Help setting up WireGuard on a VLAN with MWAN3

Hello all. I'm setting up Mullvad VPN on my router but am stuck on the VLAN configuration. The official guide only provides for a setup involving the entire network.

I've looked around and can't seem to find anything relevant to my situation. I want to use one of the APs in my WLAN to create a second wifi network that would use the Mullvad tunnel. The Unifi controller definitely supports this.

My OpenWrt device has five physical interfaces; eth3 is connected to an 802.1q-aware PoE switch that runs the APs. However, when following the steps from that guide I see no option to bridge the LAN interface.

I've set up an 802.1q device on eth3, created an interface on eth3.2 and created a peer with the right settings, which I created a firewall zone for.

What do I do next? I don't want my entire network to use Mullvad's DNS. I am forcing all clients to use third party servers.

Please have a look at my configuration (let me know what to provide) and help figure out what I'm to do next.

Or point me to a good guide. Thank you in advance.

PS - could this have something to do with MWAN3? It's running in failover mode with an LTE router connected via ethernet.

PPS - I've downloaded a .conf file from the Mullvad site, but what am I supposed to do with it?

  • Instead of wiro, use your Mullvad tunnel
  • Use the addresses for your desired VLAN

This has not helped. In fact, after using that as a guideline I lost internet access until I deleted the interface and firewall zone...

At one point with those settings the network showed as connected but nothing would open.

Any logs I can provide that would be helpful?

Also, I just thought, could this have something to do with MWAN3? It's running in failover mode with an LTE router connected via ethernet.

:man_facepalming: yea, it could. I'm not familiar with using certain apps (e.g. mwan3, PBR, etc.) that also manipulate routes and rules too (I configure that as in the post).

I'm also unsure how that works with 2 Internet connections (with mwan3).

I just started from scratch, set everything up as before but now also added a gateway metric. For some reason I'm now getting internet from the failover ISP instead of the tunnel.

Since you are using mwan3, first of all you need to configure different metrics for all wan interfaces, including the tunnel.
Then you need to configure mwan3 interfaces and set up a policy to reach the Mullvad DNS over the Mullvad tunnel for the desired source addresses.

Use it to set up the OpenVPN tunnel.


I did have the tunnel at 3 (wan and wanb are 1 and 2 respectively).

I don't understand how to do this. The Policy section seems to have no way to do this...

Yeah, I figured it out finally :)

Sorry for the confusion, I got it mixed up with PBR. I meant rule.


I have since installed PBR but am not sure how to use it. Also, after starting from scratch again and giving each of the interfaces a metric and adding the text suggested by lleachii, I seem to have been able to actually connect to the tunnel; the luci-wireguard status says there was a handshake with the VPN for WAN.

But damned if I know how to make the resulting wireless connection have internet...

I'm not sure what exactly they're supposed to look like, these rules...

Here are some outputs:

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'DROP'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'
        list network 'wanb'
        list network 'VPN'
        list network 'VPNB'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'torrents'
        option src 'wan'
        option src_dport '52321'
        option dest_ip '192.168.1.10'
        option dest_port '52321'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Forced DNS'
        option src_dport '53'
        option dest_port '53'
        option src 'lan'
        option src_dip '192.168.1.1'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'torrents lab'
        option src 'wan'
        option src_dport '25271'
        option dest_ip '192.168.1.12'
        option dest_port '25271'

config zone
        option name 'vpn'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipv6 '0'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns 'XX.XX.XXX.XXX'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option ipv6 '0'
        option metric '1'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns 'XX.XX.XXX.XXX'
      
config interface 'wanb'
        option proto 'dhcp'
        option device 'eth4'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns 'XX.XX.XXX.XXX'
        option metric '2'

config interface 'VPN'
        option proto 'wireguard'
        option private_key 'gIkLrrme9P3CAFcJJKa+rEsFV7DuiUjg0snR6LtZz2U='
        list addresses '10.67.182.48/32'
        option peerdns '0'
        list dns '100.64.0.7'
        option metric '3'

config interface 'VPNB'
        option proto 'wireguard'
        option private_key 'gIkLrrme9P3CAFcJJKa+rEsFV7DuiUjg0snR6LtZz2U='
        list addresses '10.67.182.48/32'
        option peerdns '0'
        list dns '100.64.0.7'
        option metric '4'

config wireguard_VPN
        option description 'de-dus-wg-001.conf'
        option public_key 'ku1NYeOAGbY65YL/JKZhrqVzDJKXQiVj9USXbfkOBA0='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '185.254.75.3'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config wireguard_VPNB
        option description 'de-dus-wg-001.conf'
        option public_key 'ku1NYeOAGbY65YL/JKZhrqVzDJKXQiVj9USXbfkOBA0='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '185.254.75.3'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config device
        option name 'VPN'
        option ipv6 '0'

config device
        option name 'VPNB'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option name 'eth0.2'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'eth3'
        option vid '2'
        option name 'eth3.2'
        option ipv6 '0'

config route
        option interface 'VPN'
        option target '0.0.0.0/0'
        option table '1'
        option gateway '192.168.1.1'
        option metric '3'

config rule
        option dest '192.168.1.0/24'
        option priority '1'
        option lookup 'main'

config rule
        option src '192.168.1.0/24'
        option dest '0.0.0.0/0'
        option priority '2'
        option lookup '1'

/etc/config/mwan3

config globals 'globals'
        option mmx_mask '0x3F00'
        option logging '1'
        option loglevel 'notice'
        list rt_table_lookup '220'
        option local_source 'lan'

config interface 'wan'
        option enabled '1'
        option family 'ipv4'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option timeout '4'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'
        option interval '30'
        option reliability '1'
        option max_ttl '70'
        list track_ip '1.0.0.1'
        list track_ip '81.17.144.170'

config interface 'wanb'
        option family 'ipv4'
        option reliability '1'
        option enabled '1'
        option initial_state 'online'
        option track_method 'ping'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'
        option interval '30'
        list track_ip '1.0.0.1'
        list track_ip '81.17.144.170'

config policy 'wan_only'
        list use_member 'wan_m1_w1'
        option last_resort 'unreachable'

config policy 'wanb_only'
        list use_member 'wanb_m2_w2'
        option last_resort 'unreachable'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'
        option family 'ipv4'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option use_policy 'balanced'
        option family 'ipv6'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '1'

config member 'wanb_m2'
        option interface 'wanb'
        option metric '2'
        option weight '3'

config policy 'wans'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m2'
        option last_resort 'unreachable'

config interface 'VPN'
        option enabled '1'
        option initial_state 'online'
        option family 'ipv4'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config interface 'VPNB'
        option enabled '1'
        option initial_state 'online'
        option family 'ipv4'
        option track_method 'ping'
        option reliability '1'
        option count '1'
        option size '56'
        option max_ttl '60'
        option timeout '4'
        option interval '10'
        option failure_interval '5'
        option recovery_interval '5'
        option down '5'
        option up '5'

config member 'vpn_m3'
        option interface 'wan'
        option metric '3'
        option weight '1'

config member 'vpnb_m4'
        option interface 'wan'
        option metric '4'
        option weight '3'

ip route show


default via 100.64.149.1 dev eth0 proto static src 100.64.149.129 metric 1
default via 192.168.8.1 dev eth4 proto static src 192.168.8.100 metric 2
100.64.149.0/24 dev eth0 proto static scope link metric 1
XXX.XXX.XX.X via 100.64.149.1 dev eth0 proto static metric 1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.8.0/24 dev eth4 proto static scope link metric 2

Output of "ip -4 a show"
-------------------------------------------------
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 100.64.149.129/24 brd 100.64.149.255 scope global eth0
       valid_lft forever preferred_lft forever
7: eth4@dsa: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.100/24 brd 192.168.8.255 scope global eth4
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
16: VPNB: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.67.182.48/32 brd 255.255.255.255 scope global VPNB
       valid_lft forever preferred_lft forever
17: VPN: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.67.182.48/32 brd 255.255.255.255 scope global VPN
       valid_lft forever preferred_lft forever

Output of "ip -4 rule show"
-------------------------------------------------

0:	from all lookup local
1:	from all to 192.168.1.0/24 lookup main
2:	from 192.168.1.0/24 lookup 1
1001:	from all iif eth0 lookup 1
1002:	from all iif eth4 lookup 2
1003:	from all iif VPN lookup 3
1004:	from all iif VPNB lookup 4
2001:	from all fwmark 0x100/0x3f00 lookup 1
2002:	from all fwmark 0x200/0x3f00 lookup 2
2003:	from all fwmark 0x300/0x3f00 lookup 3
2004:	from all fwmark 0x400/0x3f00 lookup 4
2061:	from all fwmark 0x3d00/0x3f00 blackhole
2062:	from all fwmark 0x3e00/0x3f00 unreachable
3001:	from all fwmark 0x100/0x3f00 unreachable
3002:	from all fwmark 0x200/0x3f00 unreachable
3003:	from all fwmark 0x300/0x3f00 unreachable
3004:	from all fwmark 0x400/0x3f00 unreachable
30001:	from all fwmark 0x20000/0xff0000 lookup pbr_wanb
30003:	from all fwmark 0x40000/0xff0000 lookup pbr_VPNB
32766:	from all lookup main
32767:	from all lookup default

Output of "ip -4 route list table 1-250"
-------------------------------------------------
Routing table 1:
default via 100.64.149.1 dev eth0 proto static src 100.64.149.129 metric 1 
100.64.149.0/24 dev eth0 proto static scope link metric 1 
XXX.XXX.XX.X via 100.64.149.1 dev eth0 proto static metric 1 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

Routing table 2:
default via 192.168.8.1 dev eth4 proto static src 192.168.8.100 metric 2 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.8.0/24 dev eth4 proto static scope link metric 2 

Routing table 3:
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

Routing table 4:
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 

Output of "iptables -t mangle -w -L -v -n"
-------------------------------------------------
Chain PREROUTING (policy ACCEPT 83922 packets, 55M bytes)
 pkts bytes target     prot opt in     out     source               destination         
85840   56M mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 1218 packets, 129K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 82502 packets, 55M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1221 packets, 1153K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1334 1306K mwan3_hook  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 83723 packets, 56M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain mwan3_connected_ipv4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 2927 1464K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 dst MARK or 0x3f00

Chain mwan3_custom_ipv4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 dst MARK or 0x3f00

Chain mwan3_dynamic_ipv4 (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 dst MARK or 0x3f00

Chain mwan3_hook (2 references)
 pkts bytes target     prot opt in     out     source               destination         
87124   57M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 CONNMARK restore mask 0x3f00
 1639  216K mwan3_ifaces_in  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
 1087  153K mwan3_custom_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
 1087  153K mwan3_connected_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  918  124K mwan3_dynamic_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  918  124K mwan3_rules  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
87174   57M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save mask 0x3f00
 6592 2431K mwan3_custom_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00
 6592 2431K mwan3_connected_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00
 3834  996K mwan3_dynamic_ipv4  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match ! 0x3f00/0x3f00

Chain mwan3_iface_in_VPN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  VPN    *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  VPN    *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  VPN    *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  VPN    *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* VPN */ MARK xset 0x300/0x3f00

Chain mwan3_iface_in_VPNB (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  VPNB   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  VPNB   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  VPNB   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  VPNB   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* VPNB */ MARK xset 0x400/0x3f00

Chain mwan3_iface_in_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    1    56 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
  551 62146 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan */ MARK xset 0x100/0x3f00

Chain mwan3_iface_in_wanb (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_custom_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_connected_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            match-set mwan3_dynamic_ipv4 src mark match 0x0/0x3f00 /* default */ MARK or 0x3f00
    0     0 MARK       all  --  eth4   *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wanb */ MARK xset 0x200/0x3f00

Chain mwan3_ifaces_in (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1455  189K mwan3_iface_in_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  897  125K mwan3_iface_in_wanb  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  897  125K mwan3_iface_in_VPN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00
  875  121K mwan3_iface_in_VPNB  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00

Chain mwan3_policy_wan_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* unreachable */ MARK xset 0x3e00/0x3f00

Chain mwan3_policy_wanb_only (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* unreachable */ MARK xset 0x3e00/0x3f00

Chain mwan3_policy_wans (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x0/0x3f00 /* wan 1 1 */ MARK xset 0x100/0x3f00

Chain mwan3_rules (1 references)
 pkts bytes target     prot opt in     out     source               destination
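
Added example, not part of the original thread: a shell function that checks an mwan3 config for references to sections that do not exist and for sections nothing refers to, the kind of mismatch visible in the config posted above (its rules name a policy 'balanced' that is never defined, and no member uses 'VPN' or 'VPNB'). The sample input is a constructed excerpt that reuses the posted section names; 'mwan3_lint' and 'sample_config' are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint an mwan3 UCI config for broken
# or unused references. On the router: mwan3_lint /etc/config/mwan3

mwan3_lint() {
    cat "$@" | awk -v q="'" '
    function unq(s) { gsub("[" q "\"]", "", s); return s }   # strip UCI quotes
    function addref(src, ttype, tname) {
        n++; from[n] = src; totype[n] = ttype; toname[n] = tname
        used[ttype, tname] = 1
    }
    $1 == "config" {
        type = $2; name = unq($3)
        if (type == "interface" || type == "member" || type == "policy") {
            def[type, name] = 1
            order[++nd] = type SUBSEP name
        }
        next
    }
    # The three reference kinds: member -> interface, policy -> member,
    # rule -> policy.
    type == "member" && $1 == "option" && $2 == "interface"  { addref("member " name, "interface", unq($3)) }
    type == "policy" && $1 == "list"   && $2 == "use_member" { addref("policy " name, "member", unq($3)) }
    type == "rule"   && $1 == "option" && $2 == "use_policy" { addref("rule " name, "policy", unq($3)) }
    END {
        # Policy names mwan3 accepts without a policy section.
        def["policy", "default"] = def["policy", "unreachable"] = def["policy", "blackhole"] = 1
        for (i = 1; i <= n; i++)
            if (!((totype[i], toname[i]) in def)) {
                printf "MISSING: %s uses undefined %s %s\n", from[i], totype[i], toname[i]
                bad++
            }
        for (i = 1; i <= nd; i++)
            if (!(order[i] in used)) {
                split(order[i], part, SUBSEP)
                printf "UNUSED: %s %s is never referenced\n", part[1], part[2]
                bad++
            }
        exit (bad > 0)   # non-zero status when anything was reported
    }'
}

# Constructed excerpt that mirrors the section names and references in the
# mwan3 config posted above (tracking options omitted).
sample_config() {
    cat <<'EOF'
config interface 'wan'
        option enabled '1'
config interface 'wanb'
        option enabled '1'
config interface 'VPN'
        option enabled '1'
config policy 'wan_only'
        list use_member 'wan_m1_w1'
config rule 'https'
        option dest_port '443'
        option use_policy 'balanced'
config member 'wan_m1_w3'
        option interface 'wan'
config member 'wanb_m2'
        option interface 'wanb'
config policy 'wans'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m2'
config member 'vpn_m3'
        option interface 'wan'
EOF
}

sample_config | mwan3_lint || true
```

An UNUSED interface line for the tunnel means mwan3 tracks it but has no member through which a policy could select it, so no rule can send traffic over it.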