OpenVPN on main wifi, No VPN on guest wifi

andyp · January 22, 2021, 6:17pm

Hi

I am using 19.07.5 on a GL.iNet X750. I am using a 3g/4g internet connection from the device and have OpenVPN configured and working.

I would like to enable a 'guest' wifi which does not use the VPN.

I added the guest wifi (called No VPN) but of course both wifi's are using the VPN.

Any help configuring this much appreciated! BTW, if I 'stop' my OpenVPN connection, I loose internet connection - and I would like to maintain this behavior (so if OpenVPN stops, I get no internet on the VPN wifi) - of course my No VPN wifi should keep working....

Network:


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:89a4:3bb4::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'wwan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'rbi.netspeed.net.nz'
        option modes 'lte'

Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'xxxxxxxxxxxx'
        option encryption 'psk2'
        option ssid 'My VPN'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'xxxxxxxxxxxxxx'
        option ssid 'No VPN'
        option encryption 'psk2'

Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

DHCP:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Thank you!

trendy · January 22, 2021, 7:08pm

You need to do Policy Based Routing and you have 3 options:

mwan3 package
pbr package
a set of rules/routes for each internet connection.

andyp · January 22, 2021, 10:09pm

I have installed mwan3 (and the GUI), but it is not really clear what I should do next.

This is the default mwan3 configuration:

config globals 'globals'
        option mmx_mask '0x3F00'
        option rtmon_interval '5'

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wan6'
        option enabled '0'
        list track_ip '2001:4860:4860::8844'
        list track_ip '2001:4860:4860::8888'
        list track_ip '2620:0:ccd::2'
        list track_ip '2620:0:ccc::2'
        option family 'ipv6'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wanb'
        option enabled '0'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '1'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wanb6'
        option enabled '0'
        list track_ip '2001:4860:4860::8844'
        list track_ip '2001:4860:4860::8888'
        list track_ip '2620:0:ccd::2'
        list track_ip '2620:0:ccc::2'
        option family 'ipv6'
        option reliability '1'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option interface 'wan'
        option metric '2'
        option weight '3'

config member 'wanb_m1_w2'
        option interface 'wanb'
        option metric '1'
        option weight '2'

config member 'wanb_m2_w2'
        option interface 'wanb'
        option metric '2'
        option weight '2'

config member 'wan6_m1_w3'
        option interface 'wan6'
        option metric '1'
        option weight '3'

config member 'wan6_m2_w3'
        option interface 'wan6'
        option metric '2'
        option weight '3'

config member 'wanb6_m1_w2'
        option interface 'wanb6'
        option metric '1'
        option weight '2'

config member 'wanb6_m2_w2'
        option interface 'wanb6'
        option metric '2'
        option weight '2'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        list use_member 'wan6_m1_w3'

config policy 'wanb_only'
        list use_member 'wanb_m1_w2'
        list use_member 'wanb6_m1_w2'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w2'

config policy 'wan_wanb'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m2_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m2_w2'

config policy 'wanb_wan'
        list use_member 'wan_m2_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m2_w3'
        list use_member 'wanb6_m1_w2'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'
        option family 'ipv4'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option use_policy 'balanced'
        option family 'ipv6'

Borromini · January 22, 2021, 11:34pm

You seem to assume it's self-evident, but it's not. It shows your 'guest' WiFi is really just piggybacking on your normal WiFi. There's no separation between both.

You should split out your guest network. All you have, at present, is just another SSID, but it's still on your LAN, just like all your other clients. It's nothing more than a façade at this point. To start, assign a different subnet to your guest network (so you really isolate it from the remainder of your network).

When you have done that you will have a different zone in your firewall for the guest network, and your LAN -> VPN forwarding rule will only apply to the devices on your LAN, not on your guest SSID - that will have its own isolated network.

Check the wiki, it will get you on your way:

andyp · January 23, 2021, 3:23am

Ok, thank you.... So I have set up a true separate guest wifi, with a different subnet. Do I still need mwan3 installed?

Currently, with OpenVPN started, 'My VPN' wifi works, but the 'guest' wifi has no internet connection.
With OpenVPN stopped, neither wifi has internet.

