Multi-instance OpenVPN binds incorrect DNS servers from other instance tunnels

Hi there,

I'm battling a strange issue that I can't get my head around.

I currently have a Linksys WRT1900ACS running the latest OpenWrt 18.6.4. On this router I have successfully configured 3 separate instances of OpenVPN, with each tunnel connecting to ExpressVPN servers in the USA, Canada and the UK.

The idea of this setup is to allow different TVs and other devices to simultaneously stream from various regions, and to be able to toggle each device easily between regions via policy-based routing. It actually works really well... but severe DNS leaks are killing its usefulness.

If I run only a single VPN instance and direct clients through this single tun1 interface, all is good - no DNS leaks. (e.g. no-resolve directives / list server entries that override /etc/resolv.conf.auto take care of the usual leak issues in OpenWrt.)

However..

If I run 2 or more ovpn instances and direct further clients to these respective tun2 and tun3 interfaces, VERY strange things happen....

DNS leak tests show some pretty weird results: each tun interface correctly tunnels to its respective country, but each tunnel weirdly gets assigned DNS servers from one of the other VPN tunnels, and this only happens when other instances are started.

i.e. the USA VPN shows it is using servers from Canada, the Canada VPN shows it's using DNS servers in the UK, and the UK VPN tries to use servers based in the USA. This seems to vary depending on the order the instances are started in.

If I close down 2 instances of openvpn, the wrong DNS servers still remain in use on the third. Only a restart of ovpn resets the correct DNS servers for the single remaining instance.

When running multiple instances, each VPN tunnel only appropriates servers from one other tunnel, never two.

I've checked and re-checked all my obvious configs, and even rebuilt the whole thing from scratch twice... same behaviour results.

I'm racking my brain over how to solve this one! Any help would be really appreciated as I've spent days on this. All tunnels exit from the same WAN firewall zone, and it's as though that's where things are getting jumbled. I've tried splitting each tunnel into its own firewall zone but this made zero difference.

The only relevant packages that comprise this setup are the latest openvpn-ssl, dnsmasq-full and the vpn-policy-routing package from stangri's repo.

Thanks in advance for any help you may be able to share.

How do you classify the traffic for each DNS to be using the appropriate VPN tunnel?

  • Make an SSID for each VPN
  • Setup IP rules (policy-based routing) to send traffic to each VPN
  • Use DHCP Option No. 6 on each SSID Interface to issue the DNS servers you desire

Thanks for your suggestion lleachii. I'm already aware of that particular multiple-SSID solution (I was actually using it previously) but unfortunately that's not quite what I want to achieve. I want to avoid having to toggle devices between different wifi networks, which is a pain, plus a number of devices are ethernet. I want to manage all this from the one lan-br interface, same as can be done with DD-WRT.


Thanks for your reply Trendy,

I suspect your question may lead to the very point we need to get down into...

To use ExpressVPN or any other VPN provider without leaks, one must direct all DNS queries through the VPN. ExpressVPN further requires that DNS servers be set to Google DNS (and that local DNS from the ISP be blocked via the no-resolve directive etc.). This config then ensures that the VPN server pushes/translates/replaces only these Google IPs with their own secure DNS at the correct location.

If any other DNS servers aside from Google are in the mix, there will be leaks. This setup using only Google DNS all works perfectly with a single instance of the OpenVPN client and I've been using this trouble-free for years. What appears to be happening is that the "substituted" DNS servers from each tunnel are being pushed to the wrong tunnel in a random fashion.

So, I'm thinking perhaps the answer lies in how to isolate DNS traffic between each tunnel when the DNS settings for each tunnel must be effectively set to the same IP, i.e. 8.8.8.8, or how to configure dnsmasq-full to isolate each of its spawned dynamic routing tables that manage the mangling of DNS packets in and out between tunnels, or some combination of the two.

... but I have no idea whether this is a valid thought, or how I might look deeper into this. All ideas appreciated!

First of all, you need to have static routes for the particular nameservers via the designated tunnel. In order to avoid leaks in case the tunnel is down, you can create a blackhole static route.
Second, you can define specific nameservers to resolve specific names.

list server '/tralala.com/100.64.1.1'

If this doesn't fully cover your needs, I am out of ideas.

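To make the two-route idea concrete (a /32 route for the nameserver via its tunnel, plus a blackhole route for the same address at a worse metric), here is an added example that is not code from the thread: a small model of the kernel's IPv4 route selection (longest prefix, then lowest metric, blackhole honoured). Tunnel peers and the WAN gateway are taken from the `ip -4 ro` output posted later in the thread; the per-tunnel nameserver addresses are constructed placeholders, since a destination-based pin only works when each tunnel has its own nameserver address.

```python
"""Constructed model of IPv4 route lookup used to show what a pinned
nameserver route plus a blackhole fallback does when a tunnel drops.
Added example; not code from the thread or from OpenWrt."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                   # destination, e.g. "100.64.1.1/32"
    dev: Optional[str] = None     # egress interface; None for a blackhole
    gateway: Optional[str] = None
    metric: int = 0
    blackhole: bool = False


def lookup(table, dst):
    """Route the kernel would pick: longest matching prefix wins, ties
    broken by the lowest metric, and the earlier entry on a full tie."""
    addr = ipaddress.ip_address(dst)
    best, best_key = None, None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -r.metric)
        if best is None or key > best_key:
            best, best_key = r, key
    return best


def egress(table, dst):
    """Interface a packet to dst leaves on, or 'blackhole' / 'unreachable'."""
    r = lookup(table, dst)
    if r is None:
        return "unreachable"
    return "blackhole" if r.blackhole else r.dev


def tunnel_down(table, dev):
    """When an interface goes away the kernel removes every route bound to
    it; a blackhole route has no device, so it survives and takes over."""
    return [r for r in table if r.dev != dev]


# Constructed per-tunnel nameserver placeholders (not the thread's real values).
NS = {"tun1": "100.64.1.1", "tun2": "100.64.2.1", "tun3": "100.64.3.1"}
# Tunnel peers and WAN gateway as shown in the thread's `ip -4 ro` output.
PEER = {"tun1": "10.47.0.77", "tun2": "10.193.0.49", "tun3": "10.116.0.13"}
WAN_GW = "10.20.22.139"


def build_table(with_blackhole=True):
    """Main table: WAN default route, one /32 pin per tunnel nameserver via
    its tunnel, and optionally a higher-metric blackhole for each pin."""
    table = [Route("0.0.0.0/0", dev="pppoe-wan", gateway=WAN_GW)]
    for dev, ns in NS.items():
        table.append(Route(f"{ns}/32", dev=dev, gateway=PEER[dev], metric=0))
        if with_blackhole:
            table.append(Route(f"{ns}/32", metric=100, blackhole=True))
    return table


def dns_path(with_blackhole, failed_dev=None):
    """Where a query to each tunnel's nameserver egresses, optionally
    after failed_dev has gone down."""
    table = build_table(with_blackhole)
    if failed_dev:
        table = tunnel_down(table, failed_dev)
    return {dev: egress(table, ns) for dev, ns in NS.items()}


if __name__ == "__main__":
    print("all tunnels up:         ", dns_path(True))
    print("tun1 down, no blackhole:", dns_path(False, "tun1"))  # leaks via pppoe-wan
    print("tun1 down, blackhole:   ", dns_path(True, "tun1"))   # query is discarded
```

The iproute2 equivalents of the two entries the model adds for tun1 are `ip route add 100.64.1.1/32 via 10.47.0.77 dev tun1` and `ip route add blackhole 100.64.1.1/32 metric 100`; in uci they are two `config route` sections, the second with `option type 'blackhole'` and a higher `option metric`. Note the limitation the model makes visible: a given nameserver address can be pinned via only one tunnel, so three tunnels that all use 8.8.8.8 cannot be separated by destination routes alone.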

I've been doing some more testing today.

If I run all three instances of OpenVPN, and then issue /etc/init.d/openvpn stop, one of the three DNS servers allocated to the previous tunnels remains stuck to the WAN interface.

A network restart cures this, but in doing so a network restart breaks the running OpenVPN instances and the problem starts all over again. The order that the instances come up seems to determine the pattern of incorrect DNS server allocation.

Are you suggesting that even though there is a static route for a nameserver via a tunnel, by the time the tunnel goes down it is accessible via WAN interface?

Yep, if I move any device from one tun to another, it connects through the correct new tunnel, but the DNS settings don't move over with it, and these previous settings seem to stick. Once a device has been moved between OpenVPN instances at least one time, if I stop all tunnels and move that device back to using WAN, it STILL retains the previous VPN DNS server. Only a network restart makes the correct local WAN DNS bind. I can replicate this over and over; it's got me really confused. But it is very consistent.

That is not exactly what I meant, but anyway.
Can you post here your configuration to check what you have in place? It will provide better insight.

uci show network;uci show wireless; \
uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
ip -6 addr ; ip -6 ro ; ip -6 ru; \
iptables-save; ip6tables-save; \
head -n -0 /etc/firewall.user; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

You can ignore the lines about ipv6 if you don't have such connection.
Please use "Preformatted text </>" for logs, scripts, configs and general console output.


It's the same destination address:

According to DNS leak test, Google DNS performs regional load balancing.

So, the routing policy should be based on the source address.

It can be achieved with different subnets / SSIDs / VLANs / individual DHCP options.


Hi Trendy, thanks so much for taking a look. I notice that in the VPR prerouting section TCP is factored into the routing rules, but NOT UDP or any others. Not sure of the implications of that.

Code is too big to send in one note, so it is split into the next two....
root@router1:~# uci show network;uci show wireless; \

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc6:aa85:14ec::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.proto='static'
network.lan.ipaddr='172.17.8.1'
network.lan.netmask='255.255.254.0'
network.lan.ip6assign='60'
network.lan.ifname='eth0.1'
network.lan.delegate='0'
network.lan.stp='1'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='pppoe'
network.wan.ipv6='0'
network.wan.username='#######@#####'
network.wan.password='#######'
network.wan.delegate='0'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[0].vid='1'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4t 6t'
network.@switch_vlan[1].vid='2'
network.guest=interface
network.guest.proto='static'
network.guest.ipaddr='172.17.1.1'
network.guest.netmask='255.255.255.0'
network.guest.delegate='0'
network.tun1=interface
network.tun1.proto='none'
network.tun1.ifname='tun1'
network.tun1.delegate='0'
network.tun2=interface
network.tun2.proto='none'
network.tun2.ifname='tun2'
network.tun2.delegate='0'
network.tun3=interface
network.tun3.proto='none'
network.tun3.ifname='tun3'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.hwmode='11a'
wireless.radio0.path='soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
wireless.radio0.country='AU'
wireless.radio0.channel='auto'
wireless.radio0.legacy_rates='1'
wireless.radio0.htmode='VHT20'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.mode='ap'
wireless.default_radio0.macaddr='62:38:e0:d8:57:e9'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='#####'
wireless.default_radio0.wpa_disable_eapol_key_retries='1'
wireless.default_radio0.network='lan'
wireless.default_radio0.macfilter='deny'
wireless.default_radio0.maclist='38:1D:D9:BE:14:3C'
wireless.default_radio0.ssid='#Blowfly'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11g'
wireless.radio1.path='soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
wireless.radio1.country='AU'
wireless.radio1.channel='auto'
wireless.radio1.legacy_rates='1'
wireless.radio1.htmode='HT20'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.mode='ap'
wireless.default_radio1.macaddr='62:38:e0:d8:57:e8'
wireless.default_radio1.encryption='psk2'
wireless.default_radio1.key='#####'
wireless.default_radio1.wpa_disable_eapol_key_retries='1'
wireless.default_radio1.network='lan'
wireless.default_radio1.macfilter='deny'
wireless.default_radio1.maclist='B8:27:EB:D8:97:D3'
wireless.default_radio1.ssid='#Blowfly'
wireless.guest=wifi-iface
wireless.guest.device='radio0'
wireless.guest.mode='ap'
wireless.guest.network='guest'
wireless.guest.encryption='psk2+ccmp'
wireless.guest.key='#####'
wireless.guest.ssid='#Ratbag'
root@router1:~# uci show firewall; uci show dhcp; \

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6 tun1 tun2 tun3'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.guest_zone=zone
firewall.guest_zone.name='guest'
firewall.guest_zone.network='guest'
firewall.guest_zone.input='REJECT'
firewall.guest_zone.forward='REJECT'
firewall.guest_zone.output='ACCEPT'
firewall.guest_forwarding=forwarding
firewall.guest_forwarding.src='guest'
firewall.guest_forwarding.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dns.name='Guest DNS Queries'
firewall.guest_dhcp=rule
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.src_port='68'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.target='ACCEPT'
firewall.guest_dhcp.name='Guest DHCP request'
firewall.guest_printer1=rule
firewall.guest_printer1.src='guest'
firewall.guest_printer1.family='ipv4'
firewall.guest_printer1.proto='all'
firewall.guest_printer1.target='ACCEPT'
firewall.guest_printer1.dest_ip='172.17.8.128/25'
firewall.guest_printer1.name='Guest-Allow-Services'
firewall.guest_printer1.dest='lan'
firewall.@rule[12]=rule
firewall.@rule[12].target='ACCEPT'
firewall.@rule[12].src='guest'
firewall.@rule[12].name='Guest-WRT-Mgmt'
firewall.@rule[12].family='ipv4'
firewall.@rule[12].proto='tcp'
firewall.@rule[12].dest_port='22 80 443'
firewall.@rule[12].dest_ip='172.17.8.1'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].name='sip5060'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='172.17.8.6'
firewall.@redirect[0].dest_port='5060'
firewall.@redirect[0].src_dport='5060'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='5061'
firewall.@redirect[1].dest_ip='172.17.8.6'
firewall.@redirect[1].dest_port='5061'
firewall.@redirect[1].name='sip5061'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[2].src_dport='5070'
firewall.@redirect[2].dest_ip='172.17.8.6'
firewall.@redirect[2].dest_port='5070'
firewall.@redirect[2].name='sip5070'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].proto='tcp udp'
firewall.@redirect[3].src_dport='1194'
firewall.@redirect[3].dest_ip='172.17.8.2'
firewall.@redirect[3].dest_port='1194'
firewall.@redirect[3].name='ovpn1194'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].allservers='1'
dhcp.@dnsmasq[0].strictorder='1'
dhcp.@dnsmasq[0].local='/local/'
dhcp.@dnsmasq[0].domain='local'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.limit='253'
dhcp.lan.start='172.17.19.0'
dhcp.lan.leasetime='5m'
dhcp.lan.dhcp_option='6,172.17.8.1' '44,172.17.8.1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.guest=dhcp
dhcp.guest.interface='guest'
dhcp.guest.start='2'
dhcp.guest.limit='252'
dhcp.guest.leasetime='12h'

code 2 of 3

root@router1:~# ip -4 addr ; ip -4 ro ; ip -4 ru; \

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 172.17.8.1/23 brd 172.17.9.255 scope global br-lan
valid_lft forever preferred_lft forever
17: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
inet 220.245.180.72 peer 10.20.22.139/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
23: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.193.0.50 peer 10.193.0.49/32 scope global tun2
valid_lft forever preferred_lft forever
24: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.47.0.78 peer 10.47.0.77/32 scope global tun1
valid_lft forever preferred_lft forever
25: tun3: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
inet 10.116.0.14 peer 10.116.0.13/32 scope global tun3
valid_lft forever preferred_lft forever
26: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet 172.17.1.1/24 brd 172.17.1.255 scope global wlan0-1
valid_lft forever preferred_lft forever
0.0.0.0/1 via 10.116.0.13 dev tun3
0.0.0.0/1 via 10.47.0.77 dev tun1
0.0.0.0/1 via 10.193.0.49 dev tun2
default via 10.20.22.139 dev pppoe-wan proto static
10.20.22.139 dev pppoe-wan proto kernel scope link src 220.245.180.72
10.47.0.1 via 10.47.0.77 dev tun1
10.47.0.77 dev tun1 proto kernel scope link src 10.47.0.78
10.116.0.1 via 10.116.0.13 dev tun3
10.116.0.13 dev tun3 proto kernel scope link src 10.116.0.14
10.193.0.1 via 10.193.0.49 dev tun2
10.193.0.49 dev tun2 proto kernel scope link src 10.193.0.50
45.56.149.62 via 10.20.22.139 dev pppoe-wan
71.19.252.84 via 10.20.22.139 dev pppoe-wan
128.0.0.0/1 via 10.116.0.13 dev tun3
128.0.0.0/1 via 10.47.0.77 dev tun1
128.0.0.0/1 via 10.193.0.49 dev tun2
172.17.1.0/24 dev wlan0-1 proto kernel scope link src 172.17.1.1
172.17.8.0/23 dev br-lan proto kernel scope link src 172.17.8.1
185.43.110.247 via 10.20.22.139 dev pppoe-wan
0: from all lookup local
32734: from all fwmark 0x40000 lookup 204
32735: from all fwmark 0x30000 lookup 203
32736: from all fwmark 0x20000 lookup 202
32737: from all fwmark 0x10000 lookup 201
32766: from all lookup main
32767: from all lookup default
root@router1:~# iptables-save; ip6tables-save; \

Generated by iptables-save v1.6.2 on Thu Sep 12 09:50:14 2019

*nat
:PREROUTING ACCEPT [412:108264]
:INPUT ACCEPT [29:10642]
:OUTPUT ACCEPT [17:1294]
:POSTROUTING ACCEPT [3:1481]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_postrouting
-A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.6/32 -p tcp -m tcp --dport 5060 -m comment --comment "!fw3: sip5060 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.6/32 -p udp -m udp --dport 5060 -m comment --comment "!fw3: sip5060 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.6/32 -p tcp -m tcp --dport 5061 -m comment --comment "!fw3: sip5061 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.6/32 -p udp -m udp --dport 5061 -m comment --comment "!fw3: sip5061 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.6/32 -p tcp -m tcp --dport 5070 -m comment --comment "!fw3: sip5070 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.6/32 -p udp -m udp --dport 5070 -m comment --comment "!fw3: sip5070 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: ovpn1194 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_postrouting -s 172.17.8.0/23 -d 172.17.8.2/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: ovpn1194 (reflection)" -j SNAT --to-source 172.17.8.1
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p tcp -m tcp --dport 5060 -m comment --comment "!fw3: sip5060 (reflection)" -j DNAT --to-destination 172.17.8.6:5060
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p udp -m udp --dport 5060 -m comment --comment "!fw3: sip5060 (reflection)" -j DNAT --to-destination 172.17.8.6:5060
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p tcp -m tcp --dport 5061 -m comment --comment "!fw3: sip5061 (reflection)" -j DNAT --to-destination 172.17.8.6:5061
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p udp -m udp --dport 5061 -m comment --comment "!fw3: sip5061 (reflection)" -j DNAT --to-destination 172.17.8.6:5061
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p tcp -m tcp --dport 5070 -m comment --comment "!fw3: sip5070 (reflection)" -j DNAT --to-destination 172.17.8.6:5070
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p udp -m udp --dport 5070 -m comment --comment "!fw3: sip5070 (reflection)" -j DNAT --to-destination 172.17.8.6:5070
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: ovpn1194 (reflection)" -j DNAT --to-destination 172.17.8.2:119
-A zone_lan_prerouting -s 172.17.8.0/23 -d 220.245.180.72/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: ovpn1194 (reflection)" -j DNAT --to-destination 172.17.8.2:119
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 5060 -m comment --comment "!fw3: sip5060" -j DNAT --to-destination 172.17.8.6:5060
-A zone_wan_prerouting -p udp -m udp --dport 5060 -m comment --comment "!fw3: sip5060" -j DNAT --to-destination 172.17.8.6:5060
-A zone_wan_prerouting -p tcp -m tcp --dport 5061 -m comment --comment "!fw3: sip5061" -j DNAT --to-destination 172.17.8.6:5061
-A zone_wan_prerouting -p udp -m udp --dport 5061 -m comment --comment "!fw3: sip5061" -j DNAT --to-destination 172.17.8.6:5061
-A zone_wan_prerouting -p tcp -m tcp --dport 5070 -m comment --comment "!fw3: sip5070" -j DNAT --to-destination 172.17.8.6:5070
-A zone_wan_prerouting -p udp -m udp --dport 5070 -m comment --comment "!fw3: sip5070" -j DNAT --to-destination 172.17.8.6:5070
-A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: ovpn1194" -j DNAT --to-destination 172.17.8.2:1194
-A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: ovpn1194" -j DNAT --to-destination 172.17.8.2:1194
COMMIT

Completed on Thu Sep 12 09:50:14 2019

Generated by iptables-save v1.6.2 on Thu Sep 12 09:50:14 2019

*mangle
:PREROUTING ACCEPT [13412:7150898]
:INPUT ACCEPT [5359:3454800]
:FORWARD ACCEPT [7914:3631425]
:OUTPUT ACCEPT [4370:858716]
:POSTROUTING ACCEPT [11947:4476699]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
-A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
-A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
-A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
-A VPR_PREROUTING -s 172.17.8.138/32 -p tcp -m comment --comment lgtvbr1-eth -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 172.17.8.132/32 -p tcp -m comment --comment xboxbed1 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 172.17.8.10/32 -p tcp -m comment --comment davidlaptop-wifi -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -s 172.17.8.7/32 -p tcp -m comment --comment mediazilla -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 172.17.8.6/32 -p tcp -m comment --comment voipata -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 172.17.1.0/24 -p tcp -m comment --comment Guest-Lan -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 172.17.9.0/24 -p tcp -m comment --comment DHCP-Lan -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -m set --match-set tun3 dst -j MARK --set-xmark 0x40000/0xff0000
-A VPR_PREROUTING -m set --match-set tun2 dst -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set tun1 dst -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT

Completed on Thu Sep 12 09:50:14 2019

Generated by iptables-save v1.6.2 on Thu Sep 12 09:50:14 2019

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -d 172.17.8.128/25 -m comment --comment "!fw3: Guest-Allow-Services" -j zone_lan_dest_ACCEPT
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS Queries" -j ACCEPT
-A zone_guest_input -p udp -m udp --sport 68 --dport 67 -m comment --comment "!fw3: Guest DHCP request" -j ACCEPT
-A zone_guest_input -d 172.17.8.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: Guest-WRT-Mgmt" -j ACCEPT
-A zone_guest_input -d 172.17.8.1/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Guest-WRT-Mgmt" -j ACCEPT
-A zone_guest_input -d 172.17.8.1/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Guest-WRT-Mgmt" -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun3 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun3 -m comment --comment "!fw3" -j reject
COMMIT

# Completed on Thu Sep 12 09:50:14 2019
# Generated by ip6tables-save v1.6.2 on Thu Sep 12 09:50:14 2019

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT

# Completed on Thu Sep 12 09:50:14 2019
# Generated by ip6tables-save v1.6.2 on Thu Sep 12 09:50:14 2019

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_guest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS Queries" -j ACCEPT
-A zone_guest_input -p udp -m udp --sport 68 --dport 67 -m comment --comment "!fw3: Guest DHCP request" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun1 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o tun3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o tun3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun1 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun2 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o tun3 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun1 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun2 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i tun3 -m comment --comment "!fw3" -j reject
COMMIT

# Completed on Thu Sep 12 09:50:14 2019

Code 3 of 3

root@router1:~# head -n -0 /etc/firewall.user; \

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

root@router1:~# ls -l /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
lrwxrwxrwx 1 root root 16 Jun 27 22:18 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r-- 1 root root 34 Sep 12 09:40 /tmp/resolv.conf
-rw-r--r-- 1 root root 66 Sep 12 09:39 /tmp/resolv.conf.auto
-rw-r--r-- 1 root root 50 Sep 12 09:39 /tmp/resolv.conf.ppp
==> /etc/resolv.conf <==
search local
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search local
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 203.12.160.35
nameserver 203.12.160.36

==> /tmp/resolv.conf.ppp <==
nameserver 203.12.160.35
nameserver 203.12.160.36

I don't think you need the VPR. You can just create a rule in /etc/config/network and a static route for 0.0.0.0/0 to be forwarded to the VPN that you want to use.

config rule
        option in 'lan'
        option src '192.168.1.61/32'
        option lookup '100'

config route
        option interface 'vpn'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option metric '200'
        option table '100'

That is one example. Create more tables (could be 101, 102, etc.). Depending on which table the IP is assigned to in the rule, you will use that tunnel.

You didn't use preformatted text and the code is hard to read...

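The per-client policy routing the reply above describes, carried through for all three tunnels as an added example (this is not code from the thread or from OpenWrt itself). The script prints the `/etc/config/network` sections: one routing table per tunnel, one `config rule` per client pointing at that table, the tunnel's default route inside the table, and, as an addition beyond the reply, a second rule per client with `action 'unreachable'` at a lower priority. The interface names `vpn_us`, `vpn_ca`, `vpn_uk`, the table numbers, the rule priorities and the client addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenWrt's own code.
# Emits /etc/config/network sections for per-client policy routing:
# one routing table per VPN tunnel, one lookup rule per client, and a
# fall-through "unreachable" rule so that a client whose tunnel is down
# is refused instead of silently leaving via the ISP link (main table).
# Assumed names: logical interfaces vpn_us/vpn_ca/vpn_uk, tables 101-103,
# client addresses 192.168.1.x. Rule priorities derive from the table
# number and all sit well below the main-table rule at 32766.

# emit_rule CLIENT TABLE PRIO : route CLIENT's traffic via table TABLE
emit_rule() {
    printf "config rule\n"
    printf "\toption in 'lan'\n"
    printf "\toption src '%s/32'\n" "$1"
    printf "\toption lookup '%s'\n" "$2"
    printf "\toption priority '%s'\n\n" "$3"
}

# emit_killswitch CLIENT PRIO : evaluated only when the lookup rule above it
# found no route (tunnel down, its default route withdrawn by netifd);
# the kernel then answers "unreachable" rather than consulting the main table
emit_killswitch() {
    printf "config rule\n"
    printf "\toption in 'lan'\n"
    printf "\toption src '%s/32'\n" "$1"
    printf "\toption action 'unreachable'\n"
    printf "\toption priority '%s'\n\n" "$2"
}

# emit_default IFACE TABLE : the tunnel's default route inside its own table;
# netifd installs it only while IFACE is up, which is what makes the
# kill-switch rule take over when the tunnel drops
emit_default() {
    printf "config route\n"
    printf "\toption interface '%s'\n" "$1"
    printf "\toption target '0.0.0.0'\n"
    printf "\toption netmask '0.0.0.0'\n"
    printf "\toption table '%s'\n\n" "$2"
}

# pbr_tunnel IFACE TABLE CLIENT... : complete configuration for one tunnel.
# Lookup rules get priority TABLE*10, kill-switch rules TABLE*10+5, so for
# every client the lookup is always evaluated before the refusal.
pbr_tunnel() {
    iface=$1
    table=$2
    shift 2
    lookup_prio=$((table * 10))
    kill_prio=$((table * 10 + 5))
    for client in "$@"; do
        emit_rule "$client" "$table" "$lookup_prio"
        emit_killswitch "$client" "$kill_prio"
    done
    emit_default "$iface" "$table"
}

# pbr_all : the whole mapping; edit this block for your own clients
pbr_all() {
    pbr_tunnel vpn_us 101 192.168.1.61 192.168.1.62
    pbr_tunnel vpn_ca 102 192.168.1.63
    pbr_tunnel vpn_uk 103 192.168.1.64
}

# Running the script prints the sections; append them to /etc/config/network
# and run "/etc/init.d/network reload" on the router.
pbr_all
```

After reloading, `ip rule show` should list the per-client rules at priorities 1010/1015, 1020/1025 and 1030/1035, `ip route show table 101` should contain only the tunnel's default route, and `ip route get 1.1.1.1 from 192.168.1.61 iif br-lan` should name the tunnel interface; stop that tunnel's OpenVPN instance and the same `ip route get` should answer "unreachable" rather than naming the WAN. Note that these rules send everything the client routes through the router, including traffic for other local subnets such as a guest network, into the tunnel table; if that matters, add an earlier rule (lower priority number) for the local destination ranges with `option lookup 'main'`.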

Thanks for your help so far, I've only been using OWRT for < 1 week so I really appreciate it. As streaming services further carve up the world market, successfully running multiple OVPN clients is a great use case... so IMHO worth figuring through.

Static routes may be a reasonable workaround, but then I'd lose the GUI ability to switch between VPNs (e.g. kids watch various things available across numerous Netflix libraries).

I don't think I'm articulating the issue as well as I need to help others help me, so I need to break it down some more.

As such I'm going to build a simpler second router config (with far less config to share!). I'll also leave out dnsmasq-full ipsets for test and comparison, and work my way back from there. I'll come back when I'm done if that's ok?

Thanks

To the best of my knowledge there is no such solution. And it is more complicated because you are trying to use the same service from different geolocations.
Therefore you'll need to manually switch the VPN provider each time you need to change the content.

I am not sure I understand your concern about GUI here.

Thanks for being my sounding board and snapping me out of my laziness :)

Yes, PBR is actually not needed. This setup can actually be reasonably achieved manually. I've actually got it all sorted now... just one last DNS leak to solve. Thanks for your help.