Maybe important (but I don't think so):
Using LEDE 17.01.5 with MWAN3
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether f4:f2:6d:52:95:03 brd ff:ff:ff:ff:ff:ff
inet6 fe80::f6f2:6dff:fe52:9503/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
link/ether f4:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd22:5fd8:c23c::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::f6f2:6dff:fe52:9502/64 scope link
valid_lft forever preferred_lft forever
6: eth0.3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f4:f2:6d:52:95:03 brd ff:ff:ff:ff:ff:ff
inet 192.168.8.100/24 brd 192.168.8.255 scope global eth0.3
valid_lft forever preferred_lft forever
inet6 fe80::f6f2:6dff:fe52:9503/64 scope link
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
link/ether f4:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
inet6 fe80::f6f2:6dff:fe52:9502/64 scope link
valid_lft forever preferred_lft forever
10: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether f6:f2:6d:52:95:02 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global wlan0-1
valid_lft forever preferred_lft forever
inet6 fe80::f4f2:6dff:fe52:9502/64 scope link
valid_lft forever preferred_lft forever
17: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 91.148.136.161 peer 91.148.136.0/32 scope global pppoe-wan
valid_lft forever preferred_lft forever
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 192.168.10.1/24 brd 192.168.10.255 scope global tun0
valid_lft forever preferred_lft forever
ip route show
default via 91.148.136.0 dev pppoe-wan proto static metric 10
default via 192.168.8.1 dev eth0.3 proto static src 192.168.8.100 metric 20
91.148.136.0 dev pppoe-wan proto kernel scope link src 91.148.136.161
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev wlan0-1 proto kernel scope link src 192.168.2.1
192.168.8.0/24 dev eth0.3 proto static scope link metric 20
192.168.8.1 dev eth0.3 proto static scope link src 192.168.8.100 metric 20
192.168.10.0/24 dev tun0 proto kernel scope link src 192.168.10.1
ip rule show
0: from all lookup local
1001: from all iif pppoe-wan lookup main
1002: from all iif eth0.3 lookup main
2001: from all fwmark 0x100/0xff00 lookup 1
2002: from all fwmark 0x200/0xff00 lookup 2
2253: from all fwmark 0xfd00/0xff00 blackhole
2254: from all fwmark 0xfe00/0xff00 unreachable
32766: from all lookup main
32767: from all lookup default
iptables-save
# Generated by iptables-save v1.4.21 on Sat Aug 3 08:02:37 2019
# nat table: address translation for the firewall zones lan, wan, guest and vpn.
# Rules tagged with a "!fw3" comment are the ones written by the fw3 firewall;
# the *_rule chains are the user hooks each zone chain jumps to first.
*nat
:PREROUTING ACCEPT [12:2146]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:55]
:POSTROUTING ACCEPT [1:55]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
# PREROUTING: dispatch by ingress interface to the per-zone chain.
# NOTE(review): tun0 is dispatched to both zone_lan_prerouting and
# zone_vpn_prerouting, i.e. the tunnel interface is a member of two zones.
# Confirm that this double membership is intended.
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.3 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
# POSTROUTING: dispatch by egress interface. tun0 again maps to both the lan
# and the vpn zone chain.
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.3 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
-A zone_guest_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
# NAT reflection, return half: LAN-sourced traffic to 192.168.1.160:443 is
# rewritten to come from 192.168.1.1, so the target replies via the router.
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.160/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Dreambox (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.160/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: Dreambox (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
# NAT reflection, forward half: LAN clients that connect to either WAN address
# (91.148.136.161 or 192.168.8.100) on port 25443 are redirected to
# 192.168.1.160:443. These rules match any 192.168.1.0/24 source; the
# single-source restriction of the WAN port forward does not apply here.
-A zone_lan_prerouting -s 192.168.1.0/24 -d 91.148.136.161/32 -p tcp -m tcp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 91.148.136.161/32 -p udp -m udp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.8.100/32 -p tcp -m tcp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.8.100/32 -p udp -m udp --dport 25443 -m comment --comment "!fw3: Dreambox (reflection)" -j DNAT --to-destination 192.168.1.160:443