Any help really appreciated

Network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdff:f765:c966::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config interface 'wwan'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option apn 'rbi.netspeed.net.nz'
        option modes 'lte'

config interface 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

Wifi:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'xxxxxxxxx'
        option ssid 'My VPN'
        option encryption 'psk2'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'

config wifi-iface 'guest'
        option device 'radio1'
        option mode 'ap'
        option network 'guest'
        option ssid 'guest'
        option encryption 'none'

Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'tun0'

config forwarding
        option src 'lan'
        option dest 'vpn'


config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone 'guest'
        option name 'guest'
        option network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding 'guest_wan'
        option src 'guest'
        option dest 'wan'

config rule 'guest_dns'
        option name 'Allow-DNS-Guest'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'guest_dhcp'
        option name 'Allow-DHCP-Guest'
        option src 'guest'
        option dest_port '67'
        option family 'ipv4'
        option proto 'udp'
        option target 'ACCEPT'

DHCP:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '1h'

MWAN3:

config globals 'globals'
        option mmx_mask '0x3F00'
        option rtmon_interval '5'
        list rt_table_lookup '1'

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wan6'
        option enabled '0'
        list track_ip '2001:4860:4860::8844'
        list track_ip '2001:4860:4860::8888'
        list track_ip '2620:0:ccd::2'
        list track_ip '2620:0:ccc::2'
        option family 'ipv6'
        option reliability '2'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wanb'
        option enabled '0'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '1'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wanb6'
        option enabled '0'
        list track_ip '2001:4860:4860::8844'
        list track_ip '2001:4860:4860::8888'
        list track_ip '2620:0:ccd::2'
        list track_ip '2620:0:ccc::2'
        option family 'ipv6'
        option reliability '1'
        option count '1'
        option timeout '2'
        option interval '5'
        option down '3'
        option up '8'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option interface 'wan'
        option metric '2'
        option weight '3'

config member 'wanb_m1_w2'
        option interface 'wanb'
        option metric '1'
        option weight '2'

config member 'wanb_m2_w2'
        option interface 'wanb'
        option metric '2'
        option weight '2'

config member 'wan6_m1_w3'
        option interface 'wan6'
        option metric '1'
        option weight '3'

config member 'wan6_m2_w3'
        option interface 'wan6'
        option metric '2'
        option weight '3'

config member 'wanb6_m1_w2'
        option interface 'wanb6'
        option metric '1'
        option weight '2'

config member 'wanb6_m2_w2'
        option interface 'wanb6'
        option metric '2'
        option weight '2'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        list use_member 'wan6_m1_w3'

config policy 'wanb_only'
        list use_member 'wanb_m1_w2'
        list use_member 'wanb6_m1_w2'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m1_w2'

config policy 'wan_wanb'
        list use_member 'wan_m1_w3'
        list use_member 'wanb_m2_w2'
        list use_member 'wan6_m1_w3'
        list use_member 'wanb6_m2_w2'

config policy 'wanb_wan'
        list use_member 'wan_m2_w3'
        list use_member 'wanb_m1_w2'
        list use_member 'wan6_m2_w3'
        list use_member 'wanb6_m1_w2'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'balanced'

config rule 'default_rule_v4'
        option dest_ip '0.0.0.0/0'
        option use_policy 'balanced'
        option family 'ipv4'

config rule 'default_rule_v6'
        option dest_ip '::/0'
        option use_policy 'balanced'
        option family 'ipv6'

vgaetera · January 23, 2021, 3:37am

uci -q delete network.vpn
uci set network.vpn="interface"
uci set network.vpn.proto="none"
uci set network.vpn.ifname="tun0"
uci commit network
/etc/init.d/network restart
sleep 10
/etc/init.d/openvpn restart
opkg update
opkg install vpn-policy-routing
uci set vpn-policy-routing.config.enabled="1"
uci -q delete vpn-policy-routing.config.dest_ipset
uci -q delete vpn-policy-routing.guest_wwan
uci set vpn-policy-routing.guest_wwan="policy"
uci set vpn-policy-routing.guest_wwan.src_addr="192.168.3.0/24"
uci set vpn-policy-routing.guest_wwan.dest_addr="!192.168.0.0/22"
uci set vpn-policy-routing.guest_wwan.interface="wwan"
uci commit vpn-policy-routing
/etc/init.d/vpn-policy-routing restart

andyp · January 23, 2021, 3:56am

Hi - Thank you - So with that I should uninstall mwan3, right?

andyp · January 23, 2021, 4:23am

I ran those commands - error as below:

root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.9.116.147' [✓]
Routing 'blank' via wan [✗]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.x.xxx.xxx
ERROR: Unknown protocol 'dhcp' in policy 'blank'##
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan .
root@OpenWrt:~#

Any ideas where I look to see what is going on?

