Hello,
I submit my configuration to you for verification.
This new topic is a continuation of this topic:
So I changed operator, Orange livebox4 and I have a dynamic public IPv4 address 92.144.xxx.xx or 83.203.xx.xxx and IPv6
My setup
ISP: Livebox4 Orange in DMZ for the OpenWrt router.
The Archer C7 V4 21.02.2-ath79, IP 192.168.2.1 router is operational with DynDNS, Wireguard server and DNSCrypt-proxy2 installed.
A Windows 10 laptop with WireGuard client, Firefox.
The other operational wireguard clients: a 2nd laptop, two smartphones and two tablets.
In livebox4, the Bridge option does not exist, there is only the DMZ option. so I assigned a static DHCP and DMZ address 192.168.1.11 for the OpenWrt router along with its MAC address.
Livebox DMZ installation tutorial I used
Are my rules added, in OpenWrt router firewall, security compliant with DMZ option.
In orange livebox4, IP 192.168.1.1, I enabled DynDNS (No-IP) as well as port forwarding for WireGuard (UDP) in NAT/PAT.
Therefore in OpenWrt the wan address that is displayed is the IP of the livebox 192.168.1.1 and in Dynamic DNS it is the dynamic public IP assigned to me.
With my Windows computer, Wireguard in normal operation Alloweds IP: 0.0.0.0/0, ::/0 but I don't have access to the router.
I can manage the router locally with WireGuard enabled, Alloweds IP: 10.0.5.0/24, 192.168.2.0/24 (thanks forum). However, I do not have access to my printer locally.
I haven't chosen a commercial VPN yet, certainly ProtonVPN when it takes OpenWrt into account.
In the future, I would like to connect remotely to OpenWrt for administration and have access to my network. For the network, it is only a project.
My requests are multiple but I hope that the clarifications will be beneficial to other novices like me.
Thank you in advance for any help you would like to give me.
I enclose my order outputs and remain at your disposal for further information.
ubus call system board
{
"kernel": "5.4.179",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
"model": "TP-Link Archer C7 v4",
"board_name": "tplink,archer-c7-v4",
"release": {
"distribution": "OpenWrt",
"version": "21.02.2",
"revision": "r16495-bf0c965af0",
"target": "ath79/generic",
"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
}
}
uci export network
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd79:ae24:aead::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
config device
option name 'eth0.2'
option macaddr '50:c7:bf:fe:ae:b6'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '10.0.5.1'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '10.0.5.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'wg_lan'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxx'
option listen_port '51820'
option mtu '1420'
list addresses '10.0.5.1/24'
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxxxxxxxx'
option description 'Portable_Voyoi7'
list allowed_ips '10.0.5.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxxx'
option description 'Portable_Asus'
list allowed_ips '10.0.5.3/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxxxxx'
option description 'BV9500Pro'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '10.0.5.4/32'
config wireguard_wg_lan
option public_key 'xxxxxxxxxxxxxxxxx'
option description 'BV9000Pro'
list allowed_ips '10.0.5.5/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option persistent_keepalive '25'
option public_key 'xxxxxxxxxxxxxxxxxxxx'
option description 'Tablette_AlldoCube'
list allowed_ips '10.0.5.6/32'
option route_allowed_ips '1'
config wireguard_wg_lan
option persistent_keepalive '25'
option public_key 'xxxxxxxxxxxxxxxxx'
option description 'Tablette_Voyoi8'
list allowed_ips '10.0.5.7/32'
option route_allowed_ips '1'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
config interface 'guest'
option proto 'static'
option device 'br-guest'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
uci export dhcp
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option noresolv '1'
option localuse '1'
option boguspriv '0'
option cachesize '0'
option allservers '1'
list server '10.0.5.1'
list server '127.0.0.53'
list server '127.0.0.1#5353'
list server '127.0.0.1#5454'
list server '/pool.ntp.org/8.8.8.8'
list server '/pool.ntp.org/208.67.220.220'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
option start '100'
option limit '150'
option leasetime '12h'
list ra_flags 'none'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'guest'
option interface 'guest'
option start '100'
option limit '150'
option force '1'
option leasetime '1h'
list ra_flags 'none'
uci export firewall
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg_lan'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config zone
option name 'wg_lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'wg_lan'
config forwarding
option src 'wg_lan'
option dest 'lan'
config forwarding
option src 'wg_lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config rule 'wg'
option name 'Allow-WireGuard-lan'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config zone 'guest'
option name 'guest'
option network 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config rule 'guest_dns'
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option proto 'tcp udp'
option target 'ACCEPT'
config rule 'guest_dhcp'
option name 'Allow-DHCP-Guest'
option src 'guest'
option dest_port '67'
option proto 'udp'
option family 'ipv4'