-A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
# Everything that reaches the end of the vpn zone chain (egress tun0) is masqueraded.
-A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
# Everything leaving through a wan zone interface is masqueraded.
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
# Port forward from the wan zone: only source 37.221.197.244 is translated from
# port 25443 to 192.168.1.160:443, for both TCP and UDP.
# NOTE(review): if the service on port 443 is TCP-only, the UDP forward is
# unneeded exposure. Confirm which protocols the target actually uses.
-A zone_wan_prerouting -s 37.221.197.244/32 -p tcp -m tcp --dport 25443 -m comment --comment "!fw3: Dreambox" -j DNAT --to-destination 192.168.1.160:443
-A zone_wan_prerouting -s 37.221.197.244/32 -p udp -m udp --dport 25443 -m comment --comment "!fw3: Dreambox" -j DNAT --to-destination 192.168.1.160:443
COMMIT
# Completed on Sat Aug 3 08:02:37 2019
# Generated by iptables-save v1.4.21 on Sat Aug 3 08:02:37 2019
# mangle table: fw3 MSS clamping plus the mwan3 policy-routing marks.
# mwan3 works on the 0xff00 bits of the packet mark. Per the "ip rule show"
# output in this post, mark 0x100 selects routing table 1 and 0x200 table 2,
# 0xfd00 is blackholed and 0xfe00 is unreachable. 0xff00 matches none of those
# fwmark rules and therefore falls through to the main table.
*mangle
:PREROUTING ACCEPT [92:10609]
:INPUT ACCEPT [65:4640]
:FORWARD ACCEPT [16:3927]
:OUTPUT ACCEPT [89:17345]
:POSTROUTING ACCEPT [105:21272]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wan - [0:0]
:mwan3_iface_in_wan2 - [0:0]
:mwan3_iface_out_wan - [0:0]
:mwan3_iface_out_wan2 - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_ifaces_out - [0:0]
:mwan3_policy_balanced - [0:0]
:mwan3_policy_wan2_only - [0:0]
:mwan3_policy_wan2_wan - [0:0]
:mwan3_policy_wan_only - [0:0]
:mwan3_policy_wan_wan2 - [0:0]
:mwan3_rule_Laptop_Roland - [0:0]
:mwan3_rule_MC_Kueche - [0:0]
:mwan3_rule_MC_Master - [0:0]
:mwan3_rules - [0:0]
# Every packet entering PREROUTING (and OUTPUT, further down) passes through mwan3_hook.
-A PREROUTING -j mwan3_hook
# Clamp the TCP MSS to the path MTU on SYN packets forwarded out of the wan
# zone interfaces and out of tun0. For tun0 such SYNs are also logged, limited
# to 100 log entries per second.
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m limit --limit 100/sec -m comment --comment "!fw3: vpn (mtu_fix logging)" -j LOG --log-prefix "MSSFIX(vpn): "
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: vpn (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j mwan3_hook
# Destinations listed in the mwan3_connected ipset get mark 0xff00.
-A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0xff00/0xff00
# mwan3_hook: restore the mark saved on the connection; only while the 0xff00
# bits are still zero, walk ifaces_in, connected, ifaces_out and rules in that
# order; then save the result back to conntrack. The last rule runs after the
# save, so it changes only the packet mark: anything not already 0xff00 is
# checked against the mwan3_connected set once more.
-A mwan3_hook -j CONNMARK --restore-mark --nfmask 0xff00 --ctmask 0xff00
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_ifaces_in
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_connected
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_ifaces_out
-A mwan3_hook -m mark --mark 0x0/0xff00 -j mwan3_rules
-A mwan3_hook -j CONNMARK --save-mark --nfmask 0xff00 --ctmask 0xff00
-A mwan3_hook -m mark ! --mark 0xff00/0xff00 -j mwan3_connected
# Inbound traffic: unmarked packets arriving on pppoe-wan are tagged 0x100 and
# those arriving on eth0.3 are tagged 0x200, unless their source is in the
# mwan3_connected set, in which case they get 0xff00.
-A mwan3_iface_in_wan -i pppoe-wan -m set --match-set mwan3_connected src -m mark --mark 0x0/0xff00 -m comment --comment default -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_in_wan -i pppoe-wan -m mark --mark 0x0/0xff00 -m comment --comment wan -j MARK --set-xmark 0x100/0xff00
-A mwan3_iface_in_wan2 -i eth0.3 -m set --match-set mwan3_connected src -m mark --mark 0x0/0xff00 -m comment --comment default -j MARK --set-xmark 0xff00/0xff00
-A mwan3_iface_in_wan2 -i eth0.3 -m mark --mark 0x0/0xff00 -m comment --comment wan2 -j MARK --set-xmark 0x200/0xff00