Thanks again!

andyp · January 23, 2021, 4:26am

I guess the problem is here. List supported interface is blank.

Which interface should be added here - probably 'Guest' (the name of my guest wifi interface)? Thanks!

config vpn-policy-routing 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option src_ipset '0'
	option dest_ipset 'dnsmasq.ipset'
	option ipv6_enabled '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_enable_column '0'
	option webui_protocol_column '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option enabled '1'

config include
	option path '/etc/vpn-policy-routing.netflix.user'
	option enabled '0'

config include
	option path '/etc/vpn-policy-routing.aws.user'
	option enabled '0'

config policy 'wan'
	option src_addr '192.168.3.0/24'
	option interface 'wan'

andyp · January 23, 2021, 4:44am

The device is connected to the internet via 3g/4g wwan.

I ran with wwan instead, and still get the error:

root@OpenWrt:~# uci set vpn-policy-routing.wan="policy"
root@OpenWrt:~# uci set vpn-policy-routing.wan.src_addr="192.168.3.0/24"
root@OpenWrt:~# uci set vpn-policy-routing.wan.interface="wwan"
root@OpenWrt:~# uci commit vpn-policy-routing
root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.9.116.147' [✓]
Routing 'blank' via wwan [✗]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.9.116.147
ERROR: Unknown protocol 'dhcp' in policy 'blank'##
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan .
root@OpenWrt:~#

andyp · January 23, 2021, 5:10am

root@OpenWrt:~# uci show vpn-policy-routing; /etc/init.d/vpn-policy-routing supp
ort
vpn-policy-routing.config=vpn-policy-routing
vpn-policy-routing.config.verbosity='2'
vpn-policy-routing.config.strict_enforcement='1'
vpn-policy-routing.config.src_ipset='0'
vpn-policy-routing.config.dest_ipset='dnsmasq.ipset'
vpn-policy-routing.config.ipv6_enabled='0'
vpn-policy-routing.config.supported_interface=''
vpn-policy-routing.config.ignored_interface='vpnserver wgserver'
vpn-policy-routing.config.boot_timeout='30'
vpn-policy-routing.config.iptables_rule_option='append'
vpn-policy-routing.config.iprule_enabled='0'
vpn-policy-routing.config.webui_enable_column='0'
vpn-policy-routing.config.webui_protocol_column='0'
vpn-policy-routing.config.webui_chain_column='0'
vpn-policy-routing.config.webui_sorting='1'
vpn-policy-routing.config.webui_supported_protocol='tcp' 'udp' 'tcp udp' 'icmp' 'all'
vpn-policy-routing.config.enabled='1'
vpn-policy-routing.@include[0]=include
vpn-policy-routing.@include[0].path='/etc/vpn-policy-routing.netflix.user'
vpn-policy-routing.@include[0].enabled='0'
vpn-policy-routing.@include[1]=include
vpn-policy-routing.@include[1].path='/etc/vpn-policy-routing.aws.user'
vpn-policy-routing.@include[1].enabled='0'
vpn-policy-routing.wan=policy
vpn-policy-routing.wan.src_addr='192.168.3.0/24'
vpn-policy-routing.wan.interface='wwan'
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wwan_4/dev/202.9.116.148.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
default         202.x.xxx.xxx.s 0.0.0.0         UG    0      0        0 wwan0
IPv4 Table 201: 0.0.0.0/1 via 10.8.0.13 dev tun0
unreachable default
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 201 Rules:
32754:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: 0.0.0.0/1 via 10.8.0.13 dev tun0
default via 202.9.116.147 dev wwan0
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 202 Rules:
32753:  from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: 0.0.0.0/1 via 10.8.0.13 dev tun0
default via 192.168.3.1 dev br-guest
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 203 Rules:
32761:  from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create guest hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#

andyp · January 23, 2021, 5:50am

Still an error on running /etc/init.d/vpn-policy-routing restart

I have internet when connected to 'my vpn' wifi (when openVPN is running). No internet on my 'guest' wifi.


