Firewall blocking IPv6 subnets/VLANs

I have tried to solve this issue for several hours...
I have a multi-VLAN configuration on my home router, and everything works fine with IPv4. I have tried to add an IPv6 interface (HE.net tunnel) using the same firewall zones as for IPv4, but traffic is completely blocked on all VLANs except the "main" one (zone lan in the configs).
I have also tried to create a separate zone for IPv6 and enable forwarding for that zone separately – it was ignored. When I added a traffic rule with forwarding enabled, it had no effect either.
If I stop the firewall, I am able to ping between VLANs and also to the internet. Is there any advice on how to configure multi-VLAN with IPv6?
Also, I am not sure whether it is OK to have wan6 in the same firewall zone as wan, since masquerading is enabled for that zone...
Thanks for any clue :slight_smile:

network


# /etc/config/network as posted: IPv4 VLANs on switch0 plus an HE.net 6in4
# tunnel (wan6). The routed /48 given as ip6prefix on wan6 is split into
# per-VLAN /64s by ip6assign/ip6hint. Interfaces without ip6assign (lan2,
# lan_local) get no IPv6 address, which the "ip -6 addr" output further down
# confirms (eth1.3 and br-lan_local carry only link-local addresses).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# ULA /48. Every ip6assign interface receives a ULA /64 alongside its HE /64
# (e.g. br-guest shows both fde0:987d:1ae1:5::1 and xxx:xxx:xxx:5::1).
config globals 'globals'
	option ula_prefix 'fde0:987d:1ae1::/48'

# "Main" VLAN (zone lan in the firewall, the only zone with input ACCEPT).
# ip6hint '10' -> ...:10::/64, matching br-lan in the address dump.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option ifname 'eth1.10'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

# IPv4-only WAN on VLAN 2; IPv6 arrives through wan6 below.
# peerdns '0' plus the dns entry pins the upstream resolver to 1.1.1.1.
config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option delegate '0'
	option peerdns '0'
	list dns '1.1.1.1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 2 (wan): port 5 untagged, port 6 tagged. From the ifnames used
# (eth0.2 here, eth1.N elsewhere) port 6 appears to be the CPU port behind
# eth0 and port 0 the one behind eth1 - not verifiable from this page.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '5 6t'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option ports '0t 1t'

# Zone 'x' in the firewall. No ip6assign: IPv4 only for now; if IPv6 is
# added later it will need the same ICMPv6/DHCPv6 input rules as guest/dmz.
config interface 'lan2'
	option ifname 'eth1.3'
	option proto 'static'
	option delegate '0'
	option netmask '255.255.255.0'
	option ipaddr '10.0.3.1'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option ports '0t 2t'
	option vid '8'

# DMZ VLAN; ip6hint '8' -> ...:8::/64 (eth1.8 in the address dump).
config interface 'dmz'
	option ifname 'eth1.8'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.0.8.1'
	option ip6assign '64'
	option ip6hint '8'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '5'
	option ports '0t 1t 2t'

# Guest VLAN; ip6hint '5' -> ...:5::/64 (br-guest in the address dump).
config interface 'guest'
	option ifname 'eth1.5'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.0.5.1'
	option type 'bridge'
	option ip6assign '64'
	option ip6hint '5'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option ports '0t 2t'
	option vid '6'

# AdGuard VLAN; ip6hint '6' -> ...:6::/64 (eth1.6 in the address dump). The
# resolver handed to clients in /etc/config/dhcp (10.0.6.10 and
# 2001:470:5873:6::10) presumably sits on this segment.
config interface 'adguard'
	option ifname 'eth1.6'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.6.1'
	option ip6assign '64'
	option ip6hint '6'
	option delegate '0'

# No ip6assign: IPv4 only (br-lan_local has only a link-local address).
config interface 'lan_local'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '10.0.7.1'
	option type 'bridge'
	option ifname 'eth1.7'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '7'
	option ports '0t 2t 3'

config switch_vlan
	option device 'switch0'
	option vlan '10'
	option vid '10'
	option ports '0t 1t 2t 4'

# HE.net 6in4 tunnel. username/password/tunnelid are the HE endpoint-update
# credentials (keep them redacted). ip6addr is the tunnel's own /64 (::2 on
# this end), ip6prefix the routed /48 the VLANs above are numbered from.
# It has no zone of its own: /etc/config/firewall lists it under zone wan.
config interface 'wan6'
	option proto '6in4'
	option username 'xxxx'
	option peeraddr 'x.x.x.x'
	list ip6prefix 'x:x:x::/48'
	option ip6addr 'x:x:x:x::2/64'
	option tunnelid 'x'
	option password 'x'

