Second Wireguard client network issue

Hi,

I am new to this forum, and after reading numerous posts I decided to post my issue and hope that someone can provide some tips.

I am using a Linksys WRT3200ACM running OpenWrt 19.07.2. I want to achieve the following configuration:
LAN #1 with SSID #1 <---> WAN
LAN #2 with SSID #2 <---> WG0 (connecting to a personal WG server)
LAN #3 with SSID #3 <---> WG1 (connecting to a Mullvad WG server)

The first part with connecting to SSID #2 and going out using WG0 is working perfectly after adding the following in /etc/config/network

config rule
	option in 'lan_2'
	option lookup '300'

config route
	option interface 'wg0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '300'

The second part with connecting to SSID #3 and going out using WG1 is not working, and I suspect this is related to a routing issue. What I have tried so far:

  1. Added a route for the LAN #3 interface to use WG1
config rule
	option src 'lan_3'
	option lookup '200'

config route
	option interface 'wg1'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '200'
  2. Tried swapping tables 200 and 300 between the routes, same issue.
  3. A ping from wg1 is successful and I can see the Wireguard interface counters incrementing
ping -I wg1 4.2.2.2
  4. The firewall rules are configured identically for LAN #3 interface / WG1, as they are configured for LAN #2 interface / WG0
  5. "Route Allowed IPs" is disabled for both WG interface peers.
  6. Wireguard listening ports are not configured, but I can see that they are different.

Maybe I have forgotten to mention some of the other troubleshooting steps I have tried performing.

Thanks.

If wg1 is not point to point you might need to add an option gateway in the config route stanza.

I am not sure what type of Wireguard connection is being provided by Mullvad, and if it is point to point.
I have tried adding an option gateway using the IP of the peer, but this did not work.

config rule
	option src 'lan_3'
	option lookup '200'

config route
	option interface 'wg1'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway 'ip_of_wg1_interface_peer'
	option table '200'

But I think there is something wrong with my option gateway line, as when trying to display table 200 there are no routes displayed.

ip route show table 200

If commenting out the option gateway from the network config and restarting networking the output of the above command is

default dev wg1 proto static scope link

Better let's see the whole picture:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;

Here is the configuration. I tried to redact public IP addresses and replaced them with some keywords consistently across the configurations.
Thanks for looking into this.

uci export network

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5d:9f29:a8c8::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	option hostname 'asus'
	option peerdns '0'
	option dns '8.8.8.8 8.8.4.4'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	option peerdns '0'
	option dns '2001:4860:4860::8888 2001:4860:4860::8844'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'wg0'
	option proto 'wireguard'
	list addresses 'wg0_interface_private_IP/32'
	option private_key '****************'

config wireguard_wg0
	option endpoint_port '4500'
	option public_key '****************'
	option endpoint_host 'custom_wg_server_hostname'
	list allowed_ips '0.0.0.0/1'
	list allowed_ips '128.0.0.0/1'
	list allowed_ips '::/0'
	option persistent_keepalive '25'

config interface 'lan_2'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.3.1'
	option type 'bridge'
	list dns '8.8.8.8'

config rule
	option in 'lan_2'
	option lookup '300'

config route
	option interface 'wg0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '300'

config interface 'wg1'
	option proto 'wireguard'
	option private_key '**********'
	list addresses 'wg1_interface_private_IP_mullvad/32'

config wireguard_wg1
	option public_key '***********'
	option description '*********'
	option persistent_keepalive '25'
	option endpoint_host 'wg1_server_IP_mullvad'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/1'
	list allowed_ips '128.0.0.0/1'

config interface 'lan_3'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.1'
	list dns '8.8.8.8'

config rule
	option src 'lan_3'
	option lookup '200'

config route
	option interface 'wg1'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '200'

uci export dhcp

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan_2'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lan_2'

config dhcp 'lan_3'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lan_3'

uci export firewall

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wg0'
	option output 'ACCEPT'
	option network 'wg0'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan_2'
	option name 'lan_2'

config forwarding
	option dest 'wg0'
	option src 'lan_2'

config zone
	option name 'wg1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan_3'
	option output 'ACCEPT'

config forwarding
	option dest 'wg1'
	option src 'lan_3'

head -n -0 /etc/firewall.user
There is no configuration present in this configuration file.

iptables-save -c

# Generated by iptables-save v1.8.3 on Wed May  6 08:35:33 2020
*nat
:PREROUTING ACCEPT [27666:2120561]
:INPUT ACCEPT [6422:434137]
:OUTPUT ACCEPT [20463:1694355]
:POSTROUTING ACCEPT [15496:655172]
:postrouting_lan_2_rule - [0:0]
:postrouting_lan_3_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg0_rule - [0:0]
:postrouting_wg1_rule - [0:0]
:prerouting_lan_2_rule - [0:0]
:prerouting_lan_3_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg0_rule - [0:0]
:prerouting_wg1_rule - [0:0]
:zone_lan_2_postrouting - [0:0]
:zone_lan_2_prerouting - [0:0]
:zone_lan_3_postrouting - [0:0]
:zone_lan_3_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg0_postrouting - [0:0]
:zone_wg0_prerouting - [0:0]
:zone_wg1_postrouting - [0:0]
:zone_wg1_prerouting - [0:0]
[27666:2120561] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[548:49229] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1859:186132] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[32:7339] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg0_prerouting
[1609:119565] -A PREROUTING -i br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_prerouting
[36128:2337360] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[7:1456] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[20386:1658631] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[246:23557] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg0_postrouting
[6:1408] -A POSTROUTING -o br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_postrouting
[6:1408] -A zone_lan_2_postrouting -m comment --comment "!fw3: Custom lan_2 postrouting rule chain" -j postrouting_lan_2_rule
[1609:119565] -A zone_lan_2_prerouting -m comment --comment "!fw3: Custom lan_2 prerouting rule chain" -j prerouting_lan_2_rule
[0:0] -A zone_lan_3_postrouting -m comment --comment "!fw3: Custom lan_3 postrouting rule chain" -j postrouting_lan_3_rule
[0:0] -A zone_lan_3_prerouting -m comment --comment "!fw3: Custom lan_3 prerouting rule chain" -j prerouting_lan_3_rule
[7:1456] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[548:49229] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[20386:1658631] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[20386:1658631] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1859:186132] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[246:23557] -A zone_wg0_postrouting -m comment --comment "!fw3: Custom wg0 postrouting rule chain" -j postrouting_wg0_rule
[246:23557] -A zone_wg0_postrouting -m comment --comment "!fw3" -j MASQUERADE
[32:7339] -A zone_wg0_prerouting -m comment --comment "!fw3: Custom wg0 prerouting rule chain" -j prerouting_wg0_rule
[0:0] -A zone_wg1_postrouting -m comment --comment "!fw3: Custom wg1 postrouting rule chain" -j postrouting_wg1_rule
[0:0] -A zone_wg1_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wg1_prerouting -m comment --comment "!fw3: Custom wg1 prerouting rule chain" -j prerouting_wg1_rule
COMMIT
# Completed on Wed May  6 08:35:33 2020
# Generated by iptables-save v1.8.3 on Wed May  6 08:35:33 2020
*raw
:PREROUTING ACCEPT [288210:187338817]
:OUTPUT ACCEPT [61564:7590448]
:zone_lan_2_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_lan_3_helper - [0:0]
[87514:13183464] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[10231:2540972] -A PREROUTING -i br-lan_2 -m comment --comment "!fw3: lan_2 CT helper assignment" -j zone_lan_2_helper
COMMIT
# Completed on Wed May  6 08:35:33 2020
# Generated by iptables-save v1.8.3 on Wed May  6 08:35:33 2020
*mangle
:PREROUTING ACCEPT [465:104025]
:INPUT ACCEPT [249:40994]
:FORWARD ACCEPT [206:60355]
:OUTPUT ACCEPT [244:113651]
:POSTROUTING ACCEPT [449:173966]
[15371:983744] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[230:14720] -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg0 MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May  6 08:35:33 2020
# Generated by iptables-save v1.8.3 on Wed May  6 08:35:33 2020
*filter
:INPUT ACCEPT [6812:439292]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [124:39552]
:forwarding_lan_2_rule - [0:0]
:forwarding_lan_3_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg0_rule - [0:0]
:forwarding_wg1_rule - [0:0]
:input_lan_2_rule - [0:0]
:input_lan_3_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg0_rule - [0:0]
:input_wg1_rule - [0:0]
:output_lan_2_rule - [0:0]
:output_lan_3_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg0_rule - [0:0]
:output_wg1_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_2_dest_ACCEPT - [0:0]
:zone_lan_2_forward - [0:0]
:zone_lan_2_input - [0:0]
:zone_lan_2_output - [0:0]
:zone_lan_2_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_3_dest_ACCEPT - [0:0]
:zone_lan_3_forward - [0:0]
:zone_lan_3_input - [0:0]
:zone_lan_3_output - [0:0]
:zone_lan_3_src_ACCEPT - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg0_dest_ACCEPT - [0:0]
:zone_wg0_dest_REJECT - [0:0]
:zone_wg0_forward - [0:0]
:zone_wg0_input - [0:0]
:zone_wg0_output - [0:0]
:zone_wg0_src_REJECT - [0:0]
:zone_wg1_dest_ACCEPT - [0:0]
:zone_wg1_dest_REJECT - [0:0]
:zone_wg1_forward - [0:0]
:zone_wg1_input - [0:0]
:zone_wg1_output - [0:0]
:zone_wg1_src_REJECT - [0:0]
[212:23484] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[41438:8178268] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[29726:7404675] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[765:33720] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[54:6306] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[3392:243084] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[67:11394] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg0_input
[1156:64253] -A INPUT -i br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_input
[244981:178765611] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[227355:177589170] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[52:6204] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg0_forward
[268:27407] -A FORWARD -i br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_forward
[17306:1142830] -A FORWARD -m comment --comment "!fw3" -j reject
[212:23484] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[61353:7567112] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[40329:5831072] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:3424] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[20872:1688704] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg0_output
[15:4360] -A OUTPUT -o br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_output
[15423:994178] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[3836:354938] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[534:24456] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[231:9264] -A syn_flood -m comment --comment "!fw3" -j DROP
[15:4360] -A zone_lan_2_dest_ACCEPT -o br-lan_2 -m comment --comment "!fw3" -j ACCEPT
[268:27407] -A zone_lan_2_forward -m comment --comment "!fw3: Custom lan_2 forwarding rule chain" -j forwarding_lan_2_rule
[268:27407] -A zone_lan_2_forward -m comment --comment "!fw3: Zone lan_2 to wg0 forwarding policy" -j zone_wg0_dest_ACCEPT
[0:0] -A zone_lan_2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_2_forward -m comment --comment "!fw3" -j zone_lan_2_dest_ACCEPT
[1156:64253] -A zone_lan_2_input -m comment --comment "!fw3: Custom lan_2 input rule chain" -j input_lan_2_rule
[0:0] -A zone_lan_2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1156:64253] -A zone_lan_2_input -m comment --comment "!fw3" -j zone_lan_2_src_ACCEPT
[15:4360] -A zone_lan_2_output -m comment --comment "!fw3: Custom lan_2 output rule chain" -j output_lan_2_rule
[15:4360] -A zone_lan_2_output -m comment --comment "!fw3" -j zone_lan_2_dest_ACCEPT
[1156:64253] -A zone_lan_2_src_ACCEPT -i br-lan_2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[13:3424] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[52:6204] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[52:6204] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[54:6306] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[54:6306] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_3_forward -m comment --comment "!fw3: Custom lan_3 forwarding rule chain" -j forwarding_lan_3_rule
[0:0] -A zone_lan_3_forward -m comment --comment "!fw3: Zone lan_3 to wg1 forwarding policy" -j zone_wg1_dest_ACCEPT
[0:0] -A zone_lan_3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_3_forward -m comment --comment "!fw3" -j zone_lan_3_dest_ACCEPT
[0:0] -A zone_lan_3_input -m comment --comment "!fw3: Custom lan_3 input rule chain" -j input_lan_3_rule
[0:0] -A zone_lan_3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_3_input -m comment --comment "!fw3" -j zone_lan_3_src_ACCEPT
[0:0] -A zone_lan_3_output -m comment --comment "!fw3: Custom lan_3 output rule chain" -j output_lan_3_rule
[0:0] -A zone_lan_3_output -m comment --comment "!fw3" -j zone_lan_3_dest_ACCEPT
[13:3424] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:3424] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[54:6306] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[32:1280] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[20892:1693628] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[3392:243084] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[1506:48192] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1886:194892] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[20872:1688704] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[20872:1688704] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1886:194892] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
[13:664] -A zone_wg0_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[255:26743] -A zone_wg0_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg0_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg0_forward -m comment --comment "!fw3: Custom wg0 forwarding rule chain" -j forwarding_wg0_rule
[0:0] -A zone_wg0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg0_forward -m comment --comment "!fw3" -j zone_wg0_dest_REJECT
[67:11394] -A zone_wg0_input -m comment --comment "!fw3: Custom wg0 input rule chain" -j input_wg0_rule
[0:0] -A zone_wg0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[67:11394] -A zone_wg0_input -m comment --comment "!fw3" -j zone_wg0_src_REJECT
[0:0] -A zone_wg0_output -m comment --comment "!fw3: Custom wg0 output rule chain" -j output_wg0_rule
[0:0] -A zone_wg0_output -m comment --comment "!fw3" -j zone_wg0_dest_ACCEPT
[67:11394] -A zone_wg0_src_REJECT -i wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg1_forward -m comment --comment "!fw3: Custom wg1 forwarding rule chain" -j forwarding_wg1_rule
[0:0] -A zone_wg1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg1_forward -m comment --comment "!fw3" -j zone_wg1_dest_REJECT
[0:0] -A zone_wg1_input -m comment --comment "!fw3: Custom wg1 input rule chain" -j input_wg1_rule
[0:0] -A zone_wg1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg1_input -m comment --comment "!fw3" -j zone_wg1_src_REJECT
[0:0] -A zone_wg1_output -m comment --comment "!fw3: Custom wg1 output rule chain" -j output_wg1_rule
[0:0] -A zone_wg1_output -m comment --comment "!fw3" -j zone_wg1_dest_ACCEPT
COMMIT
# Completed on Wed May  6 08:35:33 2020

ip -4 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
40: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
42: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.104/24 brd 192.168.1.255 scope global eth1.2
       valid_lft forever preferred_lft forever
43: br-lan_2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan_2
       valid_lft forever preferred_lft forever
44: br-lan_3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan_3
       valid_lft forever preferred_lft forever
46: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet wg0_interface_private_IP/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
47: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet wg1_interface_private_IP_mullvad/32 brd 255.255.255.255 scope global wg1
       valid_lft forever preferred_lft forever

ip -4 ro li tab all

default dev wg0 table 300 proto static scope link 
default dev wg1 table 200 proto static scope link 
default via 192.168.1.1 dev eth1.2 proto static src 192.168.1.104 
wg0_server_IP via 192.168.1.1 dev eth1.2 proto static 
wg1_server_IP_mullvad via 192.168.1.1 dev eth1.2 proto static 
192.168.1.0/24 dev eth1.2 proto kernel scope link src 192.168.1.104 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev br-lan_2 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev br-lan_3 proto kernel scope link src 192.168.4.1 
local wg1_interface_private_IP_mullvad dev wg1 table local proto kernel scope host src wg1_interface_private_IP_mullvad 
local wg0_interface_private_IP dev wg0 table local proto kernel scope host src wg0_interface_private_IP 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev eth1.2 table local proto kernel scope link src 192.168.1.104 
local 192.168.1.104 dev eth1.2 table local proto kernel scope host src 192.168.1.104 
broadcast 192.168.1.255 dev eth1.2 table local proto kernel scope link src 192.168.1.104 
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev br-lan_2 table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev br-lan_2 table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-lan_2 table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.4.0 dev br-lan_3 table local proto kernel scope link src 192.168.4.1 
local 192.168.4.1 dev br-lan_3 table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev br-lan_3 table local proto kernel scope link src 192.168.4.1

ip -4 ru

0:	from all lookup local 
1:	from all iif br-lan_2 lookup 300 
32766:	from all lookup main 
32767:	from all lookup default
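
The `ip -4 ru` output above lists a rule for table 300 only: in an OpenWrt `config rule`, `in` takes a logical interface name while `src` takes a source prefix in CIDR form, so `option src 'lan_3'` produces no rule for table 200. The following check is an added example, not part of the original posts; it flags that kind of stanza and any routing table whose default route no rule selects. The sample input is constructed from the redacted output in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed samples, taken from the redacted output posted in this thread.
SAMPLE_UCI="config rule
    option in 'lan_2'
    option lookup '300'

config rule
    option src 'lan_3'
    option lookup '200'"

SAMPLE_RULES='0: from all lookup local
1: from all iif br-lan_2 lookup 300
32766: from all lookup main
32767: from all lookup default'

SAMPLE_ROUTES='default dev wg0 table 300 proto static scope link
default dev wg1 table 200 proto static scope link
default via 192.168.1.1 dev eth1.2 proto static src 192.168.1.104
192.168.4.0/24 dev br-lan_3 proto kernel scope link src 192.168.4.1'

# lint_uci_rules CONFIG_TEXT
# Prints "BAD <option> <value>" for every src/dest in a "config rule" stanza
# that is not an address or prefix (e.g. an interface name). Returns 1 if any.
lint_uci_rules() {
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "config" { in_rule = ($2 == "rule"); next }
        in_rule && $1 == "option" && ($2 == "src" || $2 == "dest") {
            val = $3
            gsub(q, "", val)                       # strip the UCI quotes
            # Heuristic: hex digits, dots and colons, optional /len,
            # and at least one dot or colon.
            if (val !~ /^[0-9a-fA-F:.]+(\/[0-9]+)?$/ || val !~ /[.:]/) {
                print "BAD", $2, val
                bad = 1
            }
        }
        END { exit bad + 0 }'
}

# audit_policy_routing RULES_TEXT ROUTES_TEXT
# RULES_TEXT is "ip -4 rule" output, ROUTES_TEXT is "ip -4 route show table all".
# For every default route in a non-main table, prints
#   "OK <table> <dev> <selector>"  when some rule looks the table up, or
#   "ORPHAN <table> <dev>"         when no rule does.
# Returns 1 if any table is orphaned.
audit_policy_routing() {
    { printf '%s\n' "$1"; echo '--routes--'; printf '%s\n' "$2"; } | awk '
        $0 == "--routes--" { in_routes = 1; next }
        !in_routes {
            # Rule line: everything between the priority and "lookup"
            # is the selector for that table.
            sel = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "lookup") { selector[$(i + 1)] = sel; break }
                sel = (sel == "" ? $i : sel " " $i)
            }
            next
        }
        $1 == "default" {
            tbl = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "table") tbl = $(i + 1)
                if ($i == "dev")   dev = $(i + 1)
            }
            if (tbl == "") next                    # default route of table main
            if (tbl in selector) print "OK", tbl, dev, selector[tbl]
            else { print "ORPHAN", tbl, dev; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Run on the samples. On a router, pass live data instead:
#   lint_uci_rules "$(cat /etc/config/network)"
#   audit_policy_routing "$(ip -4 rule)" "$(ip -4 route show table all)"
lint_uci_rules "$SAMPLE_UCI" \
    || echo "fix: use option in '<interface>' or give src a CIDR prefix"
audit_policy_routing "$SAMPLE_RULES" "$SAMPLE_ROUTES" \
    || echo "fix: add a rule that selects each ORPHAN table"
```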
config zone
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option name 'lan_3'
	option output 'ACCEPT'

it's missing the option network lan_3


config zone
	option name 'wg1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option output 'ACCEPT'

likewise it's missing the option network wg1

Noticed now that there are some warnings when I restart the firewall. With my initial configuration these look like:

root@router:/etc/config# /etc/init.d/firewall reload
Warning: Section @zone[4] (wg1) has no device, network, subnet or extra options
Warning: Section @zone[5] (lan_3) has no device, network, subnet or extra options
Warning: Section @zone[4] (wg1) has no device, network, subnet or extra options
Warning: Section @zone[5] (lan_3) has no device, network, subnet or extra options

After adding the option network to the firewall configuration

config zone                                 
        option name 'wg1'      
        option mtu_fix '1'             
        option input 'REJECT'          
        option forward 'REJECT'        
        option masq '1'                
        option output 'ACCEPT'         
        option network 'wg1'   
                                       
config zone                            
        option input 'ACCEPT'          
        option forward 'ACCEPT'        
        option name 'lan_3'      
        option output 'ACCEPT'    
        option network 'lan_3'

when restarting the firewall I still have the warnings, but only 2 warnings instead of 4:

root@router:/etc/config# /etc/init.d/firewall reload
Warning: Section @zone[4] (wg1) has no device, network, subnet or extra options
Warning: Section @zone[5] (lan_3) has no device, network, subnet or extra options

It looks like something else is missing from the wg1 & lan_3 firewall configuration. But the firewall configuration for wg0 and lan_2 Firewall Zones is identical, yet there are no errors referring to them.
Any ideas what is causing these warnings?

Do a fw3 restart and let us know the output.

Here is the output of fw3 restart :

 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan_2' -> 'wg0'
   * Forward 'lan_3' -> 'wg1'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'wg0'
   * Zone 'lan_2'
   * Zone 'wg1'
   * Zone 'lan_3'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'wg0'
   * Zone 'lan_2'
   * Zone 'wg1'
   * Zone 'lan_3'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'wg0'
   * Zone 'lan_2'
   * Zone 'wg1'
   * Zone 'lan_3'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'

   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Forward 'lan_2' -> 'wg0'
   * Forward 'lan_3' -> 'wg1'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'wg0'
   * Zone 'lan_2'
   * Zone 'wg1'
   * Zone 'lan_3'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'wg0'
   * Zone 'lan_2'
   * Zone 'wg1'
   * Zone 'lan_3'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

That's better, no errors and the zones are created.

Still I am having the same issues, as I do not have any internet access when connecting to SSID #3. This SSID #3 is connected with lan_3.

Post once again these:
ip -4 ro li tab all ; ip -4 ru; ip -4 addr; iptables-save -c

Here are my configs.

ip -4 ro li tab all

default dev wg0 table 300 proto static scope link 
default dev wg1 table 200 proto static scope link 
default via 192.168.1.1 dev eth1.2 proto static src 192.168.1.104 
wg0_server_IP via 192.168.1.1 dev eth1.2 proto static 
wg1_server_IP_mullvad via 192.168.1.1 dev eth1.2 proto static 
192.168.1.0/24 dev eth1.2 proto kernel scope link src 192.168.1.104 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev br-lan_2 proto kernel scope link src 192.168.3.1 
192.168.4.0/24 dev br-lan_3 proto kernel scope link src 192.168.4.1 
local wg1_interface_private_IP_mullvad dev wg1 table local proto kernel scope host src wg1_interface_private_IP_mullvad 
local wg0_interface_private_IP dev wg0 table local proto kernel scope host src wg0_interface_private_IP 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev eth1.2 table local proto kernel scope link src 192.168.1.104 
local 192.168.1.104 dev eth1.2 table local proto kernel scope host src 192.168.1.104 
broadcast 192.168.1.255 dev eth1.2 table local proto kernel scope link src 192.168.1.104 
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1 
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1 
broadcast 192.168.3.0 dev br-lan_2 table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev br-lan_2 table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-lan_2 table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.4.0 dev br-lan_3 table local proto kernel scope link src 192.168.4.1 
local 192.168.4.1 dev br-lan_3 table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev br-lan_3 table local proto kernel scope link src 192.168.4.1 

ip -4 ru
One thing which I have noticed is that in this output, table 200 for wg1 is not displayed. Could this be related to the issue I am having?

0:	from all lookup local 
1:	from all iif br-lan_2 lookup 300 
32766:	from all lookup main 
32767:	from all lookup default 

ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
21: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.104/24 brd 192.168.1.255 scope global eth1.2
valid_lft forever preferred_lft forever
22: br-lan_2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan_2
valid_lft forever preferred_lft forever
23: br-lan_3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan_3
valid_lft forever preferred_lft forever
24: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet wg0_interface_private_IP/32 brd 255.255.255.255 scope global wg0
valid_lft forever preferred_lft forever
26: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet wg1_interface_private_IP_mullvad/32 brd 255.255.255.255 scope global wg1
valid_lft forever preferred_lft forever

iptables-save -c
*nat
:PREROUTING ACCEPT [49160:4987761]
:INPUT ACCEPT [11670:776134]
:OUTPUT ACCEPT [9926:723878]
:POSTROUTING ACCEPT [15788:678202]
:postrouting_lan_2_rule - [0:0]
:postrouting_lan_3_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg0_rule - [0:0]
:postrouting_wg1_rule - [0:0]
:prerouting_lan_2_rule - [0:0]
:prerouting_lan_3_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg0_rule - [0:0]
:prerouting_wg1_rule - [0:0]
:zone_lan_2_postrouting - [0:0]
:zone_lan_2_prerouting - [0:0]
:zone_lan_3_postrouting - [0:0]
:zone_lan_3_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg0_postrouting - [0:0]
:zone_wg0_prerouting - [0:0]
:zone_wg1_postrouting - [0:0]
:zone_wg1_prerouting - [0:0]
[49160:4987761] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[12220:1981059] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[6010:621356] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[10:1587] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg0_prerouting
[4107:371228] -A PREROUTING -i br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_prerouting
[0:0] -A PREROUTING -i wg1 -m comment --comment "!fw3" -j zone_wg1_prerouting
[26813:2012531] -A PREROUTING -i br-lan_3 -m comment --comment "!fw3" -j zone_lan_3_prerouting
[31621:2731704] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[21:5488] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[14597:1921737] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[1236:131765] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg0_postrouting
[16:3568] -A POSTROUTING -o br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_postrouting
[0:0] -A POSTROUTING -o wg1 -m comment --comment "!fw3" -j zone_wg1_postrouting
[15750:669028] -A POSTROUTING -o br-lan_3 -m comment --comment "!fw3" -j zone_lan_3_postrouting
[16:3568] -A zone_lan_2_postrouting -m comment --comment "!fw3: Custom lan_2 postrouting rule chain" -j postrouting_lan_2_rule
[4107:371228] -A zone_lan_2_prerouting -m comment --comment "!fw3: Custom lan_2 prerouting rule chain" -j prerouting_lan_2_rule
[15750:669028] -A zone_lan_3_postrouting -m comment --comment "!fw3: Custom lan_3 postrouting rule chain" -j postrouting_lan_3_rule
[26813:2012531] -A zone_lan_3_prerouting -m comment --comment "!fw3: Custom lan_3 prerouting rule chain" -j prerouting_lan_3_rule
[21:5488] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[12220:1981059] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[14597:1921737] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[14597:1921737] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[6010:621356] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[1236:131765] -A zone_wg0_postrouting -m comment --comment "!fw3: Custom wg0 postrouting rule chain" -j postrouting_wg0_rule
[1236:131765] -A zone_wg0_postrouting -m comment --comment "!fw3" -j MASQUERADE
[10:1587] -A zone_wg0_prerouting -m comment --comment "!fw3: Custom wg0 prerouting rule chain" -j prerouting_wg0_rule
[0:0] -A zone_wg1_postrouting -m comment --comment "!fw3: Custom wg1 postrouting rule chain" -j postrouting_wg1_rule
[0:0] -A zone_wg1_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wg1_prerouting -m comment --comment "!fw3: Custom wg1 prerouting rule chain" -j prerouting_wg1_rule
COMMIT

*mangle
:PREROUTING ACCEPT [1373940:1216919688]
:INPUT ACCEPT [137302:108050771]
:FORWARD ACCEPT [1229364:1107591054]
:OUTPUT ACCEPT [121072:20809661]
:POSTROUTING ACCEPT [1332303:1127205044]
[19755:1252944] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1181:75644] -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg0 MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o wg1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg1 MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT


*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_2_rule - [0:0]
:forwarding_lan_3_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg0_rule - [0:0]
:forwarding_wg1_rule - [0:0]
:input_lan_2_rule - [0:0]
:input_lan_3_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg0_rule - [0:0]
:input_wg1_rule - [0:0]
:output_lan_2_rule - [0:0]
:output_lan_3_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg0_rule - [0:0]
:output_wg1_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_2_dest_ACCEPT - [0:0]
:zone_lan_2_forward - [0:0]
:zone_lan_2_input - [0:0]
:zone_lan_2_output - [0:0]
:zone_lan_2_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_3_dest_ACCEPT - [0:0]
:zone_lan_3_forward - [0:0]
:zone_lan_3_input - [0:0]
:zone_lan_3_output - [0:0]
:zone_lan_3_src_ACCEPT - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg0_dest_ACCEPT - [0:0]
:zone_wg0_dest_REJECT - [0:0]
:zone_wg0_forward - [0:0]
:zone_wg0_input - [0:0]
:zone_wg0_output - [0:0]
:zone_wg0_src_REJECT - [0:0]
:zone_wg1_dest_ACCEPT - [0:0]
:zone_wg1_dest_REJECT - [0:0]
:zone_wg1_forward - [0:0]
:zone_wg1_input - [0:0]
:zone_wg1_output - [0:0]
:zone_wg1_src_REJECT - [0:0]
[64:8493] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[137257:108044694] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[112097:106335774] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1668:69744] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[2682:188844] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[10648:781752] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[25:2602] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg0_input
[2025:129203] -A INPUT -i br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_input
[0:0] -A INPUT -i wg1 -m comment --comment "!fw3" -j zone_wg1_input
[9328:588367] -A INPUT -i br-lan_3 -m comment --comment "!fw3" -j zone_lan_3_input
[1229369:1107592739] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[1204363:1104611862] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5628:1590103] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg0_forward
[1519:210552] -A FORWARD -i br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_forward
[0:0] -A FORWARD -i wg1 -m comment --comment "!fw3" -j zone_wg1_forward
[17859:1180222] -A FORWARD -i br-lan_3 -m comment --comment "!fw3" -j zone_lan_3_forward
[17859:1180222] -A FORWARD -m comment --comment "!fw3" -j reject
[64:8493] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[121026:20815920] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[109067:19941327] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[33:9424] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[11701:801477] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg0_output
[33:9144] -A OUTPUT -o br-lan_2 -m comment --comment "!fw3" -j zone_lan_2_output
[0:0] -A OUTPUT -o wg1 -m comment --comment "!fw3" -j zone_wg1_output
[192:54548] -A OUTPUT -o br-lan_3 -m comment --comment "!fw3" -j zone_lan_3_output
[15638:1003170] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[8294:813118] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[1216:51592] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[452:18152] -A syn_flood -m comment --comment "!fw3" -j DROP
[33:9144] -A zone_lan_2_dest_ACCEPT -o br-lan_2 -m comment --comment "!fw3" -j ACCEPT
[1519:210552] -A zone_lan_2_forward -m comment --comment "!fw3: Custom lan_2 forwarding rule chain" -j forwarding_lan_2_rule
[1519:210552] -A zone_lan_2_forward -m comment --comment "!fw3: Zone lan_2 to wg0 forwarding policy" -j zone_wg0_dest_ACCEPT
[0:0] -A zone_lan_2_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_2_forward -m comment --comment "!fw3" -j zone_lan_2_dest_ACCEPT
[2025:129203] -A zone_lan_2_input -m comment --comment "!fw3: Custom lan_2 input rule chain" -j input_lan_2_rule
[0:0] -A zone_lan_2_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2025:129203] -A zone_lan_2_input -m comment --comment "!fw3" -j zone_lan_2_src_ACCEPT
[33:9144] -A zone_lan_2_output -m comment --comment "!fw3: Custom lan_2 output rule chain" -j output_lan_2_rule
[33:9144] -A zone_lan_2_output -m comment --comment "!fw3" -j zone_lan_2_dest_ACCEPT
[2025:129203] -A zone_lan_2_src_ACCEPT -i br-lan_2 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[33:9424] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[5628:1590103] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5628:1590103] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2682:188844] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[2682:188844] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[192:54548] -A zone_lan_3_dest_ACCEPT -o br-lan_3 -m comment --comment "!fw3" -j ACCEPT
[17859:1180222] -A zone_lan_3_forward -m comment --comment "!fw3: Custom lan_3 forwarding rule chain" -j forwarding_lan_3_rule
[17859:1180222] -A zone_lan_3_forward -m comment --comment "!fw3: Zone lan_3 to wg1 forwarding policy" -j zone_wg1_dest_ACCEPT
[0:0] -A zone_lan_3_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[17859:1180222] -A zone_lan_3_forward -m comment --comment "!fw3" -j zone_lan_3_dest_ACCEPT
[9328:588367] -A zone_lan_3_input -m comment --comment "!fw3: Custom lan_3 input rule chain" -j input_lan_3_rule
[0:0] -A zone_lan_3_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[9328:588367] -A zone_lan_3_input -m comment --comment "!fw3" -j zone_lan_3_src_ACCEPT
[192:54548] -A zone_lan_3_output -m comment --comment "!fw3: Custom lan_3 output rule chain" -j output_lan_3_rule
[192:54548] -A zone_lan_3_output -m comment --comment "!fw3" -j zone_lan_3_dest_ACCEPT
[9328:588367] -A zone_lan_3_src_ACCEPT -i br-lan_3 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[33:9424] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[33:9424] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[2682:188844] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[175:12133] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[17154:2379447] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[10648:781752] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[2:1152] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[4598:147136] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6048:633464] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[11701:801477] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[11701:801477] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[6048:633464] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
[112:7580] -A zone_wg0_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1407:202972] -A zone_wg0_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg0_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg0_forward -m comment --comment "!fw3: Custom wg0 forwarding rule chain" -j forwarding_wg0_rule
[0:0] -A zone_wg0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg0_forward -m comment --comment "!fw3" -j zone_wg0_dest_REJECT
[25:2602] -A zone_wg0_input -m comment --comment "!fw3: Custom wg0 input rule chain" -j input_wg0_rule
[0:0] -A zone_wg0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[25:2602] -A zone_wg0_input -m comment --comment "!fw3" -j zone_wg0_src_REJECT
[0:0] -A zone_wg0_output -m comment --comment "!fw3: Custom wg0 output rule chain" -j output_wg0_rule
[0:0] -A zone_wg0_output -m comment --comment "!fw3" -j zone_wg0_dest_ACCEPT
[25:2602] -A zone_wg0_src_REJECT -i wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg1_dest_ACCEPT -o wg1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wg1_dest_ACCEPT -o wg1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg1_dest_REJECT -o wg1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg1_forward -m comment --comment "!fw3: Custom wg1 forwarding rule chain" -j forwarding_wg1_rule
[0:0] -A zone_wg1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg1_forward -m comment --comment "!fw3" -j zone_wg1_dest_REJECT
[0:0] -A zone_wg1_input -m comment --comment "!fw3: Custom wg1 input rule chain" -j input_wg1_rule
[0:0] -A zone_wg1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg1_input -m comment --comment "!fw3" -j zone_wg1_src_REJECT
[0:0] -A zone_wg1_output -m comment --comment "!fw3: Custom wg1 output rule chain" -j output_wg1_rule
[0:0] -A zone_wg1_output -m comment --comment "!fw3" -j zone_wg1_dest_ACCEPT
[0:0] -A zone_wg1_src_REJECT -i wg1 -m comment --comment "!fw3" -j reject
COMMIT

Yes, that is essential.
Do a service network restart to see if you spot any error from the device.

service network restart does not return any errors or warnings. It only mentions that radio 2 is disabled, which is correct, as I have it disabled.

/etc/system/config contains option conloglevel '8', and logread does not output any error messages related to routing or table 200. I can copy here the full output in case you want to review it, but I did not spot anything.

Are there any other logs or tools which I can use to spot any errors?

config rule
	option src 'lan_3'
	option lookup '200'

Wrong syntax, it is option in 'lan_3'

This made it work. Thank you for looking into this.

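The two checks that would have pointed at the fault in this thread, as an added example that is not part of the original posts: one lists routing tables that hold routes but that no `ip rule` selects (table 200 above), the other flags `config rule` stanzas whose `src`/`dest` value is not an address or prefix. The function names and the sample data, which is constructed from the outputs posted above, are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check policy routing on an OpenWrt router.
# The sample data is constructed from the outputs posted in this thread.

SAMPLE_ROUTES='default dev wg0 table 300 proto static scope link
default dev wg1 table 200 proto static scope link
default via 192.168.1.1 dev eth1.2 proto static src 192.168.1.104
192.168.4.0/24 dev br-lan_3 proto kernel scope link src 192.168.4.1
local 192.168.4.1 dev br-lan_3 table local proto kernel scope host src 192.168.4.1'

SAMPLE_RULES='0: from all lookup local
1: from all iif br-lan_2 lookup 300
32766: from all lookup main
32767: from all lookup default'

SAMPLE_UCI="config rule
    option in 'lan_2'
    option lookup '300'

config rule
    option src 'lan_3'
    option lookup '200'"

# orphan_tables ROUTES RULES
# Print every custom routing table that holds routes but that no rule
# selects with "lookup", so forwarded traffic can never reach it.
orphan_tables() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++) if ($i == "table") print $(i + 1) }
    ' | sort -u | while read -r tbl; do
        # Built-in tables are always reachable through the default rules.
        case "$tbl" in local|main|default) continue ;; esac
        printf '%s\n' "$2" | awk -v t="$tbl" '
            { for (i = 1; i < NF; i++)
                  if ($i == "lookup" && $(i + 1) == t) found = 1 }
            END { exit !found }
        ' || printf '%s\n' "$tbl"
    done
}

# bad_rule_selectors UCI_TEXT
# In a "config rule" stanza, src and dest take an IPv4 address or prefix,
# while in and out take a logical interface name. Print "option value" for
# each src/dest whose value is not an address or prefix.
bad_rule_selectors() {
    printf '%s\n' "$1" | awk '
        $1 == "config" { in_rule = ($2 == "rule") }
        in_rule && $1 == "option" && ($2 == "src" || $2 == "dest") {
            v = $3
            gsub("[^0-9A-Za-z_.:/-]", "", v)   # strip the UCI quotes
            if (v !~ "^[0-9]+[.][0-9]+[.][0-9]+[.][0-9]+(/[0-9]+)?$")
                print $2 " " v
        }
    '
}

# Demo on the constructed sample. On the router, feed the live state:
#   orphan_tables "$(ip -4 route list table all)" "$(ip -4 rule)"
#   bad_rule_selectors "$(cat /etc/config/network)"
echo "tables without a rule: $(orphan_tables "$SAMPLE_ROUTES" "$SAMPLE_RULES")"
echo "suspect rule selectors: $(bad_rule_selectors "$SAMPLE_UCI")"
```
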