IPv6 connectivity stopped working in LAN, OK on router

Hi all

I have run into a strange issue with my IPv6 (6in4) setup.
I have been using it for a while, going through different OpenWrt updates with no issue. My ISP provides IPv6 via a 6in4 tunnel with (I know, I know...) a /64 network.
As said, it worked, but I have since noticed some strange slowdowns when opening some websites, and my Xbox does not give me IPv6 connectivity.

I have tested it, and the issue is general in my LAN, where only my router can access IPv6 sites, while all the other devices in the LAN cannot.

I have really changed nothing (I have also compared the configuration with a backup from 2 months ago), devices in the LAN correctly pick up DHCP and SLAAC addresses, but the result is:

on Router:

root@MenionRouter:~# traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2a00:1450:4002:806::200e) from 2001:xxx:yyyy:d3e3::1, 30 hops max, 24 byte packets
 1  2001:b00:1:1:3::b1 (2001:b00:1:1:3::b1)  6.867 ms * *
 2  * * *
 3  * * *
 4  2001:4860:1:1::472 (2001:4860:1:1::472)  6.435 ms  5.48 ms  5.749 ms
 5  2001:4860:0:2c::1 (2001:4860:0:2c::1)  6.458 ms  6.182 ms  5.968 ms
 6  2001:4860:0:1::1e5d (2001:4860:0:1::1e5d)  6.654 ms  6.118 ms  5.795 ms
 7  mil04s24-in-x0e.1e100.net (2a00:1450:4002:806::200e)  5.907 ms  5.68 ms  5.59 ms

on LAN device

root@AccessPointP1:~# /usr/bin/traceroute6 ipv6.google.com
traceroute to ipv6.l.google.com (2a00:1450:4002:806::200e) from 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c, 30 hops max, 16 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *


It seems that on LAN traffic can go out from the router. I have already tried to force advertisement of the default gateway on my router, with no success.

relevant config

config interface 'WAN6'
        option proto '6in4'
        option peeraddr '81.208.50.214'
        option ip6addr '2001:xxx:yyyy:d3e3::2/64'
        list ip6prefix '2001:xxx:yyyy:d3e3::/64'
        option auto '0'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option ra 'server'
        option dhcpv6 'server'
        option ndp 'hybrid'
        option ra_management '1'
        option start '50'
        option limit '200'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

I have the same issue also with a Hurricane tunnel that was working as well.
The WAN6 interfaces are of course started, even if I have for the moment disabled them at boot (it does not matter though).
I run vpn-policy-based to route a VLAN over VPN, but I have had it for a while and it was working with IPv6 (and IPv6 is disabled in it).
The problem is that I am very bad at troubleshooting IPv6, so any help is appreciated.

I ran some tcpdump captures and it seems that the ping arrives on WAN but does not make its way to the LAN:

root@MenionRouter:~# tcpdump -i 6in4-WAN6 "icmp6 && ( ip6[40] == 128 || ip6[40] == 129)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 6in4-WAN6, link-type RAW (Raw IP), capture size 262144 bytes
11:49:13.657790 IP6 2001:xxx:yyyy:d3e3::1 > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 64
11:49:13.664296 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3::1: ICMP6, echo reply, seq 1, length 64
11:49:14.659125 IP6 2001:xxx:yyyy:d3e3::1 > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 2, length 64
11:49:14.664169 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3::1: ICMP6, echo reply, seq 2, length 64
11:49:15.661017 IP6 2001:xxx:yyyy:d3e3::1 > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 3, length 64
11:49:15.665892 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3::1: ICMP6, echo reply, seq 3, length 64
11:49:16.662738 IP6 2001:xxx:yyyy:d3e3::1 > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 4, length 64
11:49:16.667392 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3::1: ICMP6, echo reply, seq 4, length 64
11:49:17.664345 IP6 2001:xxx:yyyy:d3e3::1 > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 5, length 64
11:49:17.669144 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3::1: ICMP6, echo reply, seq 5, length 64
11:49:18.665989 IP6 2001:xxx:yyyy:d3e3::1 > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 6, length 64
11:49:18.670659 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3::1: ICMP6, echo reply, seq 6, length 64
11:49:25.116494 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 0, length 64
11:49:25.122884 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 0, length 64
11:49:25.122962 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 0, length 64
11:49:26.116781 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 64
11:49:26.121391 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 1, length 64
11:49:26.121448 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 1, length 64
11:49:27.117115 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 2, length 64
11:49:27.121627 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 2, length 64
11:49:27.121687 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 2, length 64
11:49:28.117443 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 3, length 64
11:49:28.122415 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 3, length 64
11:49:28.122485 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 3, length 64
11:49:29.117772 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 4, length 64
11:49:29.122408 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 4, length 64
11:49:29.122479 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 4, length 64
11:49:30.118101 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 5, length 64
11:49:30.123148 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 5, length 64
11:49:30.123206 IP6 mil04s24-in-x0e.1e100.net > 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c: ICMP6, echo reply, seq 5, length 64
^C
30 packets captured
30 packets received by filter
0 packets dropped by kernel

The first block is a ping from the router (which works), the second is from a LAN device. You can see that the ECHO-REPLY arrives, but it is duplicated.

While on LAN:

root@MenionRouter:~# tcpdump -i br-lan "icmp6 && ( ip6[40] == 128 || ip6[40] == 129)"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
11:50:14.892234 IP6 fdb5:24dd:30d::3c2 > fe80::1:c8ff:feec:fc1c: ICMP6, echo request, seq 0, length 12
11:50:14.892381 IP6 fe80::1:c8ff:feec:fc1c > fdb5:24dd:30d::3c2: ICMP6, echo reply, seq 0, length 12
11:50:17.546342 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 0, length 64
11:50:18.546676 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 1, length 64
11:50:19.547006 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 2, length 64
11:50:20.547336 IP6 2001:xxx:yyyy:d3e3:c66e:1fff:fe08:9d0c > mil04s24-in-x0e.1e100.net: ICMP6, echo request, seq 3, length 64
11:50:20.928859 IP6 fdb5:24dd:30d::3c2 > fe80::1:c8ff:feec:fc1c: ICMP6, echo request, seq 0, length 12
11:50:20.928979 IP6 fe80::1:c8ff:feec:fc1c > fdb5:24dd:30d::3c2: ICMP6, echo reply, seq 0, length 12
11:50:26.967157 IP6 fdb5:24dd:30d::3c2 > fe80::1:c8ff:feec:fc1c: ICMP6, echo request, seq 0, length 12
11:50:26.967292 IP6 fe80::1:c8ff:feec:fc1c > fdb5:24dd:30d::3c2: ICMP6, echo reply, seq 0, length 12
11:50:33.002839 IP6 fdb5:24dd:30d::3c2 > fe80::1:c8ff:feec:fc1c: ICMP6, echo request, seq 0, length 12
11:50:33.002966 IP6 fe80::1:c8ff:feec:fc1c > fdb5:24dd:30d::3c2: ICMP6, echo reply, seq 0, length 12

You can see that there is no reply. Firewall rules for ICMP6 are set as default.

My guess is that capital letters in WAN6 interface are not working properly in the firewall.
Do a fw3 restart and post here the output.

root@MenionRouter:~# fw3 restart
Warning: Section @zone[0] (lan) cannot resolve device of network 'nat64'
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Section @zone[1] (wan) cannot resolve device of network 'henet'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'IPCAM Cucina no Internet'
   * Rule 'IPCAM Sala no Internet'
   * Rule 'IPCAM Taverna no Internet'
   * Rule 'IPCAM Letto no Internet'
   * Redirect 'Allarme'
   * Redirect 'aMule TCP'
   * Redirect 'aMule UDP'
   * Redirect 'Torrent first'
   * Redirect 'Torrent second'
   * Redirect 'OpenVPN TCP'
   * Redirect 'OpenVPN UDP'
   * Redirect 'qBitTorrent'
   * Redirect 'OpenVPN backup TCP'
   * Redirect 'OpenVPN backup UDP'
   * Redirect 'OpenVPN TCP P0'
   * Redirect 'OpenVPN UDP P0'
   * Redirect 'OpenVPN TCP P1'
   * Redirect 'OpenVPN UDP P1'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'lan' -> 'vpn'
   * Forward 'lan' -> 'wan'
   * Forward 'lan_vpn_usa' -> 'vpn_usa'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv4 nat table
   * Redirect 'Allarme'
   * Redirect 'aMule TCP'
   * Redirect 'aMule UDP'
   * Redirect 'Torrent first'
   * Redirect 'Torrent second'
   * Redirect 'OpenVPN TCP'
   * Redirect 'OpenVPN UDP'
   * Redirect 'qBitTorrent'
   * Redirect 'OpenVPN backup TCP'
   * Redirect 'OpenVPN backup UDP'
   * Redirect 'OpenVPN TCP P0'
   * Redirect 'OpenVPN UDP P0'
   * Redirect 'OpenVPN TCP P1'
   * Redirect 'OpenVPN UDP P1'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow DHCPv6 Relay'
   * Rule 'Allow-OpenVPN-Inbound'
   * Rule 'IPCAM Cucina no Internet'
   * Rule 'IPCAM Sala no Internet'
   * Rule 'IPCAM Taverna no Internet'
   * Rule 'IPCAM Letto no Internet'
   * Forward 'vpn' -> 'lan'
   * Forward 'vpn' -> 'wan'
   * Forward 'wan' -> 'lan'
   * Forward 'wan' -> 'vpn'
   * Forward 'lan' -> 'vpn'
   * Forward 'lan' -> 'wan'
   * Forward 'lan_vpn_usa' -> 'vpn_usa'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'vpn'
   * Zone 'vpn_usa'
   * Zone 'lan_vpn_usa'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
 * Running script '/usr/share/miniupnpd/firewall.include'

Here it is. Actually there are some warnings at the beginning.

@trendy so I have actually renamed the WAN6 to wan6, I do not get the firewall error anymore but it is still not working.

So I made some more tests: I cannot even ping LAN devices from the router, and I cannot ping the router from LAN devices, but I can ping among LAN devices! And the reason is that if I ping router -> LAN device, or LAN device -> router, the pings are sent out on the WAN interface...

Also the reason why the tcpdump on WAN interface shows double ECHO-REPLY is because actually the ECHO-REPLY is sent back to the WAN!

And also the Windows 10 PC from which I was writing this post passed the IPv6 test, but after a reboot it does not work anymore, and it is in the same LAN as my other Linux devices.

It is like the NDP or something is completely screwed on the router, but I do not understand what, it was working before.

Can this be the issue?

https://git.openwrt.org/?p=project/odhcpd.git;a=commit;h=5ce077026b991f49d96464587386f93d92f56385

Which warning was keeping all the ipv6 wan interfaces out of the firewall zone wan.

Please copy the output of the following commands.
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
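
The naming mismatch discussed in the thread (an interface section named 'WAN6' in the network config while the wan firewall zone lists 'wan6') can be checked offline from the two `uci export` outputs. This is an added example, not part of the original posts; the function names and the reduced sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the networks listed in firewall
# zones with the interface section names of the network config, case-sensitively.

# check_zone_networks NETWORK_FILE FIREWALL_FILE
# The arguments are files holding `uci export network` and `uci export firewall`.
# Prints one line per zone member: "<zone> <network> <verdict>", where verdict is
# "ok", "case-mismatch:<defined name>" or "undefined".
check_zone_networks() {
    awk -v q="'" '
        # Strip the single quotes uci puts around values.
        function unquote(s) { gsub(q, "", s); return s }

        # Report every network collected for the zone section that just ended.
        function emit_zone(   n, parts, i, net, key, verdict) {
            if (in_zone && nets != "") {
                n = split(nets, parts, " ")
                for (i = 1; i <= n; i++) {
                    net = parts[i]
                    key = tolower(net)
                    if (net in iface) {
                        verdict = "ok"
                    } else if (key in by_lower) {
                        verdict = "case-mismatch:" by_lower[key]
                    } else {
                        verdict = "undefined"
                    }
                    print zone, net, verdict
                }
            }
        }

        # First file (network export): remember every interface section name.
        FNR == NR {
            if ($1 == "config" && $2 == "interface") {
                name = unquote($3)
                iface[name] = 1
                by_lower[tolower(name)] = name
            }
            next
        }

        # Second file (firewall export): collect name and networks per zone section.
        $1 == "config" { emit_zone(); in_zone = ($2 == "zone"); zone = ""; nets = ""; next }
        in_zone && $1 == "option" && $2 == "name" { zone = unquote($3); next }
        in_zone && $2 == "network" { for (i = 3; i <= NF; i++) nets = nets " " unquote($i) }

        END { emit_zone() }
    ' "$1" "$2"
}

# Constructed sample: section names and zone membership reduced from the configs
# posted in the thread, before the interface was renamed.
demo_thread_config() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/network" <<'EOF'
package network

config interface 'lan'
        option proto 'static'

config interface 'wan'
        option proto 'dhcp'

config interface 'WAN6'
        option proto '6in4'

config interface 'henet'
        option proto '6in4'

config interface 'nat64'
        option proto 'tayga'
EOF
    cat > "$dir/firewall" <<'EOF'
package firewall

config zone
        option name 'lan'
        option network 'lan nat64'

config zone
        option name 'wan'
        option network 'wan wan6 henet'
EOF
    check_zone_networks "$dir/network" "$dir/firewall"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_thread_config
```

In the thread, 'henet' and 'nat64' also triggered the fw3 warning although their names match, so a name reported as ok can still be unresolved for another reason; this check covers only the naming mismatch.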

@trendy Here you have it (I have removed some static DHCP lease), split data in four blocks

BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07-SNAPSHOT, r10779+142-d2d12346e8
 -----------------------------------------------------
root@MenionRouter:~# uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip6tables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb5:24dd:030d::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.182.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option ifname 'eth0.2'
        option type 'bridge'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.3'
        option type 'bridge'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

config interface 'vpn1'
        option ifname 'tun1'
        option proto 'none'
        option auto '1'

config route
        option interface 'lan'
        option target '10.10.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config route
        option interface 'lan'
        option target '10.11.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config route
        option interface 'lan'
        option target '10.12.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.10'

config route
        option interface 'lan'
        option target '10.13.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.10'

config route
        option interface 'lan'
        option target '10.14.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.11'

config route
        option interface 'lan'
        option target '10.15.0.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.11'

config interface 'wan6'
        option proto '6in4'
        option peeraddr '81.208.50.214'
        option ip6addr '2001:xxx:yyyy:d3e3::2/64'
        list ip6prefix '2001:xxx:yyyy:d3e3::/64'
        option auto '0'

config interface 'henet'
        option proto '6in4'
        option peeraddr '216.66.80.98'
        option ip6addr '2001:ttt:25:3b5::2/64'
        option tunnelid '355738'
        option username 'xxxxx'
        option password 'xxxxx'
        list ip6prefix '2001:ttt:pppp::/48'
        option auto '0'

config interface 'nat64'
        option proto 'tayga'
        option ipv4_addr '192.0.2.1'
        option ipv6_addr '2001:ttt:pppp:0201::1'
        option prefix '2001:ttt:pppp:ffff::/96'
        option dynamic_pool '192.0.2.0/24'
        option accept_ra '0'
        option send_rs '0'
        option auto '0'

config route
        option interface 'lan'
        option target '192.168.183.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.135'

config route
        option interface 'lan'
        option target '192.168.56.0'
        option netmask '255.255.255.0'
        option gateway '192.168.182.192'

config interface 'VPN_USA'
        option proto 'none'
        option ifname 'tun2'

config interface 'LAN_VPN_USA'
        option proto 'static'
        option ifname 'eth0.10'
        option netmask '255.255.255.0'
        option dns '8.8.8.8 4.4.4.4'
        option metric '10'
        option ipaddr '192.168.180.1'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/1c1c000.usb/usb4/4-1/4-1:1.0'
        option hwmode '11a'
        option htmode 'HT40'
        option country 'IT'
        option txpower '20'
        option channel '44'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/soc/1c1b000.usb/usb3/3-1/3-1:1.0'
        option htmode 'HT40'
        option country '00'
        option txpower '20'
        option channel '2'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'MenionP0'
        option encryption 'psk2'
        option key 'pppppppppp'
        option ieee80211r '1'
        option nasid '24050FDDAABB'
        option mobility_domain '5566'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option pmk_r1_push '1'
        option network 'lan'
        option r1_key_holder '24050FDDAABB'
        list r0kh '24:05:0F:DD:AA:BB,24050FDDAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh '48:5D:60:1F:AA:BB,485D601FAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'A4:2B:B0:D9:AA:BB,A42BB0D9AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'A4:2B:B0:D9:AA:BB,A42BB0D9AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'C4:6E:1F:08:AA:BB,C46E1F08AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'C4:6E:1F:08:AA:BB,C46E1F08AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'DC:39:6F:0F:AA:BB,DC396F0FAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'DC:39:6F:0F:AA:BB,DC396F0FAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh '24:05:0F:DD:AA:BB,24:05:0F:DD:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh '48:5D:60:1F:AA:BB,48:5D:60:1F:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'A4:2B:B0:D9:AA:BB,A4:2B:B0:D9:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'A4:2B:B0:D9:AA:BB,A4:2B:B0:D9:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'C4:6E:1F:08:AA:BB,C4:6E:1F:08:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'C4:6E:1F:08:AA:BB,C4:6E:1F:08:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'DC:39:6F:0F:AA:BB,DC:39:6F:0F:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'DC:39:6F:0F:AA:BB,DC:39:6F:0F:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'MenionP0'
        option encryption 'psk2'
        option key 'pppppppppp'
        option network 'lan'
        option ieee80211r '1'
        option nasid '485D601FAABB'
        option mobility_domain '5566'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option r1_key_holder '485D601FAABB'
        option pmk_r1_push '1'
        list r0kh '24:05:0F:DD:AA:BB,24050FDDAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh '48:5D:60:1F:AA:BB,485D601FAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'A4:2B:B0:D9:AA:BB,A42BB0D9AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'A4:2B:B0:D9:AA:BB,A42BB0D9AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'C4:6E:1F:08:AA:BB,C46E1F08AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'C4:6E:1F:08:AA:BB,C46E1F08AABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'DC:39:6F:0F:AA:BB,DC396F0FAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r0kh 'DC:39:6F:0F:AA:BB,DC396F0FAABB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh '24:05:0F:DD:AA:BB,24:05:0F:DD:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh '48:5D:60:1F:AA:BB,48:5D:60:1F:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'A4:2B:B0:D9:AA:BB,A4:2B:B0:D9:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'A4:2B:B0:D9:AA:BB,A4:2B:B0:D9:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'C4:6E:1F:08:AA:BB,C4:6E:1F:08:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'C4:6E:1F:08:AA:BB,C4:6E:1F:08:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'DC:39:6F:0F:AA:BB,DC:39:6F:0F:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list r1kh 'DC:39:6F:0F:AA:BB,DC:39:6F:0F:AA:BB,xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '0'
        option enable_tftp '1'
        list server '8.8.8.8'
        list server '8.8.4.4'
        option serversfile '/tmp/adb_list.overall'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '50'
        option limit '200'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option dhcpv6 'server'
        option ra_management '1'
        option ra 'server'
        option ra_default '1'
        option ndp 'hybrid'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'menionbananapi'
        option ip '192.168.182.192'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan nat64'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 henet'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option name 'Allow DHCPv6 Relay'
        option family 'ipv6'
        option src_port '547'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '10001'
        option dest_ip '192.168.182.18'
        option dest_port '10001'
        option name 'Allarme'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1028'
        option dest_port '1028'
        option name 'Webcam Cameretta'
        option dest_ip '192.168.182.216'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '1030'
        option dest_port '1030'
        option name 'Webcam Taverna'
        option dest_ip '192.168.182.239'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1027'
        option dest_ip '192.168.182.22'
        option dest_port '1027'
        option name 'Webcam Camera'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5144'
        option dest_ip '192.168.182.192'
        option dest_port '5144'
        option name 'aMule TCP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '5134'
        option dest_ip '192.168.182.192'
        option dest_port '5134'
        option name 'aMule UDP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6881'
        option dest_ip '192.168.182.192'
        option dest_port '6881'
        option name 'Torrent first'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6882'
        option dest_ip '192.168.182.192'
        option dest_port '6882'
        option name 'Torrent second'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1032'
        option dest_ip '192.168.182.25'
        option name 'WebCam Sala 720p'
        option dest_port '1032'
        option enabled '0'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcp'
        option dest_port '443'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn0 vpn1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option name 'OpenVPN TCP'
        option src_dport '443'
        option dest_ip '192.168.182.1'
        option dest_port '8094'

config rule
        option name 'Allow-OpenVPN-UDP-InBound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1195'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1195'
        option dest_ip '192.168.182.1'
        option dest_port '1195'
        option name 'OpenVPN UDP'

config forwarding
        option dest 'lan'
        option src 'vpn'

config forwarding
        option dest 'wan'
        option src 'vpn'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'vpn'
        option src 'wan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '5201'
        option dest_ip '192.168.182.1'
        option dest_port '5201'
        option name 'Iperf3'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '6981'
        option dest_ip '192.168.182.192'
        option dest_port '6981'
        option name 'qBitTorrent'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1029'
        option dest_ip '192.168.182.23'
        option dest_port '1029'
        option name 'Webcam Cucina'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.192'
        option name 'OpenVPN backup TCP'
        option src_dport '8194'
        option dest_port '8194'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8195'
        option dest_ip '192.168.182.192'
        option dest_port '8195'
        option name 'OpenVPN backup UDP'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.10'
        option dest_port '8294'
        option name 'OpenVPN TCP P0'
        option src_dport '8294'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8295'
        option dest_ip '192.168.182.10'
        option dest_port '8295'
        option name 'OpenVPN UDP P0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '8394'
        option dest_ip '192.168.182.11'
        option dest_port '8394'
        option name 'OpenVPN TCP P1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '8395'
        option dest_ip '192.168.182.11'
        option dest_port '8395'
        option name 'OpenVPN UDP P1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '34567'
        option dest_ip '192.168.182.26'
        option dest_port '34567'
        option name 'Webcam cucina2'
        option enabled '0'

config rule
        option src 'lan'
        option name 'Drop IPv6 flooding UPnP'
        option target 'DROP'
        option family 'ipv6'
        option proto 'udp'
        option dest_port '1900'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.182.21'
        option name 'Webcam Camera2'
        option src_dport '1040'
        option dest_port '1040'
        option enabled '0'

config forwarding
        option dest 'vpn'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.182.192'
        option dest_port '4200'
        option name 'Shellinabox'
        option src_dport '443'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.182.1'
        option dest_port '9999'
        option name 'squid'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '88'
        option dest_ip '192.168.182.168'
        option dest_port '88'
        option name 'Xbox 1'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '500'
        option dest_ip '192.168.182.168'
        option dest_port '500'
        option name 'Xbox 2'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '3544'
        option dest_ip '192.168.182.168'
        option dest_port '3544'
        option name 'Xbox 3'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '4500'
        option dest_ip '192.168.182.168'
        option dest_port '4500'
        option name 'Xbox 4'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_ip '192.168.182.168'
        option dest_port '53'
        option name 'Xbox 5'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip '192.168.182.168'
        option dest_port '80'
        option name 'Xbox 6'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '50182'
        option dest_ip '192.168.182.168'
        option dest_port '50182'
        option name 'Xbox 7'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '50182'
        option name 'Xbox One'
        option family 'ipv6'
        option dest 'lan'
        option enabled '0'

config rule
        option proto 'tcp udp'
        option src 'lan'
        option src_mac 'A0:9D:C1:72:B3:85'
        option target 'DROP'
        option name 'IPCAM Cucina no Internet'
        option dest 'wan'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Sala no Internet'
        option src 'lan'
        option src_mac '48:02:2A:0B:E1:16'
        option dest 'wan'
        option target 'DROP'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Taverna no Internet'
        option src 'lan'
        option src_mac 'A0:9D:C1:72:EC:F4'
        option dest 'wan'
        option target 'DROP'

config rule
        option proto 'tcp udp'
        option name 'IPCAM Letto no Internet'
        option src 'lan'
        option src_mac 'E0:B9:4D:D4:A3:B5'
        option dest 'wan'
        option target 'DROP'

config rule
        option src 'wan'
        option proto 'udp'
        option name 'Block 3074'
        option dest 'lan'
        option target 'REJECT'
        option enabled '0'

config zone
        option output 'ACCEPT'
        option network 'VPN_USA'
        option name 'vpn_usa'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan_vpn_usa'
        option network 'LAN_VPN_USA'
        option forward 'ACCEPT'

config forwarding
        option dest 'vpn_usa'
        option src 'lan_vpn_usa'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule
        option name 'STUN'
        option proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '5349'
        option enabled '0'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.


# Generated by iptables-save v1.8.3 on Tue May  5 13:46:34 2020
*nat
:PREROUTING ACCEPT [8611:764725]
:INPUT ACCEPT [4246:395741]
:OUTPUT ACCEPT [670:50072]
:POSTROUTING ACCEPT [7549:710246]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_lan_vpn_usa_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_vpn_usa_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_lan_vpn_usa_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_vpn_usa_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_lan_vpn_usa_postrouting - [0:0]
:zone_lan_vpn_usa_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_vpn_usa_postrouting - [0:0]
:zone_vpn_usa_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1097118:97276086] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[513879:41931594] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[583239:55344492] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[0:0] -A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_vpn_prerouting
[0:0] -A PREROUTING -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_prerouting
[0:0] -A PREROUTING -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_prerouting
[732096:64351526] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[547178:49670388] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[183960:14619298] -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[0:0] -A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_vpn_postrouting
[0:0] -A POSTROUTING -o tun2 -m comment --comment "!fw3" -j zone_vpn_usa_postrouting
[0:0] -A POSTROUTING -o eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_postrouting
[0:0] -A MINIUPNPD -p udp -m udp --dport 10100 -j DNAT --to-destination 192.168.182.25:10100
[0:0] -A MINIUPNPD -p udp -m udp --dport 10101 -j DNAT --to-destination 192.168.182.25:10101
[0:0] -A MINIUPNPD -p udp -m udp --dport 10102 -j DNAT --to-destination 192.168.182.25:10102
[0:0] -A MINIUPNPD -p udp -m udp --dport 10103 -j DNAT --to-destination 192.168.182.25:10103
[9:484] -A MINIUPNPD -p tcp -m tcp --dport 22222 -j DNAT --to-destination 192.168.182.105:22222
[0:0] -A MINIUPNPD -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.182.187:9308
[0:0] -A MINIUPNPD -p tcp -m tcp --dport 8621 -j DNAT --to-destination 192.168.182.91:8621
[15:928] -A MINIUPNPD -p tcp -m tcp --dport 51513 -j DNAT --to-destination 192.168.182.192:51513
[0:0] -A MINIUPNPD -p udp -m udp --dport 6881 -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A MINIUPNPD -p tcp -m tcp --dport 6881 -j DNAT --to-destination 192.168.182.192:6881
[547178:49670388] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.18/32 -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: Allarme (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.1/32 -p tcp -m tcp --dport 8094 -m comment --comment "!fw3: OpenVPN TCP (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.1/32 -p udp -m udp --dport 1195 -m comment --comment "!fw3: OpenVPN UDP (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.192/32 -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.10/32 -p tcp -m tcp --dport 8294 -m comment --comment "!fw3: OpenVPN TCP P0 (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.10/32 -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0 (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.11/32 -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P1 (reflection)" -j SNAT --to-source 192.168.182.1
[0:0] -A zone_lan_postrouting -s 192.168.182.0/24 -d 192.168.182.11/32 -p udp -m udp --dport 8395 -m comment --comment "!fw3: OpenVPN UDP P1 (reflection)" -j SNAT --to-source 192.168.182.1
[513879:41931594] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: Allarme (reflection)" -j DNAT --to-destination 192.168.182.18:10001
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP (reflection)" -j DNAT --to-destination 192.168.182.192:5144
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP (reflection)" -j DNAT --to-destination 192.168.182.192:5134
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first (reflection)" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second (reflection)" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP (reflection)" -j DNAT --to-destination 192.168.182.1:8094
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 1195 -m comment --comment "!fw3: OpenVPN UDP (reflection)" -j DNAT --to-destination 192.168.182.1:1195
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent (reflection)" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP (reflection)" -j DNAT --to-destination 192.168.182.192:8194
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP (reflection)" -j DNAT --to-destination 192.168.182.192:8195
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 8294 -m comment --comment "!fw3: OpenVPN TCP P0 (reflection)" -j DNAT --to-destination 192.168.182.10:8294
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0 (reflection)" -j DNAT --to-destination 192.168.182.10:8295
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P1 (reflection)" -j DNAT --to-destination 192.168.182.11:8394
[0:0] -A zone_lan_prerouting -s 192.168.182.0/24 -d 192.168.188.24/32 -p udp -m udp --dport 8395 -m comment --comment "!fw3: OpenVPN UDP P1 (reflection)" -j DNAT --to-destination 192.168.182.11:8395
[0:0] -A zone_lan_vpn_usa_postrouting -m comment --comment "!fw3: Custom lan_vpn_usa postrouting rule chain" -j postrouting_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_prerouting -m comment --comment "!fw3: Custom lan_vpn_usa prerouting rule chain" -j prerouting_lan_vpn_usa_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
[0:0] -A zone_vpn_usa_postrouting -m comment --comment "!fw3: Custom vpn_usa postrouting rule chain" -j postrouting_vpn_usa_rule
[0:0] -A zone_vpn_usa_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_usa_prerouting -m comment --comment "!fw3: Custom vpn_usa prerouting rule chain" -j prerouting_vpn_usa_rule
[183960:14619298] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[183959:14619205] -A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
[183960:14619298] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[583239:55344492] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[4:176] -A zone_wan_prerouting -p tcp -m tcp --dport 10001 -m comment --comment "!fw3: Allarme" -j DNAT --to-destination 192.168.182.18:10001
[10795:579612] -A zone_wan_prerouting -p tcp -m tcp --dport 5144 -m comment --comment "!fw3: aMule TCP" -j DNAT --to-destination 192.168.182.192:5144
[361400:26655038] -A zone_wan_prerouting -p udp -m udp --dport 5134 -m comment --comment "!fw3: aMule UDP" -j DNAT --to-destination 192.168.182.192:5134
[881:45836] -A zone_wan_prerouting -p tcp -m tcp --dport 6881 -m comment --comment "!fw3: Torrent first" -j DNAT --to-destination 192.168.182.192:6881
[172872:22109287] -A zone_wan_prerouting -p udp -m udp --dport 6881 -m comment --comment "!fw3: Torrent first" -j DNAT --to-destination 192.168.182.192:6881
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6882 -m comment --comment "!fw3: Torrent second" -j DNAT --to-destination 192.168.182.192:6882
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 6882 -m comment --comment "!fw3: Torrent second" -j DNAT --to-destination 192.168.182.192:6882
[893:39820] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: OpenVPN TCP" -j DNAT --to-destination 192.168.182.1:8094
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 1195 -m comment --comment "!fw3: OpenVPN UDP" -j DNAT --to-destination 192.168.182.1:1195
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 6981 -m comment --comment "!fw3: qBitTorrent" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 6981 -m comment --comment "!fw3: qBitTorrent" -j DNAT --to-destination 192.168.182.192:6981
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8194 -m comment --comment "!fw3: OpenVPN backup TCP" -j DNAT --to-destination 192.168.182.192:8194
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8195 -m comment --comment "!fw3: OpenVPN backup UDP" -j DNAT --to-destination 192.168.182.192:8195
[2:88] -A zone_wan_prerouting -p tcp -m tcp --dport 8294 -m comment --comment "!fw3: OpenVPN TCP P0" -j DNAT --to-destination 192.168.182.10:8294
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8295 -m comment --comment "!fw3: OpenVPN UDP P0" -j DNAT --to-destination 192.168.182.10:8295
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8394 -m comment --comment "!fw3: OpenVPN TCP P1" -j DNAT --to-destination 192.168.182.11:8394
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8395 -m comment --comment "!fw3: OpenVPN UDP P1" -j DNAT --to-destination 192.168.182.11:8395
[36392:5914635] -A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by iptables-save v1.8.3 on Tue May  5 13:46:34 2020
*mangle
:PREROUTING ACCEPT [49192563:39629695280]
:INPUT ACCEPT [614704:147506253]
:FORWARD ACCEPT [48540392:39475540272]
:OUTPUT ACCEPT [675805:122677320]
:POSTROUTING ACCEPT [49105029:39591814275]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[49206092:39639671445] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[615301:147583771] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[48553309:39485428400] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[122636:6803616] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn_usa MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[676498:122874235] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_PREROUTING -s 192.168.180.0/24 -m comment --comment VPN_USA -j MARK --set-xmark 0x40000/0xff0000
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by iptables-save v1.8.3 on Tue May  5 13:46:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_usa_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_vpn_usa_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_usa_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_vpn_usa_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_usa_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_vpn_usa_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_usa_dest_ACCEPT - [0:0]
:zone_lan_vpn_usa_forward - [0:0]
:zone_lan_vpn_usa_input - [0:0]
:zone_lan_vpn_usa_output - [0:0]
:zone_lan_vpn_usa_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_vpn_usa_dest_ACCEPT - [0:0]
:zone_vpn_usa_dest_REJECT - [0:0]
:zone_vpn_usa_forward - [0:0]
:zone_vpn_usa_input - [0:0]
:zone_vpn_usa_output - [0:0]
:zone_vpn_usa_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[7137:797903] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[607576:146708818] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[306706:119587950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[15539:794372] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1083:57604] -A INPUT -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[267607:23802567] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[32069:3255671] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A INPUT -i tun1 -m comment --comment "!fw3" -j zone_vpn_input
[88:3830] -A INPUT -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_input
[0:0] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_input
[48540399:39475547364] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[47727932:39406214675] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[257901:19189139] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[554566:50143550] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_forward
[0:0] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[7137:797903] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[668678:121884327] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[527258:76131483] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[89547:42336094] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[51873:3416750] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun2 -m comment --comment "!fw3" -j zone_vpn_usa_output
[0:0] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_output
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10100 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10101 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10102 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.25/32 -p udp -m udp --dport 10103 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.105/32 -p tcp -m tcp --dport 22222 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.187/32 -p udp -m udp --dport 9308 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.91/32 -p tcp -m tcp --dport 8621 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.192/32 -p tcp -m tcp --dport 51513 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.192/32 -p udp -m udp --dport 6881 -j ACCEPT
[0:0] -A MINIUPNPD -d 192.168.182.192/32 -p tcp -m tcp --dport 6881 -j ACCEPT
[13596:604323] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[16961:2589906] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[15516:793176] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[23:1196] -A syn_flood -m comment --comment "!fw3" -j DROP
[644497:92509596] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[257901:19189139] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[47399:2843940] -A zone_lan_forward -p tcp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[59408:3382392] -A zone_lan_forward -p udp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[151094:12962807] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[151094:12962807] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[384:29952] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[267607:23802567] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[267607:23802567] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[89547:42336094] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[89547:42336094] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[267606:23802515] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Custom lan_vpn_usa forwarding rule chain" -j forwarding_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Zone lan_vpn_usa to vpn_usa forwarding policy" -j zone_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3: Custom lan_vpn_usa input rule chain" -j input_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3" -j zone_lan_vpn_usa_src_ACCEPT
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3: Custom lan_vpn_usa output rule chain" -j output_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_src_ACCEPT -i eth0.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_REJECT -o tun2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3: Custom vpn_usa forwarding rule chain" -j forwarding_vpn_usa_rule
[0:0] -A zone_vpn_usa_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3" -j zone_vpn_usa_dest_REJECT
[88:3830] -A zone_vpn_usa_input -m comment --comment "!fw3: Custom vpn_usa input rule chain" -j input_vpn_usa_rule
[0:0] -A zone_vpn_usa_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[88:3830] -A zone_vpn_usa_input -m comment --comment "!fw3" -j zone_vpn_usa_src_REJECT
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3: Custom vpn_usa output rule chain" -j output_vpn_usa_rule
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3" -j zone_vpn_usa_dest_ACCEPT
[88:3830] -A zone_vpn_usa_src_REJECT -i tun2 -m comment --comment "!fw3" -j reject
[4511:226463] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[198072:16123142] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
[106807:6226332] -A zone_wan_dest_DROP -o br-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o 6in4-wan6 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
[554566:50143550] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[554566:50143550] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -j MINIUPNPD
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[32069:3255671] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[707:25452] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[893:39820] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[30469:3190399] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[51873:3416750] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[51873:3416750] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[30469:3190399] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by ip6tables-save v1.8.3 on Tue May  5 13:46:34 2020
*mangle
:PREROUTING ACCEPT [293562:113384129]
:INPUT ACCEPT [18612:1570367]
:FORWARD ACCEPT [251363:107557637]
:OUTPUT ACCEPT [248955:116628686]
:POSTROUTING ACCEPT [500309:224185475]
[0:0] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[111881:8933028] -A FORWARD -o 6in4-wan6 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o tun2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn_usa MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue May  5 13:46:34 2020
# Generated by ip6tables-save v1.8.3 on Tue May  5 13:46:34 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_lan_vpn_usa_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_vpn_usa_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_lan_vpn_usa_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_vpn_usa_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_lan_vpn_usa_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_vpn_usa_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_lan_vpn_usa_dest_ACCEPT - [0:0]
:zone_lan_vpn_usa_forward - [0:0]
:zone_lan_vpn_usa_input - [0:0]
:zone_lan_vpn_usa_output - [0:0]
:zone_lan_vpn_usa_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_vpn_usa_dest_ACCEPT - [0:0]
:zone_vpn_usa_dest_REJECT - [0:0]
:zone_vpn_usa_forward - [0:0]
:zone_vpn_usa_input - [0:0]
:zone_vpn_usa_output - [0:0]
:zone_vpn_usa_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_DROP - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[368:45622] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[18244:1524745] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[6432:424676] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:160] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT

[11788:1098917] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A INPUT -i tun1 -m comment --comment "!fw3" -j zone_vpn_input
[24:1152] -A INPUT -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_input
[0:0] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_input
[251363:107557637] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[230561:105287230] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[19488:2133786] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[1314:136621] -A FORWARD -i 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -i tun2 -m comment --comment "!fw3" -j zone_vpn_usa_forward
[0:0] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[368:45622] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[248587:116583064] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6375:385406] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[240910:116106666] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1086:72232] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[216:18760] -A OUTPUT -o 6in4-wan6 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_vpn_output
[0:0] -A OUTPUT -o tun2 -m comment --comment "!fw3" -j zone_vpn_usa_output
[0:0] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_lan_vpn_usa_output
[5:608] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[24:1152] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[2:160] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[240917:116107271] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[19488:2133786] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:B3:85 -m comment --comment "!fw3: IPCAM Cucina no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source 48:02:2A:0B:E1:16 -m comment --comment "!fw3: IPCAM Sala no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source A0:9D:C1:72:EC:F4 -m comment --comment "!fw3: IPCAM Taverna no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[0:0] -A zone_lan_forward -p udp -m mac --mac-source E0:B9:4D:D4:A3:B5 -m comment --comment "!fw3: IPCAM Letto no Internet" -j zone_wan_dest_DROP
[19488:2133786] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[19488:2133786] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11788:1098917] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[11788:1098917] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[240910:116106666] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[240910:116106666] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[11788:1098917] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Custom lan_vpn_usa forwarding rule chain" -j forwarding_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3: Zone lan_vpn_usa to vpn_usa forwarding policy" -j zone_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_forward -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3: Custom lan_vpn_usa input rule chain" -j input_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_input -m comment --comment "!fw3" -j zone_lan_vpn_usa_src_ACCEPT
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3: Custom lan_vpn_usa output rule chain" -j output_lan_vpn_usa_rule
[0:0] -A zone_lan_vpn_usa_output -m comment --comment "!fw3" -j zone_lan_vpn_usa_dest_ACCEPT
[0:0] -A zone_lan_vpn_usa_src_ACCEPT -i eth0.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Zone vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_vpn_usa_dest_ACCEPT -o tun2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_usa_dest_REJECT -o tun2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3: Custom vpn_usa forwarding rule chain" -j forwarding_vpn_usa_rule
[0:0] -A zone_vpn_usa_forward -m comment --comment "!fw3" -j zone_vpn_usa_dest_REJECT
[24:1152] -A zone_vpn_usa_input -m comment --comment "!fw3: Custom vpn_usa input rule chain" -j input_vpn_usa_rule
[24:1152] -A zone_vpn_usa_input -m comment --comment "!fw3" -j zone_vpn_usa_src_REJECT
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3: Custom vpn_usa output rule chain" -j output_vpn_usa_rule
[0:0] -A zone_vpn_usa_output -m comment --comment "!fw3" -j zone_vpn_usa_dest_ACCEPT
[24:1152] -A zone_vpn_usa_src_REJECT -i tun2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1086:72232] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[4:240] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[19700:2152306] -A zone_wan_dest_ACCEPT -o 6in4-wan6 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_DROP -o br-wan -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_DROP -o 6in4-wan6 -m comment --comment "!fw3" -j DROP
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[5:608] -A zone_wan_dest_REJECT -o 6in4-wan6 -m comment --comment "!fw3" -j reject
[1314:136621] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[1302:135408] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[12:1213] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
[5:608] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[5:608] -A zone_wan_forward -j MINIUPNPD
[5:608] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --sport 547 --dport 547 -m comment --comment "!fw3: Allow DHCPv6 Relay" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1302:90992] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1302:90992] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i 6in4-wan6 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue May  5 13:46:34 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.182.1/24 brd 192.168.182.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.188.24/24 brd 192.168.188.255 scope global br-wan
       valid_lft forever preferred_lft forever
12: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.180.1/24 brd 192.168.180.255 scope global eth0.10
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
14: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun1
       valid_lft forever preferred_lft forever
16: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.200.0.42 peer 10.200.0.41/32 scope global tun2
       valid_lft forever preferred_lft forever
default via 192.168.188.1 dev br-wan table 201
81.208.50.214 via 192.168.188.1 dev br-wan table 201 proto static
192.168.180.0/24 dev eth0.10 table 201 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 201 proto kernel scope link src 192.168.188.24
default via 10.8.0.1 dev tun0 table 202
81.208.50.214 via 192.168.188.1 dev br-wan table 202 proto static
192.168.180.0/24 dev eth0.10 table 202 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 202 proto kernel scope link src 192.168.188.24
default via 10.9.0.1 dev tun1 table 203
81.208.50.214 via 192.168.188.1 dev br-wan table 203 proto static
192.168.180.0/24 dev eth0.10 table 203 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 203 proto kernel scope link src 192.168.188.24
default via 10.200.0.42 dev tun2 table 204
81.208.50.214 via 192.168.188.1 dev br-wan table 204 proto static
192.168.180.0/24 dev eth0.10 table 204 proto static scope link metric 10
192.168.188.0/24 dev br-wan table 204 proto kernel scope link src 192.168.188.24
default via 192.168.188.1 dev br-wan proto static src 192.168.188.24
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.9.0.0/24 via 10.9.0.2 dev tun1
10.9.0.2 dev tun1 proto kernel scope link src 10.9.0.1
10.10.0.0/24 via 192.168.182.192 dev br-lan proto static
10.11.0.0/24 via 192.168.182.192 dev br-lan proto static
10.12.0.0/24 via 192.168.182.10 dev br-lan proto static
10.13.0.0/24 via 192.168.182.10 dev br-lan proto static
10.14.0.0/24 via 192.168.182.11 dev br-lan proto static
10.15.0.0/24 via 192.168.182.11 dev br-lan proto static
10.200.0.41 dev tun2 proto kernel scope link src 10.200.0.42
81.208.50.214 via 192.168.188.1 dev br-wan proto static
192.168.56.0/24 via 192.168.182.192 dev br-lan proto static
192.168.180.0/24 dev eth0.10 proto static scope link metric 10
192.168.182.0/24 dev br-lan proto kernel scope link src 192.168.182.1
192.168.183.0/24 via 192.168.182.135 dev br-lan proto static
192.168.188.0/24 dev br-wan proto kernel scope link src 192.168.188.24
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
local 10.9.0.1 dev tun1 table local proto kernel scope host src 10.9.0.1
local 10.200.0.42 dev tun2 table local proto kernel scope host src 10.200.0.42
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.180.0 dev eth0.10 table local proto kernel scope link src 192.168.180.1
local 192.168.180.1 dev eth0.10 table local proto kernel scope host src 192.168.180.1
broadcast 192.168.180.255 dev eth0.10 table local proto kernel scope link src 192.168.180.1
broadcast 192.168.182.0 dev br-lan table local proto kernel scope link src 192.168.182.1
local 192.168.182.1 dev br-lan table local proto kernel scope host src 192.168.182.1
broadcast 192.168.182.255 dev br-lan table local proto kernel scope link src 192.168.182.1
broadcast 192.168.188.0 dev br-wan table local proto kernel scope link src 192.168.188.24
local 192.168.188.24 dev br-wan table local proto kernel scope host src 192.168.188.24
broadcast 192.168.188.255 dev br-wan table local proto kernel scope link src 192.168.188.24
0:      from all lookup local
32729:  from all fwmark 0x40000 lookup 204
32730:  from all fwmark 0x30000 lookup 203
32731:  from all fwmark 0x20000 lookup 202
32732:  from all fwmark 0x10000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:xxx:yyyy:d3e3::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fdb5:24dd:30d::1/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
10: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
12: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1:c8ff:feec:fc1c/64 scope link
       valid_lft forever preferred_lft forever
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::ccc7:b54f:f031:1cab/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
14: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::3727:7ab3:c808:a293/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::2605:fff:fedd:3b60/64 scope link
       valid_lft forever preferred_lft forever
16: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 100
    inet6 fe80::f533:3ab6:ea18:1b40/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
17: 6in4-wan6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 2001:xxx:yyyy:d3e3::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::c0a8:bc18/64 scope link
       valid_lft forever preferred_lft forever
default from 2001:xxx:yyyy:d3e3::/64 dev 6in4-wan6 proto static metric 1024 pref medium
2001:xxx:yyyy:d3e3:3902:8aa6:54f1:e97 dev br-lan proto static metric 1024 pref medium
2001:xxx:yyyy:d3e3::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
2001:xxx:yyyy:d3e3::/64 dev br-lan proto static metric 1024 pref medium
unreachable 2001:xxx:yyyy:d3e3::/64 dev lo proto static metric 2147483647 error 4294967183 pref medium
fdb5:24dd:30d::5a1 dev br-lan proto static metric 1024 pref medium
fdb5:24dd:30d::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdb5:24dd:30d::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev tun1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.10 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev br-wan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun2 proto kernel metric 256 pref medium
fe80::/64 dev 6in4-wan6 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 2001:xxx:yyyy:d3e3:: dev 6in4-wan6 table local proto kernel metric 0 pref medium
anycast 2001:xxx:yyyy:d3e3:: dev br-lan table local proto kernel metric 0 pref medium
local 2001:xxx:yyyy:d3e3::1 dev br-lan table local proto kernel metric 0 pref medium
local 2001:xxx:yyyy:d3e3::2 dev 6in4-wan6 table local proto kernel metric 0 pref medium
anycast fdb5:24dd:30d:: dev br-lan table local proto kernel metric 0 pref medium
local fdb5:24dd:30d::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun1 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.10 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-wan table local proto kernel metric 0 pref medium
anycast fe80:: dev tun2 table local proto kernel metric 0 pref medium
anycast fe80:: dev 6in4-wan6 table local proto kernel metric 0 pref medium
local fe80::c0a8:bc18 dev 6in4-wan6 table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev eth0.10 table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev eth0 table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev br-lan table local proto kernel metric 0 pref medium
local fe80::1:c8ff:feec:fc1c dev br-wan table local proto kernel metric 0 pref medium
local fe80::2605:fff:fedd:3b60 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::3727:7ab3:c808:a293 dev tun1 table local proto kernel metric 0 pref medium
local fe80::ccc7:b54f:f031:1cab dev tun0 table local proto kernel metric 0 pref medium
local fe80::f533:3ab6:ea18:1b40 dev tun2 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
ff00::/8 dev tun1 table local metric 256 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev eth0.10 table local metric 256 pref medium
ff00::/8 dev br-wan table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun2 table local metric 256 pref medium
ff00::/8 dev 6in4-wan6 table local metric 256 pref medium
0:      from all lookup local
32766:  from all lookup main
4200000000:     from 2001:xxx:yyyy:d3e3::1/64 iif br-lan unreachable
4200000001:     from all iif lo failed_policy
4200000008:     from all iif br-lan failed_policy
4200000010:     from all iif br-wan failed_policy
4200000012:     from all iif eth0.10 failed_policy
4200000013:     from all iif tun0 failed_policy
4200000014:     from all iif tun1 failed_policy
4200000016:     from all iif tun2 failed_policy
4200000017:     from all iif 6in4-wan6 failed_policy
lrwxrwxrwx    1 root     root            16 Feb  7 10:23 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 May  4 14:28 /tmp/resolv.conf
-rw-r--r--    1 root     root           174 May  4 13:12 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface lan
nameserver 8.8.8.8
nameserver 8.8.4.4
# Interface wan
nameserver 192.168.188.1
search fritz.box
# Interface LAN_VPN_USA
nameserver 8.8.8.8
nameserver 4.4.4.4
root@MenionRouter:~#

Are you sure about this? The delegated prefix cannot be the same as the uplink to your ISP. Look, for example, at the henet configuration.

        option ip6addr '2001:xxx:yyyy:d3e3::2/64'
        list ip6prefix '2001:xxx:yyyy:d3e3::/64'

I also don't see the point of the wan interface being a bridge. And this usually causes problems, so remove it if there is no reason.

Are you running some relay or server? It is not clear. In lan you have a server for RAs and DHCPv6, NDP is hybrid, then wan is configured for relay.

config dhcp 'lan'
...
        option ndp 'hybrid'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

You have some weird forwardings in the firewall, like wan->lan, wan->vpn. I hope these are for troubleshooting only.

Other than that I can see that there are some routing tables, is it mwan3 or VPN PBR?
But the main issue is re-using the same prefix in wan and lan.
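
The overlap this reply points at (the same /64 used as both `ip6addr` and `ip6prefix` on `wan6`) can be checked mechanically. The following is an added example, not part of the original thread or of OpenWrt; the `2001:db8::` addresses are constructed stand-ins for the masked prefixes, and `parse_uci` and `overlapping_prefixes` are hypothetical helper names.

```python
import ipaddress
import shlex

# Constructed sample in UCI syntax. 2001:db8::/32 documentation addresses stand
# in for the masked prefixes in the thread; both sections are illustrative.
SAMPLE = """
config interface 'wan6'
        option proto '6in4'
        option ip6addr '2001:db8:0:d3e3::2/64'
        list ip6prefix '2001:db8:0:d3e3::/64'

config interface 'henet'
        option proto '6in4'
        option ip6addr '2001:db8:aaaa:1::2/64'
        list ip6prefix '2001:db8:bbbb::/48'
"""

def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'opts': {key: [values]}}."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config" and len(tok) >= 2:
            sections.append({"type": tok[1], "name": (tok[2:] or [""])[0], "opts": {}})
        elif tok[0] in ("option", "list") and sections and len(tok) >= 3:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections

def overlapping_prefixes(text):
    """Return (interface, ip6prefix, link) where an ip6prefix overlaps its own ip6addr subnet."""
    findings = []
    for sec in parse_uci(text):
        if sec["type"] != "interface":
            continue
        links = [ipaddress.ip_interface(a).network
                 for a in sec["opts"].get("ip6addr", [])]
        for p in sec["opts"].get("ip6prefix", []):
            prefix = ipaddress.ip_network(p, strict=False)
            for link in links:
                if prefix.overlaps(link):
                    findings.append((sec["name"], str(prefix), str(link)))
    return findings

if __name__ == "__main__":
    for iface, prefix, link in overlapping_prefixes(SAMPLE):
        print(f"{iface}: ip6prefix {prefix} overlaps tunnel link {link}")
```

Only the constructed `wan6` section is reported; the `henet` section, whose routed prefix is distinct from its tunnel link, passes.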

Well, my ISP gives a /64 prefix, so this is the result of the configuration following the instructions. Nevertheless, I have exactly the same problem with the hurricane tunnel that gives a /48.

I forgot to mention that the upstream IPv4 on WAN is my ISP router. So I am actually running behind the NAT of the ISP router (having the OpenWRT in DMZ). I bridge WAN because I use a dedicated VLAN to bring the ISP LAN subnet to particular clients that may need it.

Mmmm, I had completely forgotten this. What I am actually trying to do is to have the LAN interface act as a DHCPv6 server and delegate a prefix based on the information of wan6.

Which one exactly? They should be "normal" VPN and WAN rules.

Yes I use VPN PBR

What shall I configure then, considering that on the 6in4 tunnel I get a /64 prefix?

What is really confusing me is why this setup was working for like 4 years across two major OpenWrt releases and suddenly stopped working.

There must be something on the router, I believe, because the LAN devices can ping each other, while any ping from the router to LAN (or incoming packet from WAN6) is sent back to the tunnel like it was unable to resolve NDP or something.

And the weirdest thing is that a Windows 10 laptop in my LAN can work sometimes (usually at the first boot) and lose the IPv6 connectivity if I bring the wifi down/up (check this picture I have just taken).

This is all confusing. Two things:

Fix:

EDIT: I realized the LAN config is not posted - that was incorrect

This will work if you ask HE for a /48. Otherwise, simply assign the /64 to the LAN interface.

Regarding ping, have you looked at your WAN firewall zone?

:bulb:

(I must also be confused because I thought the OP was using 6in4.)

If they are allocating just a /64 for the wan6, then you cannot delegate it to the lan. What you can do is relay from lan.

We'll have to look at it individually, if you want to stick with that.

Since there is no other interface in the bridge, there is no usage of the bridge. If other clients need to connect directly to the ISP router this isn't the right way. Better connect them on the ISP router.

Then this configuration is not correct. But even if you configure it as delegated, it won't work, because the ISP router will try to contact the hosts directly, because they are in the same subnet.

config forwarding
        option dest 'vpn'
        option src 'wan'

config forwarding
        option dest 'lan'
        option src 'wan'

Use the last example of relay.
Or check here to use hybrid for both relay and delegation.

Trendy, are you certain that you're assisting with a 6-in-4 setup?

If the OP is assigned a /64 from a tunnel broker, they just address the wan6 interface with the tunnel IP provided by the broker; then either:

  • assign the /64 as an option ip6prefix on the wan6 - then add option ip6class 'wan6' on the LAN config; or
  • simply configure it as an IPv6 static assignment on LAN

Actually there are, it is eth0.3 (VLAN3). And it is working for the scope I have (I cannot physically connect devices to the ISP router).

So, tried with:

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option start '50'
        option limit '200'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'

config dhcp 'wan'
        option interface 'wan'
        option dhcpv6 'relay'
        option ra 'relay'
        option ndp 'relay'
        option master '1'

Now the devices do not get any IPv6 address at all. Honestly, I do not fully follow this configuration; my ISP does not have any DHCPv6, it just assigns a prefix over the tunnel.

@lleachii

Shall I keep the wan6 settings as they are, run RA and DHCPv6 server on lan and just add option ip6class 'wan6' in the LAN config?

OP has 2 6in4 interfaces in the network configuration. henet, from HE and wan6 from his ISP. henet is fine from what I can see. The wan6 is using the same /64 for uplink and delegated prefix. This cannot work without relay.

This is only one interface. I don't see where the other interfaces are that you need to bridge on the device.

Did you also remove the list ip6prefix '2001:xxx:yyyy:d3e3::/64' from wan6?
I also noticed that you don't allow inbound protocol 41 (the 6in4) on wan. Check here the last example configurations.

You are right, WAN is bridged because I used it for a while together with a wireless.
I do not think proto 41 is an issue, because IPv6 can work on the router, so upstream is OK.
Generally speaking: can you see why this configuration stopped working?

Done, no IP is gotten in LAN.