root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.x.xxx.xxx' [✓]
Creating table 'vpn/tun0/10.8.0.14' [✓]
Routing 'blank' via wwan [✗]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.x.xxx.xxx
vpn/tun0/10.8.0.14 [✓]
ERROR: Unknown protocol 'dhcp' in policy 'blank'##
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan vpn .
root@OpenWrt:~#

andyp · January 23, 2021, 7:08am

Thank you, I have applied those changes... VPN wifi working, guest wifi no internet.....

root@OpenWrt:~# uci set vpn-policy-routing.wan.dest_addr="!192.168.0.0/22"
root@OpenWrt:~# uci commit vpn-policy-routing
root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.x.xxx.xxx' [✓]
Creating table 'vpn/tun0/10.8.0.14' [✓]
Routing 'blank' via wwan [✗]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.x.xxx.xxx
vpn/tun0/10.8.0.14 [✓]
ERROR: Unknown protocol 'dhcp' in policy 'blank'##
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan vpn .
root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wwan_4/dev/202.x.xxx.xxx.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
default         202.x.xxx.xxx.s 0.0.0.0         UG    0      0        0 wwan0
IPv4 Table 201: unreachable default
173.xxx.xxx.x via 202.9.116.148 dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 201 Rules:
32753:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 202.x.xxx.xxx dev wwan0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 202 Rules:
32752:  from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.8.0.14 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 203 Rules:
32751:  from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#

andyp · January 23, 2021, 7:28am

Unfortunately, no change....

root@OpenWrt:~# uci rename vpn-policy-routing.wan="wwan"
root@OpenWrt:~# uci commit vpn-policy-routing
root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.x.xxx.xxx' [✓]
Creating table 'vpn/tun0/10.8.0.14' [✓]
Routing 'blank' via wwan [✗]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.x.xxx.xxx
vpn/tun0/10.8.0.14 [✓]
ERROR: Unknown protocol 'qmi' in policy 'blank'##
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan vpn .
root@OpenWrt:~#

andyp · January 23, 2021, 7:37am

Thank you again - that removed the error Unfortunately still no internet on the guest wifi......

Can I gather some more data to help?

root@OpenWrt:~# uci rename vpn-policy-routing.@policy[0]="guest_wwan"
root@OpenWrt:~# uci commit vpn-policy-routing
root@OpenWrt:~# /etc/init.d/vpn-policy-routing restart
Creating table 'wan/eth1/0.0.0.0' [✓]
Creating table 'wwan/wwan0/202.x.xxx.xxx' [✓]
Creating table 'vpn/tun0/10.8.0.14' [✓]
Routing 'blank' via wwan [✓]
vpn-policy-routing 0.2.1-13 started with gateways:
wan/eth1/0.0.0.0
wwan/wwan0/202.x.xxx.xxx
vpn/tun0/10.8.0.14 [✓]
vpn-policy-routing 0.2.1-13 monitoring interfaces: wan wwan vpn .
root@OpenWrt:~#

vgaetera · January 23, 2021, 7:51am

Connect to the guest network and check:

# Guest client
ping 8.8.8.8
ping example.org

# OpenWrt
/etc/init.d/vpn-policy-routing support

andyp · January 23, 2021, 7:57am

Thanks for all your help.... sorry we are not quite there yet....

Ping from guest network:

C:\Users\Andrew>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\Andrew>ping openwrt.org

Pinging openwrt.org [139.59.209.225] with 32 bytes of data:
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.
Reply from 192.168.3.1: Destination port unreachable.

Ping statistics for 139.59.209.225:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\Andrew>

root@OpenWrt:~# /etc/init.d/vpn-policy-routing support
vpn-policy-routing 0.2.1-13 running on OpenWrt 19.07.5. WAN (IPv4): wwan_4/dev/202.9.116.148.
============================================================
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth nettlehash DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         10.8.0.13       128.0.0.0       UG    0      0        0 tun0
default         202.x.xxx.xxx.s 0.0.0.0         UG    0      0        0 wwan0
IPv4 Table 201: unreachable default
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 201 Rules:
32756:  from all fwmark 0x10000/0xff0000 lookup 201
IPv4 Table 202: default via 202.9.116.147 dev wwan0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 202 Rules:
32755:  from all fwmark 0x20000/0xff0000 lookup 202
IPv4 Table 203: default via 10.8.0.14 dev tun0
173.xxx.xxx.x via 202.x.xxx.xxx dev wwan0
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
IPv4 Table 203 Rules:
32754:  from all fwmark 0x30000/0xff0000 lookup 203
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.3.0/24 ! -d 192.168.0.0/22 -m comment --comment blank -c 1561 98421 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables FORWARD
-N VPR_FORWARD
-A VPR_FORWARD -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_FORWARD -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_FORWARD -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables INPUT
-N VPR_INPUT
-A VPR_INPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_INPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_INPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
IP Tables OUTPUT
-N VPR_OUTPUT
-A VPR_OUTPUT -m set --match-set vpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_OUTPUT -m set --match-set wwan dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_OUTPUT -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create wwan hash:net family inet hashsize 1024 maxelem 65536 comment
create vpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]
root@OpenWrt:~#

