No, and by the way we are still waiting for the output of the commands.
This link has a txt file with the output to those commands:
(deleted link)
Could you post it here? Thanks!
It is too big. The forum rejects it. I could use pastebin if that is more acceptable.
Split in two posts
Part 1:
{
"kernel": "5.4.72",
"hostname": "spg3",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"revision": "r14793+67-9f1927173a",
"target": "ipq806x/generic",
"description": "OpenWrt SNAPSHOT r14793+67-9f1927173a"
}
}
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'xxxx:xxxx:xxxx::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '10.1.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
package dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
list dhcp_option '6,10.1.1.3'
option ra_management '1'
list dns 'xxxx:xxxx:xxxx:xxxx:ba27:ebff:fe0b:9be6'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config host
option ip '10.1.1.10'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'gus_e4'
option leasetime 'infinite'
config host
option ip '10.1.1.11'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'keith_one'
option leasetime 'infinite'
config host
option ip '10.1.1.12'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'kris_s5'
option leasetime 'infinite'
config host
option ip '10.1.1.13'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'kris_tab'
option leasetime 'infinite'
config host
option ip '10.1.1.14'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'greta_tab'
option leasetime 'infinite'
config host
option ip '10.1.1.15'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'keith_z2'
option leasetime 'infinite'
config host
option ip '10.1.1.16'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'greta_e5'
option leasetime 'infinite'
config host
option ip '10.1.1.24'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'pizero'
option leasetime 'infinite'
config host
option ip '10.1.1.25'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'usb_dongle'
option leasetime 'infinite'
config host
option ip '10.1.1.40'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'gusrune_wl'
option leasetime 'infinite'
config host
option ip '10.1.1.41'
option mac 'xx:xx:xx:xx:xx:xx'
option leasetime 'infinite'
option name 'rune64'
option duid '00010001268df250b827eb52ccd0'
config host
option ip '10.1.1.101'
option mac 'xx:xx:xx:xx:xx:xx'
option leasetime 'infinite'
option name 'grider-desktop'
option duid '00046f6ff4db548ad24e9a063c8b4750d7ef'
config host
option ip '10.1.1.102'
option leasetime 'infinite'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'jack'
config host
option ip '10.1.1.103'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'x550vx'
option leasetime 'infinite'
config host
option ip '10.1.1.104'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'x550vx_wl'
option leasetime 'infinite'
config host
option ip '10.1.1.105'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'inspiron_1525'
option leasetime 'infinite'
config host
option ip '10.1.1.106'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'compaq_cq50'
option leasetime 'infinite'
config host
option ip '10.1.1.107'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'kris_work'
option leasetime 'infinite'
config host
option ip '10.1.1.108'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'wii'
option leasetime 'infinite'
config host
option ip '10.1.1.109'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'ns400'
option leasetime 'infinite'
config host
option ip '10.1.1.111'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'kris_chrome'
option leasetime 'infinite'
config host
option ip '10.1.1.191'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'livingrune'
option leasetime 'infinite'
config host
option ip '10.1.1.192'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'gusrune'
option leasetime 'infinite'
config host
option ip '10.1.1.197'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'garagerune'
option leasetime 'infinite'
config host
option ip '10.1.1.198'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'nas'
option leasetime 'infinite'
config host
option ip '10.1.1.199'
option leasetime 'infinite'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'Build64'
config host
option ip '10.1.1.200'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'kitchenrune'
option leasetime 'infinite'
config host
option ip '10.1.1.202'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'plex'
option leasetime 'infinite'
config host
option ip '10.1.1.203'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'printserver'
option leasetime 'infinite'
config host
option ip '10.1.1.205'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'shinobi'
option leasetime 'infinite'
config host
option ip '10.1.1.207'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'mineos'
option leasetime 'infinite'
config host
option ip '10.1.1.210'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'roku'
option leasetime 'infinite'
config host
option ip '10.1.1.211'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'roku_wl'
option leasetime 'infinite'
config host
option ip '10.1.1.212'
option mac 'xx:xx:xx:xx:xx:xx'
option name 'samsung_tv'
option leasetime 'infinite'
config host
option mac 'xx:xx:xx:xx:xx:xx'
option leasetime 'infinite'
option name 'gretarune'
option ip '10.1.1.193'
config host
option name 'keith-action'
option leasetime 'infinite'
option mac 'xx:xx:xx:xx:xx:xx'
option ip '10.1.1.17'
config host
option name 'kris-a51'
option leasetime 'infinite'
option mac 'xx:xx:xx:xx:xx:xx'
option ip '10.1.1.18'
config host
option name 'OpenVPN-Jail'
option dns '1'
option ip '10.1.1.208'
option mac 'xx:xx:xx:xx:xx:xx'
package firewall
# Firewall-wide defaults: SYN-flood protection on; INPUT and OUTPUT accepted
# and FORWARD rejected for traffic that no zone decides.
# NOTE(review): the iptables-save output further down this page shows the
# INPUT chain jumping to a zone only for br-lan and eth0.2, with the chain
# policy set to ACCEPT. A packet that no zone rule accepts or rejects
# (for example one arriving on an interface outside both zones) is therefore
# accepted by policy. Setting input to 'REJECT' here should close that gap;
# the lan zone keeps its own input 'ACCEPT'.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config include 'qcanssecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'
# Port forward (DNAT) from the wan zone to 10.1.1.208 on the lan, UDP only.
# NOTE(review): the port is masked here, but the "OpenVPN (reflection)" rules
# in the iptables-save output on this page were left unmasked. Mask a value
# everywhere it appears before posting a dump.
config redirect
option target 'DNAT'
option name 'OpenVPN'
option src 'wan'
option dest 'lan'
list proto 'udp'
option src_dport 'xxxx'
option dest_port 'xxxx'
option dest_ip '10.1.1.208'
# Port forward (DNAT) of WAN port 51920 to 10.1.1.3 on the lan.
# NOTE(review): no 'proto' is set, and the iptables-save output on this page
# shows fw3 generating both a tcp and a udp DNAT rule for this entry.
# WireGuard only uses UDP, so adding "list proto 'udp'" (as the OpenVPN
# redirect does) removes a TCP forward that nothing needs.
config redirect
option dest_port 'xxxx'
option src 'wan'
option name 'WireGuard'
option src_dport '51920'
option target 'DNAT'
option dest 'lan'
option dest_ip '10.1.1.3'
# Port forward (DNAT) from the wan zone to 10.1.1.207 on the lan.
# NOTE(review): no 'proto' is set, so both tcp and udp are forwarded (the
# iptables-save output on this page has one DNAT rule for each). List only
# the protocol the service actually listens on.
config redirect
option dest_port 'xxxx'
option src 'wan'
option name 'MineOS'
option src_dport 'xxxx'
option target 'DNAT'
option dest_ip '10.1.1.207'
option dest 'lan'
# Port forward (DNAT) from the wan zone to 10.1.1.202 on the lan.
# NOTE(review): no 'proto' is set, so both tcp and udp are forwarded. In the
# iptables-save output on this page only the tcp rule has a non-zero counter;
# Plex remote access normally needs TCP only, so "list proto 'tcp'" should be
# enough - confirm against the server's settings.
config redirect
option dest_port 'xxxx'
option src 'wan'
option name 'Plex'
option src_dport 'xxxx'
option target 'DNAT'
option dest_ip '10.1.1.202'
option dest 'lan'
# Port forward (DNAT) from a masked WAN port to port 88 on 10.1.1.197.
# NOTE(review): no 'proto' is set, so both tcp and udp are forwarded. What
# listens on port 88 is not shown on this page; if it is a device web UI,
# reaching it over the VPN that is already forwarded avoids exposing it to
# the internet directly.
config redirect
option dest_port '88'
option src 'wan'
option name 'Garage'
option src_dport 'xxxx'
option target 'DNAT'
option dest_ip '10.1.1.197'
option dest 'lan'
# Port forward (DNAT) from the wan zone to 10.1.1.207, the same host as the
# 'MineOS' redirect; presumably its management interface, going by the name.
# NOTE(review): nothing limits the source address, so this is reachable from
# the whole internet, and its wan DNAT rule in the iptables-save output on
# this page has a non-zero packet counter. An admin interface is better
# reached over the VPN that is already forwarded, or at least restricted with
# 'option src_ip'. No 'proto' is set, so both tcp and udp are forwarded.
config redirect
option target 'DNAT'
option name 'MineOS_Mgmt'
option src 'wan'
option src_dport 'xxxx'
option dest 'lan'
option dest_ip '10.1.1.207'
option dest_port 'xxxx'
# Rejects lan -> wan traffic from the five listed MAC addresses between
# 00:00 and 07:00 on the listed weekdays.
# NOTE(review): 'Fri Sat' is configured, but every generated "Kids Weekend "
# rule in the iptables-save output on this page carries "--weekdays Fri"
# only. Check the active ruleset after changing this rule.
# No 'proto' is set and the generated rules match tcp and udp only, so other
# protocols (e.g. ICMP) are not restricted.
# src_mac matches whatever address the device presents; a device that uses a
# randomized/private MAC address will not match this rule.
config rule
option name 'Kids Weekend '
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
option weekdays 'Fri Sat'
option start_time '00:00:00'
option stop_time '07:00:00'
option target 'REJECT'
option src 'lan'
option dest 'wan'
# Rejects lan -> wan traffic from the five listed MAC addresses between
# 22:30 and 07:00 on the listed weekdays.
# NOTE(review): 'Sun Mon Tue Wed Thu' is configured, but every generated
# "Kid Weekday" rule in the iptables-save output on this page carries
# "--weekdays Mon" only. Check the active ruleset after changing this rule.
# stop_time is earlier than start_time and the generated rules have no
# --contiguous flag, so the time match treats each listed day as two windows
# (00:00-07:00 and 22:30-24:00) rather than one window running into the
# next morning.
# No 'proto' is set and the generated rules match tcp and udp only, so other
# protocols (e.g. ICMP) are not restricted.
# src_mac matches whatever address the device presents; a device that uses a
# randomized/private MAC address will not match this rule.
config rule
option name 'Kid Weekday'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_mac 'xx:xx:xx:xx:xx:xx'
option weekdays 'Sun Mon Tue Wed Thu'
option start_time '22:30:00'
option stop_time '07:00:00'
option target 'REJECT'
option src 'lan'
option dest 'wan'
# Includes /etc/firewall.estab; reload '1' makes it run on firewall reloads
# as well as on start. The file's contents are not shown on this page.
# NOTE(review): the IPv4 filter dump on this page contains one FORWARD rule
# without a "!fw3" tag (physdev --physdev-is-bridged, appended after the
# catch-all reject, counter [0:0]), and the FORWARD RELATED,ESTABLISHED
# accept sits after the zone jumps. Presumably a custom include such as this
# one is responsible - confirm, and post the script with the dump so
# reviewers see every rule source.
config include 'estab'
option path '/etc/firewall.estab'
option reload '1'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*raw
:PREROUTING ACCEPT [1178845:1276033729]
:OUTPUT ACCEPT [211603:17430398]
:zone_lan_helper - [0:0]
[1136736:1272128699] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
# Generated by iptables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*nat
:PREROUTING ACCEPT [37856:6145121]
:INPUT ACCEPT [11322:1072611]
:OUTPUT ACCEPT [443:64420]
:POSTROUTING ACCEPT [11148:3681411]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[37913:6148337] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[25184:5179809] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[12729:968528] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[26883:5104852] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[11197:3683598] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[15595:1414853] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[11197:3683598] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.208/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.3/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.3/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j SNAT --to-source 10.1.1.1
[141:8708] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.202/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.202/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.197/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.197/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j SNAT --to-source 10.1.1.1
[0:0] -A zone_lan_postrouting -s 10.1.1.0/24 -d 10.1.1.207/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j SNAT --to-source 10.1.1.1
[25184:5179809] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OpenVPN (reflection)" -j DNAT --to-destination 10.1.1.208:1194
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j DNAT --to-destination 10.1.1.3:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: WireGuard (reflection)" -j DNAT --to-destination 10.1.1.3:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[25:1500] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Plex (reflection)" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j DNAT --to-destination 10.1.1.197:88
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: Garage (reflection)" -j DNAT --to-destination 10.1.1.197:88
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_lan_prerouting -s 10.1.1.0/24 -d xxx.xxx.176.97/32 -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt (reflection)" -j DNAT --to-destination 10.1.1.207:xxxx
[15595:1414853] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[15595:1414853] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[12729:968528] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[2:84] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: OpenVPN" -j DNAT --to-destination 10.1.1.208:xxxx
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: WireGuard" -j DNAT --to-destination 10.1.1.3:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: WireGuard" -j DNAT --to-destination 10.1.1.3:xxxx
[1:64] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS" -j DNAT --to-destination 10.1.1.207:xxxx
[2:120] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Plex" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: Plex" -j DNAT --to-destination 10.1.1.202:xxxx
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: Garage" -j DNAT --to-destination 10.1.1.197:88
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: Garage" -j DNAT --to-destination 10.1.1.197:88
[27:1448] -A zone_wan_prerouting -p tcp -m tcp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt" -j DNAT --to-destination 10.1.1.207:xxxx
[0:0] -A zone_wan_prerouting -p udp -m udp --dport xxxx -m comment --comment "!fw3: MineOS_Mgmt" -j DNAT --to-destination 10.1.1.207:xxxx
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
# Generated by iptables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*mangle
Part 2:
:PREROUTING ACCEPT [1178852:1276034169]
:INPUT ACCEPT [95328:30720989]
:FORWARD ACCEPT [1219189:1303795917]
:OUTPUT ACCEPT [211617:17438878]
:POSTROUTING ACCEPT [1430407:1321216222]
[6471:385216] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6467:383552] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
# Generated by iptables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*filter
:INPUT ACCEPT [1:83]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1037:93507] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[94297:30626697] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[5586:554125] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2780:113992] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[73801:29019040] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[14910:1053532] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[1219189:1303795917] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1193623:1301224576] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[25566:2571341] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[25446:2564671] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
[1037:93507] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[210559:17344495] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[22144:2830303] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[187896:14452519] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[519:61673] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[4696:194695] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[136:26659] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2780:113992] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1344910:1312635800] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[1193623:1301224576] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[1193623:1301224576] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[26:12862] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[1157014:1298183281] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[73801:29019040] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[73801:29019040] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[187896:14452519] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[187896:14452519] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[73800:29018957] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[372:17298] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[36730:3072808] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[25566:2571341] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[120:6670] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[25446:2564671] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[14910:1053532] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[9789:821774] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[289:10404] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[4832:221354] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[519:61673] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[519:61673] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[4832:221354] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
# Generated by ip6tables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*nat
:PREROUTING ACCEPT [23735:4697466]
:INPUT ACCEPT [22:4984]
:OUTPUT ACCEPT [306:38842]
:POSTROUTING ACCEPT [24004:4727326]
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
# Generated by ip6tables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*mangle
:PREROUTING ACCEPT [156610:42821791]
:INPUT ACCEPT [52279:25771495]
:FORWARD ACCEPT [198512:72765558]
:OUTPUT ACCEPT [195639:18769548]
:POSTROUTING ACCEPT [393150:91461630]
[9053:722624] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6547:498568] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
# Generated by ip6tables-save v1.8.4 on Wed Nov 4 08:52:03 2020
*filter
:INPUT ACCEPT [9:1264]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[184:20658] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[52095:25750837] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[111:13872] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[49469:25551957] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2515:185008] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[198508:72762415] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[167882:67520355] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[30626:5242060] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[30469:5228186] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[157:13874] -A FORWARD -m comment --comment "!fw3" -j reject
[184:20658] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[195455:18748890] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[56:6288] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[192553:18528570] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[2846:214032] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[142:12464] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[15:1410] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[310917:77362628] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[167882:67520355] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[0:0] -A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
[167882:67520355] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[118364:58834058] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49469:25551957] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[49469:25551957] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[192553:18528570] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[192553:18528570] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49460:25550693] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[844:59602] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[51520:8840727] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[30626:5242060] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[30626:5242060] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2515:185008] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[20:4320] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1380:99360] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[89:15664] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[1026:65664] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[2846:214032] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[2846:214032] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov 4 08:52:03 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 10.1.1.1/24 brd 10.1.1.255 scope global br-lan
valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet xxx.xxx.176.97/22 brd xxx.xxx.179.255 scope global eth0.2
valid_lft forever preferred_lft forever
default via xxx.xxx.176.1 dev eth0.2 src xxx.xxx.176.97
xxx.xxx.176.0/22 dev eth0.2 scope link src xxx.xxx.176.97
10.1.1.0/24 dev br-lan scope link src 10.1.1.1
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast xxx.xxx.176.0 dev eth0.2 table local scope link src xxx.xxx.176.97
local xxx.xxx.176.97 dev eth0.2 table local scope host src xxx.xxx.176.97
broadcast xxx.xxx.179.255 dev eth0.2 table local scope link src xxx.xxx.176.97
broadcast 10.1.1.0 dev br-lan table local scope link src 10.1.1.1
local 10.1.1.1 dev br-lan table local scope host src 10.1.1.1
broadcast 10.1.1.255 dev br-lan table local scope link src 10.1.1.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::a02:8eff:fe94:1296/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::a02:8eff:fe94:1295/64 scope link
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 xxxx:xxxx:xxxx:xxxx::1/64 scope global dynamic
valid_lft 2490sec preferred_lft 2490sec
inet6 xxxx:xxxx:xxxx::1/60 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a02:8eff:fe94:1295/64 scope link
valid_lft forever preferred_lft forever
12: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 xxxx:xxxx:xxxx:xxxx:a02:8eff:fe94:1296/64 scope global dynamic
valid_lft 3086sec preferred_lft 3086sec
inet6 xxxx:xxxx:xxxx:xxxx::48/128 scope global dynamic
valid_lft 2490sec preferred_lft 2490sec
inet6 fe80::a02:8eff:fe94:1296/64 scope link
valid_lft forever preferred_lft forever
15: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::a02:8eff:fe94:1297/64 scope link
valid_lft forever preferred_lft forever
16: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 fe80::a02:8eff:fe94:1298/64 scope link
valid_lft forever preferred_lft forever
default from xxxx:xxxx:xxxx:xxxx::48 via fe80::6e63:9cff:fea1:9220 dev eth0.2 metric 512
default from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2 metric 512
default from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2 metric 512
xxxx:xxxx:xxxx:xxxx::/60 from xxxx:xxxx:xxxx:xxxx::48 via fe80::6e63:9cff:fea1:9220 dev eth0.2 metric 384
xxxx:xxxx:xxxx:xxxx::/60 from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2 metric 384
xxxx:xxxx:xxxx:xxxx::/60 from xxxx:xxxx:xxxx:xxxx::/64 via fe80::6e63:9cff:fea1:9220 dev eth0.2 metric 384
xxxx:xxxx:xxxx:xxxx::/64 dev eth0.2 metric 256
xxxx:xxxx:xxxx:xxxx::/64 dev br-lan metric 1024
unreachable xxxx:xxxx:xxxx:xxxx::/64 dev lo metric 2147483647
xxxx:xxxx:xxxx::/64 dev br-lan metric 1024
unreachable xxxx:xxxx:xxxx::/48 dev lo metric 2147483647
fe80::/64 dev eth1 metric 256
fe80::/64 dev eth0.2 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev eth0 metric 256
fe80::/64 dev wlan1 metric 256
fe80::/64 dev wlan0 metric 256
local ::1 dev lo table local metric 0
anycast xxxx:xxxx:xxxx:xxxx:: dev eth0.2 table local metric 0
local xxxx:xxxx:xxxx:xxxx::48 dev eth0.2 table local metric 0
local xxxx:xxxx:xxxx:xxxx:a02:8eff:fe94:1296 dev eth0.2 table local metric 0
anycast xxxx:xxxx:xxxx:xxxx:: dev br-lan table local metric 0
local xxxx:xxxx:xxxx:xxxx::1 dev br-lan table local metric 0
anycast xxxx:xxxx:xxxx:: dev br-lan table local metric 0
local xxxx:xxxx:xxxx::1 dev br-lan table local metric 0
anycast fe80:: dev eth1 table local metric 0
anycast fe80:: dev eth0 table local metric 0
anycast fe80:: dev eth0.2 table local metric 0
anycast fe80:: dev br-lan table local metric 0
anycast fe80:: dev wlan0 table local metric 0
anycast fe80:: dev wlan1 table local metric 0
local fe80::a02:8eff:fe94:1295 dev eth1 table local metric 0
local fe80::a02:8eff:fe94:1295 dev br-lan table local metric 0
local fe80::a02:8eff:fe94:1296 dev eth0 table local metric 0
local fe80::a02:8eff:fe94:1296 dev eth0.2 table local metric 0
local fe80::a02:8eff:fe94:1297 dev wlan0 table local metric 0
local fe80::a02:8eff:fe94:1298 dev wlan1 table local metric 0
ff00::/8 dev eth1 table local metric 256
ff00::/8 dev br-lan table local metric 256
ff00::/8 dev eth0.2 table local metric 256
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev wlan1 table local metric 256
ff00::/8 dev wlan0 table local metric 256
0: from all lookup local
32766: from all lookup main
4200000000: from xxxx:xxxx:xxxx:xxxx::1/64 iif br-lan lookup unspec unreachable
4200000001: from all iif lo lookup unspec 12
4200000010: from all iif br-lan lookup unspec 12
4200000012: from all iif eth0.2 lookup unspec 12
4200000012: from all iif eth0.2 lookup unspec 12
Time restriction seems to be broken on snapshots:
Time/day of week firewall rules not working correctly
A possible workaround:
# Appends a loop to /etc/firewall.user. For both iptables and ip6tables, and for
# each listed MAC, the loop adds a REJECT rule to the custom chain
# forwarding_lan_rule that matches 00:00-07:00 on Mon-Fri
# (--kerneltz: evaluate the window in the kernel time zone instead of UTC).
# The quoted "EOF" keeps ${IPT} and ${MAC} literal here; they are only expanded
# when firewall.user itself is executed.
# The two MAC addresses are placeholders; replace them with the devices to restrict.
# ">>" appends: running this snippet a second time writes the loop again and the
# rules are then installed twice, so check /etc/firewall.user before re-running.
# NOTE(review): -m mac matches the source MAC the client itself presents, so this
# is a convenience control, not an enforcement boundary; a device that shows up
# with a different MAC (for example OS-level MAC randomisation) is not covered.
# After a firewall restart, confirm the rules match with `iptables-save -c` and
# `ip6tables-save -c` (non-zero counters once the time window has been active).
cat << "EOF" >> /etc/firewall.user
for IPT in iptables ip6tables
do for MAC in 11:22:33:44:55:66 aa:bb:cc:dd:ee:ff
do ${IPT} -A forwarding_lan_rule -p all \
-m mac --mac-source ${MAC} \
-m time --timestart 00:00:00 --timestop 07:00:00 \
--weekdays Mon,Tue,Wed,Thu,Fri --kerneltz \
-m comment --comment "!fw3: Restrict-Internet" -j REJECT
done
done
EOF
i haven't looked in detail but i see that you are trying to make it time-based - well day of the week based. as a first punt i would bet that it's because fw3 is broken and does not handle weekday-based rules properly.
no idea how patches are handled in openwrt but there seems to be little interest in reviewing or merging this: https://patchwork.ozlabs.org/project/openwrt/patch/20200923220836.18537-1-facboy@gmail.com/
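Only one day from each rule is actually applied: in the dump above, the "Kids Weekend" rules carry only `--weekdays Fri` and the "Kid Weekday" rules only `--weekdays Mon`, so on every other day the restriction silently does not apply. This is probably related to the bug mentioned before.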
You can try to copy paste the rules and use only one day in each one as a workaround until a proper solution is applied.
Can I manually edit the iptable and manually put it in?
I did an "iptables-save > dmp.txt" then edited the file to add a rule for each MAC for each day.
Once done, can I just "iptables-restore < dmp.txt"?
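It would be more reliable, more compact, and easier to modify and troubleshoot if you use the workaround mentioned above. Rules loaded with iptables-restore exist only in the running kernel tables; the firewall service rebuilds the ruleset from /etc/config/firewall and /etc/firewall.user on restart, so hand-restored rules are gone after the next firewall restart or reboot.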
I've updated the code to support multiple MAC addresses.
Actually, there's a better workaround.
Just replace the option `weekdays` with `extra`:
# Moves the day list from the "weekdays" option to "extra" on the last two
# "rule" sections of the firewall config (@rule[-2] = second to last,
# @rule[-1] = last). Per the thread, "weekdays" is not handled correctly on this
# snapshot, while the text in "extra" ends up in the generated rule as written.
# NOTE(review): the negative indexes only hit the time rules if those really are
# the last two rule sections; check with `uci show firewall` first, otherwise an
# unrelated rule loses its weekdays option and receives the extra match instead.
# -q keeps uci quiet if a rule has no weekdays option to delete.
uci -q delete firewall.@rule[-2].weekdays
uci -q delete firewall.@rule[-1].weekdays
uci set firewall.@rule[-2].extra="--weekdays Fri,Sat"
uci set firewall.@rule[-1].extra="--weekdays Sun,Mon,Tue,Wed,Thu"
# Write the staged changes to the config file, then rebuild the ruleset so they
# take effect.
uci commit firewall
/etc/init.d/firewall restart
@vgaetera I do appreciate the help! But... I really don't follow exactly what I need to do to take my existing rules and programmatically add each day. Do I just run the 4 lines from the CLI that you posted yesterday or do I need to, somehow, add those lines to the previous set you sent? I have not yet done anything for fear of breaking something.
He means that the option `weekdays` doesn't work. As a workaround you can use the `extra` option, where you can fill in "--weekdays Fri,Sat" on the first rule and "--weekdays Sun,Mon,Tue,Wed,Thu" on the second.
The latest workaround is preferable, I've adapted it for your config.
You can post the resulting firewall config, so we can verify it.
I just ran those commands. It does not look like it worked as there is only one rule per each MAC for the weekday and weekend rules. Wasn't it supposed to generate one rule for each day for each mac?
From iptables-save > test.txt
...
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 00:00:00 --timestop 07:00:00 --weekdays Fri,Sat --kerneltz -m comment --comment "!fw3: Kids Weekend " -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p tcp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
-A zone_lan_forward -p udp -m mac --mac-source xx:xx:xx:xx:xx:xx -m time --timestart 22:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Sun --kerneltz -m comment --comment "!fw3: Kid Weekday" -j zone_wan_dest_REJECT
...
ip6tables-save looks similar.
I wonder if a bug in fw3 is why it didn't work in ddwrt, either. It has been years since it worked in ddwrt as well.
Edit - I went in and edited the /etc/config/firewall to create a rule for each day then ran:
uci commit firewall
/etc/init.d/firewall restart
and it spit this back:
...
* Populating IPv4 filter table
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Kids Friday'
* Rule 'Kids Saturday'
* Rule 'Kid Sunday'
* Rule 'Kid Monday'
* Rule 'Kid Tuesday'
* Rule 'Kid Wednesday'
* Rule 'Kid Thursday'
...
* Populating IPv6 filter table
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule 'Allow-IPSec-ESP'
* Rule 'Allow-ISAKMP'
* Rule 'Kids Friday'
* Rule 'Kids Saturday'
* Rule 'Kids Sunday'
* Rule 'Kids Monday'
* Rule 'Kids Tuesday'
* Rule 'Kids Wednesday'
* Rule 'Kids Thursday'
...
It looks correct to me. One rule is spanning over multiple days.
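BTW, use `iptables-save -c` to also check the hits per rule. A time rule whose counters stay at [0:0] after its window has been active is not matching any traffic.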
Just to close this out... I was unable to get any success with the scripts. Probably my fault, but was unable to.
What did work was editing the /etc/config/firewall to create a rule for each day (m,t,w,h,f,s,s) but for multiple MACs. Then 'commit' then 'restart' (as above). This works. I can go to sleep when I want to and rest assured that the internet will turn off for the kids. Maybe, in the future, you will be able to have multiple days in a single rule, but not yet. I was unable to build an image to test the patch that @facboy posted.