option target 'ACCEPT'
config rule 'guest_fwd'
option name 'Allow-Guest-Forward'
option src 'guest'
option dest 'wan'
option dest_ip '!192.168.8.159/24'
option proto 'all'
option target 'ACCEPT'
config redirect
option name 'Divert-DNS, port 53'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config rule
option name 'Reject-DoT, port 853'
option src 'lan'
option dest 'wan'
list proto 'tcp udp'
option dest_port '853'
option target 'REJECT'
config redirect
option name 'Divert-DNS, port 5353'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '51820'
option name 'Allow-Wireguard-Inbound'
head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables-save -c
# Generated by iptables-save v1.8.7 on Sat Mar 12 20:40:19 2022
*nat
:PREROUTING ACCEPT [66687:8169643]
:INPUT ACCEPT [46512:3970650]
:OUTPUT ACCEPT [14974:1060078]
:POSTROUTING ACCEPT [14877:1029295]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_lan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_lan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_lan_postrouting - [0:0]
:zone_wg_lan_prerouting - [0:0]
[66687:8169643] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[7505:1727395] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[5079:472176] -A PREROUTING -i wg_lan -m comment --comment "!fw3" -j zone_lan_prerouting
[54103:5970072] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[21001:1674690] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[187:20911] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[8:504] -A POSTROUTING -o wg_lan -m comment --comment "!fw3" -j zone_lan_postrouting
[6126:645703] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[195:21415] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[12584:2199571] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[6126:645703] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[6126:645703] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[54103:5970072] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wg_lan_postrouting -m comment --comment "!fw3: Custom wg_lan postrouting rule chain" -j postrouting_wg_lan_rule
[0:0] -A zone_wg_lan_prerouting -m comment --comment "!fw3: Custom wg_lan prerouting rule chain" -j prerouting_wg_lan_rule
COMMIT
# Completed on Sat Mar 12 20:40:19 2022
# Generated by iptables-save v1.8.7 on Sat Mar 12 20:40:19 2022
*mangle
:PREROUTING ACCEPT [1497535:1109250999]
:INPUT ACCEPT [437296:357279432]
:FORWARD ACCEPT [1048103:748496744]
:OUTPUT ACCEPT [548611:274173048]
:POSTROUTING ACCEPT [1596458:1022656341]
[2935:162108] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[3296:180944] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Mar 12 20:40:19 2022
# Generated by iptables-save v1.8.7 on Sat Mar 12 20:40:19 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_lan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_lan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_lan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_lan_dest_ACCEPT - [0:0]
:zone_wg_lan_dest_REJECT - [0:0]
:zone_wg_lan_forward - [0:0]
:zone_wg_lan_input - [0:0]
:zone_wg_lan_output - [0:0]
:zone_wg_lan_src_ACCEPT - [0:0]
[31910:3312785] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[405406:353968311] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[353369:349720432] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1946:82148] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1941:468195] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[4550:296434] -A INPUT -i wg_lan -m comment --comment "!fw3" -j zone_lan_input
[45546:3483250] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[1048119:748511081] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1041698:747706913] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4412:501959] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[2009:302209] -A FORWARD -i wg_lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[31912:3313121] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[516745:270881531] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[514845:270559989] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1418:252754] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3:344] -A OUTPUT -o wg_lan -m comment --comment "!fw3" -j zone_lan_output
[479:68444] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[1943:82054] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[2015:112308] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1946:82148] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward ! -d 192.168.8.0/24 -m comment --comment "!fw3: Allow-Guest-Forward" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[1927:285829] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[26:1628] -A zone_lan_dest_ACCEPT -o wg_lan -m comment --comment "!fw3" -j ACCEPT
