IPv6/v4 Firewall Traffic Rules

No, and by the way we are still waiting for the output of the commands.


This link has a txt file with the output of those commands:
(deleted link)

Could you post it here? Thanks!

It is too big. The forum rejects it. I could use pastebin if that is more acceptable.

Split it into two posts :wink:

Part 1:

{
        "kernel": "5.4.72",
        "hostname": "spg3",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r14793+67-9f1927173a",
                "target": "ipq806x/generic",
                "description": "OpenWrt SNAPSHOT r14793+67-9f1927173a"
        }
}
# package network — interface and switch layout as dumped from the router.
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ULA prefix redacted by the poster.
config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

# lan: bridge over VLAN 1 (eth1.1), 10.1.1.1/24.  ip6assign '60' asks odhcpd
# to carve a /60 for this interface out of the prefix delegated on wan6.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# wan / wan6: both ride VLAN 2 (eth0.2); IPv4 by DHCP, IPv6 by DHCPv6 with
# no reqaddress/reqprefix overrides, so the defaults apply.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

# switch0: VLAN 1 = ports 1-4 plus tagged port 6, VLAN 2 = port 5 plus tagged
# port 0.  The tagged ports are presumably the CPU uplinks that surface as
# eth1 (lan) and eth0 (wan) — confirm against the board's switch layout.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

# package dhcp — dnsmasq (DHCPv4 + DNS) and odhcpd (DHCPv6 + RA) settings as
# dumped from the router.  Static leases are keyed by MAC (redacted on the
# forum as xx:xx:xx:xx:xx:xx); two hosts also carry a DHCPv6 DUID.
package dhcp

# dnsmasq: rebind_protection/rebind_localhost discard upstream answers that
# point at private addresses (DNS-rebinding defence); localservice answers
# only directly attached subnets; boguspriv keeps reverse lookups for
# RFC1918 space from leaving the LAN.  These values match the shipped
# OpenWrt defaults.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

# lan pool: 10.1.1.100-10.1.1.249 (start 100, limit 150), 12h leases.
# dhcp_option '6,...' hands clients 10.1.1.3 as their DNS server instead of
# the router; no static lease for 10.1.1.3 appears below and it lies outside
# the pool, so presumably that host is addressed statically — confirm.
# ra_flags (managed-config/other-config) is the newer odhcpd form and
# ra_management the older one; confirm which one this snapshot honours
# rather than relying on both.  The IPv6 DNS entry is a redacted prefix with
# an EUI-64-style suffix.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.1.1.3'
        option ra_management '1'
        list dns 'xxxx:xxxx:xxxx:xxxx:ba27:ebff:fe0b:9be6'

# No DHCP service on the wan side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# maindhcp '0': dnsmasq stays the DHCPv4 server, odhcpd only does DHCPv6/RA.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases (MAC -> fixed IPv4, never expiring).  Entries differ only in
# option order; the two with a duid also pin the DHCPv6 identity.
config host
        option ip '10.1.1.10'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'gus_e4'
        option leasetime 'infinite'

config host
        option ip '10.1.1.11'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'keith_one'
        option leasetime 'infinite'

config host
        option ip '10.1.1.12'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'kris_s5'
        option leasetime 'infinite'

config host
        option ip '10.1.1.13'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'kris_tab'
        option leasetime 'infinite'

config host
        option ip '10.1.1.14'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'greta_tab'
        option leasetime 'infinite'

config host
        option ip '10.1.1.15'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'keith_z2'
        option leasetime 'infinite'

config host
        option ip '10.1.1.16'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'greta_e5'
        option leasetime 'infinite'

config host
        option ip '10.1.1.24'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'pizero'
        option leasetime 'infinite'

config host
        option ip '10.1.1.25'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'usb_dongle'
        option leasetime 'infinite'

config host
        option ip '10.1.1.40'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'gusrune_wl'
        option leasetime 'infinite'

config host
        option ip '10.1.1.41'
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime 'infinite'
        option name 'rune64'
        option duid '00010001268df250b827eb52ccd0'

config host
        option ip '10.1.1.101'
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime 'infinite'
        option name 'grider-desktop'
        option duid '00046f6ff4db548ad24e9a063c8b4750d7ef'

config host
        option ip '10.1.1.102'
        option leasetime 'infinite'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'jack'

config host
        option ip '10.1.1.103'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'x550vx'
        option leasetime 'infinite'

config host
        option ip '10.1.1.104'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'x550vx_wl'
        option leasetime 'infinite'

config host
        option ip '10.1.1.105'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'inspiron_1525'
        option leasetime 'infinite'

config host
        option ip '10.1.1.106'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'compaq_cq50'
        option leasetime 'infinite'

config host
        option ip '10.1.1.107'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'kris_work'
        option leasetime 'infinite'

config host
        option ip '10.1.1.108'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'wii'
        option leasetime 'infinite'

config host
        option ip '10.1.1.109'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'ns400'
        option leasetime 'infinite'

config host
        option ip '10.1.1.111'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'kris_chrome'
        option leasetime 'infinite'

config host
        option ip '10.1.1.191'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'livingrune'
        option leasetime 'infinite'

config host
        option ip '10.1.1.192'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'gusrune'
        option leasetime 'infinite'

config host
        option ip '10.1.1.197'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'garagerune'
        option leasetime 'infinite'

config host
        option ip '10.1.1.198'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'nas'
        option leasetime 'infinite'

config host
        option ip '10.1.1.199'
        option leasetime 'infinite'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'Build64'

config host
        option ip '10.1.1.200'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'kitchenrune'
        option leasetime 'infinite'

config host
        option ip '10.1.1.202'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'plex'
        option leasetime 'infinite'

config host
        option ip '10.1.1.203'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'printserver'
        option leasetime 'infinite'

config host
        option ip '10.1.1.205'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'shinobi'
        option leasetime 'infinite'

config host
        option ip '10.1.1.207'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'mineos'
        option leasetime 'infinite'

config host
        option ip '10.1.1.210'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'roku'
        option leasetime 'infinite'

config host
        option ip '10.1.1.211'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'roku_wl'
        option leasetime 'infinite'

config host
        option ip '10.1.1.212'
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'samsung_tv'
        option leasetime 'infinite'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option leasetime 'infinite'
        option name 'gretarune'
        option ip '10.1.1.193'

config host
        option name 'keith-action'
        option leasetime 'infinite'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.1.1.17'

config host
        option name 'kris-a51'
        option leasetime 'infinite'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '10.1.1.18'

# This entry has no leasetime (default applies) and sets dns '1', which in
# the OpenWrt host section presumably asks odhcpd to publish a DNS entry for
# the host — confirm.  10.1.1.208 is the OpenVPN DNAT target in the firewall.
config host
        option name 'OpenVPN-Jail'
        option dns '1'
        option ip '10.1.1.208'
        option mac 'xx:xx:xx:xx:xx:xx'

# package firewall — fw3 (iptables) zone configuration as dumped from the
# router.  Ports the poster chose to hide are shown as xxxx.
package firewall

# Global policy: INPUT/OUTPUT accept, FORWARD reject, SYN-flood rate limit on.
# The zone policies below take precedence for traffic attributed to a zone;
# these defaults only govern what no zone claims.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# lan zone: fully open towards the router and between lan hosts.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# wan zone: unsolicited input rejected, IPv4 masquerading and MSS clamping on.
# wan6 shares the zone, so the same input/forward policy covers IPv6.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Only lan -> wan is forwarded; nothing is forwarded from wan except via the
# explicit rules/redirects below.
config forwarding
        option src 'lan'
        option dest 'wan'

# The Allow-* rules from here to Support-UDP-Traceroute match the stock
# OpenWrt rule set (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec,
# ISAKMP, traceroute).  Note that Allow-Ping accepts ICMP echo from the WAN.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two IPsec rules forward ESP and IKE (udp/500) from wan into lan for any
# host; harmless while no lan host listens, but they are open forwards.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# /etc/firewall.user is the hook for hand-written iptables rules; the copy
# shown after this config appears to hold only the template comments.
# The qca-nss-ecm script and /etc/firewall.estab are extra scripts whose
# contents are not shown here — any rules they add would appear in
# iptables-save without the "!fw3" comment tag.
config include
        option path '/etc/firewall.user'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

# DNAT port forwards from wan into lan.  Only OpenVPN restricts `proto`
# (udp); the others omit it, so fw3 applies its tcpudp default and opens
# both protocols towards each host (the nat dump further down shows a tcp
# and a udp rule for every forward except OpenVPN).
# NOTE(review): set `list proto` on each redirect to the protocol the service
# actually speaks (e.g. WireGuard is UDP-only) so only the needed protocol
# is exposed.
config redirect
        option target 'DNAT'
        option name 'OpenVPN'
        option src 'wan'
        option dest 'lan'
        list proto 'udp'
        option src_dport 'xxxx'
        option dest_port 'xxxx'
        option dest_ip '10.1.1.208'

config redirect
        option dest_port 'xxxx'
        option src 'wan'
        option name 'WireGuard'
        option src_dport '51920'
        option target 'DNAT'
        option dest 'lan'
        option dest_ip '10.1.1.3'

config redirect
        option dest_port 'xxxx'
        option src 'wan'
        option name 'MineOS'
        option src_dport 'xxxx'
        option target 'DNAT'
        option dest_ip '10.1.1.207'
        option dest 'lan'

config redirect
        option dest_port 'xxxx'
        option src 'wan'
        option name 'Plex'
        option src_dport 'xxxx'
        option target 'DNAT'
        option dest_ip '10.1.1.202'
        option dest 'lan'

config redirect
        option dest_port '88'
        option src 'wan'
        option name 'Garage'
        option src_dport 'xxxx'
        option target 'DNAT'
        option dest_ip '10.1.1.197'
        option dest 'lan'

# Management interface of the same host as 'MineOS' published to the WAN as
# well; worth confirming that this is intended rather than lan-only.
config redirect
        option target 'DNAT'
        option name 'MineOS_Mgmt'
        option src 'wan'
        option src_dport 'xxxx'
        option dest 'lan'
        option dest_ip '10.1.1.207'
        option dest_port 'xxxx'

# Time-based parental-control rules: lan -> wan forwarding is rejected for
# the listed MACs inside the window.  No `proto` is set, so fw3's tcpudp
# default applies and only TCP/UDP is blocked (the filter dump shows one
# tcp and one udp rule per MAC); use `option proto 'all'` if every protocol
# should be covered.  MAC matching identifies a device only as long as it
# keeps its MAC.
# NOTE(review): the generated rules in the filter dump carry `--weekdays Fri`
# and `--weekdays Mon` only, although 'Fri Sat' and 'Sun Mon Tue Wed Thu'
# are configured here — confirm after a reload whether all listed days are
# applied.  xt_time evaluates a window that crosses midnight (22:30 -> 07:00)
# within each named weekday unless --contiguous is used, so check that the
# intended nights are covered.
config rule
        option name 'Kids Weekend '
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        option weekdays 'Fri Sat'
        option start_time '00:00:00'
        option stop_time '07:00:00'
        option target 'REJECT'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Kid Weekday'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        list src_mac 'xx:xx:xx:xx:xx:xx'
        option weekdays 'Sun Mon Tue Wed Thu'
        option start_time '22:30:00'
        option stop_time '07:00:00'
        option target 'REJECT'
        option src 'lan'
        option dest 'wan'

config include 'estab'
        option path '/etc/firewall.estab'
        option reload '1'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.4 on Wed Nov  4 08:52:03 2020
# iptables-save -c output, *raw table (IPv4); counters are [packets:bytes].
# fw3 assigns conntrack helpers per zone here.  zone_lan_helper has no
# rules, so no connection-tracking helper (ALG) is attached to lan traffic.
*raw
:PREROUTING ACCEPT [1178845:1276033729]
:OUTPUT ACCEPT [211603:17430398]
:zone_lan_helper - [0:0]
[1136736:1272128699] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
# Generated by iptables-save v1.8.4 on Wed Nov  4 08:52:03 2020
# *nat table (IPv4); counters are [packets:bytes].
# zone_lan_prerouting/postrouting hold the NAT-reflection (hairpin) rules fw3
# derives from each redirect: a lan client that contacts the WAN address
# (xxx.xxx.176.97, partly redacted) is DNATed to the internal host and SNATed
# to 10.1.1.1 so the reply comes back through the router.
# zone_wan_prerouting holds the WAN-facing DNAT entries themselves and
# zone_wan_postrouting masquerades everything leaving eth0.2.
# Every forward except OpenVPN appears twice (tcp and udp) because its
# redirect has no `proto` set and fw3 defaults to tcpudp.
*nat
:PREROUTING ACCEPT [37856:6145121]
:INPUT ACCEPT [11322:1072611]
:OUTPUT ACCEPT [443:64420]
:POSTROUTING ACCEPT [11148:3681411]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[37913:6148337] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[25184:5179809] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[12729:968528] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[26883:5104852] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[11197:3683598] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[15595:1414853] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
# Reflection SNAT: only the Plex tcp entry has ever matched ([141:8708]).
[11197:3683598] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.208/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.3/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.3/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j SNAT --to-source 10.1.1.1
[141:8708] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.202/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.202/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.197/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.197/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j SNAT --to-source 10.1.1.1
# Reflection DNAT: lan -> WAN address is rewritten to the internal host.
[25184:5179809] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN (reflection)" -j DNAT --to-destination 10.1.1.208:1194
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j DNAT --to-destination 10.1.1.3:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j DNAT --to-destination 10.1.1.3:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[25:1500] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j DNAT --to-destination 10.1.1.197:88
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j DNAT --to-destination 10.1.1.197:88
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
# Outbound: everything leaving eth0.2 is masqueraded (zone wan, masq '1').
[15595:1414853] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[15595:1414853] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
# Inbound port forwards as seen from the WAN; the counters show which have
# received traffic so far (OpenVPN, MineOS tcp, Plex tcp, MineOS_Mgmt tcp).
[12729:968528] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2:84] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: OpenVPN" -j DNAT --to-destination 10.1.1.208:xxxx
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: WireGuard" -j DNAT --to-destination 10.1.1.3:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: WireGuard" -j DNAT --to-destination 10.1.1.3:xxxx
[1:64] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS" -j DNAT --to-destination 10.1.1.207:xxxx
[2:120] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Plex" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: Plex" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Garage" -j DNAT --to-destination 10.1.1.197:88
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: Garage" -j DNAT --to-destination 10.1.1.197:88
[27:1448] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt" -j DNAT --to-destination 10.1.1.207:xxxx
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
# Generated by iptables-save v1.8.4 on Wed Nov  4 08:52:03 2020
*mangle

Part 2:


# Continuation of the IPv4 *mangle table whose header precedes the "Part 2:"
# break.  It holds only fw3's MSS clamping for the wan zone (mtu_fix '1'),
# applied to TCP SYNs in both directions on eth0.2.
:PREROUTING ACCEPT [1178852:1276034169]
:INPUT ACCEPT [95328:30720989]
:FORWARD ACCEPT [1219189:1303795917]
:OUTPUT ACCEPT [211617:17438878]
:POSTROUTING ACCEPT [1430407:1321216222]
[6471:385216] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6467:383552] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
# Generated by iptables-save v1.8.4 on Wed Nov  4 08:52:03 2020
# *filter table (IPv4); counters are [packets:bytes].
# Built-in policies: INPUT ACCEPT, FORWARD DROP, OUTPUT ACCEPT.  fw3 sends
# every packet through its zone chains first, so the INPUT policy is only
# reached by traffic that no zone rule terminates.
*filter
:INPUT ACCEPT [1:83]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
# INPUT: loopback, user hook, established/related, SYN-flood limiter, then
# dispatch to the zone input chain by ingress interface.
[1037:93507] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[94297:30626697] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[5586:554125] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2780:113992] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[73801:29019040] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[14910:1053532] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
# FORWARD: user hook, zone forward chains, established/related, then reject.
[1219189:1303795917] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1193623:1301224576] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[25566:2571341] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[25446:2564671] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
# NOTE(review): the physdev rule below carries no "!fw3" tag, so it was added
# by something other than fw3 (possibly one of the include scripts — confirm).
# It is unreachable: the `-j reject` just above terminates every packet (the
# reject chain REJECTs tcp and then everything else), consistent with its
# [0:0] counter.  If bridged traffic is meant to bypass the firewall it has
# to sit before the reject, and the intent should be documented in the
# script that adds it.
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[1037:93507] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[210559:17344495] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[22144:2830303] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[187896:14452519] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[519:61673] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
# reject: TCP gets a RST, everything else an ICMP port-unreachable.
[4696:194695] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[136:26659] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
# syn_flood: SYNs above 25/s (burst 50) are dropped; the DROP has never hit.
[2780:113992] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1344910:1312635800] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
# zone_lan_forward: parental-control rules first (one tcp and one udp rule
# per MAC, from the "Kids Weekend"/"Kid Weekday" UCI rules — only TCP/UDP
# is blocked, and only `--weekdays Fri` / `--weekdays Mon` appear although
# the UCI weekdays lists name more days; compare with the firewall config
# above), then the lan -> wan forwarding policy, DNAT acceptance and
# intra-lan acceptance.  None of the time rules has matched yet ([0:0]).
[1193623:1301224576] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[1193623:1301224576] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[26:12862] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[1157014:1298183281] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[73801:29019040] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[73801:29019040] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[187896:14452519] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[187896:14452519] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[73800:29018957] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
# Towards wan: INVALID-state packets are dropped before the ACCEPT so that
# un-NATed private addresses cannot leak out.
[372:17298] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[36730:3072808] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
# zone_wan_forward: stock IPsec ESP/ISAKMP forwards (never matched), DNATed
# connections accepted (port forwards), everything else rejected.
[25566:2571341] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[120:6670] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[25446:2564671] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
# zone_wan_input: DHCP renew, ICMP echo (the Allow-Ping rule has accepted
# ~9.8k echo requests from the WAN), IGMP, DNAT acceptance, then reject.
[14910:1053532] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[9789:821774] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[289:10404] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4832:221354] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[519:61673] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[519:61673] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[4832:221354] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
# Generated by ip6tables-save v1.8.4 on Wed Nov  4 08:52:03 2020
*nat
:PREROUTING ACCEPT [23735:4697466]
:INPUT ACCEPT [22:4984]
:OUTPUT ACCEPT [306:38842]
:POSTROUTING ACCEPT [24004:4727326]
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
# Generated by ip6tables-save v1.8.4 on Wed Nov  4 08:52:03 2020
*mangle
:PREROUTING ACCEPT [156610:42821791]
:INPUT ACCEPT [52279:25771495]
:FORWARD ACCEPT [198512:72765558]
:OUTPUT ACCEPT [195639:18769548]
:POSTROUTING ACCEPT [393150:91461630]
[9053:722624] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6547:498568] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
# Generated by ip6tables-save v1.8.4 on Wed Nov  4 08:52:03 2020
*filter
:INPUT ACCEPT [9:1264]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[184:20658] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[52095:25750837] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[111:13872] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[49469:25551957] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2515:185008] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[198508:72762415] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[167882:67520355] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[30626:5242060] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[30469:5228186] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[157:13874] -A FORWARD -m comment --comment "!fw3" -j reject
[184:20658] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[195455:18748890] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[56:6288] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[192553:18528570] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2846:214032] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[142:12464] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[15:1410] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[310917:77362628] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[167882:67520355] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[167882:67520355] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[118364:58834058] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49469:25551957] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[49469:25551957] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[192553:18528570] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[192553:18528570] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49460:25550693] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[844:59602] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[51520:8840727] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[30626:5242060] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[30626:5242060] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2515:185008] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[20:4320] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1380:99360] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[89:15664] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1026:65664] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2846:214032] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2846:214032] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov  4 08:52:03 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.1.1.1/24 brd 10.1.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xxx.xxx.176.97/22 brd xxx.xxx.179.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via xxx.xxx.176.1 dev eth0.2  src xxx.xxx.176.97
xxx.xxx.176.0/22 dev eth0.2 scope link  src xxx.xxx.176.97
10.1.1.0/24 dev br-lan scope link  src 10.1.1.1
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast xxx.xxx.176.0 dev eth0.2 table local scope link  src xxx.xxx.176.97
local xxx.xxx.176.97 dev eth0.2 table local scope host  src xxx.xxx.176.97
broadcast xxx.xxx.179.255 dev eth0.2 table local scope link  src xxx.xxx.176.97
broadcast 10.1.1.0 dev br-lan table local scope link  src 10.1.1.1
local 10.1.1.1 dev br-lan table local scope host  src 10.1.1.1
broadcast 10.1.1.255 dev br-lan table local scope link  src 10.1.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a02:8eff:fe94:1296/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a02:8eff:fe94:1295/64 scope link
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xxxx:xxxx:xxxx::1/64 scope global dynamic
       valid_lft 2490sec preferred_lft 2490sec
    inet6 xxxx:xxxx:xxxx::1/60 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a02:8eff:fe94:1295/64 scope link
       valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 xxxx:xxxx:xxxx:xxxx:a02:8eff:fe94:1296/64 scope global dynamic
       valid_lft 3086sec preferred_lft 3086sec
    inet6 xxxx:xxxx:xxxx:xxxx::48/128 scope global dynamic
       valid_lft 2490sec preferred_lft 2490sec
    inet6 fe80::a02:8eff:fe94:1296/64 scope link
       valid_lft forever preferred_lft forever
15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a02:8eff:fe94:1297/64 scope link
       valid_lft forever preferred_lft forever
16: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::a02:8eff:fe94:1298/64 scope link
       valid_lft forever preferred_lft forever
default from xxxx:xxxx:xxxx:xxxx::48 via fe80::6e63:9cff:fea1:9220 dev eth0.2  metric 512
default from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2  metric 512
default from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2  metric 512
xxxx:xxxx:xxxx:xxxx::/60 from xxxx:xxxx:xxxx:xxxx::48 via fe80::6e63:9cff:fea1:9220 dev eth0.2  metric 384
xxxx:xxxx:xxxx:xxxx::/60 from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2  metric 384
xxxx:xxxx:xxxx:xxxx::/60 from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2  metric 384
xxxx:xxxx:xxxx:xxxx::/64 dev eth0.2  metric 256
xxxx:xxxx:xxxx:xxxx::/64 dev br-lan  metric 1024
unreachable xxxx:xxxx:xxxx:xxxx::/64 dev lo  metric 2147483647
xxxx:xxxx:xxxx::/64 dev br-lan  metric 1024
unreachable xxxx:xxxx:xxxx::/48 dev lo  metric 2147483647
fe80::/64 dev eth1  metric 256
fe80::/64 dev eth0.2  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev eth0  metric 256
fe80::/64 dev wlan1  metric 256
fe80::/64 dev wlan0  metric 256
local ::1 dev lo table local  metric 0
anycast xxxx:xxxx:xxxx:xxxx:: dev eth0.2 table local  metric 0
local xxxx:xxxx:xxxx:xxxx::48 dev eth0.2 table local  metric 0
local xxxx:xxxx:xxxx:xxxx:a02:8eff:fe94:1296 dev eth0.2 table local  metric 0
anycast xxxx:xxxx:xxxx:xxxx:: dev br-lan table local  metric 0
local xxxx:xxxx:xxxx:xxxx::1 dev br-lan table local  metric 0
anycast xxxx:xxxx:xxxx:: dev br-lan table local  metric 0
local xxxx:xxxx:xxxx::1 dev br-lan table local  metric 0
anycast fe80:: dev eth1 table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev eth0.2 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wlan0 table local  metric 0
anycast fe80:: dev wlan1 table local  metric 0
local fe80::a02:8eff:fe94:1295 dev eth1 table local  metric 0
local fe80::a02:8eff:fe94:1295 dev br-lan table local  metric 0
local fe80::a02:8eff:fe94:1296 dev eth0 table local  metric 0
local fe80::a02:8eff:fe94:1296 dev eth0.2 table local  metric 0
local fe80::a02:8eff:fe94:1297 dev wlan0 table local  metric 0
local fe80::a02:8eff:fe94:1298 dev wlan1 table local  metric 0
ff00::/8 dev eth1 table local  metric 256
ff00::/8 dev br-lan table local  metric 256
ff00::/8 dev eth0.2 table local  metric 256
ff00::/8 dev eth0 table local  metric 256
ff00::/8 dev wlan1 table local  metric 256
ff00::/8 dev wlan0 table local  metric 256
0:      from all lookup local
32766:  from all lookup main
4200000000:     from xxxx:xxxx:xxxx:xxxx::1/64 iif br-lan lookup unspec unreachable
4200000001:     from all iif lo lookup unspec 12
4200000010:     from all iif br-lan lookup unspec 12
4200000012:     from all iif eth0.2 lookup unspec 12
4200000012:     from all iif eth0.2 lookup unspec 12

Time restriction seems to be broken on snapshots:
Time/day of week firewall rules not working correctly

A possible workaround:

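# Append the time-based block to /etc/firewall.user, which fw3 runs after it
# has populated its own tables. The quoted "EOF" keeps ${IPT}/${MAC} literal
# so they are expanded when the script runs, not when it is appended.
# NOTE: this snippet is not idempotent -- running it twice appends the loop
# twice. To change MACs or days, edit /etc/firewall.user directly.
cat << "EOF" >> /etc/firewall.user
# Block Internet access for the listed clients on weekday nights, for IPv4
# and IPv6 alike. The rules go into forwarding_lan_rule, the custom hook
# fw3 jumps to at the top of zone_lan_forward.
# The target is fw3's own zone_wan_dest_REJECT chain, which only rejects
# traffic leaving through the wan interface; this mirrors the 'dest wan' of
# the UCI rules, whereas a bare -j REJECT would also cut these clients off
# from any other forwarded zone.
# The "!fw3" comment prefix is what fw3 uses to tag the rules it manages.
# Limitation: MAC matching is a convenience control, not a security
# boundary -- a client that changes its MAC address is no longer matched.
for IPT in iptables ip6tables
do for MAC in 11:22:33:44:55:66 aa:bb:cc:dd:ee:ff
do ${IPT} -A forwarding_lan_rule -p all \
    -m mac --mac-source ${MAC} \
    -m time --timestart 00:00:00 --timestop 07:00:00 \
    --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz \
    -m comment --comment "!fw3: Restrict-Internet" -j zone_wan_dest_REJECT
done
done
EOF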

I haven't looked in detail, but I see that you are trying to make it time-based - well, day-of-the-week based. As a first guess I would bet that it's because fw3 is broken and does not handle weekday-based rules properly.

no idea how patches are handled in openwrt but there seems to be little interest in reviewing or merging this: https://patchwork.ozlabs.org/project/openwrt/patch/20200923220836.18537-1-facboy@gmail.com/


Only one day from each rule is actually applied: in your dump the generated rules carry just `--weekdays Fri` and `--weekdays Mon`, although each rule lists several days. This is most likely the bug mentioned above.
You can copy-paste the rules and use only one day in each one as a workaround until a proper fix is merged.


Can I manually edit the iptable and manually put it in?
I did an "iptables-save > dmp.txt" then edited the file to add a rule for each MAC for each day.
Once done, can I just "iptables-restore < dmp.txt"?

It would be more reliable, compact and easier to modify and troubleshoot if you use the workaround mentioned above: rules loaded by hand with iptables-restore are not part of the fw3 configuration and are discarded the next time the firewall is restarted, whereas /etc/firewall.user is re-run by fw3.
I've updated the code to support multiple MAC addresses.


Actually, there's a better workaround.
Just replace the option weekdays with extra:

# Drop the (broken) 'weekdays' option from the last two rule sections and pass
# the same day list as a raw iptables argument through 'extra' instead.
# NOTE: @rule[-2] / @rule[-1] address the last two 'config rule' sections of
# /etc/config/firewall, so this only hits the Kids rules if they come last.
for RULE in -2 -1
do uci -q delete "firewall.@rule[${RULE}].weekdays"
done
uci set "firewall.@rule[-2].extra=--weekdays Fri,Sat"
uci set "firewall.@rule[-1].extra=--weekdays Sun,Mon,Tue,Wed,Thu"
uci commit firewall
/etc/init.d/firewall restart

@vgaetera I do appreciate the help! But... I really don't follow exactly what I need to do to take my existing rules and programmatically add each day. Do I just run the 4 lines from the CLI that you posted yesterday or do I need to, somehow, add those lines to the previous set you sent? I have not yet done anything for fear of breaking something.

He means that the weekdays option doesn't work. As a workaround you can use the extra option, which passes its value straight to iptables: put "--weekdays Fri,Sat" in the first rule and "--weekdays Sun,Mon,Tue,Wed,Thu" in the second.


The latest workaround is preferable, I've adapted it for your config.
You can post the resulting firewall config, so we can verify it.

I just ran those commands. It does not look like it worked as there is only one rule per each MAC for the weekday and weekend rules. Wasn't it supposed to generate one rule for each day for each mac?
From iptables-save > test.txt

...
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
...

ip6tables-save looks similar.

I wonder if a bug in fw3 is why it didn't work in DD-WRT, either. It has been years since it worked in DD-WRT as well.

Edit - I went in and edited the /etc/config/firewall to create a rule for each day then ran:

uci commit firewall
/etc/init.d/firewall restart

and it spit this back:

...
   * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Kids Friday'
   * Rule 'Kids Saturday'
   * Rule 'Kid Sunday'
   * Rule 'Kid Monday'
   * Rule 'Kid Tuesday'
   * Rule 'Kid Wednesday'
   * Rule 'Kid Thursday'
... 
   * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Kids Friday'
   * Rule 'Kids Saturday'
   * Rule 'Kids Sunday'
   * Rule 'Kids Monday'
   * Rule 'Kids Tuesday'
   * Rule 'Kids Wednesday'
   * Rule 'Kids Thursday'
...

It looks correct to me. One rule now spans multiple days, as shown by the `--weekdays Fri,Sat` and `--weekdays Mon,Tue,Wed,Thu,Sun` in the dump.

BTW, use iptables-save -c to also see the per-rule packet/byte counters (the bracketed [packets:bytes] at the start of each line); a rule that stays at [0:0] during the blocked hours is not matching the traffic you expect.


Just to close this out... I was unable to get any success with the scripts. Probably my fault, but was unable to.
What did work was editing the /etc/config/firewall to create a rule for each day (m,t,w,h,f,s,s) but for multiple MACs. Then 'commit' then 'restart' (as above). This works. I can go to sleep when I want to and rest assured that the internet will turn off for the kids. Maybe, in the future, you will be able to have multiple days in a single rule, but not yet. I was unable to build an image to test the patch that @facboy posted.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