# Static default route via the HE side (::1) of the tunnel /64.
config route6
	option interface 'wan6'
	option target '::/0'
	option gateway 'x:x:x:x::1'

firewall


# /etc/config/firewall as posted. Review notes, drawn from this config and the
# ip6tables-save dump further down the page:
#
# 1. Only zone 'lan' has input ACCEPT. Every other zone rejects INPUT and none
#    of them has an ICMPv6 rule like 'Allow-ICMPv6-Input' (which is bound to
#    src 'wan' only). IPv6 hosts must send Neighbour/Router Solicitations to
#    the router; those land in the zone's INPUT chain and are rejected, after
#    which nothing else over IPv6 can work on that VLAN. The dump is consistent
#    with exactly that: zone_guest_src_REJECT [13:936] and
#    zone_adguard_src_REJECT [50:3600] are 72-byte packets, the size of an
#    ICMPv6 Neighbour Solicitation with a link-layer option (could also be
#    MLD). This matches the "only lan works" symptom. Each input-REJECT zone
#    that carries IPv6 (guest, dmz, adguard) needs an input rule with
#    proto 'icmp', family 'ipv6' and the icmp_type list of
#    'Allow-ICMPv6-Input' (keep the limit), plus udp dest_port '547' for
#    DHCPv6 - the 67-68 rules below cover DHCPv4 only.
# 2. Rules carrying 'list dest_ip 10.0.6.10' are rendered for IPv4 only, so
#    'xDNS', 'Guest DNS' and 'DMZ DNS' do not permit IPv6 DNS to the AdGuard
#    host; the ip6tables zone_*_forward chains in the dump indeed contain no
#    such entries. /etc/config/dhcp announces 2001:470:5873:6::10 as IPv6
#    resolver to lan and guest, so a matching IPv6 dest_ip entry is needed.
# 3. masq '1' on zone wan does not touch IPv6 here: the ip6tables dump has no
#    *nat table at all. Keeping wan6 in the wan zone is fine.
# 4. The dump does not fully match this file (rule 'test' is absent, the
#    lan zone has no input_lan_rule/forwarding_lan_rule custom chains, and
#    empty lan6/adguard6/wan6 chains are left over), so it was probably taken
#    under an earlier config; re-capture after restarting the firewall before
#    drawing further conclusions.
config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option synflood_protect '1'
	option input 'REJECT'

# wan covers both the IPv4 uplink and the 6in4 tunnel. masq is IPv4-only in
# effect (see note 3). mtu_fix clamps TCP MSS on 6in4-wan6 (tunnel MTU 1280),
# visible in the mangle table of the dump.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# The only zone that accepts INPUT, hence the only VLAN where NDP and thus
# IPv6 works today.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Without a proto this renders as tcp+udp only (compare 'LAN_LOCAL dns' in
# the dump), so it does not cover ICMPv6. It is also redundant with the
# lan -> adguard forwarding below and does not appear in the dump (note 4).
config rule
	option dest 'adguard'
	option src 'lan'
	option name 'test'
	option target 'ACCEPT'
	option family 'ipv6'

# Stock OpenWrt wan input rules follow (DHCP renew, ping, IGMP, DHCPv6 client
# on 546, MLD, ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Only src 'wan' gets this. The same icmp_type list (with the limit) is what
# the guest, dmz and adguard zones are missing for NDP to work (note 1).
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock rule: rate-limited ICMPv6 (including echo-request) from the internet
# may be forwarded into any zone. Inbound IPv6 TCP/UDP still needs an explicit
# rule because wan forward is REJECT; none exists, so the DMZ services are
# reachable from outside over IPv4 (redirects below) but not over IPv6.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The custom *_rule chains are empty in the ip6tables dump, so this file adds
# nothing on the IPv6 side.
config include
	option path '/etc/firewall.user'

# dest_ip is IPv4, so the rule is IPv4-only (note 2). For IPv6 DNS add a
# second entry with the AdGuard host's IPv6 address rather than dropping
# dest_ip, to keep the rule host-scoped.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'xDNS'
	option src 'x'
	option dest 'adguard'
	list dest_ip '10.0.6.10'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'xDHCP'
	option src 'x'

# IPv4-only because of dest_ip (note 2); guest clients are given an IPv6
# resolver in /etc/config/dhcp, so they need an IPv6 counterpart.
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'
	option dest 'adguard'
	list dest_ip '10.0.6.10'