[6421:804168] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[6421:804168] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[532:34359] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg_lan forwarding policy" -j zone_wg_lan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[532:34359] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6491:764629] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6491:764629] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1421:253098] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1421:253098] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1941:468195] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[4550:296434] -A zone_lan_src_ACCEPT -i wg_lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[257:13779] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[6111:824474] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[45546:3483250] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[40750:3262072] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[838:26816] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard-lan" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[3958:194362] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[479:68444] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[479:68444] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[3958:194362] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Custom wg_lan forwarding rule chain" -j forwarding_wg_lan_rule
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Zone wg_lan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3: Zone wg_lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg_lan_forward -m comment --comment "!fw3" -j zone_wg_lan_dest_REJECT
[0:0] -A zone_wg_lan_input -m comment --comment "!fw3: Custom wg_lan input rule chain" -j input_wg_lan_rule
[0:0] -A zone_wg_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg_lan_input -m comment --comment "!fw3" -j zone_wg_lan_src_ACCEPT
[0:0] -A zone_wg_lan_output -m comment --comment "!fw3: Custom wg_lan output rule chain" -j output_wg_lan_rule
[0:0] -A zone_wg_lan_output -m comment --comment "!fw3" -j zone_wg_lan_dest_ACCEPT
COMMIT
# Completed on Sat Mar 12 20:40:19 2022
ip -4 addr; ip -4 ro li tab all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.11/24 brd 192.168.1.255 scope global eth0.2
valid_lft forever preferred_lft forever
9: wg_lan: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 10.0.5.1/24 brd 10.0.5.255 scope global wg_lan
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 src 192.168.1.11
10.0.5.0/24 dev wg_lan scope link src 10.0.5.1
10.0.5.2 dev wg_lan scope link
10.0.5.3 dev wg_lan scope link
10.0.5.4 dev wg_lan scope link
10.0.5.5 dev wg_lan scope link
10.0.5.6 dev wg_lan scope link
10.0.5.7 dev wg_lan scope link
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.11
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
broadcast 10.0.5.0 dev wg_lan table local scope link src 10.0.5.1
local 10.0.5.1 dev wg_lan table local scope host src 10.0.5.1
broadcast 10.0.5.255 dev wg_lan table local scope link src 10.0.5.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0.2 table local scope link src 192.168.1.11
local 192.168.1.11 dev eth0.2 table local scope host src 192.168.1.11
broadcast 192.168.1.255 dev eth0.2 table local scope link src 192.168.1.11
broadcast 192.168.2.0 dev br-lan table local scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link src 192.168.2.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
wg
interface: wg_lan
public key: xxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 51820
peer: xxxxxxxxxxxxxxx
endpoint: 192.168.2.143:53002
allowed ips: 10.0.5.7/32
latest handshake: 7 seconds ago
transfer: 4.96 MiB received, 235.15 MiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxxxxx
endpoint: 192.168.2.163:49668
allowed ips: 10.0.5.2/32
latest handshake: 19 seconds ago
transfer: 46.97 MiB received, 485.47 MiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxxxxxx
endpoint: 192.168.2.221:48079
allowed ips: 10.0.5.5/32
latest handshake: 28 seconds ago
transfer: 75.18 KiB received, 111.81 KiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxxxxx
endpoint: 192.168.2.235:57590
allowed ips: 10.0.5.3/32
latest handshake: 42 seconds ago
transfer: 3.32 MiB received, 2.88 MiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxxxxxxxxx
endpoint: 192.168.2.159:40643
allowed ips: 10.0.5.4/32
latest handshake: 48 seconds ago
transfer: 742.60 MiB received, 688.41 MiB sent
persistent keepalive: every 25 seconds
peer: xxxxxxxxxxxxxxxxxx
endpoint: 192.168.2.165:46997
allowed ips: 10.0.5.6/32
latest handshake: 1 minute, 51 seconds ago
transfer: 253.23 KiB received, 294.93 KiB sent
persistent keepalive: every 25 seconds
Configuration of my remote devices:
Voyoi7 Laptop
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxeE8=
Address = 10.0.5.2/32
DNS = 10.0.5.1
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxx4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.5.1:51820
Asus Laptop
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxXXY=
Address = 10.0.5.3/32
DNS = 10.0.5.1
[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxDx4=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.5.1:51820
Smartphone BV9500
[Interface]
Address = 10.0.5.4/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxZkY=
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxDx4=
Smartphone BV9000 Pro
[Interface]
Address = 10.0.5.5/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxK0w=
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxx75xDx4=
AlldoCube tablet
[Interface]
Address = 10.0.5.6/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxx3Ww=
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxx75xDx4=
Voyoi8 tablet
[Interface]
Address = 10.0.5.7/32
DNS = 10.0.5.1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxblw=
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 10.0.5.1:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxx5xDx4=