I'm trying to host a web server on my LAN (192.168.1.x). Since my ISP filters all traffic, the only way I can make this work is to tunnel the traffic through a WireGuard tunnel to a VPS.
I need some help: it looks like the reply traffic from my LAN host is being routed through the default gateway (WAN) instead of back out through the VPN tunnel that the original packet arrived on.
I may have misunderstood, but I thought this would not be an issue once I had configured separate routing tables for the VPN itself, as described in Wireguard internet reply traffic is going out WAN instead of tunnel - #7.
However, after running tcpdump on every interface, I see that traffic to my public IPv4 address comes in through the WireGuard tunnel, reaches OpenWrt, and is forwarded to my LAN 192.168.1.x device, which then replies to the public source IP of the HTTP request. OpenWrt then sends that reply out via WAN.
Interestingly, the "Port Forwards" web UI shows both of my entries as enabled, but the configuration dump below contains "option enabled '0'"; I'm not sure whether this could be causing the problem. (In the dump, the `enabled '0'` lines sit on the two `config nat` sections, not on the `config redirect` sections, and no MASQUERADE/SNAT rule matching 192.168.1.214 appears in the `fw3 print` output below.)
Here is the relevant config:
# uci export firewall
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option masq6 '1'
option masq6_privacy '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wgmia'
config rule
option name 'Allow-Ping-WG'
option src 'wgmia'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP-WG'
option src 'wgmia'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6-WG'
option src 'wgmia'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD-WG'
option src 'wgmia'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input-WG'
option src 'wgmia'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward-WG'
option src 'wgmia'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IPSec-ESP-WG'
option src 'wgmia'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP-WG'
option src 'wgmia'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'
option family 'IPv4'
option reload '1'
config include 'nat6'
option path '/etc/firewall.nat6'
option reload '1'
config zone
option name 'wgmia'
option forward 'REJECT'
list network 'wgmia'
option output 'ACCEPT'
option masq '1'
option masq6 '1'
option input 'REJECT'
config rule
option dest_port '443'
option src 'wgmia'
option target 'ACCEPT'
list proto 'tcp'
option name 'Allow-Internet-Luci-WG'
option enabled '0'
config redirect
option name 'HTTP'
option src_dport '80'
option target 'DNAT'
option dest 'lan'
list proto 'tcp'
option src 'wgmia'
option dest_port '22'
option dest_ip '192.168.1.49'
config redirect
option dest_port '443'
option name 'HTTPS'
option src_dport '443'
option target 'DNAT'
option dest_ip '192.168.1.214'
option dest 'lan'
list proto 'tcp'
option src 'wgmia'
config nat
option src_port '80'
list proto 'tcp'
option name 'HTTP'
option src_ip '192.168.1.214'
option target 'MASQUERADE'
option device 'wgmia'
option src 'lan'
option enabled '0'
config nat
option src_port '443'
list proto 'tcp'
option name 'HTTPS'
option src_ip '192.168.1.214'
option target 'MASQUERADE'
option device 'wgmia'
option src 'lan'
option enabled '0'
Network config (secrets removed):
# cat network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdde:104a:0f59::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth1.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '6t 3 2 1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 5'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '11'
option ports '6t 4'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t'
option vid '200'
config interface 'wgmia'
option proto 'wireguard'
option private_key 'xxxx'
list addresses '10.100.100.12/24'
list addresses 'xx:xx:xx:106:8888::12/112'
option mtu '1350'
option ip4table '1'
option ip6table '1'
config wireguard_wgmia
option public_key 'hxxx'
option description 'xxx'
option endpoint_port '88'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option preshared_key 'xx'
option endpoint_host 'xx'
option persistent_keepalive '19'
option route_allowed_ips '1'
config interface 'opnsense'
option proto 'none'
option type 'bridge'
option ifname 'eth1.11'
Some additional info (output of `fw3 print`):
root@OpenWrt:/etc/config# fw3 print
Warning: Option @zone[1].masq6 is unknown
Warning: Option @zone[1].masq6_privacy is unknown
Warning: Option @zone[2].masq6 is unknown
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
iptables -t filter -N zone_wgmia_input
iptables -t filter -N zone_wgmia_output
iptables -t filter -N zone_wgmia_forward
iptables -t filter -N zone_wgmia_src_REJECT
iptables -t filter -N zone_wgmia_dest_ACCEPT
iptables -t filter -N zone_wgmia_dest_REJECT
iptables -t filter -N input_wgmia_rule
iptables -t filter -N output_wgmia_rule
iptables -t filter -N forwarding_wgmia_rule
iptables -t filter -A zone_wgmia_input -m comment --comment "!fw3: Custom wgmia input rule chain" -j input_wgmia_rule
iptables -t filter -A zone_wgmia_output -m comment --comment "!fw3: Custom wgmia output rule chain" -j output_wgmia_rule
iptables -t filter -A zone_wgmia_forward -m comment --comment "!fw3: Custom wgmia forwarding rule chain" -j forwarding_wgmia_rule
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
iptables -t filter -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