# DHCPv4 only. DHCPv6 clients talk to udp/547 on the router and need their
# own rule (proto 'udp', dest_port '547', family 'ipv6') in this zone.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

# IPv4-only because of dest_ip (note 2).
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'DMZ DNS'
	option src 'dmz'
	option dest 'adguard'
	list dest_ip '10.0.6.10'

# DHCPv4 only; same udp/547 remark as 'Guest DHCP'.
config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'DMZ DHCP'
	option src 'dmz'

# No proto -> tcp+udp. IPv4-only because of dest_ip.
config rule
	option src 'guest'
	option name 'guest-coturn'
	option dest 'dmz'
	list dest_ip '10.0.8.10'
	option target 'ACCEPT'
	option dest_port '3478'

config rule
	option dest_port '67-68'
	option src 'lan_local'
	option name 'LAN_LOCAL dhcp'
	option target 'ACCEPT'
	list proto 'udp'

# No proto -> rendered as tcp and udp for both ports (the dump shows four
# entries). Port 123 is NTP, so the name is narrower than the rule.
config rule
	option src 'lan_local'
	option name 'LAN_LOCAL dns'
	option target 'ACCEPT'
	option dest_port '53 123'

# No dest_ip, so these two render for IPv6 as well (seen in
# zone_guest_forward / zone_xxx_forward of the dump).
config rule
	option src 'guest'
	option name 'guest-nc-http'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '80 443'

config rule
	option src 'x'
	option name 'x-nc-http'
	option dest 'dmz'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '80 443'

# DNAT port forwards; IPv4 only by nature (dest_ip). No proto here ->
# tcp+udp, and NAT reflection stays on for this one.
config redirect
	option dest_port '44444'
	option src 'wan'
	option name 'Torrent'
	option src_dport '44444'
	option target 'DNAT'
	option dest_ip '10.0.0.50'
	option dest 'lan'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'nc-http'
	option src_dport '80'
	option target 'DNAT'
	option dest 'dmz'
	list proto 'tcp'
	option dest_ip '10.0.8.10'
	option reflection '0'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'nc-https'
	option src_dport '443'
	option target 'DNAT'
	option dest 'dmz'
	list proto 'tcp'
	option dest_ip '10.0.8.10'
	option reflection '0'

config redirect
	option src 'wan'
	option name 'coTURN'
	option target 'DNAT'
	option dest 'dmz'
	option dest_ip '10.0.8.10'
	option dest_port '3478'
	option src_dport '3478'

# Zone 'x' (shown as 'xxx' in the dump) = lan2, IPv4 only today.
config zone
	option network 'lan2'
	option forward 'REJECT'
	option name 'x'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'x'

config forwarding
	option dest 'x'
	option src 'lan'

# dmz carries IPv6 (ip6assign) but rejects INPUT with no ICMPv6/DHCPv6
# exception (note 1).
config zone
	option network 'dmz'
	option forward 'REJECT'
	option name 'dmz'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'dmz'
	option src 'lan'

# guest carries IPv6 but rejects INPUT with no ICMPv6/DHCPv6 exception; the
# dump's zone_guest_src_REJECT counter is the visible result (note 1).
config zone
	option network 'guest'
	option forward 'REJECT'
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'

# IPv4 only today (no ip6assign on lan_local).
config zone
	option network 'lan_local'
	option forward 'REJECT'
	option name 'lan_local'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'lan_local'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'dmz'

# adguard carries IPv6 but rejects INPUT with no ICMPv6/DHCPv6 exception;
# zone_adguard_src_REJECT [50:3600] in the dump (note 1).
config zone
	option network 'adguard'
	option forward 'REJECT'
	option name 'adguard'
	option output 'ACCEPT'
	option input 'REJECT'

config forwarding
	option dest 'adguard'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'adguard'

# No proto -> tcp+udp to the router's 53 and 1053 (confirmed by the dump).
config rule
	option src 'adguard'
	option name 'rDNS - Adguard'
	option target 'ACCEPT'
	option dest_port '1053 53'

dhcp


# /etc/config/dhcp as posted. dnsmasq stays the DHCPv4 server (maindhcp '0'
# on the odhcpd section); RA/DHCPv6 come from odhcpd on the interfaces that
# set ra/dhcpv6. lan and guest clients are told to use 2001:470:5873:6::10
# as IPv6 resolver, which the firewall's DNS rules (IPv4 dest_ip) do not let
# guest reach over IPv6.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '1'
# rebind_protection '0': upstream answers pointing at private addresses are
# accepted. If this was only needed for specific internal names, a
# 'list rebind_domain' exception keeps the protection for everything else.
	option rebind_protection '0'
	option port '53'