andyp · January 23, 2021, 8:08am

Unfortunately still no internet on the guest wifi....

vgaetera · January 23, 2021, 8:12am

ip address show; ip route show table all; ip rule show; iptables-save -c

andyp · January 23, 2021, 8:19am

Thank you....

root@OpenWrt:~# ip address show; ip route show table all; ip rule show; iptables
-save -c
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:03:e2:dc brd ff:ff:ff:ff:ff:ff
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 94:83:c4:03:e2:db brd ff:ff:ff:ff:ff:ff
4: wwan0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/none
    inet 202.x.xxx.xxx/29 brd 202.9.116.151 scope global wwan0
       valid_lft forever preferred_lft forever
    inet6 fe80::2231:adeb:ca0a:7ea6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:03:e2:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdff:f765:c966::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe03:e2dc/64 scope link
       valid_lft forever preferred_lft forever
8: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 94:83:c4:03:e2:dd brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
    inet6 fe80::9683:c4ff:fe03:e2dd/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-guest state UP group default qlen 1000
    link/ether 94:83:c4:03:e2:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe03:e2dd/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 94:83:c4:03:e2:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::9683:c4ff:fe03:e2dd/64 scope link
       valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.14 peer 10.8.0.13/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::d39c:66e3:f0d4:6c84/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
unreachable default table 201
173.xxx.xxx.xvia 202.9.116.148 dev wwan0 table 201
192.168.3.0/24 dev br-guest table 201 proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 table 201 proto kernel scope link src 202.x.xxx.xxx
default via 202.x.xxx.xxx dev wwan0 table 202
173.xxx.xxx.xvia 202.9.116.148 dev wwan0 table 202
192.168.3.0/24 dev br-guest table 202 proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 table 202 proto kernel scope link src 202.x.xxx.xxx
default via 10.8.0.14 dev tun0 table 203
173.xxx.xxx.xvia 202.9.116.148 dev wwan0 table 203
192.168.3.0/24 dev br-guest table 203 proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 table 203 proto kernel scope link src 202.x.xxx.xxx
0.0.0.0/1 via 10.8.0.13 dev tun0
default via 202.9.116.148 dev wwan0 proto static src 202.x.xxx.xxx
10.8.0.9 via 10.8.0.13 dev tun0 metric 1
10.8.0.13 dev tun0 proto kernel scope link src 10.8.0.14
128.0.0.0/1 via 10.8.0.13 dev tun0
173.xxx.xxx.xvia 202.9.116.148 dev wwan0
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1
202.x.xxx.xxx/29 dev wwan0 proto kernel scope link src 202.x.xxx.xxx
local 10.8.0.14 dev tun0 table local proto kernel scope host src 10.8.0.14
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.3.0 dev br-guest table local proto kernel scope link src 192.168.3.1
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1
broadcast 202.x.xxx.xxx dev wwan0 table local proto kernel scope link src 202.x.xxx.xxx
local 202.x.xxx.xxx dev wwan0 table local proto kernel scope host src 202.x.xxx.xxx
broadcast 202.9.116.151 dev wwan0 table local proto kernel scope link src 202.x.xxx.xxx
fdff:f765:c966::/64 dev br-lan proto static metric 1024 pref medium
unreachable fdff:f765:c966::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wwan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fdff:f765:c966:: dev br-lan table local proto kernel metric 0 pref medium
local fdff:f765:c966::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wwan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tun0 table local proto kernel metric 0 pref medium
local fe80::2231:adeb:ca0a:7ea6 dev wwan0 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fe03:e2dc dev br-lan table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fe03:e2dd dev br-guest table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fe03:e2dd dev wlan1 table local proto kernel metric 0 pref medium
local fe80::9683:c4ff:fe03:e2dd dev wlan0 table local proto kernel metric 0 pref medium
local fe80::d39c:66e3:f0d4:6c84 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev wwan0 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev br-guest table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium
0:      from all lookup local
32748:  from all fwmark 0x30000/0xff0000 lookup 203
32749:  from all fwmark 0x20000/0xff0000 lookup 202
32750:  from all fwmark 0x10000/0xff0000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.3 on Sat Jan 23 08:15:02 2021
*nat
:PREROUTING ACCEPT [967:84237]
:INPUT ACCEPT [180:12196]
:OUTPUT ACCEPT [253:17951]
:POSTROUTING ACCEPT [310:13129]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[967:84237] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[354:35153] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[61:5566] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[509:41472] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[746:41931] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[437:28922] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[308:12896] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[308:12896] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[509:41472] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[354:35153] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[437:28922] -A zone_vpn_postrouting -m comment --comment "!fw3: Custom vpn postrouting rule chain" -j postrouting_vpn_rule