iptables -t filter -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
iptables -t filter -A syn_flood -m comment --comment "!fw3" -j DROP
iptables -t filter -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
iptables -t filter -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wgmia_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping-WG" -j ACCEPT
iptables -t filter -A zone_wgmia_input -p 2 -m comment --comment "!fw3: Allow-IGMP-WG" -j ACCEPT
iptables -t filter -A zone_wgmia_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP-WG" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wgmia_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP-WG" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wgmia forwarding policy" -j zone_wgmia_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -D FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A zone_wgmia_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wgmia_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wgmia_input -m comment --comment "!fw3" -j zone_wgmia_src_REJECT
iptables -t filter -A zone_wgmia_forward -m comment --comment "!fw3" -j zone_wgmia_dest_REJECT
iptables -t filter -A zone_wgmia_output -m comment --comment "!fw3" -j zone_wgmia_dest_ACCEPT
iptables -t filter -D zone_wgmia_dest_ACCEPT -o wgmia -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -A zone_wgmia_dest_ACCEPT -o wgmia -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
iptables -t filter -D zone_wgmia_dest_ACCEPT -o wgmia -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wgmia_dest_ACCEPT -o wgmia -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_wgmia_src_REJECT -i wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wgmia_src_REJECT -i wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -D zone_wgmia_dest_REJECT -o wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -A zone_wgmia_dest_REJECT -o wgmia -m comment --comment "!fw3" -j reject
iptables -t filter -D INPUT -i wgmia -m comment --comment "!fw3" -j zone_wgmia_input
iptables -t filter -A INPUT -i wgmia -m comment --comment "!fw3" -j zone_wgmia_input
iptables -t filter -D OUTPUT -o wgmia -m comment --comment "!fw3" -j zone_wgmia_output
iptables -t filter -A OUTPUT -o wgmia -m comment --comment "!fw3" -j zone_wgmia_output
iptables -t filter -D FORWARD -i wgmia -m comment --comment "!fw3" -j zone_wgmia_forward
iptables -t filter -A FORWARD -i wgmia -m comment --comment "!fw3" -j zone_wgmia_forward
iptables -t filter -A FORWARD -m comment --comment "!fw3" -j reject
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
iptables -t nat -N zone_wgmia_postrouting
iptables -t nat -N zone_wgmia_prerouting
iptables -t nat -N prerouting_wgmia_rule
iptables -t nat -N postrouting_wgmia_rule
iptables -t nat -A zone_wgmia_prerouting -m comment --comment "!fw3: Custom wgmia prerouting rule chain" -j prerouting_wgmia_rule
iptables -t nat -A zone_wgmia_postrouting -m comment --comment "!fw3: Custom wgmia postrouting rule chain" -j postrouting_wgmia_rule
iptables -t nat -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
iptables -t nat -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
iptables -t nat -A zone_wgmia_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: HTTP" -j DNAT --to-destination 192.168.1.49:22
iptables -t nat -D zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.49:22
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 80 -m comment --comment "!fw3: HTTP (reflection)" -j DNAT --to-destination 192.168.1.49:22
iptables -t nat -D zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.49/255.255.255.255 -m tcp --dport 22 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.49/255.255.255.255 -m tcp --dport 22 -m comment --comment "!fw3: HTTP (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -A zone_wgmia_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: HTTPS" -j DNAT --to-destination 192.168.1.214:443
iptables -t nat -D zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.214:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.1.0/255.255.255.0 -d 10.100.100.12/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j DNAT --to-destination 192.168.1.214:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.214/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 192.168.1.0/255.255.255.0 -d 192.168.1.214/255.255.255.255 -m tcp --dport 443 -m comment --comment "!fw3: HTTPS (reflection)" -j SNAT --to-source 192.168.1.1
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -D PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -D POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A zone_wgmia_postrouting -m comment --comment "!fw3" -j MASQUERADE
iptables -t nat -D PREROUTING -i wgmia -m comment --comment "!fw3" -j zone_wgmia_prerouting
iptables -t nat -A PREROUTING -i wgmia -m comment --comment "!fw3" -j zone_wgmia_prerouting
iptables -t nat -D POSTROUTING -o wgmia -m comment --comment "!fw3" -j zone_wgmia_postrouting
iptables -t nat -A POSTROUTING -o wgmia -m comment --comment "!fw3" -j zone_wgmia_postrouting
iptables -t mangle -D FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -o eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -p tcp -i eth0.2 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
iptables -t raw -N zone_lan_helper
iptables -t raw -D PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
iptables -t raw -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
root@OpenWrt:/etc/config#
Thanks!