# Traffic whose source address is one of the router's own WAN addresses is
# tagged for the matching WAN.
-A mwan3_iface_out_wan -s 91.148.136.161/32 -m mark --mark 0x0/0xff00 -m comment --comment wan -j MARK --set-xmark 0x100/0xff00
-A mwan3_iface_out_wan2 -s 192.168.8.100/32 -m mark --mark 0x0/0xff00 -m comment --comment wan2 -j MARK --set-xmark 0x200/0xff00
-A mwan3_ifaces_in -m mark --mark 0x0/0xff00 -j mwan3_iface_in_wan
-A mwan3_ifaces_in -m mark --mark 0x0/0xff00 -j mwan3_iface_in_wan2
-A mwan3_ifaces_out -m mark --mark 0x0/0xff00 -j mwan3_iface_out_wan
-A mwan3_ifaces_out -m mark --mark 0x0/0xff00 -j mwan3_iface_out_wan2
# Policy chains. "balanced" sends unmarked packets to wan2 with probability
# ~0.4 and the remainder to wan. The comment strings look like
# "<iface> <weight> <running total>" (2 of 5 matches the 0.4) - confirm.
# wan2_wan and wan_wan2 each hold a single member rule in this dump;
# presumably the second member is installed only on failover - confirm.
-A mwan3_policy_balanced -m mark --mark 0x0/0xff00 -m statistic --mode random --probability 0.39999999991 -m comment --comment "wan2 2 5" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_balanced -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_wan2_only -m mark --mark 0x0/0xff00 -m comment --comment "wan2 2 2" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_wan2_wan -m mark --mark 0x0/0xff00 -m comment --comment "wan2 2 2" -j MARK --set-xmark 0x200/0xff00
-A mwan3_policy_wan_only -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
-A mwan3_policy_wan_wan2 -m mark --mark 0x0/0xff00 -m comment --comment "wan 3 3" -j MARK --set-xmark 0x100/0xff00
# Sticky rule chains (same pattern for all three hosts): tentatively mark
# 0x200, reset the mark to zero when the packet is not in the rule's sticky
# ipset, apply mwan3_policy_wan2_only if still unmarked, then delete and re-add
# the set entry (presumably to refresh its timeout - confirm). The set update
# is skipped for marks that have all of the 0xfc00 bits set.
-A mwan3_rule_Laptop_Roland -m mark --mark 0x0/0xff00 -j MARK --set-xmark 0x200/0xff00
-A mwan3_rule_Laptop_Roland -m mark --mark 0x200/0xff00 -m set ! --match-set mwan3_sticky_Laptop_Roland src,src -j MARK --set-xmark 0x0/0xff00
-A mwan3_rule_Laptop_Roland -m mark --mark 0x0/0xff00 -j mwan3_policy_wan2_only
-A mwan3_rule_Laptop_Roland -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_Laptop_Roland src,src
-A mwan3_rule_Laptop_Roland -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_Laptop_Roland src,src
-A mwan3_rule_MC_Kueche -m mark --mark 0x0/0xff00 -j MARK --set-xmark 0x200/0xff00
-A mwan3_rule_MC_Kueche -m mark --mark 0x200/0xff00 -m set ! --match-set mwan3_sticky_MC_Kueche src,src -j MARK --set-xmark 0x0/0xff00
-A mwan3_rule_MC_Kueche -m mark --mark 0x0/0xff00 -j mwan3_policy_wan2_only
-A mwan3_rule_MC_Kueche -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_MC_Kueche src,src
-A mwan3_rule_MC_Kueche -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_MC_Kueche src,src
-A mwan3_rule_MC_Master -m mark --mark 0x0/0xff00 -j MARK --set-xmark 0x200/0xff00
-A mwan3_rule_MC_Master -m mark --mark 0x200/0xff00 -m set ! --match-set mwan3_sticky_MC_Master src,src -j MARK --set-xmark 0x0/0xff00
-A mwan3_rule_MC_Master -m mark --mark 0x0/0xff00 -j mwan3_policy_wan2_only
-A mwan3_rule_MC_Master -m mark ! --mark 0xfc00/0xfc00 -j SET --del-set mwan3_sticky_MC_Master src,src
-A mwan3_rule_MC_Master -m mark ! --mark 0xfc00/0xfc00 -j SET --add-set mwan3_sticky_MC_Master src,src
