How to set up WireGuard site-to-site routing?

I would like to connect two private LANs via WireGuard.
The private LANs use IPv4, while the connection between the WireGuard peers has to be IPv6.
Both sites are using the same hardware.
The internet connection is established via an AVM DSL router. The OpenWrt routers (NanoPis) are configured as IPv6 exposed hosts and they are the only devices connected to the AVM devices.

The connections are up and running. When I log in via SSH to the NanoPi I can ping or SSH to all devices at the remote site.
So I can confirm the connection is established as expected.

When I set "route_allowed_ips=0" then I can't access remote devices anymore.

Configuration site A

network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.public_key='XXX'
network.wg0.private_key='XXX'
network.wg0.listen_port='22222'
network.wg0.addresses='172.16.0.20/32'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='Site A'
network.@wireguard_wg0[0].public_key='XXX'
network.@wireguard_wg0[0].private_key='XXX'
network.@wireguard_wg0[0].endpoint_host='myipv6.dynv6.net'
network.@wireguard_wg0[0].endpoint_port='22122'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='172.16.0.10/32' '192.168.10.0/24'
network.@wireguard_wg0[0].route_allowed_ips='1'

But no device at the LAN site can access a device on the remote site. So I guess I have to add a (static) route rule to make this work.
But I can't figure out how to do this.

Found this, but with my limited knowledge and only a little English I did not understand what to do.

Specifies the logical interface name of the parent (or master) interface this route belongs to;

Which interface do I have to use?
LAN, as it is the LAN interface used on both sites?
WG0, as it is the WireGuard interface?

OK, "target" and "netmask" should be the values of the remote site.
i.e. 192.168.10.0 and 255.255.255.0

Network gateway. If omitted, the gateway from the parent interface is taken if any,

Hm, if omitted it's the gateway from the parent interface. But what is the parent interface? How do I find out?
Is this the IP of the gateway defined for LAN? And if this is correct, why do I have to specify it?
Or should I use the IP of the wg0 interface here?

For the moment I have this. But I have tested dozens of combinations, and nothing worked.

network.@route[0].interface='lan'
network.@route[0].gateway='192.168.20.1'
network.@route[0].target='192.168.10.0'
network.@route[0].netmask='255.255.255.0'

begging for help now....

Henning

Setting this to enabled is the equivalent of adding the route on your own.

If you, for some reason, would like to add the routes manually, you can do this.
Let's assume the two sites are built up like this:

site 1:
LAN: 192.168.10.0/24
Router IP (LAN): 192.168.10.1

site 2:
LAN: 192.168.20.0/24
Router IP (LAN): 192.168.20.1

VPN Network:
Subnet: 192.168.30.0/30 (NOTE: Only 2 usable IPs in this subnet)
Router 1 IP: 192.168.30.1
Router 2 IP: 192.168.30.2

Now your custom routes have the VPN IP of the other site's router as gateway.
Like this:

route on site 1 router:
interface: vpn
target: 192.168.20.0
netmask: 255.255.255.0
gateway: 192.168.30.2

route on site 2 router:
interface: vpn
target: 192.168.10.0
netmask: 255.255.255.0
gateway: 192.168.30.1

These routes are automatically created when you have route_allowed_ips enabled, so there should be no need to create the routes manually.
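As an added example (not code from any post in this thread): a small Python check of the rule behind the answer above. WireGuard uses a peer's allowed_ips both as the prefixes routed to that peer and as the source addresses it will accept from it, so for LAN-to-LAN traffic each side's peer must list the remote tunnel address and the remote LAN, with route_allowed_ips on. The script parses `uci export network` output like the exports posted later in the thread; the two sample configs are constructed with the thread's addresses, and site B's peer is given only the remote tunnel address to show what the check reports.

```python
"""Consistency check for an OpenWrt WireGuard site-to-site pair (added example).

A peer's allowed_ips works in both directions: destination prefixes sent to
that peer (installed as kernel routes when route_allowed_ips is '1') and the
source addresses accepted from it. So each side must list the remote tunnel
address AND the remote LAN, or the far router answers while its LAN does not.
"""
import ipaddress
import re

# Constructed samples in the shape of `uci export network`, cut down to the
# sections the check reads. Site B's peer lists only the remote tunnel address.
SITE_A = """package network

config interface 'lan'
    option netmask '255.255.255.0'
    option ipaddr '192.168.20.1'

config interface 'wg0'
    list addresses '172.16.0.20/32'

config wireguard_wg0
    list allowed_ips '172.16.0.10/32'
    list allowed_ips '192.168.10.0/24'
    option route_allowed_ips '1'
"""

SITE_B = """package network

config interface 'lan'
    option netmask '255.255.255.0'
    option ipaddr '192.168.10.1'

config interface 'wg0'
    list addresses '172.16.0.10/32'

config wireguard_wg0
    option route_allowed_ips '1'
    list allowed_ips '172.16.0.20/32'
"""

# The same site B once the remote LAN has been added to its peer section.
SITE_B_FIXED = SITE_B + "    list allowed_ips '192.168.20.0/24'\n"


def parse_uci_export(text):
    """Parse uci export text into [(section_type, section_name, options)].

    `option` and `list` values are both stored as lists so callers read them alike.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if head:
            sections.append((head.group(1), head.group(2), {}))
            continue
        kv = re.match(r"(?:option|list)\s+(\S+)\s+'([^']*)'$", line)
        if kv and sections:
            sections[-1][2].setdefault(kv.group(1), []).append(kv.group(2))
    return sections


def site_facts(text, wg_if="wg0"):
    """Pull the LAN prefix, tunnel address and first peer out of one export."""
    lan = tunnel = peer = None
    for stype, name, opts in parse_uci_export(text):
        if stype == "interface" and name == "lan":
            mask = opts.get("netmask", ["255.255.255.0"])[0]  # assumed default
            lan = ipaddress.ip_network(f"{opts['ipaddr'][0]}/{mask}", strict=False)
        elif stype == "interface" and name == wg_if:
            tunnel = ipaddress.ip_interface(opts["addresses"][0])
        elif stype == f"wireguard_{wg_if}" and peer is None:
            peer = opts
    return {"lan": lan, "tunnel": tunnel, "peer": peer}


def check_pair(text_a, text_b):
    """Return a list of findings for the pair; an empty list means consistent."""
    sites = {"Site A": site_facts(text_a), "Site B": site_facts(text_b)}
    findings = []
    for label, local in sites.items():
        remote = sites["Site B" if label == "Site A" else "Site A"]
        peer = local["peer"]
        if peer is None:
            findings.append(f"{label}: no wireguard_wg0 peer section")
            continue
        allowed = [ipaddress.ip_network(p) for p in peer.get("allowed_ips", [])]
        covered = lambda prefix: any(prefix.subnet_of(n) for n in allowed)
        remote_tunnel = ipaddress.ip_network(str(remote["tunnel"].ip))
        if not covered(remote_tunnel):
            findings.append(f"{label}: allowed_ips lacks remote tunnel address {remote_tunnel}")
        if not covered(remote["lan"]):
            findings.append(f"{label}: allowed_ips lacks remote LAN {remote['lan']}; "
                            "its packets are dropped on ingress and no route is installed")
        if peer.get("route_allowed_ips", ["0"])[0] != "1":
            findings.append(f"{label}: route_allowed_ips is off, routes must be added by hand")
        if any(n.overlaps(local["lan"]) for n in allowed):
            findings.append(f"{label}: allowed_ips overlaps the local LAN {local['lan']}")
    if sites["Site A"]["lan"].overlaps(sites["Site B"]["lan"]):
        findings.append("the two LAN prefixes overlap; site-to-site routing needs distinct ones")
    return findings


if __name__ == "__main__":
    for name, cfg in (("site B as sampled", SITE_B), ("site B fixed", SITE_B_FIXED)):
        print(name, "->", check_pair(SITE_A, cfg) or ["OK"])
```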

If I understand you correctly,
you are missing a static route in both DSL routers to point to the remote side via the NanoPis, since your devices use the DSL box as default route. Or any single device has to have a static route to the remote side via the NanoPis.

I recently set up a site-to-site WireGuard tunnel between OpenWrt on my home router and OpenWrt on a remote Raspberry Pi. The goal was to get access to the remote LAN from my home LAN. I had trouble getting it to work, so this is the hacky solution I ended up with:

Home LAN: 192.168.10.0/24
Remote LAN: 192.168.100.0/24
Home WireGuard IP: 10.10.10.100
Remote WireGuard IP: 10.10.10.50

On my home router, WireGuard setting for client (remote router):
Allowed IPs:
10.10.10.50/32
192.168.100.0/24
Route Allowed IPs checked

On my remote router, WireGuard setting for client (home router):
Allowed IPs:
10.10.10.0/24 (multiple devices are connecting to my home router)
Route Allowed IPs checked

On my home router I had this firewall NAT rule:
IPv4 from "any zone" to "any zone, IP 192.168.100.0/24" rewrite to source IP 10.10.10.100

On my remote router I had this firewall NAT rule:
IPv4 from "any zone, IP 10.10.10.100" to "any zone, IP 192.168.100.0/24" rewrite to source IP 192.168.100.1

This is what happens when I try to connect from home LAN to remote LAN:
packet goes from home PC to home router -> packet gets rewritten with source IP 10.10.10.100 -> packet gets sent over the WireGuard tunnel, since its destination is in the 192.168.100.0/24 subnet -> remote router sees that the packet is coming from 10.10.10.100 and accepts it -> remote router rewrites the packet with source IP 192.168.100.1 -> packet gets sent out on the remote network.

With this setup it might not be possible to initiate a connection from the remote LAN to the home LAN, but it works from home LAN to remote LAN. Packets also have to be rewritten twice, so it's not optimal if you have a lot of traffic.

And you can connect to a device on your remote site?

Also why are you rewriting your packets?

When I connect in my local LAN via SSH to my OpenWrt router (NanoPi) I can then connect from the NanoPi via SSH to all devices at the remote site.

But if I try to connect from any other device in my local LAN (i.e. my desktop PC with IP 192.168.20.22) I can't even ping a remote device (i.e. the remote NanoPi 192.168.10.1).

With route_allowed_ips=1 of course.

@ASFP
What do you mean with

Also why are you rewriting your packets?

Did not understand the question ...

I'm sorry I thought @Znerox 's post was from you.

Do you have route_allowed_ips enabled on both sites?

Configuration of your remote site would be helpful.

@g6094199
No, that's not my intention.
I will get a fiber line in the next weeks. And then there is no public IPv4 anymore. So the DSL routers are only needed to convert DSL to Ethernet/IPv6 until fiber is ready.
They are just like modems for now.

@ASFP
Yes route_allowed_ips is enabled on both sites.

Site B

firewall.@zone[0].network='lan' 'wg0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='XXX'
network.wg0.public_key='XXX'
network.wg0.listen_port='22122'
network.wg0.addresses='172.16.0.10/32'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='Site B'
network.@wireguard_wg0[0].public_key='XXX'
network.@wireguard_wg0[0].private_key='XXX'
network.@wireguard_wg0[0].endpoint_host='myremote-ipv6.dynv6.net'
network.@wireguard_wg0[0].endpoint_port='22222'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].allowed_ips='172.16.0.20/32' '192.168.20.0/24'

Please run the following commands on both routers (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Ok,
hope that's it, and I have found all private data ...
But the body is too big for just 1 answer.

DHCP Site A

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option local '/site-A.xa/'
	option domain 'site-A.xa'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '200'
	option limit '250'
	option leasetime '1h'
	option ra_management '1'
	list dhcp_option '42,192.168.20.1'
	list dhcp_option '60,6865i,AastraIPPhone6865i'
	list dhcp_option '6865i,66,https://Falcon/OpenWrt/mitel/'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Jail'
	option interface 'Jail'
	option start '200'
	option limit '250'
	option leasetime '1h'
	list dhcp_option '42,192.168.20.1'

config dhcp 'GP'
	option interface 'GP'
	option start '200'
	option limit '250'
	option leasetime '1h'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'VoIP'
	option interface 'VoIP'
	option leasetime '12h'
	option start '200'
	option limit '250'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

DHCP Site B

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option leasetime '1h'
	option start '200'
	option limit '250'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'Jail'
	option interface 'Jail'
	option leasetime '1h'
	list dhcp_option '42,192.168.10.1'
	option start '200'
	option limit '250'

config dhcp 'GP'
	option interface 'GP'
	option leasetime '1h'
	option start '200'
	option limit '250'

config dhcp 'VoIP'
	option interface 'VoIP'
	option leasetime '12h'
	option start '200'
	option limit '250'

Network Site A

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc0:a6:c6::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.20.1'

config device 'lan_eth1_dev'
	option name 'eth1'
	option macaddr '32:e4:ce:51:0a:a5'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config interface 'Jail'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'static'
	option ipaddr '192.168.23.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'VoIP'
	option type 'bridge'
	option ifname 'eth1.7'
	option proto 'static'
	option ipaddr '192.168.27.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config interface 'wg0'
	option proto 'wireguard'
	option public_key 'XXX'
	option private_key 'XXX'
	option listen_port '22222'
	list addresses '172.16.0.20/32'

config wireguard_wg0
	option description 'Site-B'
	option public_key 'XXX'
	option private_key 'XXX'
	option endpoint_host 'site-b-ipv6.dynv6.net'
	option endpoint_port '22122'
	option persistent_keepalive '25'
	list allowed_ips '172.16.0.10/32'
	list allowed_ips '192.168.10.0/24'
	option route_allowed_ips '1'

Network Site B

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd32:2759:ebd5::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.10.1'
	option ip6assign '64'

config device 'lan_eth1_dev'
	option name 'eth1'
	option macaddr '96:2e:c3:8b:10:fb'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config device 'wan_eth0_dev'
	option name 'eth0'
	option macaddr '96:2e:c3:8b:10:fa'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config interface 'Jail'
	option type 'bridge'
	option ifname 'eth1.3'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.13.1'

config interface 'GP'
	option type 'bridge'
	option ifname 'eth1.6'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.16.1'

config interface 'VoIP'
	option type 'bridge'
	option ifname 'eth1.7'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ipaddr '192.168.17.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	option public_key 'XXX'
	option listen_port '22122'
	list addresses '172.16.0.10/32'

config wireguard_wg0
	option description 'Site-A'
	option public_key 'XXX'
	option private_key 'XXX'
	option endpoint_host 'site-a-ipv6.dynv6.net'
	option endpoint_port '22222'
	option route_allowed_ips '1'
	list allowed_ips '172.16.0.20/32'

Firewall Site A

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option name 'Allow-ICMPv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-Wireguard-Input'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '22122'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Jail'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Jail'

config forwarding
	option src 'lan'
	option dest 'Jail'

config zone
	option name 'GP'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'VoIP'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VoIP'

config forwarding
	option src 'lan'
	option dest 'VoIP'

config rule
	option name 'Reject NTP to WAN'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option target 'REJECT'

config rule
	option name 'Drop SMB Stuff'
	option src 'lan'
	option dest 'wan'
	option dest_port '137-139 445'
	option target 'DROP'

config rule
	option name 'Allow Mail 2 Goneo'
	list proto 'tcp'
	option src 'Jail'
	option dest 'wan'
	list dest_ip '82.100.220.166'
	list dest_ip '2001:1640:5::2:166'
	option dest_port '495'
	option target 'ACCEPT'

config rule
	option name 'Drop Jail 2 WAN'
	option src 'Jail'
	option dest 'wan'
	option target 'DROP'

Firewall Site B

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option src 'wan'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	option name 'Allow-ICMPv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-Wireguard-Input'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '22122'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'Jail'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Jail'

config forwarding
	option src 'lan'
	option dest 'Jail'

config zone
	option name 'GP'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'VoIP'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'VoIP'

config forwarding
	option src 'lan'
	option dest 'VoIP'

config rule
	option name 'Reject NTP to WAN'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option target 'REJECT'

config rule
	option name 'Drop SMB Stuff'
	option src 'lan'
	option dest 'wan'
	option dest_port '137-139 445'
	option target 'DROP'

config rule
	option name 'Allow Mail 2 Goneo'
	list proto 'tcp'
	option src 'Jail'
	option dest 'wan'
	list dest_ip '82.100.220.166'
	list dest_ip '2001:1640:5::2:166'
	option dest_port '495'
	option target 'ACCEPT'

config rule
	option name 'Drop Jail 2 WAN'
	option src 'Jail'
	option dest 'wan'
	option target 'DROP'

Part 2 ....

ip -4 ro Site A

default via 192.168.2.1 dev eth0  src 192.168.2.10 
172.16.0.10 dev wg0 scope link 
172.16.0.21 dev wg0 scope link 
172.16.0.22 dev wg0 scope link 
172.16.0.25 dev wg0 scope link 
192.168.2.0/24 dev eth0 scope link  src 192.168.2.10 
192.168.10.0/24 dev wg0 scope link 
192.168.20.0/24 dev br-lan scope link  src 192.168.20.1 
192.168.23.0/24 dev br-Jail scope link  src 192.168.23.1 
192.168.27.0/24 dev br-VoIP scope link  src 192.168.27.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 172.16.0.20 dev wg0 table local scope host  src 172.16.0.20 
broadcast 192.168.2.0 dev eth0 table local scope link  src 192.168.2.10 
local 192.168.2.10 dev eth0 table local scope host  src 192.168.2.10 
broadcast 192.168.2.255 dev eth0 table local scope link  src 192.168.2.10 
broadcast 192.168.20.0 dev br-lan table local scope link  src 192.168.20.1 
local 192.168.20.1 dev br-lan table local scope host  src 192.168.20.1 
broadcast 192.168.20.255 dev br-lan table local scope link  src 192.168.20.1 
broadcast 192.168.23.0 dev br-Jail table local scope link  src 192.168.23.1 
local 192.168.23.1 dev br-Jail table local scope host  src 192.168.23.1 
broadcast 192.168.23.255 dev br-Jail table local scope link  src 192.168.23.1 
broadcast 192.168.27.0 dev br-VoIP table local scope link  src 192.168.27.1 
local 192.168.27.1 dev br-VoIP table local scope host  src 192.168.27.1 
broadcast 192.168.27.255 dev br-VoIP table local scope link  src 192.168.27.1 

ip -4 ro site B

default via 192.168.11.1 dev eth0  src 192.168.11.2 
172.16.0.20 dev wg0 scope link 
172.16.0.21 dev wg0 scope link 
172.16.0.22 dev wg0 scope link 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
192.168.11.0/24 dev eth0 scope link  src 192.168.11.2 
192.168.13.0/24 dev br-Jail scope link  src 192.168.13.1 
192.168.16.0/24 dev br-GP scope link  src 192.168.16.1 
192.168.17.0/24 dev br-VoIP scope link  src 192.168.17.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
local 172.16.0.10 dev wg0 table local scope host  src 172.16.0.10 
broadcast 192.168.10.0 dev br-lan table local scope link  src 192.168.10.1 
local 192.168.10.1 dev br-lan table local scope host  src 192.168.10.1 
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.1 
broadcast 192.168.11.0 dev eth0 table local scope link  src 192.168.11.2 
local 192.168.11.2 dev eth0 table local scope host  src 192.168.11.2 
broadcast 192.168.11.255 dev eth0 table local scope link  src 192.168.11.2 
broadcast 192.168.13.0 dev br-Jail table local scope link  src 192.168.13.1 
local 192.168.13.1 dev br-Jail table local scope host  src 192.168.13.1 
broadcast 192.168.13.255 dev br-Jail table local scope link  src 192.168.13.1 
broadcast 192.168.16.0 dev br-GP table local scope link  src 192.168.16.1 
local 192.168.16.1 dev br-GP table local scope host  src 192.168.16.1 
broadcast 192.168.16.255 dev br-GP table local scope link  src 192.168.16.1 
broadcast 192.168.17.0 dev br-VoIP table local scope link  src 192.168.17.1 
local 192.168.17.1 dev br-VoIP table local scope host  src 192.168.17.1 
broadcast 192.168.17.255 dev br-VoIP table local scope link  src 192.168.17.1 

ip -4 ro ... site A

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

ip -4 ro ... site B

0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

ipv4 site A

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.2.10/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
4: br-Jail: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.23.1/24 brd 192.168.23.255 scope global br-Jail
       valid_lft forever preferred_lft forever
6: br-VoIP: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.27.1/24 brd 192.168.27.255 scope global br-VoIP
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.20.1/24 brd 192.168.20.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 172.16.0.20/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever

ipv4 site B

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet 192.168.11.2/24 brd 192.168.11.255 scope global eth0
       valid_lft forever preferred_lft forever
4: br-GP: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.16.1/24 brd 192.168.16.255 scope global br-GP
       valid_lft forever preferred_lft forever
6: br-Jail: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.13.1/24 brd 192.168.13.255 scope global br-Jail
       valid_lft forever preferred_lft forever
8: br-VoIP: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.17.1/24 brd 192.168.17.255 scope global br-VoIP
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 172.16.0.10/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever

Part 3

iptables Site A

# Generated by iptables-save v1.8.7 on Fri May  7 23:36:54 2021
*nat
:PREROUTING ACCEPT [1211:384060]
:INPUT ACCEPT [588:38334]
:OUTPUT ACCEPT [250:17631]
:POSTROUTING ACCEPT [58:4083]
:postrouting_GP_rule - [0:0]
:postrouting_Jail_rule - [0:0]
:postrouting_VoIP_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_GP_rule - [0:0]
:prerouting_Jail_rule - [0:0]
:prerouting_VoIP_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_GP_postrouting - [0:0]
:zone_GP_prerouting - [0:0]
:zone_Jail_postrouting - [0:0]
:zone_Jail_prerouting - [0:0]
:zone_VoIP_postrouting - [0:0]
:zone_VoIP_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1211:384060] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[647:44331] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[20:1319] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[544:338410] -A PREROUTING -i br-Jail -m comment --comment "!fw3" -j zone_Jail_prerouting
[0:0] -A PREROUTING -i br-VoIP -m comment --comment "!fw3" -j zone_VoIP_prerouting
[297:22783] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3:24] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[239:18700] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-Jail -m comment --comment "!fw3" -j zone_Jail_postrouting
[0:0] -A POSTROUTING -o br-VoIP -m comment --comment "!fw3" -j zone_VoIP_postrouting
[0:0] -A zone_GP_postrouting -m comment --comment "!fw3: Custom GP postrouting rule chain" -j postrouting_GP_rule
[0:0] -A zone_GP_prerouting -m comment --comment "!fw3: Custom GP prerouting rule chain" -j prerouting_GP_rule
[0:0] -A zone_Jail_postrouting -m comment --comment "!fw3: Custom Jail postrouting rule chain" -j postrouting_Jail_rule
[544:338410] -A zone_Jail_prerouting -m comment --comment "!fw3: Custom Jail prerouting rule chain" -j prerouting_Jail_rule
[0:0] -A zone_VoIP_postrouting -m comment --comment "!fw3: Custom VoIP postrouting rule chain" -j postrouting_VoIP_rule
[0:0] -A zone_VoIP_prerouting -m comment --comment "!fw3: Custom VoIP prerouting rule chain" -j prerouting_VoIP_rule
[3:24] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[647:44331] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[239:18700] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[239:18700] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[20:1319] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri May  7 23:36:54 2021
# Generated by iptables-save v1.8.7 on Fri May  7 23:36:54 2021
*mangle
:PREROUTING ACCEPT [12393:3092625]
:INPUT ACCEPT [9524:2009942]
:FORWARD ACCEPT [2446:760236]
:OUTPUT ACCEPT [8197:1637012]
:POSTROUTING ACCEPT [10479:2378439]
[34:2040] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[35:2092] -A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May  7 23:36:54 2021
# Generated by iptables-save v1.8.7 on Fri May  7 23:36:54 2021
*filter
:INPUT ACCEPT [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_GP_rule - [0:0]
:forwarding_Jail_rule - [0:0]
:forwarding_VoIP_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_GP_rule - [0:0]
:input_Jail_rule - [0:0]
:input_VoIP_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_GP_rule - [0:0]
:output_Jail_rule - [0:0]
:output_VoIP_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_GP_dest_ACCEPT - [0:0]
:zone_GP_dest_REJECT - [0:0]
:zone_GP_forward - [0:0]
:zone_GP_input - [0:0]
:zone_GP_output - [0:0]
:zone_GP_src_ACCEPT - [0:0]
:zone_Jail_dest_ACCEPT - [0:0]
:zone_Jail_dest_REJECT - [0:0]
:zone_Jail_forward - [0:0]
:zone_Jail_input - [0:0]
:zone_Jail_output - [0:0]
:zone_Jail_src_ACCEPT - [0:0]
:zone_VoIP_dest_ACCEPT - [0:0]
:zone_VoIP_dest_REJECT - [0:0]
:zone_VoIP_forward - [0:0]
:zone_VoIP_input - [0:0]
:zone_VoIP_output - [0:0]
:zone_VoIP_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1110:93495] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[8414:1916447] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6997:1820011] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[14:844] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1174:87538] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[1:52] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[27:1575] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[215:7271] -A INPUT -i br-Jail -m comment --comment "!fw3" -j zone_Jail_input
[0:0] -A INPUT -i br-VoIP -m comment --comment "!fw3" -j zone_VoIP_input
[2446:760236] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[2234:736179] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[95:8613] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[117:15444] -A FORWARD -i br-Jail -m comment --comment "!fw3" -j zone_Jail_forward
[0:0] -A FORWARD -i br-VoIP -m comment --comment "!fw3" -j zone_VoIP_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1110:93495] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[7087:1543517] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6891:1529725] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[3:160] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[193:13632] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-Jail -m comment --comment "!fw3" -j zone_Jail_output
[0:0] -A OUTPUT -o br-VoIP -m comment --comment "!fw3" -j zone_VoIP_output
[4:811] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[36:2032] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[14:844] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_GP_forward -m comment --comment "!fw3: Custom GP forwarding rule chain" -j forwarding_GP_rule
[0:0] -A zone_GP_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GP_forward -m comment --comment "!fw3" -j zone_GP_dest_REJECT
[0:0] -A zone_GP_input -m comment --comment "!fw3: Custom GP input rule chain" -j input_GP_rule
[0:0] -A zone_GP_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GP_input -m comment --comment "!fw3" -j zone_GP_src_ACCEPT
[0:0] -A zone_GP_output -m comment --comment "!fw3: Custom GP output rule chain" -j output_GP_rule
[0:0] -A zone_GP_output -m comment --comment "!fw3" -j zone_GP_dest_ACCEPT
[0:0] -A zone_Jail_dest_ACCEPT -o br-Jail -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Jail_dest_REJECT -o br-Jail -m comment --comment "!fw3" -j reject
[117:15444] -A zone_Jail_forward -m comment --comment "!fw3: Custom Jail forwarding rule chain" -j forwarding_Jail_rule
[0:0] -A zone_Jail_forward -d 82.100.220.166/32 -p tcp -m tcp --dport 495 -m comment --comment "!fw3: Allow Mail 2 Goneo" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Jail_forward -s 192.168.23.115/32 -p tcp -m comment --comment "!fw3: Landroid" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Jail_forward -p tcp -m comment --comment "!fw3: Drop Jail 2 WAN" -j zone_wan_dest_DROP
[117:15444] -A zone_Jail_forward -p udp -m comment --comment "!fw3: Drop Jail 2 WAN" -j zone_wan_dest_DROP
[0:0] -A zone_Jail_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Jail_forward -m comment --comment "!fw3" -j zone_Jail_dest_REJECT
[215:7271] -A zone_Jail_input -m comment --comment "!fw3: Custom Jail input rule chain" -j input_Jail_rule
[0:0] -A zone_Jail_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[215:7271] -A zone_Jail_input -m comment --comment "!fw3" -j zone_Jail_src_ACCEPT
[0:0] -A zone_Jail_output -m comment --comment "!fw3: Custom Jail output rule chain" -j output_Jail_rule
[0:0] -A zone_Jail_output -m comment --comment "!fw3" -j zone_Jail_dest_ACCEPT
[215:7271] -A zone_Jail_src_ACCEPT -i br-Jail -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VoIP_dest_ACCEPT -o br-VoIP -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VoIP_dest_REJECT -o br-VoIP -m comment --comment "!fw3" -j reject
[0:0] -A zone_VoIP_forward -m comment --comment "!fw3: Custom VoIP forwarding rule chain" -j forwarding_VoIP_rule
[0:0] -A zone_VoIP_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_VoIP_forward -m comment --comment "!fw3" -j zone_VoIP_dest_REJECT
[0:0] -A zone_VoIP_input -m comment --comment "!fw3: Custom VoIP input rule chain" -j input_VoIP_rule
[0:0] -A zone_VoIP_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_VoIP_input -m comment --comment "!fw3" -j zone_VoIP_src_ACCEPT
[0:0] -A zone_VoIP_output -m comment --comment "!fw3: Custom VoIP output rule chain" -j output_VoIP_rule
[0:0] -A zone_VoIP_output -m comment --comment "!fw3" -j zone_VoIP_dest_ACCEPT
[0:0] -A zone_VoIP_src_ACCEPT -i br-VoIP -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[5:328] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[95:8613] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 123 -m comment --comment "!fw3: Reject NTP to WAN" -j zone_wan_dest_REJECT
[20:1520] -A zone_lan_forward -p udp -m udp --dport 123 -m comment --comment "!fw3: Reject NTP to WAN" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 137:139 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 445 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m udp --dport 137:139 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m udp --dport 445 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[75:7093] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[2:168] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Jail forwarding policy" -j zone_Jail_dest_ACCEPT
[2:168] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VoIP forwarding policy" -j zone_VoIP_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[2:168] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1175:87590] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1175:87590] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3:160] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[3:160] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1174:87538] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[27:1845] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[239:18712] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[117:15444] -A zone_wan_dest_DROP -o eth0 -m comment --comment "!fw3" -j DROP
[20:1520] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[27:1575] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-ICMPv4" -j ACCEPT
[7:252] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 22222 -m comment --comment "!fw3: Allow-Wireguard-Input" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[20:1323] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[193:13632] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[193:13632] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[20:1323] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May  7 23:36:54 2021

iptables Site B

# Generated by iptables-save v1.8.7 on Fri May  7 23:35:30 2021
*nat
:PREROUTING ACCEPT [1592:243774]
:INPUT ACCEPT [567:40377]
:OUTPUT ACCEPT [370:25389]
:POSTROUTING ACCEPT [12:730]
:postrouting_GP_rule - [0:0]
:postrouting_Jail_rule - [0:0]
:postrouting_VoIP_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_GP_rule - [0:0]
:prerouting_Jail_rule - [0:0]
:prerouting_VoIP_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_GP_postrouting - [0:0]
:zone_GP_prerouting - [0:0]
:zone_Jail_postrouting - [0:0]
:zone_Jail_prerouting - [0:0]
:zone_VoIP_postrouting - [0:0]
:zone_VoIP_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1592:243774] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1583:242995] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[2:120] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[7:659] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-Jail -m comment --comment "!fw3" -j zone_Jail_prerouting
[0:0] -A PREROUTING -i br-VoIP -m comment --comment "!fw3" -j zone_VoIP_prerouting
[511:39662] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[499:38932] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-Jail -m comment --comment "!fw3" -j zone_Jail_postrouting
[0:0] -A POSTROUTING -o br-VoIP -m comment --comment "!fw3" -j zone_VoIP_postrouting
[0:0] -A zone_GP_postrouting -m comment --comment "!fw3: Custom GP postrouting rule chain" -j postrouting_GP_rule
[0:0] -A zone_GP_prerouting -m comment --comment "!fw3: Custom GP prerouting rule chain" -j prerouting_GP_rule
[0:0] -A zone_Jail_postrouting -m comment --comment "!fw3: Custom Jail postrouting rule chain" -j postrouting_Jail_rule
[0:0] -A zone_Jail_prerouting -m comment --comment "!fw3: Custom Jail prerouting rule chain" -j prerouting_Jail_rule
[0:0] -A zone_VoIP_postrouting -m comment --comment "!fw3: Custom VoIP postrouting rule chain" -j postrouting_VoIP_rule
[0:0] -A zone_VoIP_prerouting -m comment --comment "!fw3: Custom VoIP prerouting rule chain" -j prerouting_VoIP_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1585:243115] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[499:38932] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[499:38932] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[7:659] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri May  7 23:35:30 2021
# Generated by iptables-save v1.8.7 on Fri May  7 23:35:30 2021
*mangle
:PREROUTING ACCEPT [8130:3656690]
:INPUT ACCEPT [2628:1363031]
:FORWARD ACCEPT [4964:2131106]
:OUTPUT ACCEPT [2548:255487]
:POSTROUTING ACCEPT [7148:2359553]
[198:10488] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[92:4964] -A FORWARD -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri May  7 23:35:30 2021
# Generated by iptables-save v1.8.7 on Fri May  7 23:35:30 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_GP_rule - [0:0]
:forwarding_Jail_rule - [0:0]
:forwarding_VoIP_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_GP_rule - [0:0]
:input_Jail_rule - [0:0]
:input_VoIP_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_GP_rule - [0:0]
:output_Jail_rule - [0:0]
:output_VoIP_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_GP_dest_ACCEPT - [0:0]
:zone_GP_dest_REJECT - [0:0]
:zone_GP_forward - [0:0]
:zone_GP_input - [0:0]
:zone_GP_output - [0:0]
:zone_GP_src_ACCEPT - [0:0]
:zone_Jail_dest_ACCEPT - [0:0]
:zone_Jail_dest_REJECT - [0:0]
:zone_Jail_forward - [0:0]
:zone_Jail_input - [0:0]
:zone_Jail_output - [0:0]
:zone_Jail_src_ACCEPT - [0:0]
:zone_VoIP_dest_ACCEPT - [0:0]
:zone_VoIP_dest_REJECT - [0:0]
:zone_VoIP_forward - [0:0]
:zone_VoIP_input - [0:0]
:zone_VoIP_output - [0:0]
:zone_VoIP_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[48:3776] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2580:1359255] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1600:1289763] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[4:240] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[945:67589] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2:120] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[33:1783] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-Jail -m comment --comment "!fw3" -j zone_Jail_input
[0:0] -A INPUT -i br-VoIP -m comment --comment "!fw3" -j zone_VoIP_input
[4964:2131106] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[4380:2085541] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[584:45565] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-Jail -m comment --comment "!fw3" -j zone_Jail_forward
[0:0] -A FORWARD -i br-VoIP -m comment --comment "!fw3" -j zone_VoIP_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[155:12336] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2393:243151] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2025:218092] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[368:25059] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-Jail -m comment --comment "!fw3" -j zone_Jail_output
[0:0] -A OUTPUT -o br-VoIP -m comment --comment "!fw3" -j zone_VoIP_output
[20:1011] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[346:26480] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[4:240] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_GP_forward -m comment --comment "!fw3: Custom GP forwarding rule chain" -j forwarding_GP_rule
[0:0] -A zone_GP_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GP_forward -m comment --comment "!fw3" -j zone_GP_dest_REJECT
[0:0] -A zone_GP_input -m comment --comment "!fw3: Custom GP input rule chain" -j input_GP_rule
[0:0] -A zone_GP_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GP_input -m comment --comment "!fw3" -j zone_GP_src_ACCEPT
[0:0] -A zone_GP_output -m comment --comment "!fw3: Custom GP output rule chain" -j output_GP_rule
[0:0] -A zone_GP_output -m comment --comment "!fw3" -j zone_GP_dest_ACCEPT
[0:0] -A zone_Jail_dest_ACCEPT -o br-Jail -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_Jail_dest_REJECT -o br-Jail -m comment --comment "!fw3" -j reject
[0:0] -A zone_Jail_forward -m comment --comment "!fw3: Custom Jail forwarding rule chain" -j forwarding_Jail_rule
[0:0] -A zone_Jail_forward -d 82.100.220.166/32 -p tcp -m tcp --dport 495 -m comment --comment "!fw3: Allow Mail 2 Goneo" -j zone_wan_dest_ACCEPT
[0:0] -A zone_Jail_forward -p tcp -m comment --comment "!fw3: Drop Jail 2 WAN" -j zone_wan_dest_DROP
[0:0] -A zone_Jail_forward -p udp -m comment --comment "!fw3: Drop Jail 2 WAN" -j zone_wan_dest_DROP
[0:0] -A zone_Jail_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_Jail_forward -m comment --comment "!fw3" -j zone_Jail_dest_REJECT
[0:0] -A zone_Jail_input -m comment --comment "!fw3: Custom Jail input rule chain" -j input_Jail_rule
[0:0] -A zone_Jail_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_Jail_input -m comment --comment "!fw3" -j zone_Jail_src_ACCEPT
[0:0] -A zone_Jail_output -m comment --comment "!fw3: Custom Jail output rule chain" -j output_Jail_rule
[0:0] -A zone_Jail_output -m comment --comment "!fw3" -j zone_Jail_dest_ACCEPT
[0:0] -A zone_Jail_src_ACCEPT -i br-Jail -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VoIP_dest_ACCEPT -o br-VoIP -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VoIP_dest_REJECT -o br-VoIP -m comment --comment "!fw3" -j reject
[0:0] -A zone_VoIP_forward -m comment --comment "!fw3: Custom VoIP forwarding rule chain" -j forwarding_VoIP_rule
[0:0] -A zone_VoIP_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_VoIP_forward -m comment --comment "!fw3" -j zone_VoIP_dest_REJECT
[0:0] -A zone_VoIP_input -m comment --comment "!fw3: Custom VoIP input rule chain" -j input_VoIP_rule
[0:0] -A zone_VoIP_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_VoIP_input -m comment --comment "!fw3" -j zone_VoIP_src_ACCEPT
[0:0] -A zone_VoIP_output -m comment --comment "!fw3: Custom VoIP output rule chain" -j output_VoIP_rule
[0:0] -A zone_VoIP_output -m comment --comment "!fw3" -j zone_VoIP_dest_ACCEPT
[0:0] -A zone_VoIP_src_ACCEPT -i br-VoIP -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[584:45565] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 123 -m comment --comment "!fw3: Reject NTP to WAN" -j zone_wan_dest_REJECT
[343:26068] -A zone_lan_forward -p udp -m udp --dport 123 -m comment --comment "!fw3: Reject NTP to WAN" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 137:139 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m tcp --dport 445 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m udp --dport 137:139 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m udp --dport 445 -m comment --comment "!fw3: Drop SMB Stuff" -j zone_wan_dest_DROP
[241:19497] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to Jail forwarding policy" -j zone_Jail_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to VoIP forwarding policy" -j zone_VoIP_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[947:67709] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[947:67709] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[945:67589] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[2:120] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[21:972] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[588:43584] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o eth0 -m comment --comment "!fw3" -j DROP
[343:26068] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[33:1783] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-ICMPv4" -j ACCEPT
[10:360] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 22122 -m comment --comment "!fw3: Allow-Wireguard-Input" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[23:1423] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[368:25059] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[368:25059] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[23:1423] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri May  7 23:35:30 2021

On site B router add list allowed_ips '192.168.20.0/24' to the peer config for site A. Restart the interface and test again.
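As an added example (not code from this thread or from OpenWrt), here is a small shell check for exactly this failure: does the site A peer on the site B router carry an AllowedIPs prefix that covers 192.168.20.0/24? It also spells out the fix as UCI commands, including the commit. The peer public key and the two `wg show wg0 allowed-ips` sample lines are constructed placeholders, and the `[0]` peer section index is an assumption.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenWrt): check that the
# site A peer on the site B router has an AllowedIPs entry covering site A's
# LAN, 192.168.20.0/24. Without it WireGuard's cryptokey routing drops packets
# arriving from 192.168.20.x and the kernel has no route back over wg0, which
# is the symptom in the thread. Input format is that of `wg show wg0 allowed-ips`:
# one line per peer, "<pubkey><TAB><cidr> <cidr> ...". The peer key below is a
# placeholder and both sample lines are constructed, not captured.

WG_BEFORE=$(printf 'SITEA_PUBKEY_PLACEHOLDER=\t172.16.0.20/32')
WG_AFTER=$(printf 'SITEA_PUBKEY_PLACEHOLDER=\t172.16.0.20/32 192.168.20.0/24')

# cidr_covers <allowed-cidr> <wanted-cidr>
# Exit 0 if every address of <wanted-cidr> lies inside <allowed-cidr>.
# Uses only integer arithmetic (no bitwise builtins) so busybox awk can run it.
cidr_covers() {
    awk -v a="$1" -v w="$2" '
        function ip2int(s,   o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # network number counted in blocks of the prefix size, plus the prefix length
        function net(cidr,   p) {
            split(cidr, p, "/")
            if (p[2] == "") p[2] = 32
            return int(ip2int(p[1]) / 2 ^ (32 - p[2])) "/" p[2]
        }
        BEGIN {
            split(net(a), A, "/")
            split(net(w), W, "/")
            if (A[2] > W[2]) exit 1                 # allowed prefix is narrower than wanted
            if (int(W[1] / 2 ^ (W[2] - A[2])) == A[1]) exit 0
            exit 1
        }'
}

# peer_covers <allowed-ips-text> <peer-pubkey> <remote-lan-cidr>
# Exit 0 if the named peer lists a prefix covering <remote-lan-cidr>,
# 1 if it does not, 2 if the peer is not present at all.
peer_covers() {
    _cidrs=$(printf '%s\n' "$1" | awk -v key="$2" '$1 == key { $1 = ""; print }')
    [ -n "$_cidrs" ] || return 2
    for _cidr in $_cidrs; do
        [ "$_cidr" = "(none)" ] && continue      # wg prints "(none)" for an empty list
        cidr_covers "$_cidr" "$3" && return 0
    done
    return 1
}

# report <label> <allowed-ips-text>: human-readable result for one snapshot.
report() {
    if peer_covers "$2" 'SITEA_PUBKEY_PLACEHOLDER=' 192.168.20.0/24; then
        echo "$1: 192.168.20.0/24 is covered by the site A peer's AllowedIPs"
    else
        echo "$1: 192.168.20.0/24 is NOT covered; traffic from site A's LAN is dropped"
    fi
}

# The fix from the answer above as UCI commands, to be run on the site B router
# only. Assumes peer section [0] is the site A peer (verify with
# `uci show network | grep wireguard_wg0`). With route_allowed_ips enabled,
# netifd also installs the kernel route for the new prefix on ifup.
apply_site_b_fix() {
    uci add_list 'network.@wireguard_wg0[0].allowed_ips=192.168.20.0/24'
    uci commit network     # without this the change is lost on reboot/ifup
    ifup wg0
}

# uci_uncommitted: exit 0 when there are staged but uncommitted UCI changes,
# i.e. exactly the state a forgotten "uci commit" leaves behind.
uci_uncommitted() { [ -n "$(uci changes 2>/dev/null)" ]; }

# Stand-alone demo on the constructed snapshots; on a router, pass real output:
#   report live "$(wg show wg0 allowed-ips)"
report before "$WG_BEFORE"
report after  "$WG_AFTER"
```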

Oh my god, how could I be so stupid...

I'm 100% sure I did add the allowed_ips this morning. And to be really sure there were no side effects, I did a reboot afterwards.
But as you can see, I obviously forgot the "uci commit".
:woozy_face:


Glad to hear it's working. If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

@krazeh
Thank you for your excellent help.

I'm done for today and will treat myself to another mojito.
Tomorrow I will check everything again and close the thread if everything is still OK.

Perhaps a good feature request would be to include UCI change count in the shell prompt (or at least provide some kind of indicator).