# option 6 = DNS server (AdGuard), option 42 = NTP server (the router).
# RA + stateful DHCPv6 on; ra_management '1' - NOTE(review): confirm this
# means SLAAC plus DHCPv6 on this 19.07 odhcpd.
# The dns entry is the IPv6 resolver announced via RA/DHCPv6. It is a real
# HE address left unredacted while the prefix is x'ed out elsewhere.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '30m'
	list dhcp_option '6,10.0.6.10'
	list dhcp_option '042,10.0.0.1'
	option ra 'server'
	option ra_management '1'
	option dhcpv6 'server'
	list dns '2001:470:5873:6::10'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# DHCPv4 only; lan2 has no IPv6 in /etc/config/network.
config dhcp 'lan2'
	option start '100'
	option limit '150'
	option interface 'lan2'
	list dhcp_option '6,10.0.6.10'
	option leasetime '10m'

# ignore '1' switches off dnsmasq's DHCPv4 here; the ra/dhcpv6 options are
# odhcpd's and still apply - NOTE(review): confirm dmz hosts are meant to get
# SLAAC/DHCPv6 while being static on IPv4. No IPv6 resolver is announced.
config dhcp 'dmz'
	option interface 'dmz'
	option ignore '1'
	option ra_management '1'
	option ra 'server'
	option dhcpv6 'server'

# Guest clients receive the AdGuard IPv6 resolver, so the firewall must allow
# guest -> adguard port 53 over IPv6 as well (the 'Guest DNS' rule is IPv4).
config dhcp 'guest'
	option start '100'
	option limit '150'
	option interface 'guest'
	list dhcp_option '6,10.0.6.10'
	option leasetime '10m'
	option dhcpv6 'server'
	option ra 'server'
	list dns '2001:470:5873:6::10'
	option ra_management '1'

# DHCPv4 only; lan_local has no IPv6 in /etc/config/network.
config dhcp 'lan_local'
	option start '100'
	option limit '150'
	option interface 'lan_local'
	list dhcp_option '6,10.0.6.10'
	option leasetime '10m'

# AdGuard segment: no DHCPv4 (static host), RA/DHCPv6 on - same ignore
# remark as dmz.
config dhcp 'adguard'
	option interface 'adguard'
	option ignore '1'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

not needed

The same way with IPv4.

It is not a problem.

