file order, so the first one wins and the adblock
# 5353 rule never matches. The adblock_* sections are presumably written
# by the adblock package — keep one set (those, or the hand-written
# ones), not both.
config redirect
        option name 'Divert-DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config rule
        option name 'Reject-DoT, port 853'
        option src 'lan'
        option dest 'wan'
        list proto 'tcp udp'
        option dest_port '853'
        option target 'REJECT'

config redirect
        option name 'Divert-DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.7 on Sat Apr 23 13:38:12 2022
*nat
:PREROUTING ACCEPT [5094:954115]
:INPUT ACCEPT [1277:304109]
:OUTPUT ACCEPT [1154:80892]
:POSTROUTING ACCEPT [1144:80210]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_lan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_lan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_lan_postrouting - [0:0]
:zone_wg_lan_prerouting - [0:0]
[5094:954115] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[3331:737098] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1110:87533] -A PREROUTING -i wg_lan -m comment --comment "!fw3" -j zone_lan_prerouting
[653:129484] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[1589:113086] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:52] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg_lan -m comment --comment "!fw3" -j zone_lan_postrouting
[445:32876] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[1:52] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[4441:824631] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[445:32876] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[445:32876] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[653:129484] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wg_lan_postrouting -m comment --comment "!fw3: Custom wg_lan postrouting rule chain" -j postrouting_wg_lan_rule
[0:0] -A zone_wg_lan_prerouting -m comment --comment "!fw3: Custom wg_lan prerouting rule chain" -j prerouting_wg_lan_rule
COMMIT
# Completed on Sat Apr 23 13:38:12 2022
# Generated by iptables-save v1.8.7 on Sat Apr 23 13:38:12 2022
*mangle
:PREROUTING ACCEPT [110279:27814574]
:INPUT ACCEPT [39648:5453850]
:FORWARD ACCEPT [67436:21751478]
:OUTPUT ACCEPT [40781:22001108]
:POSTROUTING ACCEPT [108204:43752030]
[346:19080] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[263:14060] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Apr 23 13:38:12 2022
# Generated by iptables-save v1.8.7 on Sat Apr 23 13:38:12 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_lan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_lan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_lan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_lan_dest_ACCEPT - [0:0]
:zone_wg_lan_dest_REJECT - [0:0]
:zone_wg_lan_forward - [0:0]
:zone_wg_lan_input - [0:0]
:zone_wg_lan_output - [0:0]
:zone_wg_lan_src_ACCEPT - [0:0]
[2115:219367] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[37539:5234927] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[35927:4915444] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[84:3600] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[670:271677] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[640:34852] -A INPUT -i wg_lan -m comment --comment "!fw3" -j zone_lan_input
[302:12954] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[67436:21751478] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[66889:21709563] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[323:17455] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[224:24460] -A FORWARD -i wg_lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[2115:219367] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[38676:21784273] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[38655:21782821] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2:134] -A OUTPUT -o wg_lan -m comment --comment "!fw3" -j zone_lan_output
[19:1318] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[75:3132] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[187:8434] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[84:3600] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[5:260] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2:134] -A zone_lan_dest_ACCEPT -o wg_lan -m comment --comment "!fw3" -j ACCEPT
[547:41915] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[547:41915] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[5:260] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1310:306529] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1310:306529] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:134] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:134] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[670:271677] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[640:34852] -A zone_lan_src_ACCEPT -i wg_lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[13:556] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[548:42417] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[302:12954] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[3:204] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[37:1184] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard-lan" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[262:11566] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[19:1318] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[19:1318] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[262:11566] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Custom wg_lan forwarding rule chain" -j forwarding_wg_lan_rule
[0:0] -A zone_wg_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3" -j zone_wg_lan_dest_REJECT
[0:0] -A zone_wg_lan_input -m comment --comment "!fw3: Custom wg_lan input rule chain" -j input_wg_lan_rule
[0:0] -A zone_wg_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg_lan_input -m comment --comment "!fw3" -j zone_wg_lan_src_ACCEPT
[0:0] -A zone_wg_lan_output -m comment --comment "!fw3: Custom wg_lan output rule chain" -j output_wg_lan_rule
[0:0] -A zone_wg_lan_output -m comment --comment "!fw3" -j zone_wg_lan_dest_ACCEPT
COMMIT
# Completed on Sat Apr 23 13:38:12 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
15: wg_lan: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.0.5.1/24 brd 10.0.5.255 scope global wg_lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2  src 192.168.1.11
10.0.5.0/24 dev wg_lan scope link  src 10.0.5.1
10.0.5.2 dev wg_lan scope link
10.0.5.3 dev wg_lan scope link
10.0.5.4 dev wg_lan scope link
10.0.5.5 dev wg_lan scope link
10.0.5.6 dev wg_lan scope link
10.0.5.7 dev wg_lan scope link
10.0.5.8 dev wg_lan scope link
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.11
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
broadcast 10.0.5.0 dev wg_lan table local scope link  src 10.0.5.1
local 10.0.5.1 dev wg_lan table local scope host  src 10.0.5.1
broadcast 10.0.5.255 dev wg_lan table local scope link  src 10.0.5.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.11
local 192.168.1.11 dev eth0.2 table local scope host  src 192.168.1.11
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.11
broadcast 192.168.2.0 dev br-lan table local scope link  src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
interface: wg_lan
  public key: xxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxxxxxxxxxxxxxxxx
  endpoint: 192.168.2.199:54555
  allowed ips: 10.0.5.2/32
  latest handshake: 2 seconds ago
  transfer: 286.59 KiB received, 807.88 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxxxxxx
  preshared key: (hidden)
  endpoint: 192.168.2.160:47203
  allowed ips: 10.0.5.4/32
  latest handshake: 10 seconds ago
  transfer: 2.65 MiB received, 16.44 MiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxxxxx
  endpoint: 192.168.2.163:61550
  allowed ips: 10.0.5.3/32
  latest handshake: 19 seconds ago
  transfer: 185.29 KiB received, 818.59 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxxxx
  preshared key: (hidden)
  endpoint: 192.168.2.220:53175
  allowed ips: 10.0.5.5/32
  latest handshake: 31 seconds ago
  transfer: 42.19 KiB received, 43.58 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxx
  endpoint: 192.168.2.143:58391
  allowed ips: 10.0.5.7/32
  latest handshake: 1 minute, 5 seconds ago
  transfer: 59.69 KiB received, 77.31 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxxxx
  endpoint: 192.168.2.164:45250
  allowed ips: 10.0.5.6/32
  latest handshake: 1 minute, 19 seconds ago
  transfer: 18.04 KiB received, 10.82 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxxxxxx
  endpoint: 192.168.2.235:61868
  allowed ips: 10.0.5.8/32
  latest handshake: 1 minute, 38 seconds ago
  transfer: 75.93 KiB received, 551.17 KiB sent
  persistent keepalive: every 25 seconds
