TCP connections failing via Wireguard

Hi there,

I am running OpenWRT with a WireGuard site-to-site VPN towards my pfSense firewall at home.

I have set up two SSIDs. One routes everything down the tunnel towards my home, and the other only routes specific (home) subnets down the tunnel, with everything else going to the internet.

The VPN works fine, routing works fine and ping/traceroute works completely as expected in all scenarios. But when I try to establish TCP connections over the tunnel, the traffic stops flowing after so many packets and then the TCP connection is reset.

I have lowered the MTU on the WG interface to 1300 at each side and also set MSS clamping, but I still cannot get TCP connections to work reliably. They just stop working after a few seconds and then I see in Wireshark lots of "TCP ACKed unknown segment", duplicate ACKs, TCP retransmissions, etc.

This is killing me! Any ideas what it could be please?

I have another OpenWRT device that does not exhibit this behaviour when connecting to the same pfSense box.

What's the MTU inside and outside of the tunnel?


The OpenWRT device is connected to an internet connection with a 1500 MTU; I can ping to the internet with up to 1472 bytes without fragmentation.
The pfSense is on a PPPoE connection; I can ping with up to 1464 bytes without fragmentation.

Both WireGuard interfaces are set to 1300 MTU currently. I can ping 1272 bytes in both directions over the tunnel without fragmentation.

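The MTU and ping figures in the posts above hang together once the header sizes are written down. The following Python is an added example, not code from the thread: it reproduces the three ping limits the poster measured (1472 bytes on the 1500-byte WAN, 1464 bytes on the PPPoE side, 1272 bytes through wg0), derives the largest wg0 MTU that still fits both outer paths when the WireGuard endpoint is IPv4, and computes the MSS that the `TCPMSS --clamp-mss-to-pmtu` rules in the mangle table will write into SYNs crossing wg0. All function names are constructed for this example; the header constants are the standard IPv4/UDP/TCP/ICMP sizes plus WireGuard's 32-byte data-message header.

```python
"""Sanity-check the MTU and ping figures quoted in the posts above.

Added example, not code from the thread. Header sizes are the standard
IPv4/UDP/TCP/ICMP values plus the 32-byte WireGuard data-message header;
the path MTUs are the ones the poster measured (1500 on the OpenWrt side,
PPPoE on the pfSense side, 1300 configured on wg0).
"""

IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20            # TCP header with no options; MSS is measured against this
ICMP_HDR = 8
WG_HDR = 32             # WireGuard data message: type/reserved 4, receiver 4, counter 8, tag 16
WG_OVERHEAD_V4 = IPV4_HDR + UDP_HDR + WG_HDR   # 60 bytes added to every tunnelled packet


def max_ping_payload(mtu):
    """Largest `ping -s` payload that crosses a link of this MTU unfragmented."""
    return mtu - IPV4_HDR - ICMP_HDR


def path_mtu_from_ping(payload):
    """Path MTU implied by the largest payload a don't-fragment ping delivered."""
    return payload + IPV4_HDR + ICMP_HDR


def max_wg_mtu(outer_path_mtu):
    """Largest wg0 MTU whose encapsulated packets still fit the outer path (IPv4 endpoint)."""
    return outer_path_mtu - WG_OVERHEAD_V4


def clamped_mss(interface_mtu):
    """MSS that `TCPMSS --clamp-mss-to-pmtu` writes into a SYN leaving an interface of this MTU."""
    return interface_mtu - IPV4_HDR - TCP_HDR


def tunnel_mtu_is_safe(wg_mtu, *outer_path_mtus):
    """True when the chosen wg0 MTU fits the outer path on every side of the tunnel."""
    return all(wg_mtu <= max_wg_mtu(m) for m in outer_path_mtus)


def thread_figures():
    """Derive the numbers the posts report and the headroom the 1300-byte setting leaves."""
    openwrt_path = 1500                       # measured: 1472-byte pings pass
    pfsense_path = path_mtu_from_ping(1464)   # PPPoE: 1464-byte pings pass
    wg_mtu = 1300
    return {
        "openwrt_max_ping": max_ping_payload(openwrt_path),
        "pfsense_path_mtu": pfsense_path,
        "wg0_max_ping": max_ping_payload(wg_mtu),
        "wg0_max_safe_mtu": min(max_wg_mtu(openwrt_path), max_wg_mtu(pfsense_path)),
        "clamped_mss": clamped_mss(wg_mtu),
        "mtu_is_safe": tunnel_mtu_is_safe(wg_mtu, openwrt_path, pfsense_path),
    }


if __name__ == "__main__":
    for key, value in thread_figures().items():
        print(f"{key:>18}: {value}")
```

With these inputs the largest safe wg0 MTU is 1432 (bounded by the 1492-byte PPPoE path), so the configured 1300 leaves well over a hundred bytes of headroom and SYNs through wg0 will carry an MSS of 1260. That is consistent with the poster's observation that lowering the MTU did not change the symptoms: the figures do not point at a plain encapsulation overflow, which is why the next reply asks for the full routing and firewall state rather than more MTU changes.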

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; ip link; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

OK, thanks trendy.

So I have now brought the OpenWRT device home with me and this is what I get when I connect it to my mobile phone hotspot (same issue).

I have redacted all public IP addresses that matter to me. Anywhere you see 'split' indicates split tunnelling. ADT means all down tunnel.

root@GL-AR750S:~# ubus call system board; \
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; ip link; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "4.14.241",
        "hostname": "GL-AR750S",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "GL.iNet GL-AR750S (NOR/NAND)",
        "board_name": "glinet,gl-ar750s-nor-nand",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.8",
                "revision": "r11364-ef56c85848",
                "target": "ath79/nand",
                "description": "OpenWrt 19.07.8 r11364-ef56c85848"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6f:a949:e7d2::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-AR750S-48c'
        option ipaddr '192.168.116.1'

config interface 'wan'
        option ifname 'eth0.2'
        option hostname 'GL-AR750S-48c'
        option ipv6 '0'
        option peerdns '0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option disabled '1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'
        option metric '20'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '192.168.113.4'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option mtu '1300'

config wireguard_wg0
        option description 'Home'
        option endpoint_host 'XX.XX.XX.XX'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'

config interface 'lan_adt'
        option proto 'static'
        option ipaddr '192.168.117.1'
        option netmask '255.255.255.0'
        option type 'bridge'

config rule
        option in 'lan_adt'
        option lookup '100'

config rule
        option in 'lan'
        option lookup '101'

config rule
        option in 'lan'
        option lookup '102'

config rule
        option in 'lan'
        option lookup '103'

config rule
        option in 'lan'
        option lookup '104'

config route
        option interface 'wg0'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'

config route
        option interface 'wg0'
        option target '192.168.111.0'
        option netmask '255.255.255.0'
        option table '101'

config route
        option interface 'wg0'
        option target '192.168.113.0'
        option netmask '255.255.255.0'
        option table '102'

config route
        option interface 'wg0'
        option target '192.168.115.0'
        option netmask '255.255.255.0'
        option table '103'

config route
        option interface 'wg0'
        option target '209.9.211.211'
        option netmask '255.255.255.255'
        option table '104'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option doth '0'
        option txpower '20'
        option txpower_max '20'
        option band '5G'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key 'XXXXXXXXXXXXXXXXX'
        option disassoc_low_ack '0'
        option ifname 'wlan0'
        option wds '1'
        option ssid 'spagbol-adt-5G'
        option network 'lan_adt'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option txpower_max '20'
        option txpower '20'
        option htmode 'HT40'
        option band '2G'
        option channel '11'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key 'XXXXXXXXXXXXXXXXX'
        option wds '1'
        option disassoc_low_ack '0'
        option ifname 'wlan1'
        option ssid 'spagbol-adt'
        option network 'lan_adt'

config wifi-iface 'guest5g'
        option device 'radio0'
        option network 'guest'
        option mode 'ap'
        option wds '1'
        option ssid 'GL-AR750S-48c-Guest-5G'
        option encryption 'psk2'
        option key 'XXXXXXXXXXXXXXXXX'
        option ifname 'wlan2'
        option disabled '1'
        option guest '1'
        option disassoc_low_ack '0'

config wifi-iface 'guest2g'
        option device 'radio1'
        option network 'guest'
        option mode 'ap'
        option wds '1'
        option ssid 'GL-AR750S-48c-Guest'
        option encryption 'psk2'
        option key 'XXXXXXXXXXXXXXXXX'
        option ifname 'wlan3'
        option disabled '1'
        option guest '1'
        option disassoc_low_ack '0'

config wifi-iface 'wifinet5'
        option ssid 'spagbol-split-5G'
        option encryption 'psk2+ccmp'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option key 'XXXXXXXXXXXXXXXXX'

config wifi-iface 'wifinet6'
        option ssid 'spagbol-split'
        option encryption 'psk2+ccmp'
        option device 'radio1'
        option mode 'ap'
        option network 'lan'
        option key 'XXXXXXXXXXXXXXXXX'

config wifi-iface 'sta'
        option network 'wwan'
        option mode 'sta'
        option ifname 'wlan-sta'
        option ssid 'STUPID PHONE'
        option bssid 'BE:BA:57:XX:XX:XX'
        option channel '11'
        option device 'radio1'
        option encryption 'psk2'
        option key 'XXXXXXXXXXXXXXXXX'
        option disabled '0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option noresolv '1'
        option rebind_protection '0'
        list server '127.0.0.1#53535'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        option dhcpv6 'disabled'
        option ra 'disabled'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option dhcpv6 'disabled'
        option ra 'disabled'

config domain 'localhost'
        option name 'console.gl-inet.com'
        option ip '192.168.116.1'

config dhcp 'lan_adt'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan_adt'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'DROP'
        option network 'wan wan6 wwan'

config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config zone 'guestzone'
        option name 'guestzone'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '1'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

config zone
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option name 'lan_adt'
        list network 'lan_adt'

config zone
        option name 'wg_vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option mtu_fix '1'

config forwarding
        option dest 'lan'
        option src 'wg_vpn'

config forwarding
        option dest 'wan'
        option src 'wg_vpn'

config forwarding
        option dest 'wg_vpn'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'lan_adt'

config forwarding
        option dest 'wan'
        option src 'lan_adt'

config forwarding
        option dest 'wg_vpn'
        option src 'lan_adt'

config forwarding
        option dest 'lan_adt'
        option src 'lan'

config forwarding
        option dest 'lan_adt'
        option src 'wg_vpn'

Continued.....

force_dns() {
        # lanip=$(ifconfig br-lan |sed -n 's/.*dr:\(.*\) Bc.*/\1/p')
        lanip=$(uci get network.lan.ipaddr)
        tor=$(ps|grep /usr/sbin/tor|grep -v grep)
        [ "$1" = "add" ] && {
                ip=$(uci get glconfig.general.ipaddr)
                [ -z "$ip" ] && ip=$(uci get network.lan.ipaddr)
                iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $ip
                iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $ip

                uci set glconfig.general.ipaddr=$lanip
                uci commit glconfig
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

                if [ -n "$tor" ];then
                        iptables -t nat -C PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        iptables -t nat -C PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                        [ ! "$?" = "0" ] && iptables -t nat -I PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                fi



        }
        [ "$1" = "remove" ] && {
                lanip=$(uci get glconfig.general.ipaddr)
                [ -z "$lanip" ] && lanip=$(uci get network.lan.ipaddr)
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p udp --dport 53 -j DNAT --to $lanip
                iptables -t nat -C PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip
                [ "$?" = "0" ] && iptables -t nat -D PREROUTING -i br-+ -s 0/0 -p tcp --dport 53 -j DNAT --to $lanip

                if [ -n "$tor" ];then
                        iptables -t nat -D PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 9053
                        iptables -t nat -D PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
                fi
        }
}

force=$(uci get glconfig.general.force_dns)
if [ -n "$force" ]; then
    force_dns add
else
    force_dns remove
fi
gl-firewall

continued...

# PPTP Passthrough
iptables -t raw -D OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp


#AnyConnect workarounds (these next few lines are for use when connected to my employer's client). Not relevant to this topic.
iptables -t nat -A PREROUTING -p tcp -d 209.9.211.211 --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
# iptables -t nat -A PREROUTING -p tcp -d 209.9.211.211 --dport 551 -j DNAT --to-destination 192.168.111.70:554
# iptables -t nat -A PREROUTING -p tcp -d 209.9.211.211 --dport 552 -j DNAT --to-destination 192.168.111.54:554
# iptables -t nat -A POSTROUTING -j MASQUERADE
# Generated by iptables-save v1.8.3 on Thu Mar 24 20:34:53 2022
*nat
:PREROUTING ACCEPT [287:35361]
:INPUT ACCEPT [82:5414]
:OUTPUT ACCEPT [133:10486]
:POSTROUTING ACCEPT [26:5296]
:GL_SPEC_DMZ - [0:0]
:postrouting_guestzone_rule - [0:0]
:postrouting_lan_adt_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_vpn_rule - [0:0]
:prerouting_guestzone_rule - [0:0]
:prerouting_lan_adt_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_vpn_rule - [0:0]
:zone_guestzone_postrouting - [0:0]
:zone_guestzone_prerouting - [0:0]
:zone_lan_adt_postrouting - [0:0]
:zone_lan_adt_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_vpn_postrouting - [0:0]
:zone_wg_vpn_prerouting - [0:0]
[287:35361] -A PREROUTING -j GL_SPEC_DMZ
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[289:35604] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[194:15631] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[95:19973] -A PREROUTING -i wlan-sta -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guestzone_prerouting
[0:0] -A PREROUTING -i br-lan_adt -m comment --comment "!fw3" -j zone_lan_adt_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg_vpn_prerouting
[0:0] -A PREROUTING -d 209.9.211.211/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination XX.XX.XX.XX:443
[196:17355] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[170:12059] -A POSTROUTING -o wlan-sta -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guestzone_postrouting
[0:0] -A POSTROUTING -o br-lan_adt -m comment --comment "!fw3" -j zone_lan_adt_postrouting
[8:4040] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg_vpn_postrouting
[0:0] -A zone_guestzone_postrouting -m comment --comment "!fw3: Custom guestzone postrouting rule chain" -j postrouting_guestzone_rule
[0:0] -A zone_guestzone_prerouting -m comment --comment "!fw3: Custom guestzone prerouting rule chain" -j prerouting_guestzone_rule
[0:0] -A zone_lan_adt_postrouting -m comment --comment "!fw3: Custom lan_adt postrouting rule chain" -j postrouting_lan_adt_rule
[0:0] -A zone_lan_adt_prerouting -m comment --comment "!fw3: Custom lan_adt prerouting rule chain" -j prerouting_lan_adt_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[194:15631] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[170:12059] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[170:12059] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[95:19973] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[8:4040] -A zone_wg_vpn_postrouting -m comment --comment "!fw3: Custom wg_vpn postrouting rule chain" -j postrouting_wg_vpn_rule
[0:0] -A zone_wg_vpn_prerouting -m comment --comment "!fw3: Custom wg_vpn prerouting rule chain" -j prerouting_wg_vpn_rule
COMMIT
# Completed on Thu Mar 24 20:34:53 2022
# Generated by iptables-save v1.8.3 on Thu Mar 24 20:34:53 2022
*raw
:PREROUTING ACCEPT [5612:2204357]
:OUTPUT ACCEPT [2260:1165784]
:zone_guestzone_helper - [0:0]
:zone_lan_adt_helper - [0:0]
:zone_lan_helper - [0:0]
:zone_wg_vpn_helper - [0:0]
[2297:865500] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3: guestzone CT helper assignment" -j zone_guestzone_helper
[0:0] -A PREROUTING -i br-lan_adt -m comment --comment "!fw3: lan_adt CT helper assignment" -j zone_lan_adt_helper
[817:298102] -A PREROUTING -i wg0 -m comment --comment "!fw3: wg_vpn CT helper assignment" -j zone_wg_vpn_helper
[0:0] -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_guestzone_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_guestzone_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan_adt_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_adt_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan_adt_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_adt_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_adt_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan_adt_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_adt_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_adt_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_adt_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan_adt_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_lan_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_lan_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
[0:0] -A zone_wg_vpn_helper -p udp -m comment --comment "!fw3: Amanda backup and archiving proto" -m udp --dport 10080 -j CT --helper amanda
[0:0] -A zone_wg_vpn_helper -p tcp -m comment --comment "!fw3: FTP passive connection tracking" -m tcp --dport 21 -j CT --helper ftp
[0:0] -A zone_wg_vpn_helper -p udp -m comment --comment "!fw3: RAS proto tracking" -m udp --dport 1719 -j CT --helper RAS
[0:0] -A zone_wg_vpn_helper -p tcp -m comment --comment "!fw3: Q.931 proto tracking" -m tcp --dport 1720 -j CT --helper Q.931
[0:0] -A zone_wg_vpn_helper -p tcp -m comment --comment "!fw3: IRC DCC connection tracking" -m tcp --dport 6667 -j CT --helper irc
[0:0] -A zone_wg_vpn_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp
[0:0] -A zone_wg_vpn_helper -p tcp -m comment --comment "!fw3: SIP VoIP connection tracking" -m tcp --dport 5060 -j CT --helper sip
[0:0] -A zone_wg_vpn_helper -p udp -m comment --comment "!fw3: SIP VoIP connection tracking" -m udp --dport 5060 -j CT --helper sip
[0:0] -A zone_wg_vpn_helper -p udp -m comment --comment "!fw3: SNMP monitoring connection tracking" -m udp --dport 161 -j CT --helper snmp
[0:0] -A zone_wg_vpn_helper -p udp -m comment --comment "!fw3: TFTP connection tracking" -m udp --dport 69 -j CT --helper tftp
COMMIT
# Completed on Thu Mar 24 20:34:53 2022
# Generated by iptables-save v1.8.3 on Thu Mar 24 20:34:53 2022
*mangle
:PREROUTING ACCEPT [5646:2219221]
:INPUT ACCEPT [2090:626832]
:FORWARD ACCEPT [3506:1588965]
:OUTPUT ACCEPT [2278:1174506]
:POSTROUTING ACCEPT [5777:2763191]
:mwan3_connected - [0:0]
:mwan3_hook - [0:0]
:mwan3_iface_in_wwan - [0:0]
:mwan3_ifaces_in - [0:0]
:mwan3_policy_default_poli - [0:0]
:mwan3_rules - [0:0]
[36360:15457392] -A PREROUTING -j mwan3_hook
[54:2808] -A FORWARD -o br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[54:2808] -A FORWARD -i br-lan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone lan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[49:2548] -A FORWARD -o wlan-sta -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[49:2548] -A FORWARD -i wlan-sta -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[5:260] -A FORWARD -o wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[5:260] -A FORWARD -i wg0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wg_vpn MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[11743:3041241] -A OUTPUT -j mwan3_hook
[20747:8585215] -A mwan3_connected -m set --match-set mwan3_connected dst -j MARK --set-xmark 0x3f00/0x3f00
[48103:18498633] -A mwan3_hook -j CONNMARK --restore-mark --nfmask 0x3f00 --ctmask 0x3f00
[4503:429713] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_ifaces_in
[3667:273285] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_connected
[1680:127587] -A mwan3_hook -m mark --mark 0x0/0x3f00 -j mwan3_rules
[48103:18498633] -A mwan3_hook -j CONNMARK --save-mark --nfmask 0x3f00 --ctmask 0x3f00
[28414:13192048] -A mwan3_hook -m mark ! --mark 0x3f00/0x3f00 -j mwan3_connected
[0:0] -A mwan3_iface_in_wwan -i wlan-sta -m set --match-set mwan3_connected src -m mark --mark 0x0/0x3f00 -m comment --comment default -j MARK --set-xmark 0x3f00/0x3f00
[245:55568] -A mwan3_iface_in_wwan -i wlan-sta -m mark --mark 0x0/0x3f00 -m comment --comment wwan -j MARK --set-xmark 0x200/0x3f00
[802:97322] -A mwan3_ifaces_in -m mark --mark 0x0/0x3f00 -j mwan3_iface_in_wwan
[164:14793] -A mwan3_policy_default_poli -m mark --mark 0x0/0x3f00 -m comment --comment "wwan 3 3" -j MARK --set-xmark 0x200/0x3f00
[164:14793] -A mwan3_rules -m mark --mark 0x0/0x3f00 -m comment --comment default_rule -j mwan3_policy_default_poli
COMMIT
# Completed on Thu Mar 24 20:34:53 2022
# Generated by iptables-save v1.8.3 on Thu Mar 24 20:34:53 2022
*filter

last one.....

:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:GL_SPEC_OPENING - [0:0]
:forwarding_guestzone_rule - [0:0]
:forwarding_lan_adt_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_vpn_rule - [0:0]
:input_guestzone_rule - [0:0]
:input_lan_adt_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_vpn_rule - [0:0]
:output_guestzone_rule - [0:0]
:output_lan_adt_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_vpn_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guestzone_dest_ACCEPT - [0:0]
:zone_guestzone_dest_REJECT - [0:0]
:zone_guestzone_forward - [0:0]
:zone_guestzone_input - [0:0]
:zone_guestzone_output - [0:0]
:zone_guestzone_src_REJECT - [0:0]
:zone_lan_adt_dest_ACCEPT - [0:0]
:zone_lan_adt_forward - [0:0]
:zone_lan_adt_input - [0:0]
:zone_lan_adt_output - [0:0]
:zone_lan_adt_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_DROP - [0:0]
:zone_wg_vpn_dest_ACCEPT - [0:0]
:zone_wg_vpn_forward - [0:0]
:zone_wg_vpn_input - [0:0]
:zone_wg_vpn_output - [0:0]
:zone_wg_vpn_src_ACCEPT - [0:0]
[2092:626018] -A INPUT -j GL_SPEC_OPENING
[69:15755] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[2029:611557] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[1811:583424] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[33:1716] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[114:7800] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[104:20333] -A INPUT -i wlan-sta -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guestzone_input
[0:0] -A INPUT -i br-lan_adt -m comment --comment "!fw3" -j zone_lan_adt_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg_vpn_input
[3506:1588965] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[3436:1581851] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[70:7114] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wlan-sta -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guestzone_forward
[0:0] -A FORWARD -i br-lan_adt -m comment --comment "!fw3" -j zone_lan_adt_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[69:15755] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[2221:1163243] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2024:1148105] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[197:15138] -A OUTPUT -o wlan-sta -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guestzone_output
[0:0] -A OUTPUT -o br-lan_adt -m comment --comment "!fw3" -j zone_lan_adt_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg_vpn_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[33:1716] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guestzone_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guestzone_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3: Custom guestzone forwarding rule chain" -j forwarding_guestzone_rule
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3: Zone guestzone to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guestzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guestzone_forward -m comment --comment "!fw3" -j zone_guestzone_dest_REJECT
[0:0] -A zone_guestzone_input -m comment --comment "!fw3: Custom guestzone input rule chain" -j input_guestzone_rule
[0:0] -A zone_guestzone_input -p udp -m udp --dport 67:68 -m comment --comment "!fw3: guestzone_DHCP" -j ACCEPT
[0:0] -A zone_guestzone_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
[0:0] -A zone_guestzone_input -p udp -m udp --dport 53 -m comment --comment "!fw3: guestzone_DNS" -j ACCEPT
[0:0] -A zone_guestzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guestzone_input -m comment --comment "!fw3" -j zone_guestzone_src_REJECT
[0:0] -A zone_guestzone_output -m comment --comment "!fw3: Custom guestzone output rule chain" -j output_guestzone_rule
[0:0] -A zone_guestzone_output -m comment --comment "!fw3" -j zone_guestzone_dest_ACCEPT
[0:0] -A zone_guestzone_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_adt_dest_ACCEPT -o br-lan_adt -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_adt_forward -m comment --comment "!fw3: Custom lan_adt forwarding rule chain" -j forwarding_lan_adt_rule
[0:0] -A zone_lan_adt_forward -m comment --comment "!fw3: Zone lan_adt to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_adt_forward -m comment --comment "!fw3: Zone lan_adt to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_adt_forward -m comment --comment "!fw3: Zone lan_adt to wg_vpn forwarding policy" -j zone_wg_vpn_dest_ACCEPT
[0:0] -A zone_lan_adt_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_adt_forward -m comment --comment "!fw3" -j zone_lan_adt_dest_ACCEPT
[0:0] -A zone_lan_adt_input -m comment --comment "!fw3: Custom lan_adt input rule chain" -j input_lan_adt_rule
[0:0] -A zone_lan_adt_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_adt_input -m comment --comment "!fw3" -j zone_lan_adt_src_ACCEPT
[0:0] -A zone_lan_adt_output -m comment --comment "!fw3: Custom lan_adt output rule chain" -j output_lan_adt_rule
[0:0] -A zone_lan_adt_output -m comment --comment "!fw3" -j zone_lan_adt_dest_ACCEPT
[0:0] -A zone_lan_adt_src_ACCEPT -i br-lan_adt -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[70:7114] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[70:7114] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[8:4040] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg_vpn forwarding policy" -j zone_wg_vpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to lan_adt forwarding policy" -j zone_lan_adt_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[114:7800] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[18:1404] -A zone_lan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[96:6396] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[96:6396] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[7:280] -A zone_wan_dest_ACCEPT -o wlan-sta -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[252:17932] -A zone_wan_dest_ACCEPT -o wlan-sta -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o wlan-sta -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[104:20333] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 137 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 138 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 139 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p tcp -m tcp --dport 445 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 137 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 138 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 139 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -p udp -m udp --dport 445 -m comment --comment "!fw3: @rule[11]" -j DROP
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[104:20333] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_DROP
[197:15138] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[197:15138] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_DROP -i eth0.2 -m comment --comment "!fw3" -j DROP
[104:20333] -A zone_wan_src_DROP -i wlan-sta -m comment --comment "!fw3" -j DROP
[8:4040] -A zone_wg_vpn_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg_vpn_forward -m comment --comment "!fw3: Custom wg_vpn forwarding rule chain" -j forwarding_wg_vpn_rule
[0:0] -A zone_wg_vpn_forward -m comment --comment "!fw3: Zone wg_vpn to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_vpn_forward -m comment --comment "!fw3: Zone wg_vpn to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_vpn_forward -m comment --comment "!fw3: Zone wg_vpn to lan_adt forwarding policy" -j zone_lan_adt_dest_ACCEPT
[0:0] -A zone_wg_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg_vpn_forward -m comment --comment "!fw3" -j zone_wg_vpn_dest_ACCEPT
[0:0] -A zone_wg_vpn_input -m comment --comment "!fw3: Custom wg_vpn input rule chain" -j input_wg_vpn_rule
[0:0] -A zone_wg_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg_vpn_input -m comment --comment "!fw3" -j zone_wg_vpn_src_ACCEPT
[0:0] -A zone_wg_vpn_output -m comment --comment "!fw3: Custom wg_vpn output rule chain" -j output_wg_vpn_rule
[0:0] -A zone_wg_vpn_output -m comment --comment "!fw3" -j zone_wg_vpn_dest_ACCEPT
[0:0] -A zone_wg_vpn_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Thu Mar 24 20:34:53 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.116.1/24 brd 192.168.116.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: br-lan_adt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.117.1/24 brd 192.168.117.255 scope global br-lan_adt
       valid_lft forever preferred_lft forever
30: wlan-sta: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.7.174/24 brd 192.168.7.255 scope global wlan-sta
       valid_lft forever preferred_lft forever
33: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.113.4/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.7.156 dev wlan-sta table 2 metric 20
XX.XX.XX.XX via 192.168.7.156 dev wlan-sta table 2 proto static metric 20
192.168.7.0/24 dev wlan-sta table 2 proto static scope link metric 20
192.168.116.0/24 dev br-lan table 2 proto kernel scope link src 192.168.116.1
192.168.117.0/24 dev br-lan_adt table 2 proto kernel scope link src 192.168.117.1
default dev wg0 table 100 proto static scope link
192.168.111.0/24 dev wg0 table 101 proto static scope link
192.168.113.0/24 dev wg0 table 102 proto static scope link
192.168.115.0/24 dev wg0 table 103 proto static scope link
209.9.211.211 dev wg0 table 104 proto static scope link
default via 192.168.7.156 dev wlan-sta proto static src 192.168.7.174 metric 20
XX.XX.XX.XX via 192.168.7.156 dev wlan-sta proto static metric 20
192.168.7.0/24 dev wlan-sta proto static scope link metric 20
192.168.116.0/24 dev br-lan proto kernel scope link src 192.168.116.1
192.168.117.0/24 dev br-lan_adt proto kernel scope link src 192.168.117.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.7.0 dev wlan-sta table local proto kernel scope link src 192.168.7.174
local 192.168.7.174 dev wlan-sta table local proto kernel scope host src 192.168.7.174
broadcast 192.168.7.255 dev wlan-sta table local proto kernel scope link src 192.168.7.174
local 192.168.113.4 dev wg0 table local proto kernel scope host src 192.168.113.4
broadcast 192.168.116.0 dev br-lan table local proto kernel scope link src 192.168.116.1
local 192.168.116.1 dev br-lan table local proto kernel scope host src 192.168.116.1
broadcast 192.168.116.255 dev br-lan table local proto kernel scope link src 192.168.116.1
broadcast 192.168.117.0 dev br-lan_adt table local proto kernel scope link src 192.168.117.1
local 192.168.117.1 dev br-lan_adt table local proto kernel scope host src 192.168.117.1
broadcast 192.168.117.255 dev br-lan_adt table local proto kernel scope link src 192.168.117.1
0:      from all lookup local
1:      from all iif br-lan_adt lookup 100
2:      from all iif br-lan lookup 101
3:      from all iif br-lan lookup 102
4:      from all iif br-lan lookup 103
5:      from all iif br-lan lookup 104
1002:   from all iif wlan-sta lookup 2
2002:   from all fwmark 0x200/0x3f00 lookup 2
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 94:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
4: teql0: <NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/void
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 94:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
8: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether 94:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
10: br-lan_adt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 94:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
13: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan_adt state UP mode DEFAULT group default qlen 1000
    link/ether 94:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
16: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether 96:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
30: wlan-sta: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 94:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
31: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan_adt state UP mode DEFAULT group default qlen 1000
    link/ether 96:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
32: wlan1-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP mode DEFAULT group default qlen 1000
    link/ether 92:83:c4:XX:XX:XX brd ff:ff:ff:ff:ff:ff
33: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Dec 27 11:51 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            21 Mar 24 16:18 /tmp/resolv.conf -> /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            42 Mar 24 20:31 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
# Interface wwan
nameserver 192.168.7.156

==> /tmp/resolv.conf <==
# Interface wwan
nameserver 192.168.7.156

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver 192.168.7.156
head: /tmp/resolv.*/*: No such file or directory
root@GL-AR750S:~#

ip rules 3-5 will never match.
Are you also running mwan3 by any chance?

Hi again,

It seems mwan3 was installed by default; I have removed it now, but there is no improvement.

Regarding rules 3-5 that will not match, I assume you mean the section below. The routing seems to work exactly as intended in both split and all-down-tunnel modes. It just seems to drop large packets once the TCP session is established.

For example I can SSH into a Linux machine over wireguard tunnel and issue basic commands that generate little output. But as soon as I do something that generates more traffic or larger packets, things seem to get lost.

I'm lost where to go next with this.

config rule
        option in 'lan_adt'
        option lookup '100'

config rule
        option in 'lan'
        option lookup '101'

config rule
        option in 'lan'
        option lookup '102'

config rule
        option in 'lan'
        option lookup '103'

config rule
        option in 'lan'
        option lookup '104'

Yes, tables 102-104 will never be looked up, as everything will match the first rule and look up table 101.
Other than that, the problem sounds a lot like MTU, but the settings look correct from this side.
I would run a tcpdump on OpenWrt to verify that packets larger than 1300 bytes don't leave the wg interface, for a start. Install iputils-ping and use -M do -s 1500 to verify that large packets cannot go without fragmentation.
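To see what this rule set actually does with a packet, here is an added example (not code from the thread) that replays the `ip -4 ru` and `ip -4 ro li tab all` lines pasted above through a small simulator of the kernel's policy-routing lookup order. It assumes standard Linux semantics: rules are tried by priority, and a `lookup` whose table holds no route for the destination falls through to the next rule; the redacted XX.XX.XX.XX routes are left out.

```python
import ipaddress
import re

# Constructed from the `ip -4 ro li tab all` / `ip -4 ru` output pasted earlier in this
# thread; the redacted XX.XX.XX.XX routes and most table-local entries are left out.
ROUTES = """\
default dev wg0 table 100 proto static scope link
192.168.111.0/24 dev wg0 table 101 proto static scope link
192.168.113.0/24 dev wg0 table 102 proto static scope link
192.168.115.0/24 dev wg0 table 103 proto static scope link
209.9.211.211 dev wg0 table 104 proto static scope link
default via 192.168.7.156 dev wlan-sta proto static src 192.168.7.174 metric 20
192.168.116.0/24 dev br-lan proto kernel scope link src 192.168.116.1
192.168.117.0/24 dev br-lan_adt proto kernel scope link src 192.168.117.1
local 192.168.113.4 dev wg0 table local proto kernel scope host src 192.168.113.4
"""
RULES = """\
0:      from all lookup local
1:      from all iif br-lan_adt lookup 100
2:      from all iif br-lan lookup 101
3:      from all iif br-lan lookup 102
4:      from all iif br-lan lookup 103
5:      from all iif br-lan lookup 104
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default
"""
SPECIAL = {"local", "broadcast", "blackhole", "unreachable", "prohibit"}


def parse_routes(text):
    """Map table name -> [(network, device, route type)] from `ip route` lines."""
    tables = {}
    for line in text.splitlines():
        tok = line.split()
        rtype = tok.pop(0) if tok[0] in SPECIAL else "unicast"
        prefix = tok.pop(0)
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        table = tok[tok.index("table") + 1] if "table" in tok else "main"
        tables.setdefault(table, []).append((net, dev, rtype))
    return tables


def parse_rules(text):
    """Turn `ip rule` lines into dicts holding priority, selectors and action."""
    rules = []
    for line in text.splitlines():
        prio, body = re.match(r"\s*(\d+):\s+(.*)", line).groups()
        rule = {"prio": int(prio), "src": None, "iif": None, "fwmark": None,
                "action": None, "table": None}
        tok = body.split()
        while tok:
            key = tok.pop(0)
            if key == "from":
                arg = tok.pop(0)
                rule["src"] = None if arg == "all" else ipaddress.ip_network(arg)
            elif key == "iif":
                rule["iif"] = tok.pop(0)
            elif key == "fwmark":
                value, _, mask = tok.pop(0).partition("/")
                rule["fwmark"] = (int(value, 16), int(mask, 16) if mask else 0xFFFFFFFF)
            elif key == "lookup":
                rule["action"], rule["table"] = "lookup", tok.pop(0)
            else:
                rule["action"] = key  # blackhole / unreachable / prohibit
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])


def longest_match(table, dst):
    """Longest-prefix match of dst inside one routing table, or None."""
    best = None
    for net, dev, rtype in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, rtype)
    return best


def route(tables, rules, dst, iif=None, src=None, fwmark=0):
    """Return (rule priority, table or action, device) for a packet, None if unroutable.
    iif=None models a locally generated packet, which matches no iif selector."""
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if r["iif"] and r["iif"] != iif:
            continue
        if r["src"] and (src is None or ipaddress.ip_address(src) not in r["src"]):
            continue
        if r["fwmark"] and (fwmark & r["fwmark"][1]) != r["fwmark"][0]:
            continue
        if r["action"] != "lookup":
            return (r["prio"], r["action"], None)
        hit = longest_match(tables.get(r["table"], []), dst)
        if hit is None:
            continue  # no route for dst in this table: the kernel tries the next rule
        net, dev, rtype = hit
        return (r["prio"], r["table"], dev if rtype == "unicast" else rtype)
    return None


TABLES = parse_routes(ROUTES)
RULE_LIST = parse_rules(RULES)
```

With this rule set a packet from br-lan to 192.168.115.7 ends up in table 103 after tables 101 and 102 yield nothing, while anything else from br-lan falls through to the main table and leaves via wlan-sta; br-lan_adt always hits the default route in table 100.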

Thanks Trendy, sorry for the slow reply. I have been travelling, so I am now overseas, hence the high pings!

This looks OK from my perspective:

root@GL-AR750S:~# ping -I wg0 -M do -s 1500 192.168.111.1
PING 192.168.111.1 (192.168.111.1) from 192.168.113.4 wg0: 1500(1528) bytes of data.
ping: local error: Message too long, mtu=1300
ping: local error: Message too long, mtu=1300
ping: local error: Message too long, mtu=1300
ping: local error: Message too long, mtu=1300
^C
--- 192.168.111.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3145ms

root@GL-AR750S:~# ping -I wg0 -s 1500 192.168.111.1
PING 192.168.111.1 (192.168.111.1) from 192.168.113.4 wg0: 1500(1528) bytes of data.
1508 bytes from 192.168.111.1: icmp_req=1 ttl=64 time=201 ms
1508 bytes from 192.168.111.1: icmp_req=2 ttl=64 time=179 ms
1508 bytes from 192.168.111.1: icmp_req=3 ttl=64 time=181 ms
1508 bytes from 192.168.111.1: icmp_req=4 ttl=64 time=183 ms
1508 bytes from 192.168.111.1: icmp_req=5 ttl=64 time=180 ms
^C
--- 192.168.111.1 ping statistics ---
6 packets transmitted, 5 received, 16% packet loss, time 5006ms
rtt min/avg/max/mdev = 179.309/185.211/201.423/8.242 ms

And I see the following in tcpdump when I remove the do-not-fragment flag, which again looks good to me:

root@GL-AR750S:~# tcpdump -i wg0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
20:00:22.532179 IP 192.168.113.4 > 192.168.111.1: ICMP echo request, id 21617, seq 1, length 1280
20:00:22.532231 IP 192.168.113.4 > 192.168.111.1: icmp
20:00:22.733378 IP 192.168.111.1 > 192.168.113.4: ICMP echo reply, id 21617, seq 1, length 1280
20:00:22.733446 IP 192.168.111.1 > 192.168.113.4: icmp
20:00:23.533173 IP 192.168.113.4 > 192.168.111.1: ICMP echo request, id 21617, seq 2, length 1280
20:00:23.533221 IP 192.168.113.4 > 192.168.111.1: icmp
20:00:23.712301 IP 192.168.111.1 > 192.168.113.4: ICMP echo reply, id 21617, seq 2, length 1280
20:00:23.712352 IP 192.168.111.1 > 192.168.113.4: icmp
20:00:24.534177 IP 192.168.113.4 > 192.168.111.1: ICMP echo request, id 21617, seq 3, length 1280
20:00:24.534225 IP 192.168.113.4 > 192.168.111.1: icmp
20:00:24.713850 IP 192.168.111.1 > 192.168.113.4: ICMP echo reply, id 21617, seq 3, length 1280
20:00:24.715318 IP 192.168.111.1 > 192.168.113.4: icmp
20:00:25.535820 IP 192.168.113.4 > 192.168.111.1: ICMP echo request, id 21617, seq 4, length 1280
20:00:25.535870 IP 192.168.113.4 > 192.168.111.1: icmp
20:00:25.719407 IP 192.168.111.1 > 192.168.113.4: ICMP echo reply, id 21617, seq 4, length 1280
20:00:25.719476 IP 192.168.111.1 > 192.168.113.4: icmp
20:00:26.536930 IP 192.168.113.4 > 192.168.111.1: ICMP echo request, id 21617, seq 5, length 1280
20:00:26.536980 IP 192.168.113.4 > 192.168.111.1: icmp
20:00:26.715388 IP 192.168.111.1 > 192.168.113.4: ICMP echo reply, id 21617, seq 5, length 1280
20:00:26.717067 IP 192.168.111.1 > 192.168.113.4: icmp
20:00:27.538382 IP 192.168.113.4 > 192.168.111.1: ICMP echo request, id 21617, seq 6, length 1280
20:00:27.538432 IP 192.168.113.4 > 192.168.111.1: icmp
20:00:27.768559 IP 192.168.111.1 > 192.168.113.4: ICMP echo reply, id 21617, seq 6, length 1280
20:00:27.768636 IP 192.168.111.1 > 192.168.113.4: icmp
^C
24 packets captured
24 packets received by filter
0 packets dropped by kernel

I'll try to get wireshark traces showing exactly what happens on both sides of the tunnel and post it here.

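The sizes quoted in this thread line up with the protocol overheads involved. The following added example (not the poster's code) works them through: the 1472/1464 byte ping limits on a 1500 byte and a PPPoE link, the inner MTU WireGuard leaves over those links, the MSS that `--clamp-mss-to-pmtu` writes into a SYN for the 1300 byte wg0, and why the tcpdump above shows the 1508 byte ICMP message of `ping -s 1500` as a 1280 byte fragment plus a remainder. Header sizes are the fixed protocol values.

```python
# Added example, not from the thread: fixed protocol header sizes used below.
IPV4_HDR = 20
UDP_HDR = 8
TCP_HDR = 20
ICMP_HDR = 8
PPPOE_OVERHEAD = 8    # PPPoE (6) + PPP (2) headers on the pfSense side
WG_OVERHEAD = 32      # WireGuard data message: 16-byte header + 16-byte Poly1305 tag


def max_ping_payload(link_mtu):
    """Largest `ping -s` payload that crosses a link without fragmentation."""
    return link_mtu - IPV4_HDR - ICMP_HDR


def wg_inner_mtu(outer_mtu):
    """Largest inner IPv4 packet WireGuard carries in one outer UDP datagram.
    (The kernel pads plaintext to a 16-byte multiple, but never past the wg MTU.)"""
    return outer_mtu - IPV4_HDR - UDP_HDR - WG_OVERHEAD


def clamped_mss(path_mtu):
    """MSS that `TCPMSS --clamp-mss-to-pmtu` writes into an IPv4 SYN for this path."""
    return path_mtu - IPV4_HDR - TCP_HDR


def icmp_message_len(ping_payload):
    """Bytes of ICMP (header + payload) generated by `ping -s <payload>`."""
    return ping_payload + ICMP_HDR


def ipv4_fragments(ip_payload_len, mtu):
    """Payload lengths of the fragments of one IPv4 packet sent over a link with `mtu`.
    Every fragment but the last carries a multiple of 8 bytes, as the offset field requires."""
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    frags = []
    while ip_payload_len > per_frag:
        frags.append(per_frag)
        ip_payload_len -= per_frag
    frags.append(ip_payload_len)
    return frags


if __name__ == "__main__":
    print("max unfragmented ping on a 1500 link:", max_ping_payload(1500))            # 1472
    print("max unfragmented ping on PPPoE:", max_ping_payload(1500 - PPPOE_OVERHEAD))  # 1464
    print("inner MTU over 1500 / 1492 links:", wg_inner_mtu(1500), wg_inner_mtu(1492))
    print("MSS clamped for wg0 at 1300:", clamped_mss(1300))                          # 1260
    print("ping -s 1500 over wg0 fragments:", ipv4_fragments(icmp_message_len(1500), 1300))
```

The last line reproduces the capture above: the first fragment carries 1280 bytes of ICMP (what tcpdump prints as "length 1280") and the second the remaining 228.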

OK, I have made some progress on this now and can see that connections over the tunnel work fine if I select the option within Wireguard to add the routes automatically.

Of course, I want to use policy-based routing, so this is not a fix for me. But it seems to be an issue with the config on this OpenWRT device. Policy-based routing seems to cause problems.

Are you referring to Route Allowed IPs option in the peer configuration?

Yes, I just selected this option without removing any other config, and traffic down the tunnel works fine to all destinations.

That's strange, as you had the default route already installed in the routing table with the static route.
What you did will install the default route from the wg tunnel in the main routing table.

Yes, it looks like this guy had a similar issue and solved it by using the Route Allowed IPs option.

Are there any other methods I can use to achieve routing based on source interface / subnet so I can uncheck this option and revert to manual routing?

And what is the output of ip -4 addr; ip -4 ro list table all; ip -4 ru now?

It looks like both sets of routes are in there, but the 'Route Allowed IPs' option is taking precedence:

root@GL-AR750S:~# ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.116.1/24 brd 192.168.116.255 scope global br-lan
       valid_lft forever preferred_lft forever
10: br-lan_adt: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.117.1/24 brd 192.168.117.255 scope global br-lan_adt
       valid_lft forever preferred_lft forever
12: wlan-sta: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.203.132.187/17 brd 10.203.255.255 scope global wlan-sta
       valid_lft forever preferred_lft forever
19: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1300 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.113.4/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default dev wg0 table 100 proto static scope link
192.168.111.0/24 dev wg0 table 101 proto static scope link
192.168.113.0/24 dev wg0 table 102 proto static scope link
192.168.115.0/24 dev wg0 table 103 proto static scope link
209.9.211.211 dev wg0 table 104 proto static scope link
default dev wg0 proto static scope link
default via 10.203.128.1 dev wlan-sta proto static src 10.203.132.187 metric 20
10.203.128.0/17 dev wlan-sta proto static scope link metric 20
XX.XX.XX.XX (my home pfsense IP) via 10.203.128.1 dev wlan-sta proto static metric 20
192.168.116.0/24 dev br-lan proto kernel scope link src 192.168.116.1
192.168.117.0/24 dev br-lan_adt proto kernel scope link src 192.168.117.1
broadcast 10.203.128.0 dev wlan-sta table local proto kernel scope link src 10.203.132.187
local 10.203.132.187 dev wlan-sta table local proto kernel scope host src 10.203.132.187
broadcast 10.203.255.255 dev wlan-sta table local proto kernel scope link src 10.203.132.187
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.113.4 dev wg0 table local proto kernel scope host src 192.168.113.4
broadcast 192.168.116.0 dev br-lan table local proto kernel scope link src 192.168.116.1
local 192.168.116.1 dev br-lan table local proto kernel scope host src 192.168.116.1
broadcast 192.168.116.255 dev br-lan table local proto kernel scope link src 192.168.116.1
broadcast 192.168.117.0 dev br-lan_adt table local proto kernel scope link src 192.168.117.1
local 192.168.117.1 dev br-lan_adt table local proto kernel scope host src 192.168.117.1
broadcast 192.168.117.255 dev br-lan_adt table local proto kernel scope link src 192.168.117.1
0:      from all lookup local
1:      from all iif br-lan_adt lookup 100
2:      from all iif br-lan lookup 101
3:      from all iif br-lan lookup 102
4:      from all iif br-lan lookup 103
5:      from all iif br-lan lookup 104
32766:  from all lookup main
32767:  from all lookup default
root@GL-AR750S:~#

That is expected, and everything is routed out of the wg interface.