Post also the following:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
ip6tables-save -c; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru
{
        "kernel": "4.14.241",
        "hostname": "router",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "TP-Link TL-WR1043ND v3",
        "board_name": "tplink,tl-wr1043nd-v3",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.8",
                "revision": "r11364-ef56c85848",
                "target": "ath79/generic",
                "description": "OpenWrt 19.07.8 r11364-ef56c85848"
        }
}
# Generated by ip6tables-save v1.8.3 on Wed Nov 24 13:56:28 2021
*mangle
:PREROUTING ACCEPT [441:56608]
:INPUT ACCEPT [374:46253]
:FORWARD ACCEPT [21:1768]
:OUTPUT ACCEPT [560:296150]
:POSTROUTING ACCEPT [541:293140]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov 24 13:56:28 2021
# Generated by ip6tables-save v1.8.3 on Wed Nov 24 13:56:28 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_adguard6_rule - [0:0]
:forwarding_adguard_rule - [0:0]
:forwarding_dmz_rule - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_xxx_rule - [0:0]
:forwarding_lan6_rule - [0:0]
:forwarding_lan_local_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan6_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_adguard6_rule - [0:0]
:input_adguard_rule - [0:0]
:input_dmz_rule - [0:0]
:input_guest_rule - [0:0]
:input_xxx_rule - [0:0]
:input_lan6_rule - [0:0]
:input_lan_local_rule - [0:0]
:input_rule - [0:0]
:input_wan6_rule - [0:0]
:input_wan_rule - [0:0]
:output_adguard6_rule - [0:0]
:output_adguard_rule - [0:0]
:output_dmz_rule - [0:0]
:output_guest_rule - [0:0]
:output_xxx_rule - [0:0]
:output_lan6_rule - [0:0]
:output_lan_local_rule - [0:0]
:output_rule - [0:0]
:output_wan6_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_adguard6_forward - [0:0]
:zone_adguard6_input - [0:0]
:zone_adguard6_output - [0:0]
:zone_adguard_dest_ACCEPT - [0:0]
:zone_adguard_dest_REJECT - [0:0]
:zone_adguard_forward - [0:0]
:zone_adguard_input - [0:0]
:zone_adguard_output - [0:0]
:zone_adguard_src_REJECT - [0:0]
:zone_dmz_dest_ACCEPT - [0:0]
:zone_dmz_dest_REJECT - [0:0]
:zone_dmz_forward - [0:0]
:zone_dmz_input - [0:0]
:zone_dmz_output - [0:0]
:zone_dmz_src_REJECT - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_xxx_dest_ACCEPT - [0:0]
:zone_xxx_dest_REJECT - [0:0]
:zone_xxx_forward - [0:0]
:zone_xxx_input - [0:0]
:zone_xxx_output - [0:0]
:zone_xxx_src_REJECT - [0:0]
:zone_lan6_forward - [0:0]
:zone_lan6_input - [0:0]
:zone_lan6_output - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_local_dest_ACCEPT - [0:0]
:zone_lan_local_dest_REJECT - [0:0]
:zone_lan_local_forward - [0:0]
:zone_lan_local_input - [0:0]
:zone_lan_local_output - [0:0]
:zone_lan_local_src_REJECT - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan6_forward - [0:0]
:zone_wan6_input - [0:0]
:zone_wan6_output - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[374:46253] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[302:41073] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[3:204] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
[9:644] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth1.3 -m comment --comment "!fw3" -j zone_xxx_input
[0:0] -A INPUT -i eth1.8 -m comment --comment "!fw3" -j zone_dmz_input
[13:936] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[0:0] -A INPUT -i br-lan_local -m comment --comment "!fw3" -j zone_lan_local_input
[50:3600] -A INPUT -i eth1.6 -m comment --comment "!fw3" -j zone_adguard_input
[0:0] -A INPUT -m comment --comment "!fw3" -j reject
[21:1768] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[7:560] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[13:1110] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.3 -m comment --comment "!fw3" -j zone_xxx_forward
[0:0] -A FORWARD -i eth1.8 -m comment --comment "!fw3" -j zone_dmz_forward
[1:98] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -i br-lan_local -m comment --comment "!fw3" -j zone_lan_local_forward
[0:0] -A FORWARD -i eth1.6 -m comment --comment "!fw3" -j zone_adguard_forward
[1:98] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[560:296150] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[494:289398] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[39:4680] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
[5:344] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1.3 -m comment --comment "!fw3" -j zone_xxx_output
[0:0] -A OUTPUT -o eth1.8 -m comment --comment "!fw3" -j zone_dmz_output
[4:432] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[0:0] -A OUTPUT -o br-lan_local -m comment --comment "!fw3" -j zone_lan_local_output
[18:1296] -A OUTPUT -o eth1.6 -m comment --comment "!fw3" -j zone_adguard_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[64:4634] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[3:204] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[30:2326] -A zone_adguard_dest_ACCEPT -o eth1.6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_adguard_dest_REJECT -o eth1.6 -m comment --comment "!fw3" -j reject
[0:0] -A zone_adguard_forward -m comment --comment "!fw3: Custom adguard forwarding rule chain" -j forwarding_adguard_rule
[0:0] -A zone_adguard_forward -m comment --comment "!fw3: Zone adguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_adguard_forward -m comment --comment "!fw3" -j zone_adguard_dest_REJECT
[50:3600] -A zone_adguard_input -m comment --comment "!fw3: Custom adguard input rule chain" -j input_adguard_rule
[0:0] -A zone_adguard_input -p tcp -m tcp --dport 1053 -m comment --comment "!fw3: rDNS - Adguard" -j ACCEPT
[0:0] -A zone_adguard_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: rDNS - Adguard" -j ACCEPT
[0:0] -A zone_adguard_input -p udp -m udp --dport 1053 -m comment --comment "!fw3: rDNS - Adguard" -j ACCEPT
[0:0] -A zone_adguard_input -p udp -m udp --dport 53 -m comment --comment "!fw3: rDNS - Adguard" -j ACCEPT
[50:3600] -A zone_adguard_input -m comment --comment "!fw3" -j zone_adguard_src_REJECT
[18:1296] -A zone_adguard_output -m comment --comment "!fw3: Custom adguard output rule chain" -j output_adguard_rule
[18:1296] -A zone_adguard_output -m comment --comment "!fw3" -j zone_adguard_dest_ACCEPT
[50:3600] -A zone_adguard_src_REJECT -i eth1.6 -m comment --comment "!fw3" -j reject