[437:28922] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[61:5566] -A zone_vpn_prerouting -m comment --comment "!fw3: Custom vpn prerouting rule chain" -j prerouting_vpn_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[0:0] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Jan 23 08:15:02 2021
# Generated by iptables-save v1.8.3 on Sat Jan 23 08:15:02 2021
*mangle
:PREROUTING ACCEPT [5379:2648561]
:INPUT ACCEPT [2038:1221987]
:FORWARD ACCEPT [3197:1404665]
:OUTPUT ACCEPT [2158:538726]
:POSTROUTING ACCEPT [5257:1937359]
:VPR_FORWARD - [0:0]
:VPR_INPUT - [0:0]
:VPR_OUTPUT - [0:0]
:VPR_PREROUTING - [0:0]
[5405:2650330] -A PREROUTING -m mark --mark 0x0/0xff0000 -j VPR_PREROUTING
[2047:1222557] -A INPUT -m mark --mark 0x0/0xff0000 -j VPR_INPUT
[0:0] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[158:8792] -A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[110:5696] -A FORWARD -i tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[3124:1400019] -A FORWARD -m mark --mark 0x0/0xff0000 -j VPR_FORWARD
[2177:540466] -A OUTPUT -m mark --mark 0x0/0xff0000 -j VPR_OUTPUT
[0:0] -A VPR_FORWARD -m set --match-set vpn dst -j MARK --set-xmark 0x30000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wwan dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_FORWARD -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set vpn dst -j MARK --set-xmark 0x30000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wwan dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_INPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set vpn dst -j MARK --set-xmark 0x30000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wwan dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_OUTPUT -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
[102:8981] -A VPR_PREROUTING -s 192.168.3.0/24 ! -d 192.168.0.0/22 -m comment --comment blank -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set vpn dst -j MARK --set-xmark 0x30000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wwan dst -j MARK --set-xmark 0x20000/0xff0000
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x10000/0xff0000
COMMIT
# Completed on Sat Jan 23 08:15:02 2021
# Generated by iptables-save v1.8.3 on Sat Jan 23 08:15:02 2021
*filter
:INPUT ACCEPT [44:2086]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:3317]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_REJECT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[4894:2974064] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[4477:2926492] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[85:3588] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[176:30147] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[67:5806] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[130:9533] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[7423:3252114] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[6744:3195482] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[345:35848] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[334:20784] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[334:20784] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5139:1123871] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4860:1101313] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:224] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[270:18361] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[2:656] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[369:23893] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[33:2761] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[85:3588] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:656] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[334:20784] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[334:20784] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[334:20784] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[130:9533] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[127:8813] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[2:656] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:64] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[2:656] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[2:656] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[1:64] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[2:224] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[345:35848] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[345:35848] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to vpn forwarding policy" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[176:30147] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[176:30147] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:224] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:224] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[176:30147] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[71:2840] -A zone_vpn_dest_ACCEPT -o tun0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[544:51369] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: Custom vpn forwarding rule chain" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_REJECT
[67:5806] -A zone_vpn_input -m comment --comment "!fw3: Custom vpn input rule chain" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[67:5806] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_REJECT
[270:18361] -A zone_vpn_output -m comment --comment "!fw3: Custom vpn output rule chain" -j output_vpn_rule
[270:18361] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[67:5806] -A zone_vpn_src_REJECT -i tun0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Jan 23 08:15:02 2021
root@OpenWrt:~#