# User rules, evaluated top to bottom; each one applies only while the 0xff00
# bits are still zero, so order matters. Three single hosts and any destination
# in the "dreambox" ipset are steered to wan2; the rest of 192.168.1.0/24 uses
# wan_wan2 and the guest network 192.168.2.0/24 uses wan_only.
-A mwan3_rules -s 192.168.1.123/32 -m mark --mark 0x0/0xff00 -m comment --comment Laptop_Roland -j mwan3_rule_Laptop_Roland
-A mwan3_rules -m set --match-set dreambox dst -m mark --mark 0x0/0xff00 -m comment --comment Dreambox -j mwan3_policy_wan2_only
-A mwan3_rules -s 192.168.1.134/32 -m mark --mark 0x0/0xff00 -m comment --comment MC_Master -j mwan3_rule_MC_Master
-A mwan3_rules -s 192.168.1.229/32 -m mark --mark 0x0/0xff00 -m comment --comment MC_Kueche -j mwan3_rule_MC_Kueche
-A mwan3_rules -s 192.168.1.0/24 -m mark --mark 0x0/0xff00 -m comment --comment Home -j mwan3_policy_wan_wan2
-A mwan3_rules -s 192.168.2.0/24 -m mark --mark 0x0/0xff00 -m comment --comment Guest -j mwan3_policy_wan_only
COMMIT
# Completed on Sat Aug 3 08:02:37 2019
# Generated by iptables-save v1.4.21 on Sat Aug 3 08:02:37 2019
# filter table: per-zone input/forward/output decisions for lan, wan, guest and vpn.
# NOTE(review): the built-in INPUT and OUTPUT policies are ACCEPT and the INPUT
# chain has no catch-all rule at its end. A packet arriving on an interface
# that none of the "-i" dispatch rules below names would be accepted by policy.
# FORWARD has policy DROP and also ends in an explicit reject.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_dest_REJECT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
# INPUT: loopback and established traffic are accepted first and every bare
# SYN is rate-checked in syn_flood, all before the per-zone dispatch.
# NOTE(review): the OpenVPN rule (UDP 1194) has no interface or source match
# and sits ahead of the zone dispatch, so the port is reachable from every
# interface, including both WANs and the guest network.
# NOTE(review): tun0 is dispatched to zone_lan_input before zone_vpn_input.
# zone_lan_src_ACCEPT accepts NEW and UNTRACKED packets from tun0, so VPN
# peers get the same access to the router itself as LAN hosts.
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.3 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
# FORWARD: established traffic is accepted, then dispatch by ingress interface;
# whatever no zone chain decided is rejected by the last rule.
# NOTE(review): tun0 enters zone_lan_forward first. In that chain a new
# connection from tun0 towards br-lan matches neither the wan nor the vpn
# destination accept and then hits zone_lan_dest_REJECT, so it never reaches
# the "forwarding vpn -> lan" rule in zone_vpn_forward. Check whether tun0
# should belong to the lan zone at all.
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.3 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i wlan0-1 -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
-A FORWARD -m comment --comment "!fw3" -j reject
# OUTPUT: router-originated traffic, dispatched by egress interface.
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.3 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o wlan0-1 -m comment --comment "!fw3" -j zone_guest_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
# reject: TCP gets a reset, everything else an ICMP port-unreachable.
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
# syn_flood: bare SYNs within 25/s (burst 50) return to INPUT; the excess is dropped.
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
# guest zone (wlan0-1): forwarding is allowed to the wan zone only; towards the
# router only DNS and DHCP ports are accepted, everything else is rejected.
# NOTE(review): the DHCP rule also exists for TCP 67:68; DHCP runs over UDP,
# so the TCP rule is presumably a by-product of a "tcp udp" rule - confirm.
-A zone_guest_dest_ACCEPT -o wlan0-1 -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_REJECT -o wlan0-1 -m comment --comment "!fw3" -j reject
-A zone_guest_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: forwarding guest -> wan" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
-A zone_guest_input -m comment --comment "!fw3: user chain for input" -j input_guest_rule
-A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Guest DNS" -j ACCEPT
-A zone_guest_input -p tcp -m tcp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_guest_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: Guest DHCP" -j ACCEPT
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
-A zone_guest_output -m comment --comment "!fw3: user chain for output" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_REJECT -i wlan0-1 -m comment --comment "!fw3" -j reject
# lan zone (br-lan and tun0): input from both interfaces is accepted;
# forwarding is allowed to the wan and vpn zones and for DNAT'ed connections,
# and rejected when the destination is another lan zone interface.
-A zone_lan_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_lan_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_REJECT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
# vpn zone (tun0): packets in conntrack state INVALID are dropped before the
# accept towards tun0; the zone's forward chain allows lan and wan destinations.
-A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
-A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
-A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
-A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
-A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
-A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
# wan zone (pppoe-wan, eth0, eth0.3): outbound INVALID-state packets are
# dropped before the accept; unsolicited inbound traffic is rejected except
# for the listed exceptions and DNAT'ed connections.
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth0.3 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o eth0.3 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_dest_REJECT -o eth0.3 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
# NOTE(review): ESP and UDP 500 arriving from the wan zone are forwarded to any
# lan zone destination (br-lan or tun0). If no IPsec endpoint sits behind the
# router these two accepts can presumably be removed - confirm.
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
# Router services reachable from the wan zone: UDP 68, ICMP echo request and IGMP.
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
-A zone_wan_src_REJECT -i eth0.3 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Aug 3 08:02:37 2019