[0:0] -A zone_dmz_dest_ACCEPT -o eth1.8 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_dmz_dest_REJECT -o eth1.8 -m comment --comment "!fw3" -j reject
[0:0] -A zone_dmz_forward -m comment --comment "!fw3: Custom dmz forwarding rule chain" -j forwarding_dmz_rule
[0:0] -A zone_dmz_forward -m comment --comment "!fw3: Zone dmz to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_dmz_forward -m comment --comment "!fw3" -j zone_dmz_dest_REJECT
[0:0] -A zone_dmz_input -m comment --comment "!fw3: Custom dmz input rule chain" -j input_dmz_rule
[0:0] -A zone_dmz_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: DMZ DHCP" -j ACCEPT
[0:0] -A zone_dmz_input -m comment --comment "!fw3" -j zone_dmz_src_REJECT
[0:0] -A zone_dmz_output -m comment --comment "!fw3: Custom dmz output rule chain" -j output_dmz_rule
[0:0] -A zone_dmz_output -m comment --comment "!fw3" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_dmz_src_REJECT -i eth1.8 -m comment --comment "!fw3" -j reject
[4:432] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[1:98] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: guest-nc-http" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_guest_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: guest-nc-http" -j zone_dmz_dest_ACCEPT
[1:98] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[1:98] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[13:936] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
[13:936] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[4:432] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[4:432] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[13:936] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_xxx_dest_ACCEPT -o eth1.3 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_xxx_dest_REJECT -o eth1.3 -m comment --comment "!fw3" -j reject
[0:0] -A zone_xxx_forward -m comment --comment "!fw3: Custom xxx forwarding rule chain" -j forwarding_xxx_rule
[0:0] -A zone_xxx_forward -p tcp -m tcp --dport 80 -m comment --comment "!fw3: xxx-nc-http" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_xxx_forward -p tcp -m tcp --dport 443 -m comment --comment "!fw3: xxx-nc-http" -j zone_dmz_dest_ACCEPT
[0:0] -A zone_xxx_forward -m comment --comment "!fw3: Zone xxx to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_xxx_forward -m comment --comment "!fw3" -j zone_xxx_dest_REJECT
[0:0] -A zone_xxx_input -m comment --comment "!fw3: Custom xxx input rule chain" -j input_xxx_rule
[0:0] -A zone_xxx_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: xxx DHCP" -j ACCEPT
[0:0] -A zone_xxx_input -m comment --comment "!fw3" -j zone_xxx_src_REJECT
[0:0] -A zone_xxx_output -m comment --comment "!fw3: Custom xxx output rule chain" -j output_xxx_rule
[0:0] -A zone_xxx_output -m comment --comment "!fw3" -j zone_xxx_dest_ACCEPT
[0:0] -A zone_xxx_src_REJECT -i eth1.3 -m comment --comment "!fw3" -j reject
[5:344] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[13:1110] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[12:1030] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to xxx forwarding policy" -j zone_xxx_dest_ACCEPT
[12:1030] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to dmz forwarding policy" -j zone_dmz_dest_ACCEPT
[12:1030] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to lan_local forwarding policy" -j zone_lan_local_dest_ACCEPT
[12:1030] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to adguard forwarding policy" -j zone_adguard_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[9:644] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_local_dest_ACCEPT -o br-lan_local -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_local_dest_REJECT -o br-lan_local -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_local_forward -m comment --comment "!fw3: Custom lan_local forwarding rule chain" -j forwarding_lan_local_rule
[0:0] -A zone_lan_local_forward -m comment --comment "!fw3" -j zone_lan_local_dest_REJECT
[0:0] -A zone_lan_local_input -m comment --comment "!fw3: Custom lan_local input rule chain" -j input_lan_local_rule
[0:0] -A zone_lan_local_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: LAN_LOCAL dhcp" -j ACCEPT
[0:0] -A zone_lan_local_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: LAN_LOCAL dns" -j ACCEPT
[0:0] -A zone_lan_local_input -p tcp -m tcp --dport 123 -m comment --comment "!fw3: LAN_LOCAL dns" -j ACCEPT
[0:0] -A zone_lan_local_input -p udp -m udp --dport 53 -m comment --comment "!fw3: LAN_LOCAL dns" -j ACCEPT
[0:0] -A zone_lan_local_input -p udp -m udp --dport 123 -m comment --comment "!fw3: LAN_LOCAL dns" -j ACCEPT
[0:0] -A zone_lan_local_input -m comment --comment "!fw3" -j zone_lan_local_src_REJECT
[0:0] -A zone_lan_local_output -m comment --comment "!fw3: Custom lan_local output rule chain" -j output_lan_local_rule
[0:0] -A zone_lan_local_output -m comment --comment "!fw3" -j zone_lan_local_dest_ACCEPT
[0:0] -A zone_lan_local_src_REJECT -i br-lan_local -m comment --comment "!fw3" -j reject
[5:344] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[9:644] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1:80] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov 24 13:56:28 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:fe85:b9ad/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
7: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fde0:987d:1ae1:5::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 xxx:xxx:xxx:5::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxx:xxx:xxx:10::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fde0:987d:1ae1:10::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
11: br-lan_local: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
13: eth1.6@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxx:xxx:xxx:6::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fde0:987d:1ae1:6::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
14: eth1.8@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxx:xxx:xxx:8::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fde0:987d:1ae1:8::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
15: eth1.3@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
16: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:fe85:b9ad/64 scope link
       valid_lft forever preferred_lft forever
17: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f6f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
18: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 yyy:yyy:yyy:yyy::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::59be:2e82/64 scope link
       valid_lft forever preferred_lft forever
19: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f4f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
20: wlan0-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::f0f2:6dff:fe85:b9ac/64 scope link
       valid_lft forever preferred_lft forever
default from yyy:yyy:yyy:yyy::/64 dev 6in4-wan6 proto static metric 1024 pref medium
default from xxx:xxx:xxx::/48 dev 6in4-wan6 proto static metric 1024 pref medium
yyy:yyy:yyy:yyy::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
xxx:xxx:xxx:5::/64 dev br-guest proto static metric 1024 pref medium
xxx:xxx:xxx:6::/64 dev eth1.6 proto static metric 1024 pref medium
xxx:xxx:xxx:8::/64 dev eth1.8 proto static metric 1024 pref medium
xxx:xxx:xxx:10::/64 dev br-lan proto static metric 1024 pref medium
unreachable xxx:xxx:xxx::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fde0:987d:1ae1:5::/64 dev br-guest proto static metric 1024 pref medium
fde0:987d:1ae1:6::/64 dev eth1.6 proto static metric 1024 pref medium
fde0:987d:1ae1:8::/64 dev eth1.8 proto static metric 1024 pref medium
fde0:987d:1ae1:10::/64 dev br-lan proto static metric 1024 pref medium
unreachable fde0:987d:1ae1::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-lan_local proto kernel metric 256 pref medium
fe80::/64 dev eth1.6 proto kernel metric 256 pref medium
fe80::/64 dev eth1.8 proto kernel metric 256 pref medium
fe80::/64 dev eth1.3 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0-1 proto kernel metric 256 pref medium
fe80::/64 dev wlan0-2 proto kernel metric 256 pref medium
default via yyy:yyy:yyy:yyy::1 dev 6in4-wan6 proto static metric 1024 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast yyy:yyy:yyy:yyy:: dev 6in4-wan6 table local proto kernel metric 0 pref medium
local yyy:yyy:yyy:yyy::2 dev 6in4-wan6 table local proto kernel metric 0 pref medium
anycast xxx:xxx:xxx:5:: dev br-guest table local proto kernel metric 0 pref medium
local xxx:xxx:xxx:5::1 dev br-guest table local proto kernel metric 0 pref medium
anycast xxx:xxx:xxx:6:: dev eth1.6 table local proto kernel metric 0 pref medium
local xxx:xxx:xxx:6::1 dev eth1.6 table local proto kernel metric 0 pref medium
anycast xxx:xxx:xxx:8:: dev eth1.8 table local proto kernel metric 0 pref medium
local xxx:xxx:xxx:8::1 dev eth1.8 table local proto kernel metric 0 pref medium
anycast xxx:xxx:xxx:10:: dev br-lan table local proto kernel metric 0 pref medium
local xxx:xxx:xxx:10::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fde0:987d:1ae1:5:: dev br-guest table local proto kernel metric 0 pref medium
local fde0:987d:1ae1:5::1 dev br-guest table local proto kernel metric 0 pref medium
anycast fde0:987d:1ae1:6:: dev eth1.6 table local proto kernel metric 0 pref medium
local fde0:987d:1ae1:6::1 dev eth1.6 table local proto kernel metric 0 pref medium
anycast fde0:987d:1ae1:8:: dev eth1.8 table local proto kernel metric 0 pref medium
local fde0:987d:1ae1:8::1 dev eth1.8 table local proto kernel metric 0 pref medium
anycast fde0:987d:1ae1:10:: dev br-lan table local proto kernel metric 0 pref medium
local fde0:987d:1ae1:10::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1.8 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan_local table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1.3 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1.6 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev 6in4-wan6 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0-1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0-2 table local proto kernel metric 0 pref medium
local fe80::59be:2e82 dev 6in4-wan6 table local proto kernel metric 0 pref medium
local fe80::f0f2:6dff:fe85:b9ac dev wlan0-2 table local proto kernel metric 0 pref medium
local fe80::f4f2:6dff:fe85:b9ac dev wlan0-1 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev eth1 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev eth1.8 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev br-lan table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev br-guest table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev br-lan_local table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev eth1.3 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev eth1.6 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ac dev wlan0 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ad dev eth0 table local proto kernel metric 0 pref medium
local fe80::f6f2:6dff:fe85:b9ad dev eth0.2 table local proto kernel metric 0 pref medium
ff00::/8 dev eth1 table local proto kernel metric 256 pref medium
ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
ff00::/8 dev br-lan_local table local proto kernel metric 256 pref medium
ff00::/8 dev eth1.6 table local proto kernel metric 256 pref medium
ff00::/8 dev eth1.8 table local proto kernel metric 256 pref medium
ff00::/8 dev eth1.3 table local proto kernel metric 256 pref medium
ff00::/8 dev br-guest table local proto kernel metric 256 pref medium
ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
ff00::/8 dev eth0.2 table local proto kernel metric 256 pref medium
ff00::/8 dev 6in4-wan6 table local proto kernel metric 256 pref medium
ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium
ff00::/8 dev wlan0-1 table local proto kernel metric 256 pref medium
ff00::/8 dev wlan0-2 table local proto kernel metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000000:     from xxx:xxx:xxx:5::1/64 iif br-guest unreachable
4200000000:     from xxx:xxx:xxx:6::1/64 iif eth1.6 unreachable
4200000000:     from xxx:xxx:xxx:8::1/64 iif eth1.8 unreachable
4200000000:     from xxx:xxx:xxx:10::1/64 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000007:     from all iif br-guest failed_policy
4200000009:     from all iif br-lan failed_policy
4200000011:     from all iif br-lan_local failed_policy
4200000013:     from all iif eth1.6 failed_policy
4200000014:     from all iif eth1.8 failed_policy
4200000015:     from all iif eth1.3 failed_policy
4200000016:     from all iif eth0.2 failed_policy
4200000018:     from all iif 6in4-wan6 failed_policy

From what I can see, you allow forwarding from lan to all other zones, but all other zones are allowed to forward only to the wan zone. Could you give an example of what is not working when the firewall is active?

The problem is that only the lan zone has access to wan (I am able to ping a Google server by IP address). No other connection works between any of the other zones (lan->adguard, adguard->wan). For example, I have no access from lan to the adguard zone. Once I stop the firewall service, connections between zones/subnets work normally (ping, http, wan access...).

  1. What is the error when you ping from lan to adguard?
  2. Enable logging on the lan and adguard zones. Follow the logs with `logread -f` and try again.

Thanks a lot for the advice! The root cause was that the firewall was blocking ICMPv6 (type 135, Neighbor Solicitation). I've updated the firewall rule to allow incoming ICMPv6 from any zone and everything works now.

# Firewall traffic rule that accepts selected ICMPv6 types into the router's own
# INPUT path. Adding it resolved the block described above: with neighbour
# solicitation (type 135) rejected, IPv6 neighbour discovery from the non-lan
# VLANs could not complete, so nothing else over IPv6 worked either.
config rule
	option name 'Allow-ICMPv6-Input'
	# proto 'icmp' together with family 'ipv6' below selects ICMPv6.
	option proto 'icmp'
	# Rate limit on packets matched by this rule; bounds the cost of an
	# ICMPv6 flood that reaches it.
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	# Control-plane types: error reporting / path MTU discovery, ping, and
	# neighbour and router discovery.
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	# '*' matches any source zone, so these types are accepted from the
	# wan/wan6 side as well as from the internal VLAN zones.
	# NOTE(review): if the goal was only to unblock the VLAN zones, a narrower
	# src (or one rule per internal zone) keeps the wan-facing surface to the
	# types that must be reachable from outside — confirm the intent.
	option src '*'
